某开源企业站CMS安全审计报告分析<\/h1>

前言<\/h2>
本文对某国产开源企业级CMS系统进行了详细的安全审计，发现了多个高危漏洞，包括重安装漏洞导致Getshell、SQL注入、任意文件删除等。以下是详细的分析过程和利用方法。<\/p>

系统入口分析<\/h2>

入口文件index.php<\/code>关键代码：<\/p>

<?<\/span>php<\/span>
<\/span><\/span>if<\/span>( !<\/span>file_exists<\/span>(dirname<\/span>(__FILE__<\/span>) .<\/span> "\/include\/config.db.php"<\/span>) ) {
<\/span><\/span>    header<\/span>("Location:install\/index.php"<\/span>);
<\/span><\/span>    exit<\/span>();
<\/span><\/span>}
<\/span><\/span>require_once<\/span>( "include\/common.inc.php"<\/span> );
<\/span><\/span>$mod =<\/span> str_replace<\/span>( '..\/'<\/span>, ''<\/span>, $mod );
<\/span><\/span>
<\/span><\/span>if<\/span>( empty<\/span>( $mod ) ) {
<\/span><\/span>    $mod =<\/span> 'index'<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$action_file =<\/span> WEB_INCLUDE<\/span> .<\/span> '\/action\/'<\/span> .<\/span> $mod .<\/span> '.php'<\/span>;
<\/span><\/span>file_exists<\/span>($action_file) &&<\/span> require_once<\/span>($action_file);
<\/span><\/span>
<\/span><\/span>$cls_tpl =<\/span> cls_app<\/span>::<\/span> get_template<\/span>( $mod );
<\/span><\/span>$cls_tpl-><\/span>display<\/span>();
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>安全观察<\/strong>：<\/p>

$mod = str_replace( '..\/', '', $mod );<\/code> 使用简单的字符串替换来防止目录穿越，但可以使用...\/.\/<\/code>形式绕过<\/li>
文件包含限制后缀必须为.php<\/code>，且前缀固定，无法直接利用伪协议<\/li>
<\/ol>
全局变量注册问题<\/h2>
common.inc.php<\/code>中存在全局变量注册：<\/p>
$req_data =<\/span> array<\/span>();
<\/span><\/span>foreach<\/span>( array<\/span>('_GET'<\/span>, '_POST'<\/span>, '_COOKIE'<\/span>) as<\/span> $_request ) {
<\/span><\/span>    foreach<\/span>( 
<\/span><\/span>$$<\/span>
<\/span><\/span>_request<\/span> as<\/span> $_k =><\/span> $_v ) {
<\/span><\/span>        ${$_k} =<\/span> _get_request<\/span>($_v);
<\/span><\/span>        if<\/span>( '_COOKIE'<\/span> !=<\/span> $_request ) {
<\/span><\/span>            $req_data[$_k] =<\/span> _get_request<\/span>($_v);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>unset<\/span>($_GET, $_POST);
<\/span><\/span><\/code><\/pre>风险<\/strong>：<\/p>

将GET、POST、COOKIE参数注册为全局变量，可能导致变量覆盖漏洞<\/li>
<\/ul>
重安装漏洞(Getshell)<\/h2>
漏洞位置<\/h3>
install_action.php<\/code>中的安装完成处理：<\/p>
function<\/span> install_end<\/span>() {
<\/span><\/span>    \/\/安装收尾
<\/span><\/span><\/span><\/span>    \/\/把安装文件的名字换了
<\/span><\/span><\/span><\/span>    @<\/span>rename<\/span>('index.php'<\/span>, 'index.php_bak'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>问题<\/strong>：<\/p>

