{"id":8617,"date":"2016-03-05T19:28:07","date_gmt":"2016-03-06T00:28:07","guid":{"rendered":"httpss:\/\/www.powenko.com\/wordpress\/?p=8617"},"modified":"2016-03-05T19:28:07","modified_gmt":"2016-03-06T00:28:07","slug":"php-%e5%9f%b7%e8%a1%8csudo-%e6%ac%8a%e9%99%90%e7%9a%84shell-script","status":"publish","type":"post","link":"https:\/\/www.powenko.com\/wordpress\/?p=8617","title":{"rendered":"PHP \u57f7\u884csudo  \u6b0a\u9650\u7684shell script"},"content":{"rendered":"<pre class=\"brush: php; title: ; notranslate\" title=\"\">\r\n&lt;?php\r\necho exec(&quot;cd temp; .\/php_root &quot;);\r\n\/\/echo shell_exec(&quot;whoami&quot;);\r\nphpinfo();\r\n?&gt;\r\n\r\n\r\n<\/pre>\n<p>wrapper.c<\/p>\n<pre class=\"brush: php; title: ; notranslate\" title=\"\">\r\n#include &lt;stdlib.h&gt;\r\n#include &lt;sys\/types.h&gt;\r\n#include &lt;unistd.h&gt;\r\n\r\nint\r\nmain (int argc, char *argv&#x5B;])\r\n{\r\n     setuid (0);\r\n\r\n     \/* WARNING: Only use an absolute path to the script to execute,\r\n      *          a malicious user might fool the binary and execute\r\n      *          arbitary commands if not.\r\n      * *\/\r\n     \/\/system(&quot;cp 1.png 3.png&quot;);\r\n     system (&quot;.\/php_shell.sh&quot;);\r\n     \/\/i=system (&quot;ls &quot;);\r\n     \/\/printf(&quot;The value returned was: %d.\\n&quot;,i);\r\n     return 0;\r\n}\r\n\r\n<\/pre>\n<pre class=\"brush: php; title: ; notranslate\" title=\"\">\r\n#!\/bin\/sh\r\n\r\n# sips -s format png  1.png --out  2.png \r\nsudo rm -rf code\r\nmkdir code\r\ncd code\r\nsudo yes | ls  &amp; (nsPID=$! 
; sleep 10 ; kill -STOP $nsPID)\r\ncd ..\r\ncp 1.png 4.png\r\n\r\n\r\n<\/pre>\n<p>\u4e26\u4e14\u57f7\u884c\u4ee5\u4e0b\u6307\u4ee4\u3000\u8a2d\u5b9a\u548c\u7de8\u8b6f\u7a0b\u5f0f。注意：php_root 是 setuid root 的程式，而 wrapper.c 以相對路徑 .\/php_shell.sh 呼叫 system()，與該檔 WARNING 註解要求的絕對路徑不一致；部署前應改用絕對路徑，並確認 php_shell.sh 及其所在目錄只有 root 可寫入。<\/p>\n<pre class=\"brush: php; title: ; notranslate\" title=\"\">\r\nsudo chown root php_shell.sh\r\nsudo chmod u=rwx,go=xr php_shell.sh\r\nsudo gcc wrapper.c -o php_root\r\nsudo chown root php_root\r\nsudo chmod u=rwx,go=xr,+s php_root\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>&lt;?php echo exec(&quot;cd temp; .\/php_root &quot;); \/ [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[313],"tags":[],"class_list":["post-8617","post","type-post","status-publish","format-standard","hentry","category-cgi"],"_links":{"self":[{"href":"https:\/\/www.powenko.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/8617"}],"collection":[{"href":"https:\/\/www.powenko.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.powenko.com\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.powenko.com\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.powenko.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8617"}],"version-history":[{"count":1,"href":"https:\/\/www.powenko.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/8617\/revisions"}],"predecessor-version":[{"id":8618,"href":"https:\/\/www.powenko.com\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/8617\/revisions\/8618"}],"wp:attachment":[{"href":"https:\/\/www.powenko.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8617"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.powenko.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8617"},{"taxonomy":"post_tag","embedda
ble":true,"href":"https:\/\/www.powenko.com\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8617"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}