fny5jt9 发表于 2024-11-3 11:58:42

一次代码审计实战案例「思路流程」


    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/10d4f5678d5843679517406ad97026b7~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=uuay8ECUjbWLwrOMuFzpABihHus%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <h1 style="color: black; text-align: left; margin-bottom: 10px;">前言:</h1>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">利用这个 CMS <span style="color: black;">瞧瞧</span>能<span style="color: black;">不可</span>挖到漏洞,运气还是不错地挖到了两个,分别是 SSRF 与文件覆盖 GETSHELL,下面给<span style="color: black;">大众</span>讲解一下这次审计的思路过程。该 CMS 版本是 4.2。以下漏洞均被 CNVD 收录。</span></p>
    <h1 style="color: black; text-align: left; margin-bottom: 10px;">环境说明:</h1>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">PHP版本用 7.0.9 就好了。</span></p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/e93f248a3178428c9c025e2335d36b0e~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=3I66tntIfNxUzstpU3iIgryNcTw%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <h1 style="color: black; text-align: left; margin-bottom: 10px;">SSRF:</h1>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">按照</span>功能点定向审计,在后台的工具栏有一个采集功能,<span style="color: black;">按照</span>经验这种功能<span style="color: black;">通常</span>存在 SSRF。</span></p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/3ceff708779c48199d547b34399da151~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=mD7r%2FLyGUhxNUqwK%2BfTva%2BS19d4%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/12ee971de2934982b6b97d00a071b094~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=R11ke%2BXXMIe0%2B3vI9T5F3HPszkM%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">运用</span> python3 在本地开启简易的 http 服务。</span></p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/ba434fc8ad3f4c028fafbb1a28867ecd~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=QGuSxAARbc2PsG4ZX%2Bcj3vfm290%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">点击下一步,果不其然的存在 SSRF。</span></p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/68ccacf08907408b807d26994508a45c~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=EjEuY0ic3tgfF7R0paX2nP2sZws%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">进行漏洞分析。</span></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;"><span style="color: black;">【→所有资源关注我,私信回复“资料”获取←】</span></span></strong></p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1、网络安全学习路线</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2、电子书籍(白帽子)</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3、安全大厂内部视频</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">4、100份src文档</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">5、<span style="color: black;">平常</span>安全面试题</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">6、ctf大赛经典题目解析</p>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">7、全套工具包</p>8、应急响应笔记

    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">按照</span> burpsuite 抓到的请求包很容易定位到代码的位置。</span></p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/0ed18ef3650944ce828f713f3c6ba1ac~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=55dd4JMlUcW5HISg9Lz8UvPazaw%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">该文件 </p>upload/plugins/sys/admin/Collect.php#Collect-&gt;add,POST 的参数cjurl 未做安全处理被传入到 $this-&gt;caiji-&gt;str <span style="color: black;">办法</span>。
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/252fc0ef60ef473580826a3e43671caa~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=vzXvjKAPmooWUBd7YgWFdCE4g%2Bs%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">那样</span><span style="color: black;">咱们</span>跟进到 $this-&gt;caiji-&gt;str <span style="color: black;">办法</span>,<span style="color: black;">然则</span> phpstorm 找不到定义该<span style="color: black;">办法</span>的位置。</span></p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/0426723d83a6443da7fbf156b42ed5af~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=oZ1yJDw47yYfBxSa6bkq6KrfnWI%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">处理</span>办法,<span style="color: black;">咱们</span><span style="color: black;">能够</span>连续按两下 Shift 键直接寻找。</span></p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/504aff8ee5d147f198d129768b22e775~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=5a8%2FKKixIvsC3LLTJrHXw%2F%2FrElI%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">跟进到 str <span style="color: black;">办法</span>后,<span style="color: black;">发掘</span> url 参数被传入 htmlall <span style="color: black;">办法</span>,继续跟进该<span style="color: black;">办法</span>。</span></p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/476716c68bca418fa319333968f8714c~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=v6Jl2QMLhVNzQaZfcf%2FzrnK8JEk%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">能够</span>看到 htmlall 方法<span style="color: black;">运用</span>了 curl 请求 url。</span></p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/70075d5946254f8eb0a4397088728f16~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=seqLUjED5Qgw6Ntlj9P8Kd%2BoE6Q%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">基本上有调用 $this-&gt;caiji-&gt;str <span style="color: black;">办法</span>的<span style="color: black;">地区</span>都存在 SSRF 漏洞。</span></p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/1ae49a7f974445b18e92a10089904691~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=gZqYRXSVeAZ5M5MS4uPYffdopNM%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <h1 style="color: black; text-align: left; margin-bottom: 10px;">文件覆盖<span style="color: black;">引起</span> GETSHELL:</h1>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">经过</span><span style="color: black;">敏锐</span>函数回溯参数过程的方式找到该漏洞。</p><span style="color: black;">
      <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">在 </p>upload/cscms/app/helpers/common_helper.php#write_file <span style="color: black;">运用</span>了文件写入的<span style="color: black;">敏锐</span>函数,跟 SSRF 的 htmlall 是同一个文件。
    </span>

