?

Oct 27 2017

CodeIgniter框架內核設計缺陷可致任意代碼執行

首頁 » 漏洞收集 » CodeIgniter框架內核設計缺陷可致任意代碼執行   

官方承認這個問題,說明會發布補丁,但不愿承認這是個『漏洞』……不過也無所謂,反正是不是都沒美刀~

  CI在加載模板的時候,會調用 $this->load->view('template_name', $data);

  內核中,查看view函數源碼:

  /system/core/Loader.php

  public function view($view, $vars = array(), $return = FALSE)

  {

  return $this->_ci_load(array('_ci_view' => $view, '_ci_vars' => $this->_ci_object_to_array($vars), '_ci_return' => $return));

  }

  ...

  protected function _ci_load($_ci_data)

  {

  // Set the default data variables

  foreach (array('_ci_view', '_ci_vars', '_ci_path', '_ci_return') as $_ci_val)

  {

  $$_ci_val = isset($_ci_data[$_ci_val]) ? $_ci_data[$_ci_val] : FALSE;

  }

  $file_exists = FALSE;

  // Set the path to the requested file

  if (is_string($_ci_path) && $_ci_path !== '')

  {

  $_ci_x = explode('/', $_ci_path);

  $_ci_file = end($_ci_x);

  }

  else

  {

  $_ci_ext = pathinfo($_ci_view, PATHINFO_EXTENSION);

  $_ci_file = ($_ci_ext === '') ? $_ci_view.'.php' : $_ci_view;

  foreach ($this->_ci_view_paths as $_ci_view_file => $cascade)

  {

  if (file_exists($_ci_view_file.$_ci_file))

  {

  $_ci_path = $_ci_view_file.$_ci_file;

  $file_exists = TRUE;

  break;

  }

  if ( ! $cascade)

  {

  break;

  }

  }

  }

  if ( ! $file_exists && ! file_exists($_ci_path))

  {

  show_error('Unable to load the requested file: '.$_ci_file);

  }

  // This allows anything loaded using $this->load (views, files, etc.)

  // to become accessible from within the Controller and Model functions.

  $_ci_CI =& get_instance();

  foreach (get_object_vars($_ci_CI) as $_ci_key => $_ci_var)

  {

  if ( ! isset($this->$_ci_key))

  {

  $this->$_ci_key =& $_ci_CI->$_ci_key;

  }

  }

  /*

  * Extract and cache variables

  *

  * You can either set variables using the dedicated $this->load->vars()

  * function or via the second parameter of this function. We'll merge

  * the two types and cache them so that views that are embedded within

  * other views can haveaccess to these variables.

  */

  if (is_array($_ci_vars))

  {

  $this->_ci_cached_vars = array_merge($this->_ci_cached_vars, $_ci_vars);

  }

  extract($this->_ci_cached_vars);

  /*

  * Buffer the output

  *

  * We buffer the output for two reasons:

  * 1. Speed. You get a significant speed boost.

  * 2. So that the final rendered template can be post-processed by

  * the output class. Why do we need post processing? For one thing,

  * in order to show the elapsed page load time. Unless we can

  * intercept the content right before it's sent to the browser and

  * then stop the timer it won't be accurate.

  */

  ob_start();

  // If the PHP installation does not support short tags we'll

  // do a little string replacement, changing the short tags

  // to standard PHP echo statements.

  if ( ! is_php('5.4') && ! ini_get('short_open_tag') && config_item('rewrite_short_tags') === TRUE)

  {

  echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace(' }

  else

  {

  include($_ci_path); // include() vs include_once() allows for multiple views with the same name

  }

  log_message('info', 'File loaded: '.$_ci_path);

  // Return the file data if requested

  if ($_ci_return === TRUE)

  {

  $buffer = ob_get_contents();

  [@ob_end_clean](/ob_end_clean)();

  return $buffer;

  }

  /*

  * Flush the buffer... or buff the flusher?

  *

  * In order to permit views to be nested within

  * other views, we need to flush the content back out whenever

  * we are beyond the first level of output buffering so that

  * it can be seen and included properly by the first included

  * template and any subsequent ones. Oy!

  */

  if (ob_get_level() > $this->_ci_ob_level + 1)

  {

  ob_end_flush();

  }

  else

  {

  $_ci_CI->output->append_output(ob_get_contents());

  [@ob_end_clean](/ob_end_clean)();

  }

  return $this;

  }

  且看這一段:

  if (is_array($_ci_vars))

  {

  $this->_ci_cached_vars = array_merge($this->_ci_cached_vars, $_ci_vars);

  }

  extract($this->_ci_cached_vars);

  這個extract將導致變量覆蓋漏洞。

  $this->_ci_cached_vars是來自$_ci_vars,而$_ci_vars是來自用戶傳給view方法的第二個參數。(正常情況下是開發者傳給模板的變量)

  而我們看到extract后面:

  extract($this->_ci_cached_vars);

  ob_start();

  // If the PHP installation does not support short tags we'll

  // do a little string replacement, changing the short tags

  // to standard PHP echo statements.

  if ( ! is_php('5.4') && ! ini_get('short_open_tag') && config_item('rewrite_short_tags') === TRUE)

  {

  echo eval('?>'.preg_replace('/;*\s*\?>/', '; ?>', str_replace('}

  else

  {

  include($_ci_path); // include() vs include_once() allows for multiple views with the same name

  }

  include($_ci_path),$_ci_path是模板地址,因為之前的變量覆蓋,將會導致任意文件包含漏洞,進而getshell。

  所以,只要我們可以控制view的第二個參數的『鍵值』,傳入 _ci_path=file:///etc/passwd ,在被extract后覆蓋原來的模板地址,將可以包含/etc/passwd。

  這個漏洞和 http://**.**.**.**/bugs/wooyun-2014-051906 有點類似,就是在assign(CI里叫$this->load->vars或是$this->load->view)的時候傳入數組導致的。

  如下Controller將可導致漏洞

  defined('BASEPATH') OR exit('No direct script access allowed');

  class Welcome extends CI_Controller {

  public function index()

  {

  $data = $this->input->post();

  $this->load->view('welcome_message', $data);

  }

  }

QQ20160310-6@2x.png

  這個也類似:

  public function index()

  {

  $data = $this->input->post('info');

  $this->load->vars($data);

  $this->load->view('welcome_message');

  }

QQ20160310-7@2x.png

  當開啟了遠程文件包含的情況下,也可以直接包含php://input

QQ20160310-8@2x.png

  解決方案

  將extract換成

  foreach($this->_ci_cached_vars as $key => $value) {

  if(strpos($key, '_ci') !== 0) {

  $$key = $value;

  }

  }

正文部分到此結束

文章標簽:這篇文章木有標簽

版權聲明:若無特殊注明,本文皆為( mOon )原創,轉載請保留文章出處。

也許喜歡: «Python3編寫的CMS漏洞檢測工具(含300POC) | 利用mysql general log 寫shell 可行性簡要分析»

你腫么看?

你還可以輸入 250/250 個字

? 微笑 大笑 拽 大哭 親親 流汗 噴血 奸笑 囧 不爽 暈 示愛 害羞 吃驚 驚嘆 愛你 嚇死了 呵呵

評論信息框

這篇文章還沒有收到評論,趕緊來搶沙發吧~

?
?
河北11选5开奖