[php]
<?php
echo exec("cd temp; ./php_root ");
//echo shell_exec("whoami");
phpinfo();
?>

[/php]

wrapper.c
[php]
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int
main (int argc, char *argv[])
{
setuid (0);

/* WARNING: Only use an absolute path to the script to execute,
* a malicious user might fool the binary and execute
* arbitary commands if not.
* */
//system("cp 1.png 3.png");
system ("./php_shell.sh");
//i=system ("ls ");
//printf("The value returned was: %d.\n",i);
return 0;
}

[/php]

[php]
#!/bin/sh

# sips -s format png 1.png –out 2.png
sudo rm -rf code
mkdir code
cd code
sudo yes | ls & (nsPID=$! ; sleep 10 ; kill -STOP $nsPID)
cd ..
cp 1.png 4.png

[/php]

並且執行以下指令　設定和編譯程式
[php]
sudo chown root php_shell.sh
sudo chmod u=rwx,go=xr php_shell.sh
sudo gcc wrapper.c -o php_root
sudo chown root php_root
sudo chmod u=rwx,go=xr,+s php_root
[/php]