A case of GETSHELL Analysis and early warning at the Front desk of typecho 04/23 Update SLTechnology News&Howtos

A case of GETSHELL Analysis and early warning at the Front desk of typecho

2025-04-23 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Internet Technology >

Shulou(Shulou.com)06/01 Report--

This article mainly introduces the typecho foreground GETSHELL analysis early warning case, has a certain reference value, interested friends can refer to, I hope you can learn a lot after reading this article, the following let the editor take you to understand it.

0x01 vulnerability description

The serialization string passed in by the user is directly processed in the if` judgment of install.php, and a complete pop execution chain can be found in the existing framework to cause arbitrary php command execution.

Impact of 0x02 vulnerability attack surface

Influence surface

Almost all typecho on the market that are not up-to-date are affected by this vulnerability.

Affect the version

Gitcommit 242fc1a4cb3d6076505f851fdcd9c1bbf3e431a5

Almost all previous versions

Repair version

Gitcommite277141c974cd740702c5ce73f7e9f382c18d84e

Future commit

0x03 repair scheme

Vulnerability code

As you can expect here, there should be no developers who obviously write dangerous operations in _ _ constract ().

So when you turn to string concatenation,

Look for the following _ _ toString ()

In fact, only three class have this _ _ toString ()

Var/Typecho/Feed.php

Var/Typecho/Config.php

Var/Typecho/Db/Query.php

There are roughly several calls to this

Php

$item ['xxx']

$item ['xxx']-> $yyyy

$this- >

There can be some new thinking from this point.

Because it is deserialization, we can also control the properties in the object, so now look for the _ _ get () method

Php

Class Typecho_Config implements Iterator

Class IXR_Client

Class Typecho_Plugin

Class Widget_Themes_Edit extends Widget_Abstract_Options implements Widget_Interface_Do

Class Typecho_Date

Class Typecho_Request

Abstract class Typecho_Widget

Class Typecho_Widget_Helper_Layout

There are so many functions with _ _ get () method

There is a place that is completely unaltered.

Then the constructed specified code is executed directly by the call_user_func

0x04 attacks utilize Analysis Playload Generation

Php

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.