ThinkPHP代码审计与YAK-SSA工具使用指南<\/h1>

1. ThinkPHP代码审计基础<\/h2>

1.1 ThinkPHP请求处理机制<\/h3>
ThinkPHP框架封装了请求对象$request<\/code>，提供了多种参数获取方法：<\/p>


I()<\/code>方法：框架提供的输入过滤方法<\/p>

过滤行为依赖于config文件配置<\/li>
若未显式指定过滤参数且config未配置，则等同于传统参数获取方式<\/li>
审计要点：检查是否配置了默认过滤规则<\/li>
<\/ul>
<\/li>

常见可控变量来源：<\/p>
request<\/span>()
<\/span><\/span>input<\/span>()
<\/span><\/span>I<\/span>()
<\/span><\/span>*<\/span>request<\/span>.<\/span>get<\/span>()
<\/span><\/span>*<\/span>request<\/span>.<\/span>post<\/span>()
<\/span><\/span>*<\/span>input<\/span>()
<\/span><\/span>*<\/span>param<\/span>()
<\/span><\/span>*<\/span>post<\/span>()
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
1.2 数据库操作相关API<\/h3>
审计时需要重点关注的数据库操作方法：<\/p>
Db<\/span>::<\/span>table<\/span>()
<\/span><\/span>xx<\/span>-><\/span>insert<\/span>()
<\/span><\/span>xx<\/span>-><\/span>update<\/span>()
<\/span><\/span>xx<\/span>-><\/span>delete<\/span>()
<\/span><\/span>$model::<\/span>where<\/span>()
<\/span><\/span>Db<\/span>::<\/span>transaction<\/span>()
<\/span><\/span><\/code><\/pre>1.3 文件上传相关API<\/h3>
ThinkPHP中常见的文件上传辅助函数：<\/p>
$file-><\/span>move<\/span>()
<\/span><\/span>$file-><\/span>check<\/span>()
<\/span><\/span>$file-><\/span>save<\/span>()
<\/span><\/span>Filesystem<\/span>()
<\/span><\/span>$file-><\/span>error<\/span>()
<\/span><\/span>$file-><\/span>getError<\/span>()
<\/span><\/span><\/code><\/pre>2. YAK-SSA工具使用<\/h2>
2.1 SyntaxFlow基础语法<\/h3>
YAK-SSA的核心功能是SyntaxFlow语法：<\/p>


基本定义：<\/p>
$source #-> as $sink  \/\/ 顶级定义
<\/span><\/span><\/span><\/span>$source --><\/span> as<\/span> $sink  \/\/ 底级使用
<\/span><\/span><\/span><\/code><\/pre><\/li>

重要配置指令：<\/p>
include<\/span>:<\/span> 路径上有<\/span>(包含<\/span>)
<\/span><\/span>exclude<\/span>:<\/span> 路径上无<\/span>(排除<\/span>)
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
2.2 规则编写示例<\/h3>
示例1：基本控制流分析<\/h4>
$a =<\/span> 1<\/span>;
<\/span><\/span>if<\/span>($a){
<\/span><\/span>    $a =<\/span> filter<\/span>($a);
<\/span><\/span>}else<\/span>{
<\/span><\/span>    $a =<\/span> unsafe<\/span>($a);
<\/span><\/span>}
<\/span><\/span>eval<\/span>($a);
<\/span><\/span><\/code><\/pre>对应规则：<\/p>
\/\/ 寻找顶级定义的过程中，排除路径上filter的
<\/span><\/span><\/span><\/span>*<\/span>a<\/span> #{exclude: `*?{have: filter}`}-> as $sink
<\/span><\/span><\/span><\/code><\/pre>示例2：改进版规则（加入可控变量检查）<\/h4>
\/\/ 寻找顶级定义的过程中，路径上包含与_POST相交的点，并且排除filter
<\/span><\/span><\/span><\/span>_POST<\/span> as<\/span> $source
<\/span><\/span>*<\/span>a<\/span> #{exclude: <<<CODE
<\/span><\/span><\/span><\/span>*?<\/span>{have<\/span>:<\/span> filter<\/span>}
<\/span><\/span>CODE<\/span>,include<\/span>:<\/span> <<<<\/span>CODE<\/span>
<\/span><\/span>*<\/span> &<\/span> $source
<\/span><\/span>CODE<\/span>}-><\/span> as<\/span> $sink
<\/span><\/span><\/code><\/pre>2.3 实战审计流程<\/h3>


