YCCMS V3.4 安全审计报告与漏洞分析<\/h1>

1. 系统概述<\/h2>
YCCMS V3.4 是一个基于PHP开发的内容管理系统，版本号为"Ver 3.4"。该系统采用单入口设计模式，通过Factory类动态加载控制器。<\/p>

2. 漏洞分析<\/h2>

2.1 远程代码执行漏洞(RCE)<\/h3>

漏洞文件<\/strong>: \/public\/class\/Factory.class.php<\/code><\/p>

漏洞代码<\/strong>:<\/p>

class<\/span> Factory<\/span> {
<\/span><\/span>    static<\/span> private<\/span> $_obj =<\/span> null<\/span>;
<\/span><\/span>    
<\/span><\/span>    static<\/span> public<\/span> function<\/span> setAction<\/span>(){
<\/span><\/span>        $_a =<\/span> self<\/span>::<\/span>getA<\/span>();
<\/span><\/span>        if<\/span> (in_array<\/span>($_a, array<\/span>('admin'<\/span>, 'nav'<\/span>, 'article'<\/span>,'backup'<\/span>,'html'<\/span>,'link'<\/span>,'pic'<\/span>,'search'<\/span>,'system'<\/span>,'xml'<\/span>,'online'<\/span>))) {
<\/span><\/span>            if<\/span> (!<\/span>isset<\/span>($_SESSION['admin'<\/span>])) {
<\/span><\/span>                header<\/span>('Location:'<\/span>.<\/span>'?a=login'<\/span>);
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>        if<\/span> (!<\/span>file_exists<\/span>(ROOT_PATH<\/span>.<\/span>'\/controller\/'<\/span>.<\/span>ucfirst<\/span>($_a).<\/span>'Action.class.php'<\/span>)) 
<\/span><\/span>            $_a =<\/span> 'Login'<\/span>;
<\/span><\/span>        eval<\/span>('self::$_obj = new '<\/span>.<\/span>ucfirst<\/span>($_a).<\/span>'Action();'<\/span>);
<\/span><\/span>        return<\/span> self<\/span>::<\/span>$_obj;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞原理<\/strong>:<\/p>

系统通过$_a<\/code>参数动态加载控制器类<\/li>
file_exists()<\/code>函数检查控制器文件是否存在<\/li>
使用eval()<\/code>函数动态实例化控制器类<\/li>
攻击者可以通过目录遍历技巧绕过file_exists()<\/code>检查<\/li>
<\/ol>
绕过技巧<\/strong>:<\/p>

file_exists()<\/code>函数允许目录中存在特殊字符<\/li>
\/..\/<\/code>会将前面的内容当作目录处理，并返回上级目录<\/li>
构造如Factory();phpinfo()<\/code>的payload：

Factory<\/code>用于闭合前面的实例化对象<\/li>
phpinfo()<\/code>是插入的恶意代码<\/li>
最后返回上级目录满足目录存在检查<\/li>
<\/ul>
<\/li>
<\/ul>
触发点<\/strong>:<\/p>

config\/run.inc.php<\/code>文件包含以下代码：
Factory<\/span>::<\/span>setAction<\/span>()-><\/span>run<\/span>();
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
可利用入口点<\/strong>:<\/p>

\/admin\/index.php<\/code> (可简化为\/admin<\/code>)<\/li>
\/search\/index.php<\/code> (可简化为\/search<\/code>)<\/li>
\/config\/count.php<\/code><\/li>
<\/ol>
有效攻击向量<\/strong>:<\/p>
\/admin?a=Factory();phpinfo()
\/search?a=Factory();phpinfo()
\/config\/count.php?a=Factory();phpinfo()
<\/code><\/pre>
无效攻击向量<\/strong>:<\/p>
\/config?a=Factory();phpinfo()  \/\/ 无index.php或处理逻辑
<\/code><\/pre>
2.2 未授权管理员密码修改漏洞<\/h3>
漏洞文件<\/strong>: controller\/AdminAction.class.php<\/code><\/p>
漏洞代码<\/strong>:<\/p>
public<\/span> function<\/span> update<\/span>(){
<\/span><\/span>    if<\/span>(isset<\/span>($_POST['send'<\/span>])){
<\/span><\/span>        if<\/span>(validate<\/span>::<\/span>isNullString<\/span>($_POST['username'<\/span>])) 
<\/span><\/span>            Tool<\/span>::<\/span>t_back<\/span>('用户名不能为空'<\/span>,'?a=admin&m=update'<\/span>);
<\/span><\/span>        \/\/ 其他密码修改逻辑...
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞原理<\/strong>:<\/p>

