PHP提权

2016-09-21

PHP 运行环境本身有权限限制,有些命令即使关闭安全模式(safe_mode)也无法运行,下面通过一个设置了 setuid 位的 C 程序来实现提权:

/*
PHP提权
Mail : malu#malu.me
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

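/*
 * Set-uid helper: joins argv[1..] with single spaces into one command line
 * and runs it through system() after switching the effective UID to 0.
 *
 * Returns 0 when no command is given or once system() has been called,
 * and 1 when the command line does not fit the buffer or setreuid() fails.
 *
 * NOTE(review): the command is taken verbatim from the caller, so every
 * account that can execute this file runs arbitrary commands with UID 0.
 * A sudoers rule, or an exec*() call restricted to a fixed list of
 * programs, confines that; this wrapper does neither.
 */
int main(int argc, char **argv)
{
    char execname[10240];
    size_t used = 0;
    uid_t euid;
    int i;

    if (argc < 2) {
        return 0;
    }

    /*
     * Build the command line before changing UIDs. Each piece is appended
     * at the current offset with a bounded write: the earlier form passed
     * the buffer to sprintf() as both source and destination (undefined
     * behaviour) and could write past the end of the buffer.
     */
    for (i = 1; i < argc; i++) {
        size_t room = sizeof execname - used;
        int n = snprintf(execname + used, room, "%s%s",
                         i > 1 ? " " : "", argv[i]);

        if (n < 0 || (size_t)n >= room) {
            fprintf(stderr, "command line too long\n");
            return 1;
        }
        used += (size_t)n;
    }

    /*
     * Real UID := current effective UID, effective UID := 0. The call only
     * succeeds when the process is already privileged, e.g. when it was
     * started from a root-owned file carrying the set-uid bit.
     */
    euid = geteuid();
    if (setreuid(euid, 0) != 0) {
        perror("setreuid");
        return 1;
    }

    /*
     * NOTE(review): system() passes the string to the shell together with
     * the caller's environment, so shell metacharacters in the arguments
     * are interpreted with UID 0.
     */
    system(execname);
    return 0;
}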

把以上 C 代码编译,并给生成的 a.out 加上 setuid(s)权限位:

# Compile the helper; with no -o option gcc writes the binary to ./a.out.
gcc a.c
# Mode 4777 = set-uid bit plus read/write/execute for owner, group and others.
# NOTE(review): 0777 lets every local account run the set-uid binary and also
# leaves it world-writable; a narrower mode (for example 4750 with a dedicated
# group) limits who can invoke it.
chmod 4777 a.out

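接下来就可以通过 a.out 来提权执行任何命令了。需要注意,在 4777 权限下,任何能执行 a.out 的本地用户(包括运行 PHP 的 Web 服务账户)都能以 root 身份执行任意命令,因此实际环境中应收紧该文件的权限,或改用只允许特定命令的 sudoers 规则。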