Yet another disable_functions bypass. Nothing really new, just another way of doing the same thing. Tested in PHP 7.4/8.2 on x86_64 linux.
You'll need to run yadf on the same arch as the target (or compile the shared object for the target's arch).
- Edit the rev.sh file, or create yours
- Generate the malicious PHP file with:
./yadf.py --input rev.sh --output malicious.php- Upload the malicious.php file
- pwn
yadf uses a lockfile to determine if the shell has already been spawned, so that the webserver does not try to spawn a new one, preventing an unintentional DoS on the webserver. Without this, the webserver will be executing our shared object everytime and thus trying to spawn the reverse shell, leading to an infinite loop causing the unavailability of the webserver.
The malicious PHP file generated starts by removing the lockfile and setting the LD_PRELOAD with our shared object file compiled earlier. It uses the /dev/shm directory to store the files, which is a "secure" and "no traces" directory.
That said, the target must not have blacklisted the putenv() function, since we need to update the LD_PRELOAD variable to be able to bypass the disable_function properly. In a cenario where the php.ini does not have the putenv() function in disable_functions option, yadf will work as expected; otherwise, it will not.
- Test on different archs
- Test on different PHP versions
- Test on different distros
- Implement Windows support
Bypass_Disable_functions_Shell
Boitatech