密码修改功能未进行充分的权限验证<\/li>
仅检查了用户名是否为空，未验证当前会话权限<\/li>
攻击者可以直接提交修改请求更改管理员密码<\/li>
<\/ol>
3. 漏洞复现步骤<\/h2>
3.1 RCE漏洞复现<\/h3>

访问以下URL之一：
http:\/\/target\/admin?a=Factory();phpinfo()
http:\/\/target\/search?a=Factory();phpinfo()
http:\/\/target\/config\/count.php?a=Factory();phpinfo()
<\/code><\/pre>
<\/li>
观察是否执行了phpinfo()<\/code>函数<\/li>
<\/ol>
3.2 未授权密码修改复现<\/h3>

构造POST请求到?a=admin&m=update<\/code><\/li>
提交包含管理员用户名和新密码的表单<\/li>
观察密码是否被修改<\/li>
<\/ol>
4. 修复建议<\/h2>
4.1 RCE漏洞修复<\/h3>

修改Factory.class.php<\/code>中的setAction<\/code>方法：
static<\/span> public<\/span> function<\/span> setAction<\/span>(){
<\/span><\/span>    $_a =<\/span> self<\/span>::<\/span>getA<\/span>();
<\/span><\/span>    \/\/ 白名单验证
<\/span><\/span><\/span><\/span>    $allowedActions =<\/span> array<\/span>('admin'<\/span>, 'nav'<\/span>, 'article'<\/span>, 'backup'<\/span>, 'html'<\/span>, 'link'<\/span>, 'pic'<\/span>, 'search'<\/span>, 'system'<\/span>, 'xml'<\/span>, 'online'<\/span>, 'login'<\/span>);
<\/span><\/span>
<\/span><\/span>    if<\/span> (!<\/span>in_array<\/span>($_a, $allowedActions)) {
<\/span><\/span>        $_a =<\/span> 'Login'<\/span>;
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    $controllerFile =<\/span> ROOT_PATH<\/span>.<\/span>'\/controller\/'<\/span>.<\/span>ucfirst<\/span>($_a).<\/span>'Action.class.php'<\/span>;
<\/span><\/span>    if<\/span> (!<\/span>file_exists<\/span>($controllerFile) ||<\/span> strpos<\/span>($_a, '\/'<\/span>) !==<\/span> false<\/span> ||<\/span> strpos<\/span>($_a, '..'<\/span>) !==<\/span> false<\/span>) {
<\/span><\/span>        $_a =<\/span> 'Login'<\/span>;
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    $className =<\/span> ucfirst<\/span>($_a).<\/span>'Action'<\/span>;
<\/span><\/span>    if<\/span> (class_exists<\/span>($className)) {
<\/span><\/span>        self<\/span>::<\/span>$_obj =<\/span> new<\/span> $className();
<\/span><\/span>        return<\/span> self<\/span>::<\/span>$_obj;
<\/span><\/span>    }
<\/span><\/span>    throw<\/span> new<\/span> Exception<\/span>('Invalid action'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4.2 未授权密码修改修复<\/h3>

在update<\/code>方法中添加权限验证：
public<\/span> function<\/span> update<\/span>(){
<\/span><\/span>    if<\/span> (!<\/span>isset<\/span>($_SESSION['admin'<\/span>])) {
<\/span><\/span>        Tool<\/span>::<\/span>t_back<\/span>('无权访问'<\/span>,'?a=login'<\/span>);
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    if<\/span>(isset<\/span>($_POST['send'<\/span>])){
<\/span><\/span>        if<\/span>(validate<\/span>::<\/span>isNullString<\/span>($_POST['username'<\/span>])) 
<\/span><\/span>            Tool<\/span>::<\/span>t_back<\/span>('用户名不能为空'<\/span>,'?a=admin&m=update'<\/span>);
<\/span><\/span>        \/\/ 其他逻辑...
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
5. 总结<\/h2>
YCCMS V3.4存在两个严重安全漏洞：<\/p>

远程代码执行漏洞：由于不安全的动态类加载和eval使用导致<\/li>
未授权管理员密码修改：由于缺乏权限验证导致<\/li>
<\/ol>
建议用户立即升级或应用修复补丁，避免系统被攻击者利用。<\/p>

YCCMS V3.4 安全审计报告与漏洞分析<\/h1>

1. 系统概述<\/h2> YCCMS V3.4 是一个基于PHP开发的内容管理系统，版本号为"Ver 3.4"。该系统采用单入口设计模式，通过Factory类动态加载控制器。<\/p>

2. 漏洞分析<\/h2>

3. 漏洞复现步骤<\/h2>

4. 修复建议<\/h2>

1. 系统概述<\/h2>
YCCMS V3.4 是一个基于PHP开发的内容管理系统，版本号为"Ver 3.4"。该系统采用单入口设计模式，通过Factory类动态加载控制器。<\/p>