一、漏洞复现
1、搭建docker环境(yum install docker-re)
2、拉取镜像
配置docker-compose.yml文件,并拉取镜像
docker-compose up -d
version: '2' services: nginx: image: nginx:1 volumes: - ./www:/usr/share/nginx/html - ./default.conf:/etc/nginx/conf.d/default.conf depends_on: - php ports: - "8080:80" php: image: php:7.1.32-fpm volumes: - ./www:/var/www/html
default.conf
server { listen 80 default_server; listen [::]:80 default_server; root /usr/share/nginx/html; index index.html index.php; server_name _; location / { try_files $uri $uri/ =404; } location ~ [^/].php(/|$) { fastcgi_split_path_info ^(.+?.php)(/.*)$; include fastcgi_params; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_index index.php; fastcgi_param REDIRECT_STATUS 200; fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name; fastcgi_param DOCUMENT_ROOT /var/www/html; fastcgi_pass php:9000; } }
二、源码分析
static void init_request_info(void) { fcgi_request *request = (fcgi_request*) SG(server_context); //文件绝对路径 char *env_script_filename = FCGI_GETENV(request, "SCRIPT_FILENAME"); //env_path_translated值和env_script_filename值一样 char *env_path_translated = FCGI_GETENV(request, "PATH_TRANSLATED"); char *script_path_translated = env_script_filename; char *ini; int apache_was_here = 0; /* some broken servers do not have script_filename or argv0 * an example, IIS configured in some ways. then they do more * broken stuff and set path_translated to the cgi script location */ if (!script_path_translated && env_path_translated) { script_path_translated = env_path_translated; } /* initialize the defaults */ SG(request_info).path_translated = NULL; SG(request_info).request_method = NULL; SG(request_info).proto_num = 1000; SG(request_info).query_string = NULL; SG(request_info).request_uri = NULL; SG(request_info).content_type = NULL; SG(request_info).content_length = 0; SG(sapi_headers).http_response_code = 200; if (script_path_translated) { const char *auth; //获取request请求中的参数 char *content_length = FCGI_GETENV(request, "CONTENT_LENGTH"); char *content_type = FCGI_GETENV(request, "CONTENT_TYPE"); char *env_path_info = FCGI_GETENV(request, "PATH_INFO"); char *env_script_name = FCGI_GETENV(request, "SCRIPT_NAME"); ... if (CGIG(fix_pathinfo)) { struct stat st; char *real_path = NULL; char *env_redirect_url = FCGI_GETENV(request, "REDIRECT_URL"); char *env_document_root = FCGI_GETENV(request, "DOCUMENT_ROOT"); char *orig_path_translated = env_path_translated; char *orig_path_info = env_path_info; char *orig_script_name = env_script_name; char *orig_script_filename = env_script_filename; int script_path_translated_len; ... if (script_path_translated && //script_path_translated_len是请求uri_path中第一个斜杠前的内容:如http://127.0.0.1/index.php/test,则变量的值为/var/www/html/index.php的长度 (script_path_translated_len = strlen(script_path_translated)) > 0 && (script_path_translated[script_path_translated_len-1] == '/' || #ifdef PHP_WIN32 script_path_translated[script_path_translated_len-1] == '\' || #endif (real_path = tsrm_realpath(script_path_translated, NULL)) == NULL) ) { //字符串复制 char *pt = estrndup(script_path_translated, script_path_translated_len); //url的长度取决于nginx的配置当请求url,http://127.0.0.1/index.php/123%0atest.php。script_path_translated来自于nginx的配置,为/var/www/html/index.php/123 test.php int len = script_path_translated_len; ... int ptlen = strlen(pt); int slen = len - ptlen; //request中path_info的长度,此参数值可控 int pilen = env_path_info ? strlen(env_path_info) : 0; int tflag = 0; char *path_info; if (apache_was_here) { /* recall that PATH_INFO won't exist */ path_info = script_path_translated + ptlen; tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0)); } else { //在c语言中,char *变量,加一个int数字,是一个使指针指向的地址偏移 path_info = env_path_info ? env_path_info + pilen - slen : NULL; tflag = (orig_path_info != path_info); }
