
Repository Details

antsword bypass PHP disable_functions

AntSword Bypass disable_function

Bypass disable_functions to execute system commands, and get around security mechanisms such as open_basedir

Sample php.ini:

disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,exec,shell_exec,popen,proc_open,passthru,symlink,link,syslog,imap_open,ld,mail,system

open_basedir=.:/proc/:/tmp/

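Installation

Install from the plugin store

Open the AntSword plugin center, select "绕过disable_functions" (Bypass disable_functions), and click Install.

Manual installation

1. Get the source code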

$ git clone https://github.com/Medicean/as_bypass_php_disable_functions.git

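or

Click here to download the source code, then extract it.

2. Copy the source code into the plugin directory

Copy the plugin directory into antSword/antData/plugins/ to complete the installation.

Demo screenshot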

bypass_disable_funcs_main.png

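How to use

Approach to bypassing open_basedir (AntSword plugin demo)

Test environment

See AntSword-Labs/bypass_disable_functions

Support matrix:

| Mode | Bypass method | Linux | Windows |
|---|---|---|---|
| LD_PRELOAD | Start a new web server | Yes | No |
| Fastcgi/PHP_FPM | Start a new web server | Yes | Yes (IIS PIPE not supported) |
| Apache_mod_cgi | Redirect output to a file | Yes | No (TODO) |
| JSON_Serializer_UAF | stdout | Yes | No (TODO) |
| PHP7_GC_UAF | stdout | Yes | No (TODO) |
| PHP7_Backtrace_UAF | stdout | Yes | No (TODO) |
| PHP74_FFI | Redirect output to a file | Yes | Yes |
| iconv | Start a new web server | Yes | No (TODO) |
| PHP7_ReflectionProperty_UAF | stdout | Yes | No (TODO) |
| PHP7_UserFilter | stdout | Yes | Yes |
| PHP_Concat_UAF | stdout | Yes | No |

  • LD_PRELOAD

    Uses the LD_PRELOAD environment variable to load a .so file. LD_PRELOAD exists only on Linux.

  • PHP-FPM/FCGI

    For use when PHP-FPM/FCGI is listening on a Unix socket or a TCP socket. A common example: nginx + fpm

    IIS + FPM communicates over a pipe, so this mode does not apply.

Related links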
