mm0r1/exploits

Wrong information

hahaSec opened this issue · 8 comments

Hello
My version of PHP is PHP Version 7.1.27

disable_functions:passthru,exec,system,chroot,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,stream_socket_server,fsocket,popen

I uploaded exploit.php to the website, but execution fails with the following message:

Couldn't parse ELF

Can you solve it, please?

mm0r1 commented

This looks like it could be caused by the php binary/library being compiled without RELRO. I have pushed a commit that addresses this issue, please pull the code and try again.

> This looks like it could be caused by the php binary/library being compiled without RELRO. I have pushed a commit that addresses this issue, please pull the code and try again.

I tested it on the real target webshell and got the following error:
[screenshots]
I tested it in a local Windows PHP environment and got the following errors:
[screenshots]

> This looks like it could be caused by the php binary/library being compiled without RELRO. I have pushed a commit that addresses this issue, please pull the code and try again.

Can you tell me what environment you tested in?

> This looks like it could be caused by the php binary/library being compiled without RELRO. I have pushed a commit that addresses this issue, please pull the code and try again.

The code from this article was tested in a local Windows PHP environment, as follows:
https://bugs.php.net/bug.php?id=77843

[screenshot]

mm0r1 commented

Even though it's possible to exploit this vulnerability on Windows, this PoC is for Linux x64 only, I should have clarified that.

The exploit was tested on various PHP 7.1-7.3 builds for Ubuntu and CentOS with the fpm/cli/apache2 server APIs. As stated in the README, it's not guaranteed to work everywhere. I can, however, try to debug the problem if you can provide the binary that's causing issues.

Alternatively, you can try incrementing the $n_alloc variable.

h1pwn commented

php 7.2.21
Couldn't get basic_functions address

base:
4194304
elf
Array
(
    [0] => 11988256
    [1] => 5693068
    [2] => 242184
)

Any ideas?

mm0r1 commented

Looks like the ELF parsing stage gives wrong results. Can you provide the php binary that's having issues with this PoC?
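Both failure reports in this thread ("Couldn't parse ELF" and a bogus basic_functions address after the ELF stage) come down to what the PoC's ELF parsing step finds in the php binary: the ELF type, the load base, and whether a PT_GNU_RELRO segment is present. The script below is an added example, not code from the mm0r1/exploits repository, that performs those same checks from the filesystem so you can inspect a troublesome binary before running the PoC. The h1pwn output above reports base 4194304, which is 0x400000, the conventional load address of a non-PIE (ET_EXEC) x86-64 executable; a PIE php-fpm/cli binary instead reports a base of 0 on disk. The ELF header and program header layouts are from the ELF64 specification; the sample binary built by build_sample_elf() is constructed inline for the example (header plus program headers only, not loadable) so the script runs offline.

```python
import struct
import sys

# ELF64 constants (ELF specification)
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_EXEC = 2          # non-PIE executable, usually loaded at 0x400000
ET_DYN = 3           # PIE executable or shared object, loaded at a random base
EM_X86_64 = 0x3E
PT_LOAD = 1
PT_GNU_RELRO = 0x6474E552

# struct layouts: e_ident (16 bytes) followed by the fixed header fields
EHDR_FMT = "<4sBBBBB7xHHIQQQIHHHHHH"
EHDR_SIZE = struct.calcsize(EHDR_FMT)   # 64
PHDR_FMT = "<IIQQQQQQ"
PHDR_SIZE = struct.calcsize(PHDR_FMT)   # 56


def parse_elf(data):
    """Parse an ELF64 little-endian image and return the facts a Linux x64
    disable_functions PoC depends on: file type, lowest PT_LOAD vaddr (base)
    and whether a PT_GNU_RELRO segment exists.  Raises ValueError with a
    'Couldn't parse ELF' message on anything the parser cannot handle."""
    if len(data) < EHDR_SIZE or data[:4] != ELF_MAGIC:
        raise ValueError("Couldn't parse ELF: bad magic or truncated header")
    (_magic, ei_class, ei_data, _ei_ver, _osabi, _abiver,
     e_type, e_machine, _e_ver, _e_entry, e_phoff, _e_shoff, _e_flags,
     _e_ehsize, e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx
     ) = struct.unpack_from(EHDR_FMT, data, 0)
    if ei_class != ELFCLASS64 or ei_data != ELFDATA2LSB:
        raise ValueError("Couldn't parse ELF: not a little-endian ELF64 image")
    if e_phentsize != PHDR_SIZE:
        raise ValueError("Couldn't parse ELF: unexpected e_phentsize %d" % e_phentsize)

    phdrs = []
    for i in range(e_phnum):
        off = e_phoff + i * PHDR_SIZE
        if off + PHDR_SIZE > len(data):
            raise ValueError("Couldn't parse ELF: program header table truncated")
        p_type, p_flags, p_offset, p_vaddr, _paddr, p_filesz, p_memsz, _align = \
            struct.unpack_from(PHDR_FMT, data, off)
        phdrs.append({"type": p_type, "flags": p_flags, "offset": p_offset,
                      "vaddr": p_vaddr, "filesz": p_filesz, "memsz": p_memsz})

    loads = [p for p in phdrs if p["type"] == PT_LOAD]
    if not loads:
        raise ValueError("Couldn't parse ELF: no PT_LOAD segment")
    relro = [p for p in phdrs if p["type"] == PT_GNU_RELRO]
    return {
        "type": e_type,
        "pie": e_type == ET_DYN,
        "x86_64": e_machine == EM_X86_64,
        "base": min(p["vaddr"] for p in loads),
        "has_relro": bool(relro),
        "relro_range": (relro[0]["vaddr"], relro[0]["vaddr"] + relro[0]["memsz"]) if relro else None,
        "phnum": e_phnum,
    }


def build_sample_elf(e_type=ET_EXEC, with_relro=True, base=0x400000):
    """Constructed sample (not a real binary): an ELF64 header followed only
    by program headers, enough to exercise parse_elf() offline."""
    phdrs = [(PT_LOAD, 5, 0, base, base, 0x1000, 0x1000, 0x1000)]
    if with_relro:
        # a typical RELRO segment: read-only after relocation, page-aligned end
        r = base + 0x200D00
        phdrs.append((PT_GNU_RELRO, 4, 0xD00, r, r, 0x300, 0x300, 1))
    ehdr = struct.pack(EHDR_FMT, ELF_MAGIC, ELFCLASS64, ELFDATA2LSB, 1, 0, 0,
                       e_type, EM_X86_64, 1, base + 0x1000, EHDR_SIZE, 0, 0,
                       EHDR_SIZE, PHDR_SIZE, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)


def describe(data):
    """Human-readable summary in the spirit of the PoC's debug output."""
    info = parse_elf(data)
    kind = "PIE (ET_DYN)" if info["pie"] else "non-PIE (ET_EXEC)" if info["type"] == ET_EXEC else "type %d" % info["type"]
    relro = "RELRO %#x-%#x" % info["relro_range"] if info["has_relro"] else "NO RELRO (PoC may need the RELRO-less code path)"
    return "%s, x86-64=%s, base=%#x (%d), %s" % (kind, info["x86_64"], info["base"], info["base"], relro)


if __name__ == "__main__":
    # usage: python elfcheck.py /usr/bin/php7.2   (or no argument for the constructed sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    print(describe(blob))
```

Run it against the exact php binary (or php-fpm, or libphp7.so for apache2) the webshell runs under; a "Couldn't parse ELF" here on a real file means the image is not a 64-bit little-endian ELF at all (Windows PHP, 32-bit PHP), which matches the point that the PoC is Linux x64 only.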

mm0r1 commented

Fixed in b160b06.