项目编译<\/strong>：<\/p>

大型PHP项目编译可能较慢<\/li>
可跳过非核心依赖（如imageutil、wechat等）以加快速度<\/li>
<\/ul>
<\/li>

存储型XSS审计规则<\/strong>：<\/p>
<\/li>
<\/ol>
request<\/span>() as<\/span> $source1
<\/span><\/span>input<\/span>() as<\/span> $source3
<\/span><\/span>i<\/span>() as<\/span> $source4
<\/span><\/span>*<\/span>request<\/span>.<\/span>get<\/span>() as<\/span> $source5
<\/span><\/span>*<\/span>request<\/span>.<\/span>post<\/span>() as<\/span> $source6
<\/span><\/span>.<\/span>input<\/span>() as<\/span> $source7
<\/span><\/span>.<\/span>param<\/span>() as<\/span> $source8
<\/span><\/span>.<\/span>post<\/span>() as<\/span> $source9
<\/span><\/span>$source1+<\/span>$source3+<\/span>$source4+<\/span>$source5+<\/span>$source6+<\/span>$source7+<\/span>$source8+<\/span>$source9 as<\/span> $source
<\/span><\/span>.<\/span>add<\/span>() as<\/span> $func5
<\/span><\/span>.<\/span>save<\/span>() as<\/span> $func6
<\/span><\/span>$func5 +<\/span>$func6 as<\/span> $func
<\/span><\/span>$func #{include: `* & $source`}-> as $sink
<\/span><\/span><\/span><\/code><\/pre>
漏洞验证<\/strong>：

定位到system.php等关键文件<\/li>
检查是否存在请求判断和未过滤的数据存储<\/li>
构造PoC请求验证：<\/li>
<\/ul>
<\/li>
<\/ol>
POST<\/span> \/index.php\/admin\/sys.Auth\/groupAdd HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> target.com<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>
<\/span><\/span>title=<script>alert(1)<\/script>
<\/span><\/span><\/code><\/pre>2.4 文件上传审计<\/h3>

定位文件上传点：<\/li>
<\/ol>
.<\/span>request<\/span>().<\/span>file<\/span>() as<\/span> $source1
<\/span><\/span>request<\/span>().<\/span>file<\/span>() as<\/span> $source2
<\/span><\/span>$source1+<\/span>$source2 as<\/span> $source
<\/span><\/span>$source
<\/span><\/span><\/code><\/pre>
检查验证逻辑：

常见的ThinkPHP validate校验<\/li>
检查过滤器实现是否正确<\/li>
<\/ul>
<\/li>
<\/ol>
2.5 API签名校验绕过<\/h3>
常见问题模式：<\/p>

时间戳校验<\/li>
appid校验<\/li>
签名校验（基于输入计算MD5）<\/li>
数据库中存在默认的appid和appsecret<\/li>
<\/ul>
热加载Hook示例：<\/p>
\/\/ 使用标签 {{yak(handle|param)}} 可触发热加载调用
<\/span><\/span><\/span><\/span>handle<\/span> =<\/span> func<\/span>(param<\/span>) {
<\/span><\/span>    \/\/ 在这里可以直接返回一个字符串
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ beforeRequest 允许发送数据包前再做一次处理
<\/span><\/span><\/span><\/span>beforeRequest<\/span> =<\/span> func<\/span>(req<\/span>) {
<\/span><\/span>    params<\/span> =<\/span> poc<\/span>.<\/span>GetAllHTTPPacketPostParams<\/span>(req<\/span>)
<\/span><\/span>    params<\/span>.<\/span>Delete<\/span>("sign"<\/span>)
<\/span><\/span>    params<\/span>["key"<\/span>] =<\/span> "123456"<\/span>
<\/span><\/span>    
<\/span><\/span>    var<\/span> buildSign<\/span> =<\/span> ""<\/span>
<\/span><\/span>    for<\/span> k<\/span>,v<\/span> in<\/span> params<\/span>{
<\/span><\/span>        buildSign<\/span> =<\/span> buildSign<\/span>+<\/span>sprintf<\/span>("%s=%s"<\/span>, k<\/span>,v<\/span>)
<\/span><\/span>        buildSign<\/span> =<\/span> buildSign<\/span>+<\/span> "&"<\/span>
<\/span><\/span>    }
<\/span><\/span>    buildSign<\/span> =<\/span> buildSign<\/span>[:-<\/span>1<\/span>]
<\/span><\/span>    params<\/span>.<\/span>Set<\/span>("sign"<\/span>, codec<\/span>.<\/span>Md5<\/span>(buildSign<\/span>))
<\/span><\/span>    return<\/span> poc<\/span>.<\/span>ReplaceAllHTTPPacketPostParams<\/span>(req<\/span>, params<\/span>)
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. YAK官方资源<\/h2>


Yak语言官方教程：<\/p>

Yak:致力于安全能力融合的语言<\/a><\/li>
<\/ul>
<\/li>

GitHub仓库：<\/p>

yaklang\/yaklang<\/a><\/li>
<\/ul>
<\/li>

Yakit官网：<\/p>

https:\/\/yaklang.com\/<\/a><\/li>
<\/ul>
<\/li>
<\/ol>
4. 审计要点总结<\/h2>

重点检查ThinkPHP的I()方法是否配置了默认过滤<\/li>
关注路由参数绑定处的数据流向<\/li>
数据库操作和文件上传是高风险点<\/li>
使用YAK-SSA的SyntaxFlow可以高效定位漏洞链<\/li>
热加载功能可用于动态修改请求以绕过校验<\/li>
<\/ol>
通过结合ThinkPHP框架特性和YAK-SSA工具的强大分析能力，可以高效地进行PHP代码审计工作。<\/p>