2025-03-09 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how PHP-FPM can be used to bypass open_basedir. The content is simple and clear and easy to follow; read along with the editor's train of thought to learn how PHP-FPM is used to bypass open_basedir.
0X00 Installation modes
There are several common installation modes in PHP:
1. CGI mode
CGI (Common Gateway Interface) is a universal gateway interface: an HTTP server uses this interface to call external programs, and those programs can be written in any language, such as C, Perl, Visual Basic, Shell, and so on. Historically, Perl was the most widely used language for writing CGI programs.
When the server decides that a request is a CGI request, it calls the relevant CGI program and passes the request data to it through environment variables and standard input. The CGI program processes the data, generates HTML, and returns the content to the server through standard output. The server hands the content to the user's browser, and the CGI process exits.
The emergence of CGI turned the Web from static to dynamic. As the Web became more popular, many websites needed dynamic pages in order to interact with visitors, and the shortcomings of the CGI approach became more and more prominent: to generate a dynamic page, the system must start a new process to run the CGI program. CGI uses fork and exec, so each request is handled by a freshly started CGI program. Continuous forking is time- and resource-consuming, resulting in poor performance. This is where FastCGI comes in.
2. FastCGI mode
FastCGI was developed as an improvement on CGI. The main disadvantage of the traditional CGI interface is poor performance: every time the HTTP server encounters a dynamic program, it has to restart the script parser to perform the parsing and return the result to the HTTP server, which is almost unusable under highly concurrent access. In addition, the security of the traditional CGI interface is also very poor, so it is rarely used now. FastCGI (Fast Common Gateway Interface) is a memory-resident CGI; it is essentially process management for CGI programs. The FastCGI interface adopts a C/S (client/server) structure, which separates the HTTP server from the script parsing server and starts one or more script parsing daemons on the script parsing server. Every time the HTTP server encounters a dynamic program, it hands it directly to a FastCGI process for execution and then returns the result to the browser. This lets the HTTP server concentrate on static requests and on relaying the dynamic script server's results to the client, which greatly improves the performance of the whole application system.
For related FastCGI learning, you can run the "Fastcgi Security" experiment at the Hetian Network Security Lab. The experiment introduces FastCGI security; it is based on nginx+php+fastcgi and shows the mistakes that are easy to make when multiple FastCGI servers are load balanced.
3. Module mode
Module mode runs PHP as a submodule of Apache; the PHP module is loaded with LoadModule in the Apache configuration file, for example:
    // httpd.conf
    LoadModule php7_module "${INSTALL_DIR}/bin/php/php7.2.13/php7apache2_4.dll"
When the web server receives a request for a PHP file, Apache invokes the PHP module, and the module passes the data to the PHP parser through SAPI for parsing.
4. PHP-FPM mode
Finally, the protagonist of this article, PHP-FPM. FPM is a FastCGI protocol parser: server middleware such as Nginx packages the user's request according to the FastCGI rules and sends it to PHP-FPM, and PHP-FPM parses the packaged data and communicates over FastCGI. PHP-FPM (FastCGI Process Manager) implements the FastCGI protocol and manages its processes: it maintains a process pool and handles requests from web servers. There are two ways for Nginx and PHP-FPM to communicate, TCP mode and Unix domain socket mode. On Windows, only the TCP socket mode can be used.
TCP mode
In TCP mode, the PHP-FPM process listens on a local port (9000 by default). Nginx packages the user's request according to the FastCGI rules and sends it to php-fpm, and PHP-FPM calls CGI for parsing. TCP mode allows communication between processes across the network, or between local processes through the loopback interface.
Unix domain socket mode
A Unix socket, also known as an IPC (Inter-process Communication) socket, is used for inter-process communication on the same host. This mode requires filling in the location of PHP-FPM's socket file in the Nginx configuration file.
In P God's article "Fastcgi protocol analysis & PHP-FPM unauthorized access vulnerability & Exp", the principle has been explained in detail:
If the user visits
http://127.0.0.1/index.php?a=1&b=2
and the web directory is /var/www/html, Nginx turns the request into the following key-value pairs:
    {
        'GATEWAY_INTERFACE': 'FastCGI/1.0',
        'REQUEST_METHOD': 'GET',
        'SCRIPT_FILENAME': '/var/www/html/index.php',
        'SCRIPT_NAME': '/index.php',
        'QUERY_STRING': '?a=1&b=2',
        'REQUEST_URI': '/index.php?a=1&b=2',
        'DOCUMENT_ROOT': '/var/www/html',
        'SERVER_SOFTWARE': 'php/fcgiclient',
        'REMOTE_ADDR': '127.0.0.1',
        'REMOTE_PORT': '12345',
        'SERVER_ADDR': '127.0.0.1',
        'SERVER_PORT': '80',
        'SERVER_NAME': 'localhost',
        'SERVER_PROTOCOL': 'HTTP/1.1'
    }
This array is actually part of PHP's $_SERVER array, i.e. the environment variables in PHP. Its purpose is not only to populate $_SERVER but also to tell FPM which PHP file to execute. When PHP-FPM receives the packet, it parses it, extracts the environment variables, and executes the PHP file that SCRIPT_FILENAME points to, /var/www/html/index.php.
0X01 How to use
PHP-FPM listens on port 9000 by default. If this port is exposed to the public network, we can construct FastCGI protocol messages and communicate with FPM directly. At this point SCRIPT_FILENAME specifies which PHP file is executed, and a 404 is returned if the file does not exist. PHP-FPM has a configuration item, security.limit_extensions, that only allows files with certain suffixes (.php by default) to be executed:
    ; Limits the extensions of the main script FPM will allow to parse. This can
    ; prevent configuration mistakes on the web server side. You should only limit
    ; FPM to .php extensions to prevent malicious users to use other extensions to
    ; exectute php code.
    ; Note: set an empty value to allow all extensions.
    ; Default Value: .php
    security.limit_extensions = .php .php3 .php4 .php5 .php7
To avoid a 404, you first need to find an existing PHP file. If you do not know the absolute path of the web root or the names of the PHP files in it, a global search finds the default PHP files present in the environment:
    find / -name "*.php"
How can the restriction be broken to execute arbitrary PHP code once we have a webshell?
First of all, we control SCRIPT_FILENAME and can make fpm execute any file, but only a file that already exists on the target server, not the file we actually want it to execute. PHP, however, has many interesting features, such as these two configuration items in php.ini:
    auto_prepend_file // include the file specified in auto_prepend_file before executing the target file
    auto_append_file  // include the file specified in auto_append_file after executing the target file
If auto_prepend_file is set to php://input, it is equivalent to including the contents of the POST body before executing any PHP file. To use php://input, remote file inclusion (allow_url_include) must be turned on.
PHP-FPM parses two more environment variables:
    PHP_VALUE       // sets a PHP configuration item
    PHP_ADMIN_VALUE // can set most PHP configuration items, except disable_functions
Set auto_prepend_file = php://input and allow_url_include = On, then put the code to be executed in the body, and arbitrary code is executed:
    {
        'GATEWAY_INTERFACE': 'FastCGI/1.0',
        'REQUEST_METHOD': 'GET',
        'SCRIPT_FILENAME': '/var/www/html/index.php',
        'SCRIPT_NAME': '/index.php',
        'QUERY_STRING': '?a=1&b=2',
        'REQUEST_URI': '/index.php?a=1&b=2',
        'DOCUMENT_ROOT': '/var/www/html',
        'SERVER_SOFTWARE': 'php/fcgiclient',
        'REMOTE_ADDR': '127.0.0.1',
        'REMOTE_PORT': '12345',
        'SERVER_ADDR': '127.0.0.1',
        'SERVER_PORT': '80',
        'SERVER_NAME': 'localhost',
        'SERVER_PROTOCOL': 'HTTP/1.1',
        'PHP_VALUE': 'auto_prepend_file = php://input',
        'PHP_ADMIN_VALUE': 'allow_url_include = On'
    }
The above is only the normal process of attacking PHP-FPM. If the environment also has a disable_functions restriction, attacking FPM with a malicious FastCGI message containing PHP_VALUE=disable_functions= only modifies the EG(ini_directives) entries that phpinfo displays, that is, a superficial modification; it has no effect on functions that have already been disabled.
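From the defender's side, the two things worth recognising on the wire are the SCRIPT_FILENAME a client asks FPM to run and any PHP_VALUE / PHP_ADMIN_VALUE parameters that rewrite php.ini directives such as auto_prepend_file, allow_url_include or open_basedir. The following added example (my code, not from the article or from P God's script) parses a FastCGI record stream as described in the key-value pair section above, decodes the FCGI_PARAMS name-value pairs, and reports overridden directives and scripts outside security.limit_extensions. The byte string is a constructed sample of such a request, hand-encoded from the FastCGI record format; the directive list and the finding strings are my own choices.

```python
import struct

FCGI_BEGIN_REQUEST = 1
FCGI_PARAMS = 4
FCGI_STDIN = 5

# php.ini directives whose override via PHP_VALUE / PHP_ADMIN_VALUE is
# characteristic of abuse of an exposed FPM listener (my selection).
WATCHED_DIRECTIVES = (
    "auto_prepend_file", "auto_append_file", "allow_url_include",
    "open_basedir", "disable_functions",
)


def _read_nv_length(buf, pos):
    """FastCGI name/value lengths: 1 byte if < 128, else 4 bytes with high bit set."""
    first = buf[pos]
    if first & 0x80 == 0:
        return first, pos + 1
    return struct.unpack(">I", buf[pos:pos + 4])[0] & 0x7FFFFFFF, pos + 4


def parse_params(payload):
    """Decode the concatenated name-value pairs carried in FCGI_PARAMS records."""
    params, pos = {}, 0
    while pos < len(payload):
        nlen, pos = _read_nv_length(payload, pos)
        vlen, pos = _read_nv_length(payload, pos)
        if pos + nlen + vlen > len(payload):
            raise ValueError("truncated name-value pair")
        name = payload[pos:pos + nlen].decode("latin-1")
        pos += nlen
        params[name] = payload[pos:pos + vlen].decode("latin-1")
        pos += vlen
    return params


def parse_records(stream):
    """Yield (type, request_id, payload) for each 8-byte-header FastCGI record."""
    pos = 0
    while pos + 8 <= len(stream):
        version, rtype, req_id, clen, plen, _ = struct.unpack(">BBHHBB", stream[pos:pos + 8])
        if version != 1:
            raise ValueError("unsupported FastCGI version %d" % version)
        pos += 8
        payload = stream[pos:pos + clen]
        if len(payload) != clen:
            raise ValueError("truncated record")
        pos += clen + plen  # skip content and padding
        yield rtype, req_id, payload


def audit_request(stream, limit_extensions=(".php",)):
    """Return (params, findings) for one FastCGI request captured on the FPM socket."""
    params = {}
    for rtype, _, payload in parse_records(stream):
        if rtype == FCGI_PARAMS and payload:  # an empty PARAMS record ends the list
            params.update(parse_params(payload))
    findings = []
    for key in ("PHP_VALUE", "PHP_ADMIN_VALUE"):
        # directives may be stacked with a newline, as in 'auto_prepend_file = ...\nopen_basedir = /'
        for line in params.get(key, "").splitlines():
            directive = line.split("=", 1)[0].strip()
            if directive in WATCHED_DIRECTIVES:
                findings.append("%s overrides %s" % (key, directive))
    script = params.get("SCRIPT_FILENAME", "")
    if script and not script.endswith(tuple(limit_extensions)):
        findings.append("SCRIPT_FILENAME %s is outside security.limit_extensions" % script)
    return params, findings


# Constructed sample: BEGIN_REQUEST (role RESPONDER), one PARAMS record of 138
# bytes carrying three pairs, then the empty PARAMS record that terminates them.
SAMPLE_REQUEST = (
    b"\x01\x01\x00\x01\x00\x08\x00\x00" + b"\x00\x01\x00\x00\x00\x00\x00\x00"
    + b"\x01\x04\x00\x01\x00\x8a\x00\x00"
    + b"\x0f\x17SCRIPT_FILENAME/var/www/html/index.php"
    + b"\x09\x30PHP_VALUEauto_prepend_file = php://input\nopen_basedir = /"
    + b"\x0f\x16PHP_ADMIN_VALUEallow_url_include = On"
    + b"\x01\x04\x00\x01\x00\x00\x00\x00"
)

if __name__ == "__main__":
    decoded, alerts = audit_request(SAMPLE_REQUEST)
    print(decoded)
    for alert in alerts:
        print("ALERT:", alert)
```

Running it on the sample prints the three decoded parameters and three alerts (auto_prepend_file and open_basedir from PHP_VALUE, allow_url_include from PHP_ADMIN_VALUE). Nginx never sets PHP_VALUE or PHP_ADMIN_VALUE unless a fastcgi_param line in the site config does so, so on a normal deployment any occurrence of these keys on the FPM socket deserves a look; the same parser can be fed from a pcap of port 9000 once the TCP payload has been reassembled.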
0X02 Instance analysis
Take the easyphp challenge from SUCTF2019 as an example. After obtaining a webshell, it turns out that disable_functions is in place; here open_basedir can be bypassed by communicating with php-fpm.
To get the flag, php_value is used to reset the value of open_basedir:
    'PHP_VALUE': 'auto_prepend_file = php://input' + chr(0x0A) + 'open_basedir = /'
The official environment is very problematic. There is no upload directory, so you need to add it yourself. After getting in, reproducing it directly with the official exp did not succeed; going into docker, I found that php-fpm had not started at all, emmmm.
Start a php-fpm directly on Ubuntu 16.04:
    sudo apt update
    sudo apt install -y nginx
    sudo apt install -y software-properties-common
    sudo add-apt-repository -y ppa:ondrej/php
    sudo apt update
    sudo apt install -y php7.3-fpm
Modify the nginx site file:
    sudo vim /etc/nginx/sites-enabled/default
Enable Unix socket mode:
    sudo vim /etc/php/7.3/fpm/pool.d/www.conf
Configure php-fpm listening by changing the listen parameter to 127.0.0.1.
Restart php-fpm and nginx:
    /etc/init.d/php7.3-fpm restart
    service nginx restart
Modify the corresponding open_basedir.
Use php-fpm communication to modify open_basedir, using P God's script.
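The lab setup above turns on the two pool settings that decide whether FPM is reachable at all: the listen address in www.conf and security.limit_extensions. The following added example (my code, not part of the article) reads a php-fpm pool file and reports a listener bound on all interfaces, a TCP listener without listen.allowed_clients, and an empty security.limit_extensions. The two pool files are constructed samples; listen, listen.allowed_clients, listen.owner, listen.group, listen.mode and security.limit_extensions are real php-fpm pool directives, while the finding strings are my own.

```python
def parse_pool_config(text):
    """Parse the 'key = value' lines of a php-fpm pool file; ';' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings


def audit_pool_config(text):
    """Return (settings, findings) for one pool file such as pool.d/www.conf."""
    settings = parse_pool_config(text)
    findings = []
    listen = settings.get("listen", "")
    host, _, port = listen.rpartition(":")
    if port.isdigit():
        # A bare port, 0.0.0.0 or [::] means the FastCGI listener is reachable
        # from every interface, exactly the exposure the article relies on.
        if host in ("", "0.0.0.0", "[::]"):
            findings.append("listen = %s: TCP listener bound on all interfaces" % listen)
        # With a TCP listener, only listen.allowed_clients limits who may speak FastCGI.
        if "listen.allowed_clients" not in settings:
            findings.append("listen.allowed_clients not set for TCP listener")
    # Empty value means FPM will run any SCRIPT_FILENAME, whatever the suffix.
    if settings.get("security.limit_extensions", ".php") == "":
        findings.append("security.limit_extensions is empty: any file may be executed")
    return settings, findings


# Constructed sample: a pool file with the weak settings.
WEAK_POOL = """[www]
listen = 9000          ; bare port: all interfaces
security.limit_extensions =
"""

# Constructed sample: a Unix socket restricted to the web server user, as in the
# lab setup above, with the default extension limit kept.
HARDENED_POOL = """[www]
listen = /run/php/php7.3-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
security.limit_extensions = .php
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_POOL), ("hardened", HARDENED_POOL)):
        _, alerts = audit_pool_config(text)
        print(name, alerts or ["no findings"])
```

A loopback listener (listen = 127.0.0.1:9000) still produces the listen.allowed_clients finding, which is deliberate: any local process, including a webshell, can reach a loopback FastCGI port, so the Unix socket with owner and mode set is the tighter choice.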
Finally, bypass open_basedir successfully.
Thank you for reading; the above is the content of "how to use PHP-FPM to bypass open_basedir". After studying this article, you should have a deeper understanding of how PHP-FPM can be used to bypass open_basedir; the specific use still needs to be verified in practice. The editor will publish more related articles; welcome to follow!