Bypass Disable Functions
Practice bypassing disabled dangerous features that run operating system commands or start processes.
info
60 min
18,291
To access material, start machines and answer questions login.
What is a file upload vulnerability?
This vulnerability occurs in web applications where there is the possibility of uploading a file without being checked by a security system that curbs potential dangers.
It allows an attacker to upload files with code (scripts such as ., .aspx and more) and run them on the same server, more information in this room.
Why this room?
Among the typically applied measures is disabling dangerous functions that could execute operating system commands or start processes. Functions such as system() or shell_exec() are often disabled through directives defined in the .ini configuration file. Other functions, perhaps less known as dl() (which allows you to load a extension dynamically), can go unnoticed by the system administrator and not be disabled. The usual thing in an intrusion test is to list which functions are enabled in case any have been forgotten.
One of the easiest techniques to implement and not very widespread is to abuse the mail() and putenv() functionalities. This technique is not new, it was already reported to in 2008 (opens in new tab) by gat3way, but it still works to this day. Through the putenv() function, we can modify the environment variables, allowing us to assign the value we want to the variable LD_PRELOAD. Roughly LD_PRELOAD will allow us to pre-load a .so library before the of the libraries, so that if a program uses a function of a library (libc.so for example), it will execute the one in our library instead of the one it should. In this way, we can hijack or "hook" functions, modifying their behaviour at will.
Chankro (opens in new tab): tool to evade disable_functions and open_basedir
Through Chankro, we generate a script that will act as a dropper, creating on the server a .so library and the binary (a , for example) or bash script (reverse shell, for example) that we want to execute freely, and that will later call putenv() and mail() to launch the process.
Install tool:
clone https://github.com/TarlogicSecurity/Chankro.
Chankro
python2 chankro.py --help
python chankro.py --arch 64 --input c.sh --output tryhackme.php --path /var/www/html--arch = Architecture of system victim 32 o 64.
--input = file with your payload to execute
--output = Name of the file you are going to create; this is the file you will need to upload.
--path = It is necessary to specify the absolute path where our uploaded file is located. For example, if our file is located in the uploads folder DOCUMENTROOT + uploads.
Now, when executing the script in the web server, the necessary files will be created to execute our payload.
My command run successfully, and I created a file in the directory with the output of the command.
Credits.
All credit goes to Tarlogic (opens in new tab) for the script and explaining the method of the bypass.
Answer the questions below
Read the above.
Icon made by Pixel perfect (opens in new tab) from www.flaticon.com (opens in new tab)
Answer the questions below
Compromise the machine and locate the flag.txt
Ready to learn Cyber Security?
TryHackMe provides free online cyber security training to secure jobs & upskill through a fun, interactive learning environment.
Already have an account? Log in