tw4ld6 posted on 2024-11-3 09:35:39

Security Code Audit: PHP


    <h1 style="color: black; text-align: left; margin-bottom: 10px;">Preface:</h1>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">About this article: the CMS version audited is 4.2. All of the vulnerabilities below have been accepted by CNVD.</p>
    <h1 style="color: black; text-align: left; margin-bottom: 10px;">Environment:</h1>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">PHP 7.0.9 is sufficient.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/b4accbed7e6b4d088fc516fe9d72a405~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=RP%2F8nMtV%2FjCxLbFkCHuGIchupL4%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <h1 style="color: black; text-align: left; margin-bottom: 10px;">SSRF:</h1>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Auditing by feature: the admin toolbar has a content-collection (采集) function, and experience says this kind of feature usually has an SSRF.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/97193d204ca34a90a094ef0544c4ec78~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=%2BMpbfCPl5PZhKDjs5%2BejS2aYSEc%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/aa5a47b0d76a4a3cbfd1a3a11ec617be~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=hIu2lQeM7LcLQ71pOGyV0qvtkFA%3D" style="width: 50%; margin-bottom: 20px;"></div>

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Use python3 to start a simple HTTP server locally.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/9abbacdd042e44f894cff4678f08da32~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=Bo6la7kFaTdxRZ0KjA6CxRDwS%2Bk%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Click Next and, sure enough, there is an SSRF.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/a3587b75f67949cea3d8e6f840b2c613~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=Mnj8TEOIzB93jScVeMPvDESUaaI%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Now for the vulnerability analysis. From the request captured with Burp Suite it is easy to locate the relevant code.</p>

    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/1545e1b4f2c344c885e1d1401fc2a535~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=b00wZP3ZwrDxmFiExnCICnd3x3g%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">In the file upload/plugins/sys/admin/Collect.php#Collect-&gt;add, the POST parameter cjurl is passed, without any sanitisation, into the $this-&gt;caiji-&gt;str method.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/a18106f30e994a03858c08462bd5349b~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=ZupE6k8eGzv6mRVXnyeAz8yenOU%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">So we follow into the $this-&gt;caiji-&gt;str method, but PhpStorm cannot find where it is defined.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/349a035c130b4b74a9343d924cd0b25c~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=67PVsDOsfYtZ36rDG%2BrhIBE0SCI%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Workaround: press Shift twice to search for it directly.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/ca27c4dcb8654f659610aece4dc7b0a7~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=x6gjgRzDSylDom6ClLOJqvKoonM%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Inside the str method, the url parameter is passed on to the htmlall method; keep following it.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/c59e44e3580d4f57aea3ecc4fbf9ad24~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=Zv0Hi2CtMs996F21%2BgUe%2B17j%2F2s%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The htmlall method uses curl to request the url.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/2e3dbcd85af246ba8b25d20861b9dbda~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=35uYdKuriUOIeh0DrAgpP1ga2do%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Essentially every place that calls $this-&gt;caiji-&gt;str has an SSRF vulnerability.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/f72c772c0c094417b60246820612e7bc~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=k%2Fij8Zde7xYBHd5uH63sK1ISNG4%3D" style="width: 50%; margin-bottom: 20px;"></div>
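    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">As an added example (not CSCMS code), this is the kind of allow-before-fetch check that would have to sit in front of the curl call in htmlall before it requests a user-supplied URL. The function name ssrf_safe_url() and the pluggable resolver are assumptions of this example.</p>

```php
<?php
// Added example, not CSCMS code: an allow-before-fetch check for a curl-based
// fetcher such as the htmlall() routine the writeup traces. The function name
// ssrf_safe_url() and the injectable $resolver are this example's assumptions.
// Written to run on PHP 7.0, the version the writeup uses.

// True only for http(s) URLs without embedded credentials whose every resolved
// address is public. The caller should also restrict CURLOPT_PROTOCOLS to
// http/https, disable CURLOPT_FOLLOWLOCATION (or re-run this check per hop) and
// pin the request to the checked IP with CURLOPT_RESOLVE; otherwise a redirect
// or a DNS rebind between check and fetch undoes the check.
function ssrf_safe_url($url, callable $resolver = null)
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;                       // rejects file://, gopher://, dict:// ...
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return false;                       // user:pass@host is a classic obfuscation
    }
    if ($resolver === null) {
        $resolver = function ($host) {      // default: system DNS, A records only
            if (filter_var($host, FILTER_VALIDATE_IP)) {
                return [$host];
            }
            $ips = gethostbynamel($host);
            return $ips === false ? [] : $ips;
        };
    }
    $ips = $resolver(trim($p['host'], '[]'));
    if ($ips === []) {
        return false;
    }
    foreach ($ips as $ip) {
        // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
        // NO_RES_RANGE : 0/8, 127/8, 169.254/16, 240/4, ::1, ::, ::ffff:0:0/96, fe80::/10
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;                   // one internal answer is enough to refuse
        }
    }
    return true;
}

// Constructed lookups stand in for DNS so the demo runs offline.
$fake_dns = function ($host) {
    $table = ['cms.example'    => ['203.0.113.10'],
              'rebind.example' => ['203.0.113.10', '127.0.0.1']];
    if (isset($table[$host])) { return $table[$host]; }
    return filter_var($host, FILTER_VALIDATE_IP) ? [$host] : [];
};
foreach (['http://cms.example/feed', 'http://127.0.0.1:8000/',
          'http://rebind.example/', 'file:///etc/passwd'] as $u) {
    echo $u, ' => ', ssrf_safe_url($u, $fake_dns) ? 'allowed' : 'blocked', "\n";
}
```

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The second URL is the local python3 HTTP server used in the reproduction above; with this check in place the collector would refuse it before curl is ever invoked.</p>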
    <h1 style="color: black; text-align: left; margin-bottom: 10px;">File overwrite leading to GETSHELL:</h1>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">This vulnerability was found by tracing parameters backwards from a sensitive function.</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">upload/cscms/app/helpers/common_helper.php#write_file uses a sensitive file-write function; it lives in the same file as the htmlall method from the SSRF.</p>

    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/374d5b57f9f6401592b5ceecca050e20~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=mAQU3R%2BNeb8z%2FrKtziIv8Im%2FxX0%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Use Ctrl+Shift+F to find every caller of write_file. upload/plugins/sys/admin/Plugins.php#Plugins-&gt;_route_file calls write_file, and the values of $note['name'] and $note['url'] are concatenated as strings into the file content. That content is a comment, so a newline can be used to break out of it.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/b4e2daf8a82f48dd883408770df03e2e~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=plxdStSS1WQcOY3iYI4nd1ne5VU%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Next, find the callers of _route_file and track whether the value of $note is controllable. The function is called in many places; in the end one exploitable spot was found. upload/plugins/sys/admin/Plugins.php#Plugins-&gt;setting_save calls _route_file. Because that function is fairly long, I split it across two screenshots and folded the unimportant parts. The lines underlined in red must be set in order to reach _route_file, and at the position marked blue 3 the value of $note is read in. With the analysis at this point, reproduction can begin.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/fe75cdfcda4c4c04b7f8763f5c9672de~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=sNbcd1s7998rKKSZH4QOulqTa2Q%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Capture the request with Burp Suite.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/81168990a49b420d973bd1ec11bff8b5~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=zbG5F2sVEhgtDZvkZi8JU9zbsQE%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Modify the request to write the prepared code; note that I used %0a (a newline) to break out of the comment.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p26-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/21f51ca4c8b84f839d184156039be79b~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=28HVq6c9MSq3qazlJPEhka2qn%2Bk%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">In upload/cscms/config/dance/rewrite.php you can see that the content was written successfully.</p>

    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/4e315ddd5d424d519f0de32121424fe3~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=T%2BTp0aKx7C7JuZEKWS6Rh7Hw0II%3D" style="width: 50%; margin-bottom: 20px;"></div>
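    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">As an added example (not CSCMS code), the comment-splicing pattern described above is shown beside a hardened generator and a tokenizer check that a write_file caller could run before writing the file. The function names and the exact file layout are assumptions of this example.</p>

```php
<?php
// Added example, not CSCMS code. It mirrors the pattern the writeup found in
// Plugins->_route_file: user-controlled $note['name'] / $note['url'] are spliced
// into a generated PHP file as a comment. All function names are this example's own.
// Vulnerable shape: a "\n" inside a value ends the comment line, so whatever
// follows in that value is parsed as PHP when rewrite.php is later included.
function build_route_file_unsafe(array $note, array $rules)
{
    return "<?php\n"
        . "// name: " . $note['name'] . "\n"
        . "// url:  " . $note['url'] . "\n"
        . '$route = ' . var_export($rules, true) . ";\n";
}

// Hardened shape: comment text loses line breaks, NULs and the "*/" terminator,
// and data that must survive is emitted as a PHP literal via var_export().
function comment_safe($s)
{
    $s = str_replace(["\r", "\n", "\0"], ' ', (string) $s);
    return str_replace('*/', '* /', $s);
}

function build_route_file_safe(array $note, array $rules)
{
    return "<?php\n"
        . "/* name: " . comment_safe($note['name']) . " */\n"
        . "/* url:  " . comment_safe($note['url']) . " */\n"
        . '$route = ' . var_export($rules, true) . ";\n";
}

// Guard to run before write_file(): tokenize the generated source and accept it
// only if every token is one that "comments + one array literal of strings and
// ints" can produce. Identifiers (T_STRING), eval, include, backticks and
// interpolated strings all fall outside the list and are refused.
function route_file_is_clean($php)
{
    $ok_tokens = [T_OPEN_TAG, T_WHITESPACE, T_COMMENT, T_VARIABLE, T_ARRAY,
                  T_CONSTANT_ENCAPSED_STRING, T_LNUMBER, T_DOUBLE_ARROW];
    $ok_chars  = ['=', '(', ')', ',', ';'];
    foreach (token_get_all($php) as $tok) {
        $bad = is_array($tok) ? !in_array($tok[0], $ok_tokens, true)
                              : !in_array($tok, $ok_chars, true);
        if ($bad) {
            return false;
        }
    }
    return true;
}

// Constructed input shaped like the %0a bypass from the writeup; the text after
// the newline is deliberately inert.
$note  = ['name' => "demo\ninjected_after_newline", 'url' => 'music'];
$rules = ['music' => 'index.php/music'];
echo 'unsafe: ', route_file_is_clean(build_route_file_unsafe($note, $rules)) ? 'clean' : 'REJECTED', "\n";
echo 'safe:   ', route_file_is_clean(build_route_file_safe($note, $rules)) ? 'clean' : 'REJECTED', "\n";
```

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The unsafe output is refused because the text after the newline tokenizes as an identifier outside any comment, while the hardened output contains only comment, whitespace and array-literal tokens.</p>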
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Next, find where rewrite.php is included. I could not be bothered to read the code for this, so I clicked through the pages and, after some persistence, finally found it on the music page of the member centre; you therefore need to register a member account.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/4f14322c6118455aa5f4725e5405a175~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=J83D7drWah9qtTIg7QHLkl2AhYw%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Replay the request captured with Burp Suite, and the content is output successfully.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/88499c8a73274a729c04a0894364ee9f~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=iAfvlhzlTjuwTQ36UxeWAZroHdY%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">That was not quite the end of it: when I tried to write malicious content, I found it was being escaped.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/df333285ed374440b498980c970ed806~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=Y3WD1nEKyUX6dDH2cnP11KGbq14%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/3da8d4dae0e142cca5ef11babe0e2be4~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=q7BvwajR4u0PvAmBOVsuqnPuokI%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">I tried eval, shell_exec and others; all of them were escaped, but assert was not. Given the issues with assert in PHP 7 and later, I still needed a better approach. Rather than read the escaping code, I relied on PHP's dynamic features and achieved RCE in the following way.</p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/dc954861b5264f0398c758c5cd5977ac~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=Tdnb6puwW%2FySQmI%2B%2BTsnoGmnUZI%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/ce50219f848a4c0dbdd84e9e52b154d1~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729838924&amp;x-signature=C%2FFSuT%2BrJyHiwTCHYVQHA03kZoY%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <h1 style="color: black; text-align: left; margin-bottom: 10px;">Summary:</h1>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">This audit used two of the general code-audit approaches: first, targeted auditing by feature; second, tracing parameters backwards from sensitive functions. The one not used was reading the whole code base end to end. Making good use of PhpStorm greatly improves the efficiency of a code audit.</p>



