Shulou(Shulou.com)06/01 Report--

This article shows you how to disable the execution of Shell code in PHP, the content is concise and easy to understand, it will definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.

I. description of the problem

Unable to execute system command during Getshell

2. Direct utilization process

Transfer the bypass_disablefunc.php and bypass_disablefunc_x64.so shared files to the target server and specify three parameters to construct the URL.

Http://site.com/bypass_disablefunc.php?cmd= command execution input & outpath=outpath&sopath=sopath

One is the cmd parameter, the system command to be executed.

The second is the outpath parameter, which saves the file path of the output result of the command execution (such as / tmp/xx), which is easy to display on the page. In addition, you should pay attention to whether web has read and write permissions, whether web can be accessed across directories, and that files will be overwritten and deleted.

The third is the sopath parameter, which specifies the absolute path of the shared object of the hijacked system function (such as / var/www/bypass_disablefunc_x64.so) (specified when uploading). In addition, for this parameter, you should pay attention to whether web can access it across directories.

Premise:

Understand the system information, if the system is not debian, x64 of the same type of linux system, it needs to be recompiled

Bypass_disablefunc_x64.so is the shared object that executes the command

Use the command gcc-shared-fPIC bypass_disablefunc.c-o bypass_disablefunc_x64.so

Compile the bypass_disablefunc.c. If the target is x86 architecture, you need to add the-M32 option to recompile, bypass_disablefunc_x86.so.

Guarantee: whether the outpath file path web has read and write permissions, whether web can be accessed across directories, and whether files will be overwritten and deleted.

III. Description of the code execution process

1. Write the malicious shell instruction as cmd > / tmp/xx 2 > & 1 in order to read the return message and error message.

2. Pass malicious shell instructions to the shared file to wait for execution by writing a new environment variable EVIL_CMDLINE (the system does not exist, project generation).

3. Make the prepared shared file code load first by writing the LD_PRELOAD environment variable

4. Trigger the loading of shared files through the mail function

Shared file content work: through the _ _ attribute__ ((_ _ constructor__)) modifier function, the shared file will be executed once it is loaded, regardless of whether the trigger load function (mail used here) is successful or not, and whether the third-party plug-in exists or not.

5. When the shared file is loaded, the system function modified by _ _ attribute__ ((_ _ constructor__)) will be executed before the third-party plug-in function that triggers the loading. Before executing the system function system (cmdline), use extern char** environ to break the second load of the shared file (otherwise the second loaded constructor loads the shared file a third time before executing the system function system (cmdline), round trip, thus reaching an infinite loop).

6. The binary file of the command is successfully executed in the memory of the system, and the results or error messages of the execution are recorded in the / tmp/xx file.

7, through the nl2br (file_get_contents ($out_path)) sentence branches are displayed on the web page, and finally delete the file through unlink, waiting for the next write, display.

Code preview

Bypass_disablefunc.php file-passing malicious shell commands, setting the highest level of loading, displaying command execution

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.