只重命名了前端文件，后端逻辑文件仍然存在<\/li>
知道安装文件位置即可重新安装<\/li>
<\/ul>
配置文件写入漏洞<\/h3>
install_action.php<\/code>中的数据库配置写入：<\/p>
function<\/span> write_db_config<\/span>($db_type, $db_host, $db_name, $db_pass, $db_table, $db_tablepre) {   
<\/span><\/span>    global<\/span> $db_code;
<\/span><\/span>    $db_config =<\/span> ""<\/span>;
<\/span><\/span>    $db_config .=<\/span> "<?php<\/span>\n\n<\/span>"<\/span>;
<\/span><\/span>    $db_config .=<\/span> "<\/span>\$<\/span>db_type = '"<\/span> .<\/span> $db_type .<\/span> "';<\/span>\n<\/span>"<\/span>;
<\/span><\/span>    $db_config .=<\/span> "<\/span>\$<\/span>db_host = '"<\/span> .<\/span> $db_host .<\/span> "';<\/span>\n<\/span>"<\/span>;
<\/span><\/span>    $db_config .=<\/span> "<\/span>\$<\/span>db_name = '"<\/span> .<\/span> $db_name .<\/span> "';<\/span>\n<\/span>"<\/span>;
<\/span><\/span>    $db_config .=<\/span> "<\/span>\$<\/span>db_pass = '"<\/span> .<\/span> $db_pass .<\/span> "';<\/span>\n<\/span>"<\/span>;
<\/span><\/span>    $db_config .=<\/span> "<\/span>\$<\/span>db_table = '"<\/span> .<\/span> $db_table .<\/span> "';<\/span>\n<\/span>"<\/span>;
<\/span><\/span>    $db_config .=<\/span> "<\/span>\$<\/span>db_ut = '"<\/span> .<\/span> $db_code .<\/span> "';<\/span>\n<\/span>"<\/span>;
<\/span><\/span>    $db_config .=<\/span> "<\/span>\$<\/span>db_tablepre = '"<\/span> .<\/span> $db_tablepre .<\/span> "';<\/span>\n\n<\/span>"<\/span>;
<\/span><\/span>    $db_config .=<\/span> "?>"<\/span>;
<\/span><\/span>    require_once<\/span>("..\/include\/class\/class.file.php"<\/span>);
<\/span><\/span>    $cls_file =<\/span> new<\/span> cls_file<\/span>('..\/include\/config.db.php'<\/span>);
<\/span><\/span>    $cls_file-><\/span> set_text<\/span>($db_config);
<\/span><\/span>    return<\/span> $cls_file-><\/span> write<\/span>();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用方法<\/strong>：

通过控制tablepre<\/code>参数注入PHP代码：<\/p>
tablepre=dcr_qy_';?><?php phpinfo()?>
<\/code><\/pre>
影响<\/strong>：<\/p>

写入的配置文件会被所有页面包含，相当于后门<\/li>
可执行任意PHP代码<\/li>
<\/ul>
SQL注入漏洞<\/h2>
install_action.php<\/code>中存在直接拼接SQL语句：<\/p>
$db_table =<\/span> $_POST['table'<\/span>];
<\/span><\/span>$sql_db_exists =<\/span> "SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA WHERE SCHEMA_NAME='<\/span>$db_table<\/span>'"<\/span>;
<\/span><\/span><\/code><\/pre>风险<\/strong>：<\/p>

直接拼接用户输入到SQL语句，导致SQL注入<\/li>
<\/ul>
任意文件删除漏洞<\/h2>
漏洞1：文件管理功能<\/h3>
fmanage_action.php<\/code>中文件删除功能未过滤路径：<\/p>
action<\/span>=<\/span>del_file<\/span>&<\/span>cpath<\/span>=..\/..\/..\/..\/..\/..\/..\/<\/span>1.<\/span>txt<\/span>
<\/span><\/span><\/code><\/pre>利用方法<\/strong>：

通过控制cpath<\/code>参数删除任意文件<\/p>
漏洞2：cls_dir类中的删除功能<\/h3>
cache_clear.php<\/code>引用了cls_dir<\/code>类：<\/p>
$cls_dir =<\/span> new<\/span> cls_dir<\/span>();
<\/span><\/span>$cls_dir-><\/span> delete_dir<\/span>( WEB_CACHE<\/span>  .<\/span> "\/template\/<\/span>{<\/span>$tpl_dir}<\/span>"<\/span> );
<\/span><\/span><\/code><\/pre>利用方法<\/strong>：

