Closed Ninja-Pandit closed 6 years ago
Is the PHP function disabled?
you talking about ..
```ruby
# Function gen_evil_url <cmd> [shell]
def gen_evil_url(evil, shell=false)
  # PHP function to use (don't forget about disabled functions...)
  phpfunction = $drupalverion.start_with?("8")? "exec" : "passthru"
  phpfunction = "passthru"
  puts "[i] PHP cmd: #{phpfunction}" if shell
  puts "[i] Payload: #{evil}" if not shell
```
this..?
Still, it didn't work. I don't have any idea.. help..!!
@MyRootChutiya The problem you are facing is most probably because the PHP function system() is disabled on the server side, but you can write files to the web root, which you could have decoded and checked beforehand. I would also suggest you read more on the same: PHP.INI disable_functions
There are possible ways to bypass these protections. Example: PHP < 5.6.2 - 'Shellshock' 'disable_functions()' Bypass Command Injection, which, to work, needs a vulnerable bash on the machine (Windows servers are not affected), or, if I remember correctly, you can bypass it via some CGI tricks too.
That said, I guess there is nothing wrong with the exploit functionality, but a timeout can be added to the exploit to mitigate the terminal hang you mentioned.
P.S - I'm pretty sure that this exploit is for educational and research purposes. So, do make sure you are using it within those limits.
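An added example, not part of the thread or of drupalgeddon2.rb: a hardening check for the `disable_functions` setting discussed above, which reads php.ini text and lists the command-execution functions it leaves callable. The function list `EXEC_FUNCTIONS` and the sample php.ini are assumptions constructed for illustration.

```ruby
# Added example: audit php.ini text for command-execution functions left enabled.
# EXEC_FUNCTIONS is an assumed review list, not something taken from the thread.
EXEC_FUNCTIONS = %w[exec passthru shell_exec system proc_open popen pcntl_exec].freeze

# Return the functions named by the last effective disable_functions directive.
def disabled_functions(ini_text)
  disabled = []
  ini_text.each_line do |line|
    line = line.sub(/;.*/, "").strip             # drop ';' comments
    next unless line =~ /\Adisable_functions\s*=\s*(.*)\z/
    value = Regexp.last_match(1).delete(%q("'))  # tolerate quoted values
    # PHP function names are case-insensitive, so normalise to lower case.
    disabled = value.split(",").map { |f| f.strip.downcase }.reject(&:empty?)
  end
  disabled
end

# Return the exec-class functions a PHP script on this host could still call.
def still_enabled(ini_text)
  EXEC_FUNCTIONS - disabled_functions(ini_text)
end

# Constructed sample: system() is blocked, but the two functions the quoted
# script chooses between (exec and passthru) are not.
SAMPLE_INI = <<~INI
  [PHP]
  ; disable_functions = exec,passthru   (commented out, must be ignored)
  disable_functions = "system, shell_exec , POPEN"
  expose_php = Off
INI

if __FILE__ == $PROGRAM_NAME
  puts "disabled:      #{disabled_functions(SAMPLE_INI).join(', ')}"
  puts "still enabled: #{still_enabled(SAMPLE_INI).join(', ')}"
end
```

An empty "still enabled" list is the hardened outcome; anything it prints is a function that remains available to any PHP file placed in the web root.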
Well, drupalgeddon2.rb said the shell was written in the root dir:
Very Good News Everyone! Wrote to the web root! Waayheeeey!!!
[i] Fake shell: curl 'https://site.com/user/password/s.php' -d 'c=hostname'
But it doesn't execute the command, and it just hangs my terminal; see the screenshot :(