Vulnerability audit

The source is in src/extend/extcore/ImageCrop.php. In the crop method we find a call to getimagesize, a function that can trigger phar deserialization. The CMS is a secondary development on top of the ThinkPHP 5.1 framework, which has the deserialization chain everyone is familiar with, so all we need is to control the $imgData variable.

$imgData = $this->getImgData($img);

Is it controllable? Let's follow it in.

private function getImgData($img){
    // remote image: fetched directly when the string contains http:// or https://
    if(strripos($img, 'http://') !== FALSE OR strripos($img, 'https://') !== FALSE){
        $data = file_get_contents($img);
    }else{
        // local image: resolved relative to the web root
        $file = DOC_ROOT.'/'.$img;
        if(is_file($file)){
            $data = file_get_contents($file);
        }else{
            return false;
        }
    }
    return $data;
}

As you can see, off-site images are only fetched when the argument contains http:// or https://; anything else is treated as a local file under DOC_ROOT.
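As an added example (not the CMS's own code), here is a hardened replacement for getImgData together with a helper that validates the fetched bytes without handing a user-influenced path to getimagesize(), which is the phar trigger described at the top of this post. It assumes the DOC_ROOT constant from the original snippet and that the CMS does not itself need the phar:// wrapper at runtime.

```php
<?php
// Added example, not the CMS's own code: hardened replacement for getImgData.
// DOC_ROOT is assumed to be the web-root constant used by the original snippet.
if (!defined('DOC_ROOT')) {
    define('DOC_ROOT', __DIR__);
}

// Defence in depth: with the phar:// wrapper unregistered, file functions such as
// getimagesize(), is_file() and file_get_contents() can no longer deserialize the
// metadata of a phar archive, even one uploaded with a .jpg extension.
// (Assumption: nothing in the application legitimately opens phar:// paths.)
stream_wrapper_unregister('phar');

function getImgDataSafe(string $img)
{
    $parts = parse_url($img);
    if ($parts === false || strpos($img, "\0") !== false) {
        return false;
    }
    if (isset($parts['scheme'])) {
        // Remote image: the scheme must *be* http/https, not merely appear
        // somewhere in the string as the original strripos() check allowed.
        if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
            return false;           // rejects phar://, file://, data:, ...
        }
        return @file_get_contents($img);
    }
    // Local image: confine the resolved path to DOC_ROOT so '../' cannot escape it.
    $root = realpath(DOC_ROOT);
    $real = realpath(DOC_ROOT . '/' . $img);
    if ($root === false || $real === false
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return false;
    }
    return is_file($real) ? file_get_contents($real) : false;
}

// Validate the bytes themselves instead of calling getimagesize() on a path.
// getimagesizefromstring() parses the buffer directly and never opens a stream,
// so no wrapper is consulted and no phar metadata can be unserialized.
function imageInfoFromData(string $data)
{
    $info = @getimagesizefromstring($data);
    $allowed = [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF];
    if ($info === false || !in_array($info[2], $allowed, true)) {
        return false;
    }
    return $info;   // [width, height, type, ...] for an accepted image
}
```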

Let's do a global search for the crop method and see where it gets called.

In src/application/task/controller/UtilController.php, the cropimage method calls a crop_image function; let's track it.

function crop_image($file, $options){
    // echo $file;
    $imageCrop=new \extcore\ImageCrop($file, $options);
    return $imageCrop->crop();
}

Notice that the crop method we looked at above is called here.

The caller does $paths=explode('.',$img); and then requires $paths to have exactly 3 elements. getImgData only fetches remote paths that contain http://, whereas phar deserialization needs a path starting with phar://. So we put the path of our phar file on the VPS directly.

Because $paths must have exactly 3 elements, the dots in the VPS IP address have to go, so we use the hexadecimal IP bypass; this means the method only works on Linux. Here is a script I wrote earlier to convert an IP to hexadecimal.

<?php
$ip = '127.0.0.1';
$ip = explode('.', $ip);
// pack the four octets into one 32-bit integer
$r = ($ip[0] << 24) | ($ip[1] << 16) | ($ip[2] << 8) | $ip[3];
if ($r < 0) {
    $r += 4294967296; // correct for signed overflow on 32-bit builds
}
echo "decimal :";     echo $r;
echo "octal :";       echo decoct($r);
echo "hexadecimal :"; echo dechex($r);
?>

We paste our own VPS address into $ip, noting that the resulting hexadecimal value must be prefixed with 0x.

Then, in cacheImage:

$response = crop_image($paths[0].'.'.$paths[2], $args);

$paths[2] is the part we want to control. Since explode must split the URL into exactly 3 parts, we can use a form like http://vps-ip/1.1.txt; then $paths[0].'.'.$paths[2] becomes http://vps-ip/1.txt.

We also place test.phar on the VPS. The CMS back end can upload JPG files, and phar deserialization succeeds even when the archive carries a .jpg extension; here I simply put it in the root directory for convenience.

For debugging, we add echo $img; at this point.

Now let's access the cacheImage route.

As you can see, our $img has become 1.txt, and getimagesize has received the contents we placed in 1.txt.

If we pass our command in cmd, we can see that the vulnerability has been exploited successfully.

Related experiment for this article: code audit of an arbitrary file upload vulnerability 01 (through this section, understand the principle of file upload vulnerabilities, and use code auditing to master their causes, upload bypass methods and fixes).

Conclusion

The vulnerability has been submitted to the CNVD platform. Because of the hexadecimal IP bypass, it can only be exploited on Linux, so the CMS should be tested in Docker. Phar deserialization vulnerabilities are easier to find in small CMSes: since the back end can usually upload JPG files, there are many functions that can trigger phar.