Execute root command in PHP

Source: Internet
Author: User
Tags chmod include printf iptables

In the study of C before the time of PHP, when the need to use PHP to run the root command, has been fruitless, until one day to search the super this plug-in.

With the study of c more days. Found that you can use the C language to wrap the external command to run. The experiment was successful.

You do not need any external tools to implement the root command in PHP.

Platform: Linux. Experimental command iptables The current directory is/var/www/html/http
When writing a program, use the root user

As we all know, iptables non-root cannot run.

First, write a C program.

Named as: ipt.c

The following is the program code

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main ()
{
uid_t uid, euid;

UID = Getuid ();
Euid = Geteuid ();

printf ("My uid:%u\n", Getuid ()); This shows that the current UID can be commented out.
printf ("My Euid:%u\n", Geteuid ()); This shows the current euid.
if (Setreuid (Euid, UID))//Exchange these two IDs
Perror ("Setreuid");
printf ("After Setreuid uid:%u\n", Getuid ());
printf ("Afer sertreuid euid:%u\n", Geteuid ());

System ("/sbin/iptables-l"); Execute iptables-l command
return 0;
}



Compile the file Gcc-o ipt-wall ipt.c

Generate IPT This executable file under this path.

If you use PHP Web page to call the IPT now, even if the setreuid is not the case.

The next thing to do is chmod u+s./ipt

LS a bit
-rwsr-xr-x 1 root root 5382 June 2 21:45 IPT

The S bit has been set up.

Then write a PHP page to call it.

The following is the program code
<?php
Echo ' <pre> ';

$last _line = System ('/var/www/html/http/ipt ', $retval);

Echo '
</pre>
&LT;HR/>return value: '. $retval;
?>


Browsing in the browser.


Chain INPUT (Policy ACCEPT)
Target Prot opt source destination

Chain FORWARD (Policy DROP)
Target Prot opt source destination
ACCEPT All--anywhere anywhere state related,established

Chain OUTPUT (Policy ACCEPT)
Target Prot opt source destination
My uid:48
My euid:0
After Setreuid uid:0
Afer sertreuid euid:48


--------------------------------------------------------------------------------
Last line of the Output:afer Sertreuid euid:48
--------------------------------------------------------------------------------
Return value:0


The command executed successfully.

As we all know: Apache has a UID of 48. The valid user ID and the actual user ID are interchanged after the call to Setreuid. (The chmod u+s must be in effect) so that the current UID of Apache is 0 so that you can execute the root command.




Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.