Vulnerability audit
The source is in /src/extend/extcore/ImageCrop.php. The crop method there calls getimagesize(), a function that can trigger phar deserialization. The CMS is a secondary development on top of the ThinkPHP 5.1 framework, which has the deserialization chain everyone is familiar with, so all we need is control over the $imgData variable.
$imgData comes from $this->getImgData($img), so it is controllable. Let's follow it in:
private function getImgData($img){
    if(strripos($img,'http://')!==FALSE OR strripos($img,'https://')!==FALSE){
        // remote reference: fetched directly from the URL
        $data=file_get_contents($img);
    }else{
        // local reference: resolved relative to the web root
        $file=DOC_ROOT.'/'.$img;
        if(is_file($file)){
            $data=file_get_contents($file);
        }else{
            return false;
        }
    }
    return $data;
}
As you can see, off-site images are only fetched when the argument contains http:// or https://; anything else is treated as a path under DOC_ROOT.
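As an added example (this is not the CMS's own code), here is a hardened replacement for getImgData() together with the image check that crop() should perform. It assumes $docRoot stands in for DOC_ROOT and that the uploads/ directory holds the images. Three controls matter: an allowlist on the URL scheme, so phar:// and every other stream wrapper are refused no matter how the rest of the reference is written; confinement of local references under the web root via realpath(); and validating the fetched bytes with getimagesizefromstring() rather than handing a string that arrived over the network to getimagesize() as if it were a path.

```php
<?php
// Added example, not the CMS's own code: hardened getImgData()/crop() logic.
// Assumes $docRoot plays the role of DOC_ROOT and images live under uploads/.
declare(strict_types=1);

const ALLOWED_SCHEMES = ['http', 'https'];

// Returns a safe reference to fetch (http(s) URL or absolute local path),
// or null when the reference must not reach any file function at all.
function isAllowedImageRef(string $img, string $docRoot): ?string
{
    $scheme = parse_url($img, PHP_URL_SCHEME);
    if (is_string($scheme)) {
        // phar://, php://, ftp://, data: ... are all rejected here, before
        // file_get_contents() ever sees the string.
        if (!in_array(strtolower($scheme), ALLOWED_SCHEMES, true)) {
            return null;
        }
        $host = parse_url($img, PHP_URL_HOST);
        return (is_string($host) && $host !== '') ? $img : null;
    }
    // Local reference: resolve '..' and symlinks, then require it to stay
    // under the web root.
    $base = realpath($docRoot);
    $path = realpath($docRoot . DIRECTORY_SEPARATOR . $img);
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Fetches the bytes and validates them as an image from the bytes themselves,
// so a fetched body is never reinterpreted as a file path.
function loadImageBytes(string $img, string $docRoot): ?string
{
    $ref = isAllowedImageRef($img, $docRoot);
    if ($ref === null) {
        return null;
    }
    $ctx  = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    $data = @file_get_contents($ref, false, $ctx);
    if ($data === false || $data === '') {
        return null;
    }
    // A body such as "phar://..." is simply not an image and is rejected.
    return @getimagesizefromstring($data) === false ? null : $data;
}

// Self-check with a constructed web root: a 1x1 GIF and a text file whose
// body is a phar reference (the shape of 1.txt from the write-up).
$root = sys_get_temp_dir() . '/imgcrop_demo_' . getmypid();
mkdir($root . '/uploads', 0700, true);
file_put_contents($root . '/uploads/a.gif',
    base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));
file_put_contents($root . '/uploads/1.txt', 'phar://uploads/a.gif');

$cases = [
    'uploads/a.gif',              // legitimate local image   -> allow, image=yes
    'uploads/1.txt',              // text body                -> allow, image=no
    'phar://uploads/a.gif',       // stream wrapper           -> deny
    '../../etc/passwd',           // traversal                -> deny
    'http://0x7f000001/1.1.txt',  // hex host passes the scheme layer only;
                                  // not fetched here (no network in the demo)
];
foreach ($cases as $c) {
    $ref   = isAllowedImageRef($c, $root);
    $local = $ref !== null && strncmp($ref, 'http', 4) !== 0;
    $image = $local && loadImageBytes($c, $root) !== null;
    printf("%-28s ref=%-5s image=%s\n", $c, $ref === null ? 'deny' : 'allow', $image ? 'yes' : 'no');
}

unlink($root . '/uploads/a.gif');
unlink($root . '/uploads/1.txt');
rmdir($root . '/uploads');
rmdir($root);
```

Note that the hexadecimal host is deliberately not what this layer decides on: the scheme allowlist and the byte-level image check are what stop the phar path, whether the host is written as 127.0.0.1 or 0x7f000001. If the application must also prevent fetching from internal addresses, resolve the host and check the resulting address separately.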
Let's search the code base for calls to the crop method and see where it is invoked.
In src/application/task/controller/UtilController.php, the cropimage action contains a crop_image function; we follow it:
function crop_image($file, $options){
// echo $file;
$imageCrop=new \extcore\ImageCrop($file, $options);
return $imageCrop->crop();
}
Notice that the crop method we looked at above is called here.
$paths=explode('.',$img);
This is followed by a check that $paths has exactly 3 elements. getImgData requires an http:// or https:// reference, but phar deserialization needs a reference that starts with phar://. So we place the path to our phar file on the VPS directly.
Because the dot count must be exactly 3, we use the hexadecimal IP bypass, which is why this method only works on Linux. Here is a script I wrote earlier to convert an IP address to hexadecimal:
<?php
$ip = '127.0.0.1';
$ip = explode('.', $ip);
// pack the four octets into one 32-bit integer
$r = ($ip[0] << 24) | ($ip[1] << 16) | ($ip[2] << 8) | $ip[3];
if ($r < 0) {
    // correct for signed overflow on 32-bit builds
    $r += 4294967296;
}
echo "decimal :";
echo $r;
echo "octal :";
echo decoct($r);
echo "hexadecimal :";
echo dechex($r);
?>
Put your own VPS address in $ip; note that the resulting hexadecimal value must be prefixed with 0x when used as a host.
Then, in cacheImage:
$response = crop_image($paths[0].'.'.$paths[2], $args);
$paths[2] is the part we want to control. Since explode must split the URL into exactly 3 parts, we can build a reference of the form http://vps-ip/1.1.txt, so that $paths[0].'.'.$paths[2] becomes http://vps-ip/1.txt.
We also place the path to test.phar on the VPS. The CMS backend allows JPG uploads, and phar deserialization works even when the archive is renamed to .jpg; for convenience I put it directly in the web root.
We add an echo of $img for debugging and then request the cacheImage route.
As you can see, $img has become 1.txt, and getimagesize has received the contents we placed in 1.txt.
Passing our command through CMD shows that the vulnerability has been exploited successfully.
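From the detection side, the request trace above has two recognisable features: an image reference carrying a PHP stream wrapper, and a host written as a dotless numeric value. The following is an added example (not from the original post) that flags such requests in web-server access logs. The route path, the img parameter name and the log lines are all constructed assumptions for the demo, not values taken from the CMS.

```php
<?php
// Added example, not from the original post: flag cacheImage requests whose
// image reference carries a stream wrapper or a dotless numeric host.
// Assumptions: IMAGE_ROUTE and IMAGE_PARAM are placeholders; the log lines
// are constructed samples in Apache combined format.
declare(strict_types=1);

const IMAGE_ROUTE = '/task/util/cacheimage';   // assumed route
const IMAGE_PARAM = 'img';                      // assumed parameter name

// Returns the reasons a line is suspicious (empty array when it is not).
function flagImageRequest(string $line): array
{
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return [];
    }
    $target = $m[1];
    $path   = parse_url($target, PHP_URL_PATH);
    if (!is_string($path) || stripos($path, IMAGE_ROUTE) !== 0) {
        return [];
    }
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];
    }
    parse_str($query, $params);   // also percent-decodes the values
    $img = $params[IMAGE_PARAM] ?? '';
    if (!is_string($img) || $img === '') {
        return [];
    }

    $reasons = [];
    // Any PHP wrapper at the start of the reference: phar://, php://, data: ...
    if (preg_match('#^(?:phar|php|data|file|ftp|glob|zip|compress\.[a-z]+):#i', $img)) {
        $reasons[] = 'stream wrapper';
    }
    // Hosts written without dots defeat dot-counting checks such as explode('.')
    $host = parse_url($img, PHP_URL_HOST);
    if (is_string($host) && $host !== '') {
        if (preg_match('/^0x[0-9a-f]+$/i', $host)) {
            $reasons[] = 'hex-encoded host';
        } elseif (ctype_digit($host)) {
            $reasons[] = 'decimal/octal host';
        }
    }
    return $reasons;
}

// Constructed sample lines (documentation IP ranges, invented timestamps).
$logLines = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /task/util/cacheimage?img=uploads%2Fphoto.jpg HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:55:41 +0000] "GET /task/util/cacheimage?img=http%3A%2F%2F0x7f000001%2F1.1.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /task/util/cacheimage?img=phar%3A%2F%2Fuploads%2Favatar.jpg HTTP/1.1" 500 0 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:10 +0000] "GET /index.php?s=/index HTTP/1.1" 200 1024 "-" "curl/8.0"',
];

foreach ($logLines as $line) {
    $r = flagImageRequest($line);
    echo ($r ? 'ALERT ' . implode(', ', $r) : 'ok   ') . '  ' . substr($line, 0, 95) . "\n";
}
```

Expect the first and last lines to print as ok, the second to be flagged as hex-encoded host, and the third as stream wrapper. Pairing this with the application-side fix is the point: the log rule catches attempts, the scheme allowlist and byte-level image validation make them fail.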
Conclusion
The vulnerability has been reported to the CNVD platform. Because it depends on the hexadecimal IP bypass, it can only be exploited successfully on Linux, so the CMS can be tested in Docker. Phar deserialization is relatively easy to find in small CMSes: since the backend usually allows JPG uploads, many functions can trigger phar.