phpBB Phar反序列化远程代码执行漏洞分析(CVE-2018-19274)<\/h1>

漏洞概述<\/h2>
phpBB™ 是世界上应用最广泛的开源论坛软件。在phpBB v3.2.3及以前的版本中，存在一个严重的远程代码执行漏洞，攻击者可以通过构造特殊的PHAR文件触发反序列化漏洞，最终获取Webshell。<\/p>

漏洞影响<\/h2>

影响版本：phpBB v3.2.3及以前的版本<\/li>

漏洞条件：

拥有控制管理面板的权限（可通过社工、弱口令、钓鱼等方式获取）<\/li>

能够上传恶意附件<\/li> <\/ul> <\/li> <\/ul>

漏洞原理<\/h2>

核心漏洞点<\/h3>

漏洞的核心在于phpBB3\/includes\/functions_acp.php<\/code>文件中的validate_config_vars<\/code>函数：<\/p>

\/\/ 通过file_exists函数判断$path是否存在
<\/span><\/span><\/span>\/\/ 此处若可以被上传PHAR归档包，文件路径可控，就可以通过phar:\/\/协议进行反序列化攻击
<\/span><\/span><\/span><\/span>if<\/span> (file_exists<\/span>($path))
<\/span><\/span><\/code><\/pre>漏洞触发流程<\/h3>

前端上传恶意附件<\/strong>：攻击者在前台发帖时上传包含恶意序列化数据的PHAR文件<\/li>
后台触发反序列化<\/strong>：在管理面板的附件设置中，通过精心构造的config[img_imagick]<\/code>参数触发phar反序列化<\/li>
利用链执行<\/strong>：利用Guzzle库的FileCookieJar<\/code>类完成文件写入，获取Webshell<\/li>
<\/ol>
详细分析<\/h2>
1. 漏洞触发点分析<\/h3>
漏洞触发始于acp_attachments->main()<\/code>方法，关键调用链如下：<\/p>

phpBB3\/includes\/acp\/acp_attachments.php<\/code>中的main()<\/code>方法<\/li>
调用validate_config_vars()<\/code>函数<\/li>
传入两个参数：

$display_vars['vars']<\/code>：系统配置定义<\/li>
$cfg_array<\/code>：来自$_REQUEST['config']<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
2. validate_config_vars函数分析<\/h3>
在phpBB3\/includes\/functions_acp.php<\/code>中：<\/p>
foreach<\/span> ($config_vars as<\/span> $config_name =><\/span> $config_definition) {
<\/span><\/span>    \/\/ 检查$cfg_array中是否有与系统配置相同的键名
<\/span><\/span><\/span><\/span>    \/\/ 检查键值是否存在$config_definition['validate']
<\/span><\/span><\/span><\/span>    if<\/span> (...<\/span>) {
<\/span><\/span>        $validator =<\/span> explode<\/span>(':'<\/span>, $config_definition['validate'<\/span>]);
<\/span><\/span>        $type =<\/span> $validator[0<\/span>];
<\/span><\/span>        
<\/span><\/span>        switch<\/span> ($type) {
<\/span><\/span>            case<\/span> 'wpath'<\/span>:<\/span>
<\/span><\/span>                \/\/ 关键漏洞点：缺少break语句
<\/span><\/span><\/span><\/span>                $path =<\/span> in_array<\/span>($config_definition['validate'<\/span>], array<\/span>('wpath'<\/span>, 'path'<\/span>, 'rpath'<\/span>, 'rwpath'<\/span>)) 
<\/span><\/span>                    ?<\/span> $phpbb_root_path .<\/span> $cfg_array[$config_name] 
<\/span><\/span>                    :<\/span> $cfg_array[$config_name];
<\/span><\/span>                \/\/ 触发file_exists检查
<\/span><\/span><\/span><\/span>                if<\/span> (file_exists<\/span>($path)) {
<\/span><\/span>                    ...<\/span>
<\/span><\/span>                }
<\/span><\/span>            case<\/span> 'absolute_path'<\/span>:<\/span>
<\/span><\/span>            case<\/span> 'absolute_path_writable'<\/span>:<\/span>
<\/span><\/span>            case<\/span> 'path'<\/span>:<\/span>
<\/span><\/span>                \/\/ 由于缺少break，可以绕过路径前缀拼接
<\/span><\/span><\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 绕过路径限制<\/h3>
通过分析发现img_imagick<\/code>元素的验证类型为absolute_path<\/code>，可以绕过路径前缀拼接：<\/p>
foreach<\/span> ($display_vars['vars'<\/span>] as<\/span> $key =><\/span> $value) {
<\/span><\/span>    if<\/span> (($value['validate'<\/span>] ===<\/span> 'absolute_path'<\/span>) or<\/span> 
<\/span><\/span>        ($value['validate'<\/span>] ===<\/span> 'absolute_path_writable'<\/span>) or<\/span> 
<\/span><\/span>        ($value['validate'<\/span>] ===<\/span> 'path'<\/span>)) {
<\/span><\/span>        print<\/span>('66'<\/span>.<\/span>$key.<\/span>'77'<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>4. 恶意文件上传<\/h3>
上传位置为前台发帖附件处，关键函数调用栈：<\/p>

phpBB3\/phpbb\/plupload\/plupload.php<\/code>中的handle_upload<\/code><\/li>
计算上传文件路径的函数temporary_filepath<\/code>：

