from: http://blog.gosecure.ca/2016/04/27/binary-webshell-through-opcache-in-php-7/
When PHP 7.0 was released, many PHP developers paid close attention to its performance improvements. With the introduction of OPcache, PHP performance improved greatly, and many developers began to use OPcache as an accelerator for their PHP applications. Along with the better performance, however, OPcache also brings new security risks. What follows is a technical post published on the GoSecure blog about executing PHP code through OPcache in PHP 7.0.
This article introduces a new attack on PHP 7 that exploits the OPcache engine enabled by default. With this attack vector, an attacker can bypass the restriction that "the web directory is not writable" and still execute code of their own choosing.
OPcache is the caching engine built into PHP 7.0. It compiles PHP script files into bytecode and keeps that bytecode in memory.
The OPcache cache file format is described here.
OPcache can also keep its cache files on the file system. This is configured in php.ini by specifying a cache directory.
In that directory OPcache stores the compiled PHP scripts, mirroring the directory structure of the web root. For example, the compiled cache of /var/www/index.php is stored at /tmp/opcache/[system_id]/var/www/index.php.bin.
system_id is an MD5 hash computed over the current PHP version, the Zend extension version number, and the size of each data type. On the latest Ubuntu (16.04), where system_id is computed from the Zend and PHP version numbers, its value is 81d80d78c6ef96b89afaadc7ffc5d7ea. This hash is most likely intended to keep binary cache files compatible across multiple installed versions. The directory is created when OPcache writes its first cache file. Later in this article we will see that every OPcache cache file stores the system_id in its file header. Interestingly, the user running the web service has write permission on the OPcache cache directory (for example /tmp/opcache/) and on all the subdirectories and files inside it:
$ ls /tmp/opcache/
drwx------ 4 www-data www-data 4096 Apr 26 09:16 81d80d78c6ef96b89afaadc7ffc5d7ea
As shown above, the www-data user has write permission on the OPcache cache directory. Therefore an existing cache file in that directory can be replaced with the cache file of an already compiled webshell, which achieves execution of malicious code.
To use OPcache for code execution, we first need to find the OPcache cache directory (for example /tmp/opcache/[system_id]) and the web directory (for example /var/www/). Assume the target site already has a file that calls phpinfo(). From that file we can obtain the OPcache cache directory, the web directory, and the several field values needed to compute system_id. I wrote a script that computes the system_id from phpinfo() output.
Note also that the target site must have a file upload vulnerability. Assume the opcache options in php.ini are configured as follows:
opcache.validate_timestamps=0 ; PHP 7 default is 1
opcache.file_cache_only=1     ; PHP 7 default is 0
opcache.file_cache=/tmp/opcache
In this case we can use the upload vulnerability to upload files to the web directory, but find that the web directory grants no read or write permission. Then /tmp/opcache/[system_id]/var/www/index.php.bin can be replaced with the binary cache file of a webshell, and the webshell runs.
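As an added example that is not part of the original post, the following Python audit parses the php.ini fragment quoted above, reports the two non-default settings that make a replaced .bin file the code that actually runs, and flags a cache directory the web-server user can write to (as in the ls output above). The ini text, the web-server uid and the directory modes used for checking are constructed values.

```python
import os
import stat

# PHP 7 defaults as stated in the post; opcache.file_cache has no default directory.
DEFAULTS = {
    "opcache.validate_timestamps": "1",
    "opcache.file_cache_only": "0",
    "opcache.file_cache": "",
}

# Constructed php.ini fragment matching the weak configuration quoted in the post.
WEAK_INI = """
opcache.validate_timestamps=0 ; PHP 7 default is 1
opcache.file_cache_only=1     ; PHP 7 default is 0
opcache.file_cache=/tmp/opcache
"""

def parse_opcache_settings(ini_text):
    """Return the three opcache keys from php.ini text, falling back to defaults."""
    settings = dict(DEFAULTS)
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ini comments
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key in settings:
            settings[key] = value.strip().strip('"')
    return settings

def audit_settings(settings):
    """List the settings that turn an overwritten .bin file into the code PHP executes."""
    findings = []
    if not settings["opcache.file_cache"]:
        return findings  # no on-disk cache, so there is no .bin file to overwrite
    if settings["opcache.file_cache_only"] == "1":
        findings.append("file_cache_only=1: scripts are served from the on-disk cache only")
    if settings["opcache.validate_timestamps"] == "0":
        findings.append("validate_timestamps=0: cached bytecode is never re-checked against the .php source")
    return findings

def audit_dir_mode(owner_uid, mode, web_uid):
    """Flag a cache directory that the web-server user (e.g. www-data) can write to."""
    problems = []
    if owner_uid == web_uid and mode & stat.S_IWUSR:
        problems.append("owned and writable by the web-server user")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems

def audit_cache_dir(path, web_uid):
    """Stat a real directory (e.g. /tmp/opcache/[system_id]) and audit its mode."""
    st = os.stat(path)
    return audit_dir_mode(st.st_uid, stat.S_IMODE(st.st_mode), web_uid)
```

A cache directory that the web-server user cannot write to removes the overwrite the post relies on, even when the weak settings are kept.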
In php.ini, set opcache.file_cache to the cache directory you want to use.
Run the PHP built-in server (php -S 127.0.0.1:8080), then send a request to index.php (wget 127.0.0.1:8080) to trigger the cache engine to write the file cache.
Open index.php.bin in the cache directory you configured; this file is the compiled binary cache of the webshell.
Change the system_id in the header of index.php.bin to the target site's system_id. The system_id value sits right after the signature in the file header.
Use the upload vulnerability to upload the modified index.php.bin to /tmp/opcache/[system_id]/var/www/index.php.bin, overwriting the original index.php.bin.
Visit index.php again, and our webshell runs.