PHP提权

2016-09-21

PHP 运行环境本身有权限限制,有些命令即使关闭安全模式(safe_mode)也无法运行。下面用 C 写一个带 setuid 位的包装程序,让 PHP 通过它来提权执行命令:

/*
 PHP提权
 Mail : malu#malu.me
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

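/*
 * Setuid command wrapper: joins argv[1..] with single spaces and runs the
 * resulting string through system() after switching the process UIDs.
 *
 * Returns 0 when no command is given or after system() has run (the child's
 * status is discarded, as in the original), and 1 when the joined command
 * does not fit in the buffer or setreuid() fails.
 *
 * NOTE(review): there is no caller check and no command allowlist here, so
 * every account allowed to execute the installed file can run an arbitrary
 * shell command with the UIDs set below. system() also passes the string to
 * the shell together with the caller's environment. A sudoers rule limited
 * to the specific commands PHP needs is the usual narrower alternative.
 */
int main(int argc, char **argv){
        char execname[10240];
        size_t used = 0;
        int i;

        if(argc<2){
                return 0;
        }

        /*
         * Build the command line with bounded writes. The original called
         * sprintf(execname, "%s %s", execname, ...), which reads and writes
         * the same buffer (undefined behaviour) and had no length limit, so
         * long arguments overflowed execname inside a privileged process.
         */
        for(i=1;i<argc;i++){
                size_t room = sizeof execname - used;
                int n = snprintf(execname + used, room, "%s%s", i>1 ? " " : "", argv[i]);
                if(n<0 || (size_t)n>=room){
                        fprintf(stderr, "command line too long\n");
                        return 1;
                }
                used += (size_t)n;
        }

        /* setreuid(ruid, euid): real UID <- current effective UID, effective UID <- 0. */
        if(setreuid(geteuid(), 0)){
                perror("setreuid");
                /* Do not report success when the UID switch was refused. */
                return 1;
        }

        system(execname);
        return 0;
}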

把以上 C 代码编译,并设置 setuid(s)位;设置后进程会以该文件属主的有效 UID 运行:

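# Build the wrapper; gcc writes the binary to a.out by default.
gcc -Wall -Wextra a.c
# 4755 instead of 4777: the setuid bit is kept, but group and others no longer
# have write access to a setuid executable.
# NOTE(review): o+x still lets every local account run it with the owner's
# privileges; restricting execute to one group (mode 4750) would be narrower.
chmod 4755 a.out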

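接下来就可以通过 a.out 来提权执行任何命令了。需要注意,能执行 a.out 的任何本地用户(不只是 PHP 进程)都同样可以借它以文件属主的权限执行命令;排查系统时可以用 find / -perm -4000 -type f 列出所有带 setuid 位的文件。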