环境搭建
在Windows下使用phpstudy搭建
apache版本:2.4.39
php版本:5.6.9
mysql版本:5.7.26
phpmyadmin 4.8.1下载:https://www.exploit-db.com/exploits/50457
使用composer进行安装
漏洞复现
首先在phpmyadmin根目录上一级创建phpinfo.php
然后登陆phpmyadmin,访问/index.php?target=db_sql.php%253f%2F..%2F..%2Fphpinfo.php
源码分析
index.php
查看根目录下,index.php中target参数相关代码
/*
* Black list of all scripts to which front-end must submit data.
* Such scripts must not be loaded on home page.
*
*/
$target_blacklist = array ( //黑名单
'import.php', 'export.php'
);
// If we have a valid target, let's load that script instead
if (! empty($_REQUEST['target'])
&& is_string($_REQUEST['target']) //需要是字符串
&& ! preg_match('/^index/', $_REQUEST['target']) //不能以index开头
&& ! in_array($_REQUEST['target'], $target_blacklist) //黑名单
&& Core::checkPageValidity($_REQUEST['target']) //白名单过滤,函数见下文
) {
include $_REQUEST['target'];
exit;
}
Core::checkPageValidity
Core::checkPageValidity方法位于libraries/classes/Core.php中443行,此函数作用为判断?前面的内容是否在白名单中,是则返回true。但是函数并没有对输入的参数做修改,截取的结果都保存在$_page中,所以target只需前面为白名单&%3F
或者白名单%253F
就可以绕过Core::checkPageValidity方法的白名单检测。
/**
* boolean phpMyAdmin.Core::checkPageValidity(string &$page, array $whitelist)
*
* checks given $page against given $whitelist and returns true if valid
* it optionally ignores query parameters in $page (script.php?ignored)
*
* @param string &$page page to check
* @param array $whitelist whitelist to check page against
*
* @return boolean whether $page is valid or not (in $whitelist or not)
*/
public static function checkPageValidity(&$page, array $whitelist = [])
{
if (empty($whitelist)) { //没有传入$whitelist
$whitelist = self::$goto_whitelist; //$goto_whitelist见下文
}
if (! isset($page) || !is_string($page)) {
return false;
}
if (in_array($page, $whitelist)) { //判断是否在白名单
return true;
}
$_page = mb_substr( //截取?前面的内容
$page,
0,
mb_strpos($page . '?', '?')
);
if (in_array($_page, $whitelist)) { //判断是否在白名单
return true;
}
$_page = urldecode($page); //url解码
$_page = mb_substr( //截取?前面的内容
$_page,
0,
mb_strpos($_page . '?', '?')
);
if (in_array($_page, $whitelist)) { //判断是否在白名单
return true;
}
return false;
}
self::$goto_whitelist
点击查看代码
/**
* the whitelist for goto parameter
* @static array $goto_whitelist
*/
public static $goto_whitelist = array(
'db_datadict.php',
'db_sql.php',
'db_events.php',
'db_export.php',
'db_importdocsql.php',
'db_multi_table_query.php',
'db_structure.php',
'db_import.php',
'db_operations.php',
'db_search.php',
'db_routines.php',
'export.php',
'import.php',
'index.php',
'pdf_pages.php',
'pdf_schema.php',
'server_binlog.php',
'server_collations.php',
'server_databases.php',
'server_engines.php',
'server_export.php',
'server_import.php',
'server_privileges.php',
'server_sql.php',
'server_status.php',
'server_status_advisor.php',
'server_status_monitor.php',
'server_status_queries.php',
'server_status_variables.php',
'server_variables.php',
'sql.php',
'tbl_addfield.php',
'tbl_change.php',
'tbl_create.php',
'tbl_import.php',
'tbl_indexes.php',
'tbl_sql.php',
'tbl_export.php',
'tbl_operations.php',
'tbl_structure.php',
'tbl_relation.php',
'tbl_replace.php',
'tbl_row_action.php',
'tbl_select.php',
'tbl_zoom_select.php',
'transformation_overview.php',
'transformation_wrapper.php',
'user_password.php',
);
分析总结
从整体分析来看,target参数传入后,只对其做了黑白名单判断,并没有修改target的值,通过判断后直接传入include()中进行文件包含。在Core::checkPageValidity方法中,直接导致文件包含漏洞的原因是,使用了一次urldecode进行裁剪判断。虽然直接传入/index.php?target=db_sql.php%3F/../../phpinfo.php
也可以绕过Core::checkPageValidity的检测,但是当到了include中,就变成了include('db_sql.php?/../../phpinfo.php')
,此时db_sql.php?/
不会作为目录解析,include会返回错误。
但是由于Core::checkPageValidity中使用了urldecode进行检测,便可以使用双重url编码,传入/index.php?target=db_sql.php%253F/../../phpinfo.php
,到include时,就变成了include('db_sql.php%3F/../../phpinfo.php')
,db_sql.php%3F/
作为目录解析,所以可以成功实现本地任意文件包含。