HEX
Server: LiteSpeed
System: Linux srv1.dhviews.com 5.14.0-570.23.1.el9_6.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Jun 24 11:27:16 EDT 2025 x86_64
User: bdedition (1723)
PHP: 7.4.33
Disabled: NONE
$ pwd: /opt/cpvendor/cpvendor/bin/
Upload Files
File: //opt/cpvendor/cpvendor/bin/cloudlinux-webuzo.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

int main(int argc, char *argv[], char **environ){
	
	int i = 0;
	char **cmd;
	char *aa[20];
	char *allowed_env[60];
	int iav = 0;
	char *env_list[] = {"soft_egid", "soft_euid", "REMOTE_USER", "SSH_AUTH_SOCK", "SERVER_ADDR", "LOCAL_ADDR", "SERVER_NAME", "HTTP_HOST", "REQUEST_SCHEME", "REQUEST_URI", "LOGNAME", "HTTP_ACCEPT_ENCODING", "HTTPS", "SSL", "SERVER_PORT", "REMOTE_ADDR", "PHP_AUTH_PW", "PHP_AUTH_USER", "USER", "USERNAME", "HOME", "SCRIPT_FILENAME", "REMOTE_PASSWORD", "SESSION_ID", "SESSION_KEY", "QUERY_STRING", "POST", "HTTP_X_FORWARDED_FOR", "HTTP_REFERER", "REQUEST_METHOD", "HTTP_USER_AGENT", "CONTENT_LENGTH", "DOCUMENT_ROOT", "PHP_SELF", "WEBUZO_TASKID", "WEBUZO_TASKUUID"};
	
	int num_env_list = sizeof(env_list) / sizeof(env_list[0]);
	//printf("%d", num_env_list);
	
	int ii = 1;
	char *ss = *environ;
	char *f = "=";
	
	for (; ss; ii++) {
		
		//printf("%s\n", ss);
		
		for(i = 0; i < num_env_list; i++){
			//printf("String = %s\n", env_list[i] );
			//printf("String = %s\n", getenv(env_list[i]) );
			
			// e.g. HOME == HOME=/home/soft and EQUAL SIGN in HOME=/home/soft == "=" then allow this var
			if(strncmp(env_list[i], ss, strlen(env_list[i])) == 0 && strncmp(ss+strlen(env_list[i]), f, 1) == 0){
				//printf("%d\n", strncmp(ss+strlen(env_list[i]), f, 1));break;
				//printf("%s\n", ss);
				allowed_env[iav] = ss;
				iav++;
				break;
			}
			
		}
		
		// Point to next value
		ss = *(environ+ii);
		
	}
	
	char soft_euid[20] = "soft_euid=";
	char euid[20];
	sprintf(euid, "%d", getuid());
	strcat(soft_euid, euid);
	allowed_env[iav] = &soft_euid[0];
	iav++;
	
	char soft_egid[20] = "soft_egid=";
	char egid[20];
	sprintf(egid, "%d", getgid());
	strcat(soft_egid, egid);
	allowed_env[iav] = &soft_egid[0];
	iav++;
	
	allowed_env[iav] = (char *)0;
	
	aa[0] = "/usr/local/emps/bin/php";
	aa[1] = "-d auto_prepend_file=none";
	aa[2] =	"-d auto_append_file=none";
	aa[3] = "-d disable_functions=\"\"";
	aa[4] = "/opt/cpvendor/bin/kickstart.php";
	int iaa = 5;
	
	for (i = 1; i < argc; i++) {
		aa[iaa] = argv[i];
		iaa++;
	}
	
	aa[iaa] = (char *)0;
	
	cmd = aa;
	
	setuid( 0 );
	
	setgid( 0 );
	
	return execve("/usr/local/emps/bin/php", cmd, allowed_env);
	
}
@ Telegram