Execute root command in PHP

In the study of C before the time of PHP, when the need to use PHP to run the root command, has been fruitless, until one day to search the super this plug-in.

With the study of c more days. Found that you can use the C language to wrap the external command to run. The experiment was successful.

You do not need any external tools to implement the root command in PHP.

Platform: Linux. Experimental command iptables The current directory is/var/www/html/http
When writing a program, use the root user

As we all know, iptables non-root cannot run.

First, write a C program.

Named as: ipt.c

The following is the program code

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main ()
{
uid_t uid, euid;

UID = Getuid ();
Euid = Geteuid ();

printf ("My uid:%u\n", Getuid ()); This shows that the current UID can be commented out.
printf ("My Euid:%u\n", Geteuid ()); This shows the current euid.
if (Setreuid (Euid, UID))//Exchange these two IDs
Perror ("Setreuid");
printf ("After Setreuid uid:%u\n", Getuid ());
printf ("Afer sertreuid euid:%u\n", Geteuid ());

System ("/sbin/iptables-l"); Execute iptables-l command
return 0;
}



Compile the file Gcc-o ipt-wall ipt.c

Generate IPT This executable file under this path.

If you use PHP Web page to call the IPT now, even if the setreuid is not the case.

The next thing to do is chmod u+s./ipt

LS a bit
-rwsr-xr-x 1 root root 5382 June 2 21:45 IPT

The S bit has been set up.

Then write a PHP page to call it.

The following is the program code
<?php
Echo ' <pre> ';

$last _line = System ('/var/www/html/http/ipt ', $retval);

Echo '
</pre>
&LT;HR/>return value: '. $retval;
?>


Browsing in the browser.


Chain INPUT (Policy ACCEPT)
Target Prot opt source destination

Chain FORWARD (Policy DROP)
Target Prot opt source destination
ACCEPT All--anywhere anywhere state related,established

Chain OUTPUT (Policy ACCEPT)
Target Prot opt source destination
My uid:48
My euid:0
After Setreuid uid:0
Afer sertreuid euid:48


--------------------------------------------------------------------------------
Last line of the Output:afer Sertreuid euid:48
--------------------------------------------------------------------------------
Return value:0


The command executed successfully.

As we all know: Apache has a UID of 48. The valid user ID and the actual user ID are interchanged after the call to Setreuid. (The chmod u+s must be in effect) so that the current UID of Apache is 0 so that you can execute the root command.