通过控制tpl_dir<\/code>参数删除任意目录<\/p>
失败的审计尝试<\/h2>
数据库连接控制<\/h3>
db.class.php<\/code>中的构造函数：<\/p>
function<\/span> __construct( $db_type, $db_host, $db_name, $db_pass, $db_table, $db_ut ) {
<\/span><\/span>    $this-><\/span>db_type<\/span> =<\/span> $db_type;
<\/span><\/span>    $this-><\/span>host<\/span> =<\/span> $db_host;
<\/span><\/span>    $this-><\/span>name<\/span> =<\/span> $db_name;
<\/span><\/span>    $this-><\/span>pass<\/span> =<\/span> $db_pass;
<\/span><\/span>    $this-><\/span>table<\/span> =<\/span> $db_table;    
<\/span><\/span>    $this-><\/span>ut<\/span> =<\/span> $db_ut;
<\/span><\/span>    if<\/span>( !<\/span>$this-><\/span>conn<\/span> ) {
<\/span><\/span>        $this-><\/span>connect<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>潜在利用思路<\/strong>：<\/p>

如果能控制类实例化参数，可控制数据库连接<\/li>
结合MySQL任意文件读取漏洞<\/li>
但审计发现实例化参数不可控<\/li>
<\/ul>
SMTP服务SSRF尝试<\/h3>
class.email.php<\/code>中的SMTP连接：<\/p>
function<\/span> smtp_ok<\/span>() {
<\/span><\/span>    $response =<\/span> str_replace<\/span>("<\/span>\r\n<\/span>"<\/span>, ""<\/span>, fgets<\/span>($this-><\/span>sock<\/span>, 512<\/span>));
<\/span><\/span>    if<\/span> (!<\/span>ereg<\/span>("^[23]"<\/span>, $response)) {
<\/span><\/span>        fputs<\/span>($this-><\/span>sock<\/span>, "QUIT<\/span>\r\n<\/span>"<\/span>);
<\/span><\/span>        fgets<\/span>($this-><\/span>sock<\/span>, 512<\/span>);
<\/span><\/span>        cls_app<\/span>::<\/span>log<\/span>("Error: Remote host returned <\/span>\"<\/span>"<\/span> .<\/span> $response .<\/span> "<\/span>\"\n<\/span>"<\/span>);
<\/span><\/span>        return<\/span> false<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> true<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>限制<\/strong>：<\/p>

目标服务必须在连接时返回以2或3开头的响应<\/li>
大多数内网服务不满足此条件<\/li>
<\/ul>
总结与修复建议<\/h2>
高危漏洞总结<\/h3>


重安装漏洞导致Getshell<\/strong><\/p>

安装后未完全删除安装文件<\/li>
配置文件写入未过滤PHP代码<\/li>
<\/ul>
<\/li>

SQL注入<\/strong><\/p>

直接拼接用户输入到SQL语句<\/li>
<\/ul>
<\/li>

任意文件删除<\/strong><\/p>

两处未过滤的文件\/目录删除操作<\/li>
<\/ul>
<\/li>
<\/ol>
修复建议<\/h3>

安装完成后完全删除安装目录<\/li>
配置文件写入时过滤特殊字符或使用序列化存储<\/li>
所有SQL查询使用参数化查询<\/li>
文件操作前验证路径合法性<\/li>
禁用全局变量注册功能<\/li>
加强输入过滤，特别是文件路径相关操作<\/li>
<\/ol>
参考<\/h2>
CMS官网: http:\/\/www.dcrcms.com\/<\/p>

某开源企业站CMS安全审计报告分析<\/h1>

前言<\/h2> 本文对某国产开源企业级CMS系统进行了详细的安全审计，发现了多个高危漏洞，包括重安装漏洞导致Getshell、SQL注入、任意文件删除等。以下是详细的分析过程和利用方法。<\/p>

重安装漏洞(Getshell)<\/h2>

任意文件删除漏洞<\/h2>

总结与修复建议<\/h2>

参考<\/h2> CMS官网: http:\/\/www.dcrcms.com\/<\/p>

前言<\/h2>
本文对某国产开源企业级CMS系统进行了详细的安全审计，发现了多个高危漏洞，包括重安装漏洞导致Getshell、SQL注入、任意文件删除等。以下是详细的分析过程和利用方法。<\/p>

参考<\/h2>
CMS官网: http:\/\/www.dcrcms.com\/<\/p>