In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-04-02 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Internet Technology >
Share
Shulou(Shulou.com)06/01 Report--
This article mainly introduces the typecho foreground GETSHELL analysis early warning case, has a certain reference value, interested friends can refer to, I hope you can learn a lot after reading this article, the following let the editor take you to understand it.
0x01 vulnerability description
The serialization string passed in by the user is directly processed in the if` judgment of install.php, and a complete pop execution chain can be found in the existing framework to cause arbitrary php command execution.
Impact of 0x02 vulnerability attack surface
Influence surface
Almost all typecho on the market that are not up-to-date are affected by this vulnerability.
Affect the version
Gitcommit 242fc1a4cb3d6076505f851fdcd9c1bbf3e431a5
Almost all previous versions
Repair version
Gitcommite277141c974cd740702c5ce73f7e9f382c18d84e
Future commit
0x03 repair scheme
Vulnerability code
As you can expect here, there should be no developers who obviously write dangerous operations in _ _ constract ().
So when you turn to string concatenation,
Look for the following _ _ toString ()
In fact, only three class have this _ _ toString ()
Var/Typecho/Feed.php
Var/Typecho/Config.php
Var/Typecho/Db/Query.php
There are roughly several calls to this
Php
$item ['xxx']
$item ['xxx']-> $yyyy
$this- >
There can be some new thinking from this point.
Because it is deserialization, we can also control the properties in the object, so now look for the _ _ get () method
Php
Class Typecho_Config implements Iterator
Class IXR_Client
Class Typecho_Plugin
Class Widget_Themes_Edit extends Widget_Abstract_Options implements Widget_Interface_Do
Class Typecho_Date
Class Typecho_Request
Abstract class Typecho_Widget
Class Typecho_Widget_Helper_Layout
There are so many functions with _ _ get () method
There is a place that is completely unaltered.
Then the constructed specified code is executed directly by the call_user_func
0x04 attacks utilize Analysis Playload Generation
Php
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.