PHP代码审计：关于PHP_SELF的安全利用分析<\/h1>

漏洞概述<\/h2>
本文分析了基于`$_SERVER['PHP_SELF']<\/code>变量的安全漏洞，这种漏洞可能导致SQL注入攻击。漏洞存在于ImpressCMS等系统中，通过精心构造的URL可以触发时间延迟型SQL注入。<\/p>`

漏洞复现<\/h2>

安装ImpressCMS系统<\/li>
访问以下URL触发漏洞：
http:\/\/127.0.0.1:81\/admin.php\/modules\/system' and sleep(2) and '1
<\/code><\/pre>
<\/li>
观察响应时间，如果出现3秒左右的延迟，则证明漏洞存在<\/li>
<\/ol>
漏洞分析<\/h2>
漏洞核心位于\htdocs\libraries\icms\module\Handler.php<\/code>文件的service<\/code>函数：<\/p>
static<\/span> public<\/span> function<\/span> service<\/span>($inAdmin =<\/span> FALSE<\/span>) {
<\/span><\/span>    if<\/span> ($inAdmin ||<\/span> ...<\/span> ) {
<\/span><\/span>        $url_arr =<\/span> explode<\/span>('\/'<\/span>, strstr<\/span>($_SERVER['PHP_SELF'<\/span>], '\/modules\/'<\/span>));
<\/span><\/span>        if<\/span> (isset<\/span>($url_arr[2<\/span>])) {
<\/span><\/span>            $module =<\/span> icms<\/span>::<\/span>handler<\/span>("icms_module"<\/span>)-><\/span>getByDirname<\/span>($url_arr[2<\/span>], TRUE<\/span>);
<\/span><\/span><\/code><\/pre>关键点：<\/p>

使用$_SERVER['PHP_SELF']<\/code>获取当前脚本路径<\/li>
以\/modules\/<\/code>为分隔符分割URL<\/li>
将分割后的第二部分直接传入getByDirname<\/code>函数<\/li>
<\/ol>
getByDirname<\/code>函数实现（存在SQL注入）：<\/p>
public<\/span> function<\/span> getByDirname<\/span>($dirname, $loadConfig =<\/span> FALSE<\/span>) {
<\/span><\/span>    if<\/span> (!<\/span>empty<\/span>($this-><\/span>_cachedModule<\/span>[$dirname]) &&<\/span>
<\/span><\/span>        $this-><\/span>_cachedModule<\/span>[$dirname]-><\/span>getVar<\/span>('dirname'<\/span>) ==<\/span> $dirname
<\/span><\/span>    ) {
<\/span><\/span>        ...<\/span>
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        $sql =<\/span> "SELECT * FROM "<\/span> .<\/span> $this-><\/span>db<\/span>-><\/span>prefix<\/span>('modules'<\/span>) .<\/span> " WHERE dirname = '"<\/span> .<\/span> trim<\/span>($dirname) .<\/span> "'"<\/span>;
<\/span><\/span>        \/\/执行sql
<\/span><\/span><\/span><\/code><\/pre>扩展思考<\/h2>
其他类似漏洞模式<\/h3>


文件后缀检查绕过：<\/p>
$tmp =<\/span> strtolower<\/span>(substr<\/span>($uri,-<\/span>4<\/span>));
<\/span><\/span>if<\/span>(in_array<\/span>($tmp,array<\/span>('.jpg'<\/span>,'.gif'<\/span>,'.png'<\/span>,'jpeg'<\/span>)) &&<\/span> substr<\/span>($uri,0<\/span>,11<\/span>) ==<\/span> 'res\/_cache\/'<\/span>){
<\/span><\/span>    $tmp =<\/span> substr<\/span>($uri,11<\/span>);
<\/span><\/span>    $tmp =<\/span> explode<\/span>("\/"<\/span>,$tmp);
<\/span><\/span>    get_one<\/span>($tmp[0<\/span>]);
<\/span><\/span><\/code><\/pre>攻击payload：<\/p>
index.php\/res\/_cache\/a'-sleep(3)-'\/test\/test.jpg
<\/code><\/pre>
<\/li>

REQUEST_URI<\/code>的路径遍历：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>print_r<\/span>($_SERVER['REQUEST_URI'<\/span>]);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>修改请求为：<\/p>
\/abc'd\/..\/test\/test.php
<\/code><\/pre>
虽然实际访问的是test.php，但REQUEST_URI<\/code>会输出修改后的路径<\/p>
<\/li>
<\/ol>
安全风险<\/h3>

直接输出PHP_SELF<\/code>或REQUEST_URI<\/code>可能导致反射型XSS<\/li>
$_SERVER<\/code>数组中多个变量可能被恶意利用，需要谨慎处理<\/li>
<\/ol>
防御建议<\/h2>

对从$_SERVER<\/code>获取的所有数据进行严格过滤和转义<\/li>
使用预处理语句处理数据库查询<\/li>
实施白名单机制验证文件路径和扩展名<\/li>
对输出到页面的URL进行HTML编码<\/li>
避免直接拼接用户输入到SQL查询中<\/li>
<\/ol>
总结<\/h2>
PHP_SELF<\/code>和REQUEST_URI<\/code>等服务器变量如果处理不当，可能导致SQL注入、XSS等安全漏洞。开发人员应始终验证和清理来自$_SERVER<\/code>数组的所有输入，并采用安全的编码实践来防止此类漏洞。<\/p>

PHP代码审计：关于PHP_SELF的安全利用分析<\/h1>

漏洞概述<\/h2> 本文分析了基于$_SERVER['PHP_SELF']<\/code>变量的安全漏洞，这种漏洞可能导致SQL注入攻击。漏洞存在于ImpressCMS等系统中，通过精心构造的URL可以触发时间延迟型SQL注入。<\/p>

扩展思考<\/h2>

总结<\/h2> PHP_SELF<\/code>和REQUEST_URI<\/code>等服务器变量如果处理不当，可能导致SQL注入、XSS等安全漏洞。开发人员应始终验证和清理来自$_SERVER<\/code>数组的所有输入，并采用安全的编码实践来防止此类漏洞。<\/p>

漏洞概述<\/h2>
本文分析了基于`$_SERVER['PHP_SELF']<\/code>变量的安全漏洞，这种漏洞可能导致SQL注入攻击。漏洞存在于ImpressCMS等系统中，通过精心构造的URL可以触发时间延迟型SQL注入。<\/p>`

总结<\/h2>
`PHP_SELF<\/code>和REQUEST_URI<\/code>等服务器变量如果处理不当，可能导致SQL注入、XSS等安全漏洞。开发人员应始终验证和清理来自$_SERVER<\/code>数组的所有输入，并采用安全的编码实践来防止此类漏洞。<\/p>`