$this->temporary_directory<\/code>为.\/files\/plupload<\/code><\/li>
$file_name<\/code>可控<\/li>
文件后缀可控<\/li>
$this->config['plupload_salt']<\/code>可从数据库备份中获取<\/li>
<\/ul>
<\/li>
<\/ol>
最终上传路径格式为：

.\/files\/plupload\/[plupload_salt]_[md5(filename)]zip.part<\/code><\/p>
5. 利用链分析<\/h3>
利用PHP网络请求插件Guzzle完成反序列化利用：<\/p>
\/\/ phpBB3\/vendor\/guzzlehttp\/guzzle\/src\/Cookie\/FileCookieJar.php
<\/span><\/span><\/span><\/span>public<\/span> function<\/span> __destruct() {
<\/span><\/span>    $this-><\/span>save<\/span>($this-><\/span>filename<\/span>);  \/\/ 关键点：析构函数调用save
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>public<\/span> function<\/span> save<\/span>($filename) {
<\/span><\/span>    file_put_contents<\/span>($filename, $str);  \/\/ 最终写入文件
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞利用步骤<\/h2>

获取管理员权限<\/strong>：通过社工、弱口令等方式获取管理员权限<\/li>
上传恶意PHAR文件<\/strong>：

构造包含恶意序列化数据的PHAR文件<\/li>
通过前台发帖附件功能上传<\/li>
<\/ul>
<\/li>
获取plupload_salt<\/strong>：

进入管理面板的数据库备份功能<\/li>
下载数据库备份获取plupload_salt<\/code>值<\/li>
<\/ul>
<\/li>
计算上传文件路径<\/strong>：

使用公式：[plupload_salt]_[md5(filename)]zip.part<\/code><\/li>
<\/ul>
<\/li>
触发反序列化<\/strong>：

在管理面板的附件设置中提交恶意请求：<\/li>
<\/ul>
POST<\/span> \/phpBB3\/adm\/index.php?i=acp_attachments&mode=attach&sid=... HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>...<\/span>
<\/span><\/span>config%5Bimg_imagick%5D=phar:\/\/..\/files\/plupload\/[恶意文件名]&...
<\/span><\/span><\/code><\/pre><\/li>
获取Webshell<\/strong>：

利用链执行后会在指定位置写入Webshell<\/li>
<\/ul>
<\/li>
<\/ol>
防御措施<\/h2>

升级到phpBB最新版本<\/li>
严格过滤管理员面板的输入参数<\/li>
对文件上传功能加强限制<\/li>
使用强密码保护管理员账户<\/li>
限制管理面板的访问IP<\/li>
<\/ol>
参考链接<\/h2>

phpBB官方安全公告<\/a><\/li>
PHP Phar反序列化漏洞原理<\/a><\/li>
Guzzle库安全公告<\/a><\/li>
<\/ul>

phpBB Phar反序列化远程代码执行漏洞分析(CVE-2018-19274)<\/h1>

漏洞概述<\/h2> phpBB™ 是世界上应用最广泛的开源论坛软件。在phpBB v3.2.3及以前的版本中，存在一个严重的远程代码执行漏洞，攻击者可以通过构造特殊的PHAR文件触发反序列化漏洞，最终获取Webshell。<\/p>

漏洞原理<\/h2>

详细分析<\/h2>

参考链接<\/h2> phpBB官方安全公告<\/a><\/li> PHP Phar反序列化漏洞原理<\/a><\/li> Guzzle库安全公告<\/a><\/li> <\/ul>

漏洞概述<\/h2>
phpBB™ 是世界上应用最广泛的开源论坛软件。在phpBB v3.2.3及以前的版本中，存在一个严重的远程代码执行漏洞，攻击者可以通过构造特殊的PHAR文件触发反序列化漏洞，最终获取Webshell。<\/p>

参考链接<\/h2>

phpBB官方安全公告<\/a><\/li>
PHP Phar反序列化漏洞原理<\/a><\/li>
Guzzle库安全公告<\/a><\/li> <\/ul>