A mall system deserialization vulnerability
0x1 Vulnerability Analysis
Vulnerable file:
/module/Shopfront/src/Shopfront/Controller/BrandController.php
Line 68 base64-decodes the sort_c request parameter and then passes the result to unserialize.
The CMS is built on Zend Framework 2, version 2.4.
Looking at phpggc, there is no payload for exactly this version,
but there is one for versions greater than 2.0.1, so we generate it
and test it.
Code execution succeeds.
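As an added example (not the mall system's own code; the controller itself is not reproduced here), the sink pattern the write-up describes at line 68 is reconstructed below next to a hardened version. The function names and the assumption that sort_c carries a plain array of sort options are mine.

```php
<?php
// Added example: hypothetical reconstruction of the vulnerable pattern
// (base64_decode -> unserialize on a request parameter). With Zend Framework
// autoloaded, unserialize() can instantiate any framework class, so every
// __destruct / __toString gadget in the code base is reachable.
function sortFromRequestUnsafe(string $sortParam)
{
    $raw = base64_decode($sortParam);
    return unserialize($raw);   // attacker decides which classes are created
}

// True if the decoded structure contains any object (after unserialize with
// allowed_classes => false, objects come back as __PHP_Incomplete_Class).
function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hardened form: same transport, but objects are refused outright (PHP >= 7.0),
// so no magic method of any class can run during deserialization.
function sortFromRequestSafe(string $sortParam): array
{
    $raw = base64_decode($sortParam, true);      // strict: reject non-base64 input
    if ($raw === false) {
        return [];
    }
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || containsObject($data)) {
        return [];                                // drop anything that is not scalar data
    }
    return $data;
}

// Constructed inputs: a harmless sort array, and a serialized object blob.
$benign = base64_encode(serialize(['field' => 'name', 'dir' => 'asc']));
$object = base64_encode('O:8:"stdClass":0:{}');
var_dump(sortFromRequestSafe($benign));   // the array is returned unchanged
var_dump(sortFromRequestSafe($object));   // empty array: object payload rejected
```

Where the serialized format is not needed at all, replacing it with json_decode($raw, true) removes the sink entirely, since JSON cannot express PHP objects.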
0x2 PoC construction
Generating the PoC with the tool is of course convenient, but building it by hand gives a much clearer picture of how this deserialization gadget chain is put together.
The chain starts with the __destruct method of \Zend\Log\Logger,
which iterates over the writers and calls each writer's shutdown method.
The shutdown method used here is the one in \Zend\Log\Writer\Mail.
Line 184 enters the function:
it iterates over $numEntriesPerPriority, and building a string from $numEntries triggers that object's __toString method.
The object is an instance of \Zend\Tag\Cloud,
whose __toString calls its render method.
render then calls the render method of the object returned by getTagDecorator,
here \Zend\Tag\Cloud\Decorator\HtmlCloud.
That render first checks whether $tag is an array, then implodes it and hands the result to wrapTag.
Line 171 fetches an $escaper object and, once certain conditions are met, calls that object's escapeHtmlAttr method.
In \Zend\Escaper\Escaper,
line 166 runs preg_replace_callback with $this->htmlAttrMatcher as the callback. We point that callback at the filter method of \Zend\Filter\FilterChain.
Here the object is cloned first, then $chain is traversed and each element is passed to call_user_func in turn; the result is stored back into $valueFiltered and handed to the next $filter. So we only need to call one method of one class that returns a string we control in order to make $valueFiltered controllable.
The __toString method of the \Zend\Json\Expr class is used for this: it returns the string we specify,
and that returned string is then processed by the next filter.
In other words, the $chain passed in must have array form: $chain[0][0] is the \Zend\Json\Expr object, $chain[0][1] is __toString (the method to execute), and $chain[1] is the function we want executed, for example assert.
One problem remains: if we pass a real array, the clone fails and execution never reaches the code-execution step. A class that behaves like an array is needed instead; SplFixedArray solves this.
Based on these conditions and the trigger chain, we build the PoC ourselves.
Generating the PoC
Testing