Mini CMS v1.1 垂直越权漏洞分析与利用<\/h1>

一、系统概述<\/h2>
Mini CMS 是一个针对个人网站设计的微型内容管理系统，具有以下特点：<\/p>
不需要数据库支持，只需要PHP运行环境<\/li>
针对个人网站设计，没有复杂的成员管理和权限设置<\/li>
使用标签而非分类系统<\/li>
只有"文章"和"页面"两个基本系统<\/li>
版本：v1.1<\/li> <\/ul>
二、漏洞发现<\/h2>

0x01 垂直越权漏洞<\/h3>

漏洞位置<\/h4>
mc-admin\/index.php<\/code> - 登录验证逻辑<\/li>
mc-admin\/head.php<\/code> - 权限验证逻辑<\/li>
mc-admin\/post.php<\/code> - 业务逻辑与权限验证分离<\/li>
<\/ul>
漏洞分析<\/h4>


认证机制分析<\/strong>：<\/p>

登录成功后设置cookie：mc_token = md5(用户名_密码)<\/code><\/li>
权限验证仅检查cookie中的mc_token<\/code>是否匹配md5(用户名_密码)<\/code><\/li>
<\/ul>
<\/li>

权限验证缺陷<\/strong>：<\/p>

post.php<\/code>文件中权限验证位于第188行<\/li>
但在权限验证前已经执行了多个功能函数，包括delete_post()<\/code><\/li>
导致未授权用户可以执行删除操作<\/li>
<\/ul>
<\/li>

关键代码片段<\/strong>：<\/p>
\/\/ mc-admin\/index.php 登录验证
<\/span><\/span><\/span><\/span>if<\/span> (isset<\/span>($_POST['login'<\/span>])) {
<\/span><\/span>    if<\/span> ($_POST['user'<\/span>] ==<\/span> $mc_config['user_name'<\/span>] &&<\/span> $_POST['pass'<\/span>] ==<\/span> $mc_config['user_pass'<\/span>]) {
<\/span><\/span>        setcookie<\/span>('mc_token'<\/span>, md5<\/span>($mc_config['user_name'<\/span>].<\/span>'_'<\/span>.<\/span>$mc_config['user_pass'<\/span>]));
<\/span><\/span>        Header<\/span>("Location:<\/span>{<\/span>$mc_config['site_link'<\/span>]}<\/span>\/mc-admin\/post.php"<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ mc-admin\/head.php 权限验证
<\/span><\/span><\/span><\/span>if<\/span> (isset<\/span>($_COOKIE['mc_token'<\/span>])) {
<\/span><\/span>    $token =<\/span> $_COOKIE['mc_token'<\/span>];
<\/span><\/span>    if<\/span> ($token !=<\/span> md5<\/span>($mc_config['user_name'<\/span>].<\/span>'_'<\/span>.<\/span>$mc_config['user_pass'<\/span>])) {
<\/span><\/span>        Header<\/span>("Location:index.php"<\/span>);
<\/span><\/span>        exit<\/span>;
<\/span><\/span>    }
<\/span><\/span>} else<\/span> {
<\/span><\/span>    Header<\/span>("Location:index.php"<\/span>);
<\/span><\/span>    exit<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ mc-admin\/post.php 删除功能
<\/span><\/span><\/span><\/span>function<\/span> delete_post<\/span>($id) {
<\/span><\/span>    global<\/span> $state, $index_file, $mc_posts;
<\/span><\/span>    \/\/ 删除逻辑...
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>if<\/span> (isset<\/span>($_GET['delete'<\/span>]) ||<\/span> (isset<\/span>($_GET['apply'<\/span>]) &&<\/span> $_GET['apply'<\/span>] ==<\/span> 'delete'<\/span>)) {
<\/span><\/span>    \/\/ 删除操作执行...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
漏洞利用<\/h4>


未授权删除文章<\/strong>：<\/p>

构造Payload直接访问删除功能：
http:\/\/target\/mc-admin\/post.php?state=delete&delete=文章ID
<\/code><\/pre>
<\/li>
无需任何认证信息即可删除指定ID的文章<\/li>
<\/ul>
<\/li>

批量删除<\/strong>：<\/p>

构造Payload：
http:\/\/target\/mc-admin\/post.php?state=delete&apply=delete&ids=ID1,ID2,ID3
<\/code><\/pre>
<\/li>
<\/ul>
<\/li>
<\/ol>
0x02 后台GetShell漏洞<\/h3>
前提条件<\/h4>

需要管理员权限（能够进入后台）<\/li>
<\/ul>
漏洞位置<\/h4>

mc-admin\/conf.php<\/code> - 系统配置保存功能<\/li>
<\/ul>
漏洞分析<\/h4>


配置保存机制<\/strong>：<\/p>

使用var_export()<\/code>函数将配置写入mc-conf.php<\/code>文件<\/li>
配置项包括站点名称、描述、链接、用户名、密码等<\/li>
<\/ul>
<\/li>

安全缺陷<\/strong>：<\/p>

虽然单引号会被转义，但可以通过构造特殊Payload实现代码注入<\/li>
尝试注入PHP代码会被转义函数处理<\/li>
<\/ul>
<\/li>

关键代码<\/strong>：<\/p>
$mc_config['comment_code'<\/span>] =<\/span> get_magic_quotes_gpc<\/span>() ?<\/span> stripslashes<\/span>(trim<\/span>($_POST['comment_code'<\/span>])) :<\/span> trim<\/span>($_POST['comment_code'<\/span>]);
<\/span><\/span>$code =<\/span> "<?php<\/span>\n\$<\/span>mc_config = "<\/span>.<\/span>var_export<\/span>($mc_config, true<\/span>).<\/span>"<\/span>\n<\/span>?>"<\/span>;
<\/span><\/span>file_put_contents<\/span>('..\/mc-files\/mc-conf.php'<\/span>, $code);
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
漏洞利用<\/h4>


尝试注入<\/strong>：<\/p>

构造Payload：xxx');assert($_GET[x]);\/*<\/code><\/li>
但会被var_export()<\/code>函数转义单引号<\/li>
<\/ul>
<\/li>

实际利用限制<\/strong>：<\/p>

由于var_export()<\/code>的安全处理，直接代码注入较难实现<\/li>
需要寻找其他可利用的点或结合其他漏洞<\/li>
<\/ul>
<\/li>
<\/ol>
三、修复建议<\/h2>


垂直越权修复<\/strong>：<\/p>

在post.php<\/code>文件所有功能函数前添加权限验证<\/li>
使用统一的权限验证机制，避免验证遗漏<\/li>
<\/ul>
<\/li>

安全增强<\/strong>：<\/p>

对敏感操作增加二次验证<\/li>
实现CSRF防护机制<\/li>
对文件写入操作进行更严格的安全检查<\/li>
<\/ul>
<\/li>

代码结构优化<\/strong>：<\/p>

将权限验证提取为独立函数或类<\/li>
在入口处统一进行权限验证<\/li>
<\/ul>
<\/li>
<\/ol>
四、总结<\/h2>
该Mini CMS v1.1存在严重的垂直越权漏洞，主要由于权限验证与业务逻辑执行顺序不当导致。攻击者无需认证即可执行文章删除等敏感操作。虽然后台GetShell因安全函数处理较难实现，但仍建议开发者加强安全措施，特别是权限验证机制的设计与实现。<\/p>