HackTricks

Important note:

dl is a PHP function that can be used to load PHP extensions. It the function isn't disabled it could be abused to bypass disable_functions and execute arbitrary commands.
However, it has some strict limitations:

• The dl function must be present in the environment and not disabled
• The PHP Extension must be compiled with the same major version (PHP API version) that the server is using (you can see this information in the output of phpinfo)
• The PHP extension must be located in the directory that is defined by the extension_dir directive (you can see it in the output of phpinfo). It's very unprobeable that an attacker trying to abuse the server will have write access over this directory, so this requirement probably will prevent you to abuse this technique).

If you meet these requirements, continue reading the post https://antichat.com/threads/70763/ to learn how to bypass disable_functions. Here is a summary:

The dl function is used to load PHP extensions dynamically during script execution. PHP extensions, typically written in C/C++, enhance PHP's functionality. The attacker, upon noticing the dl function is not disabled, decides to create a custom PHP extension to execute system commands.

Steps Taken by the Attacker:

1. PHP Version Identification:

   • The attacker determines the PHP version using a script (<?php echo 'PHP Version is '.PHP_VERSION; ?>).

2. PHP Source Acquisition:

   • Downloads the PHP source from the official PHP website or the archive if the version is older.

3. Local PHP Setup:

   • Extracts and installs the specific PHP version on their system.

4. Extension Creation:

   • Studies creating PHP extensions and inspects the PHP source code.
   • Focuses on duplicating the functionality of the exec function located at ext/standard/exec.c.

Notes for Compiling the Custom Extension:

1. ZEND_MODULE_API_NO:

   • The ZEND_MODULE_API_NO in bypass.c must match the current Zend Extension Build, retrievable with:

     php -i | grep "Zend Extension Build" |awk -F"API4" '{print $2}' | awk -F"," '{print $1}'
     

2. PHP_FUNCTION Modification:

   • For recent PHP versions (5, 7, 8), PHP_FUNCTION(bypass_exec) may need adjustment. The provided code snippet details this modification.

Custom Extension Files:

• bypass.c:
  • Implements the core functionality of the custom extension.
• php_bypass.h:
  • Header file, defining extension properties.
• config.m4:
  • Used by phpize to configure the build environment for the custom extension.

Building the Extension:

1. Compilation Commands:

   • Uses phpize, ./configure, and make to compile the extension.
   • Resulting bypass.so is then located in the modules subdirectory.

2. Cleanup:

   • Runs make clean and phpize --clean after compilation.

Uploading and Executing on the Victim Host:

1. Version Compatibility:

   • Ensures PHP API versions match between the attacker's and victim's systems.

2. Extension Loading:

   • Utilizes the dl function, circumventing restrictions by using relative paths or a script to automate the process.

3. Script Execution:

   • The attacker uploads bypass.so and a PHP script to the victim's server.
   • The script uses dl_local function to dynamically load bypass.so and then calls bypass_exec with a command passed via the cmd query parameter.

Command Execution:

• The attacker can now execute commands by accessing: http://www.example.com/script.php?cmd=<command>

This detailed walkthrough outlines the process of creating and deploying a PHP extension to execute system commands, exploiting the dl function, which should ideally be disabled to prevent such security breaches.