下面的代码进行举例分析:
path_info = env_path_info ? env_path_info + pilen - slen : NULL;
替换成类似代码:由此可以看出,下面的代码在c语言中可以起到偏移char *首地址的#include <stdio.h>
int main() { char *a = "aaaaaaaa"; char *b = a-2; printf("%s",b);
//path_info[0]此地址对应的是path_info的首地址。根据fpm代码,则是可操作堆上任意数据置为0,那我们就可以把_fcgi_data_seg结构体的char* pos置零
FCGI_PUTENV(request, "ORIG_PATH_INFO", orig_path_info); old = path_info[0]; path_info[0] = 0; //orig_script_name变量不为空 if (!orig_script_name || strcmp(orig_script_name, env_path_info) != 0) { if (orig_script_name) {
FCGI_PUTENV(request, "ORIG_SCRIPT_NAME", orig_script_name);//进入此函数
}
php源码中FCGI_PUTENV函数
#define FCGI_PUTENV(request, name, value) fcgi_quick_putenv(request, name, sizeof(name)-1, FCGI_HASH_FUNC(name, sizeof(name)-1), value)
查看fcgi_quick_putenv函数
char* fcgi_quick_putenv(fcgi_request *req, char* var, int var_len, unsigned int hash_value, char* val) { if (val == NULL) { fcgi_hash_del(&req->env, hash_value, var, var_len); return NULL; } else { return fcgi_hash_set(&req->env, hash_value, var, var_len, val, (unsigned int)strlen(val)); } }
查看fcgi_hash_set函数,其中fcgi_request结构体为
//此为fcgi_request的机构体 struct _fcgi_request { int listen_socket; int tcp; int fd; int id; int keep; #ifdef TCP_NODELAY int nodelay; #endif int ended; int in_len; int in_pad; fcgi_header *out_hdr; unsigned char *out_pos; unsigned char out_buf[1024*8]; unsigned char reserved[sizeof(fcgi_end_request_rec)]; fcgi_req_hook hook; int has_env; fcgi_hash env;//此处是request->env存放的位置,存储的是nginx配置的ENV全局变量,在fcgi_hash_set中的变量名为h };
现在请联系之前,path_info[0]=0这段代码,这段代码表示我们可以随意在栈上的任意位置置为0。现在也就是说,传入fcgi_hash_set函数中的fcgi_hash *h我们可以修改这个变量中的任意位置为0,
static char* fcgi_hash_set(fcgi_hash *h, unsigned int hash_value, char *var, unsigned int var_len, char *val, unsigned int val_len) { unsigned int idx = hash_value & FCGI_HASH_TABLE_MASK; fcgi_hash_bucket *p = h->hash_table[idx]; while (UNEXPECTED(p != NULL)) {
//php全局变量名称hash_value相等,p中的var值以传入的固定的全局变量名称开头就可以,以及全局变量名称长度相同,则可覆盖到php其他全局变量的值,hash函数如下
/***
*memcmp是比较内存区域buf1和buf2的前count个字节。该函数是按字节进行比较的
*memcmp(p->var, var, var_len)这段函数是比较p->var中的值是否是以var的值开头
*#define FCGI_HASH_FUNC(var, var_len)
*(UNEXPECTED(var_len < 3) ? (unsigned int)var_len :
*(((unsigned int)var[3]) << 2) +
*(((unsigned int)var[var_len-2]) << 4) +
*(((unsigned int)var[var_len-1]) << 2) +
*var_len)
*/
if (UNEXPECTED(p->hash_value == hash_value) && p->var_len == var_len && memcmp(p->var, var, var_len) == 0) { p->val_len = val_len; p->val = fcgi_hash_strndup(h, val, val_len); return p->val; } p = p->next; } if (UNEXPECTED(h->buckets->idx >= FCGI_HASH_TABLE_SIZE)) { fcgi_hash_buckets *b = (fcgi_hash_buckets*)malloc(sizeof(fcgi_hash_buckets)); b->idx = 0; b->next = h->buckets; h->buckets = b; } p = h->buckets->data + h->buckets->idx; h->buckets->idx++; p->next = h->hash_table[idx]; h->hash_table[idx] = p; p->list_next = h->list; h->list = p; p->hash_value = hash_value; p->var_len = var_len;
//进入fcgi_hash_strndup此函数 p->var = fcgi_hash_strndup(h, var, var_len); p->val_len = val_len; p->val = fcgi_hash_strndup(h, val, val_len); return p->val; }
进入fcgi_hash_strndup此函数
static inline char* fcgi_hash_strndup(fcgi_hash *h, char *str, unsigned int str_len) { char *ret; if (UNEXPECTED(h->data->pos + str_len + 1 >= h->data->end)) { unsigned int seg_size = (str_len + 1 > FCGI_HASH_SEG_SIZE) ? str_len + 1 : FCGI_HASH_SEG_SIZE; fcgi_data_seg *p = (fcgi_data_seg*)malloc(sizeof(fcgi_data_seg) - 1 + seg_size); p->pos = p->data; p->end = p->pos + seg_size; p->next = h->data; h->data = p; }
//写入数据 ret = h->data->pos; memcpy(ret, str, str_len); ret[str_len] = 0; h->data->pos += str_len + 1; return ret; }
到现在,全局变量的值已经可控的了。
如何使用修改全局变量导致远程代码执行,可参考poc