    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/582ede178617487a8f26e1bb79cc446a~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=46FuVRYt4nkCK0vjXbCC9rii%2BLI%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">运用</span> Ctrl+Shift+F <span style="color: black;">查询</span><span style="color: black;">那些</span>位置调用了 write_file,在 </p>upload/plugins/sys/admin/Plugins.php#Plugins-&gt;_route_file 调用了 write_file函数,并且 $note[$key] 和 $note[$key] 的值是以字符串方式拼接到文件内容的,该内容是注释,<span style="color: black;">咱们</span><span style="color: black;">能够</span><span style="color: black;">运用</span>换行绕过。
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/bdbec19f58cc44298f461e0808ba81ef~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=mAUde8aZXRVlrdW6naK4CgyNH%2BI%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">查询</span><span style="color: black;">那些</span>位置调用了 _route_file,跟踪 $note 的值<span style="color: black;">是不是</span>可控,调用该函数的位置有<span style="color: black;">非常多</span>,<span style="color: black;">最后</span>找到一处可利用。在 </p>upload/plugins/sys/admin/Plugins.php#Plugins-&gt;setting_save 调用了 _route_file,<span style="color: black;">因为</span>该函数内容有点多,<span style="color: black;">因此</span>我将它拆分成两个界面,<span style="color: black;">有些</span>不重要的内容进行闭合。画红线的位置是调用到 _route_file 必须设置的,<span style="color: black;">能够</span>看到在标蓝色3的位置获取到了 $note 的值,分析到<span style="color: black;">这儿</span><span style="color: black;">能够</span><span style="color: black;">起始</span>复现了。
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/df3ddaf729da492ab61022e1b5a7c1a5~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=r1s2HfoEBnotS1Qg3YP%2BzVSxHDg%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">运用</span> burpsuite 抓取请求包。</span></p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/4ffe5f4a2b864d96ab9beaa168b8a334~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=iYpyzUk8JpO173Dk%2BNk%2FBYFaeYs%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">修改请求包内容写入构造好的代码,<span style="color: black;">能够</span>看到我<span style="color: black;">运用</span>了什么 %0a 换行去绕过去注释。</span></p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/d7b94c448b7446898bad3976a1d8b4d3~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=H4kBPiYTu8vF01EKQXqV77%2Fy0LQ%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">在 </p>upload/cscms/config/dance/rewrite.php <span style="color: black;">能够</span>看到成功写入。

    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/6ff631874f1545f9990f865dbbd07697~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=Xl5jwW6itW%2FJ%2B7B35lqH5T%2BRWT0%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">寻找引用 rewrite.php 的位置,懒得去看代码了,<span style="color: black;">经过</span>点击各个页面,经过不懈<span style="color: black;">奋斗</span><span style="color: black;">最终</span>在个人中心的音乐页面找到,<span style="color: black;">因此</span>你需要注册一个会员用户。</span></p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/7d9dab71c1904bb79048e04f30c09b34~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=32mEjcn%2BnE3sBNTSODKxkq4pHzI%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">重放 burpsuite 抓到的请求包,成功输出内容。</span></p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p26-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/7828e600dd3646299054d0235d9ecc53~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=i6GncgUwIWgNsfAGdXVU%2BYmgK9Q%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">到<span style="color: black;">这儿</span>其实事情还<span style="color: black;">无</span>结束,当我尝试写入恶意内容<span style="color: black;">发掘</span>被转移了。</span></p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/32efb093f8e64b9f80814de061a69281~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=zt2LYSJPV6bY9ScHUvyUp%2BpgSwA%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/c079660b206242518a390cf0f286e1be~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=sttbh9W3YmrHZvdhVPlU2asHpx0%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">试了 eval、shell_exec 等均被转移,<span style="color: black;">然则</span> assert <span style="color: black;">无</span>被转移,<span style="color: black;">思虑</span>到 assert 在PHP7版本之后的问题,我还是需要找一个更好的办法。懒得去看转义的代码了,我<span style="color: black;">按照</span>PHP的动态特性<span style="color: black;">运用</span>以下<span style="color: black;">办法</span>成功 RCE。</span></p>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/32aaed647a3a431d867288fdd1e8edb9~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=Quc6CuWsZR5CtPc70bpTA%2Fz%2Fq%2BQ%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/3fb0d5b39d844fb8bd2d76114b0e88f7~noop.image?_iz=58558&amp;from=article.pc_detail&amp;lk3s=953192f4&amp;x-expires=1729839620&amp;x-signature=4goNSCx4t5MuLCIfUXJYMesA2Fc%3D" style="width: 50%; margin-bottom: 20px;"></div>
    <h1 style="color: black; text-align: left; margin-bottom: 10px;">总结:</h1>
    <p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">此次代码审计<span style="color: black;">运用</span>了通用代码审计思路的两种,<span style="color: black;">第1</span>种:<span style="color: black;">按照</span>功能点定向审计、第二种:<span style="color: black;">敏锐</span>函数回溯参数过程,<span style="color: black;">无</span>用到的是通读全文代码。活用 phpstorm <span style="color: black;">能够</span>让代码审计的效率大大<span style="color: black;">增多</span>。</span></p>




页: [1]
查看完整版本: 一次代码审计实战案例「思路流程」