熊海cms v1.0 完全代码审计

很久以前写的，写这个东西更多的是为了说明我自己的一个思路，即按照程序功能点进行代码审计，

这样经过一段时间训练，熟悉了某种功能的正确和错误实现方法，遇到类似的代码就可以很快看出是否有问题了

---

0 安装功能
0.1 检查是否存在锁文件
没问题，后面几项只有在程序未安装时进行
0.2 连接数据库，导入sql文件
0.3 将数据库连接信息写入配置文件
* 代码执行
```
$dbhost = $_POST['dbhost'];
$dbuser = $_POST['dbuser'];
$dbpwd = $_POST['dbpwd'];
$dbname = $_POST['dbname'];
...
$content = "<?php
\$DB_HOST='" . $dbhost . "';
\$DB_USER='" . $dbuser . "';
\$DB_PWD='" . $dbpwd . "';
\$DB_NAME='" . $dbname . "';
?>
";
$of = fopen('../inc/conn.info.php', 'w');
if ($of) {
fwrite($of, $content);
}
echo "MySQL数据库连接配置成功!<br /><br />";
```
0.4 加入管理员
* sql 注入
```
$user = $_POST['user'];
$password = md5($_POST['password']);
...
$query = "UPDATE manage SET user='$user',password='$password',name='$user'";
@mysql_query($query) or die('修改错误：' . mysql_error());
```

1 默认访问首页
* 文件包含
```
$file = addslashes($_GET['r']); //接收文件名
$action = $file == '' ? 'index' : $file; //判断为空或者等于index
include 'files/' . $action . '.php'; //载入相应文件
```
1.1 显示导航栏
1.2 显示头条
1.3 显示三个分类
1.4 显示最新下载
1.5 显示友情链接

2 关于

3 查看分类
3.1 查询文章
3.2 查看文章评论，时间等信息

4 查看文章
4.1 更新点击数
* sql 注入
```
$id = addslashes($_GET['cid']);
...
$query = "UPDATE content SET hit = hit+1 WHERE id=$id";
@mysql_query($query) or die('修改错误：' . mysql_error());
```
4.2 显示评论
* xss
```
<?php echo $pinglun['name'] ?>
插入的时候也没有过滤
```
4.3 提交评论
4.3.1 检查验证码
4.3.2 检查输入
4.3.3 根据邮箱查询用户头像
* sql 注入
```
$mail = $_POST['mail'];
...
$query = "SELECT * FROM interaction WHERE( mail = '$mail')";
$result = mysql_query($query) or die('SQL语句有误：' . mysql_error());
```
4.3.4 设置cookie
4.3.5 数据库保存评论
* sql 注入
```
$name = $_POST['name'];
$mail = $_POST['mail'];
$url = $_POST['url'];
$content = $_POST['content'];
$cid = $_POST['cid'];
$ip = $_SERVER["REMOTE_ADDR"];
$tz = $_POST['tz'];
...
$query = "INSERT INTO interaction (
type,
xs,
cid,
name,
mail,
url,
touxiang,
shebei,
ip,
content,
tz,
date
) VALUES (
'$type',
'$xs',
'$cid',
'$name',
'$mail',
'$url',
'$touxiang',
'$shebei',
'$ip',
'$content',
'$tz',
now()
)";
```
4.3.6 检查是否发送评论通知邮件

5 查看下载

6 查看软件
6.1 增加浏览量
* sql 注入
```
$id = addslashes($_GET['cid']);
$query = "UPDATE download SET hit = hit+1 WHERE id=$id";
```
6.2 显示软件信息
6.3 显示评论
* 同之前有xss
6.4 提交评论
* 同之前有sql 注入

7 联系
7.1 留言列表
* 同之前有xss
7.2 发表留言
* 同之前有sql 注入

8 后台登陆
8.1 默认访问admin/index.php
* 文件包含
```
$file=addslashes($_GET['r']); //接收文件名
$action=$file==''?'index':$file; //判断为空或者等于index
include('files/'.$action.'.php'); //载入相应文件
```
8.2 检查是否已登陆，未登陆则跳到登陆界面
* 访问控制实现错误
```
$user = $_COOKIE['user'];
if ($user == "") {
header("Location: ?r=login");
exit;
}
```
8.3 检查用户名密码
* sql 注入
```
$user = $_POST['user'];
...
$query = "SELECT * FROM manage WHERE user='$user'";
$result = mysql_query($query) or die('SQL语句有误：' . mysql_error());
```
8.4 记住我
* 会话管理实现错误
```
if ($checkbox == 1) {
setcookie('user', $user, time() + 3600 * 24 * 30, '/');
} else {
setcookie('user', $user, 0, '/');
}
```

9 后台首页
9.1 查看各种统计信息
9.2 查看最新文章及搜索文章
9.3 查看热门排行
9.4 查看最近评论
* xss
```
<?php echo $interaction['name'] ?>
```
9.5 管理员资料设置
* sql 注入
```
$user = $_POST['user'];
$name = $_POST['name'];
$password = $_POST['password'];
$password2 = $_POST['password2'];
$img = $_POST['img'];
$mail = $_POST['mail'];
$qq = $_POST['qq'];
...
$query = "UPDATE manage SET
user='$user',
name='$name',
$password
$images
mail='$mail',
qq='$qq',
date=now()";
```
9.6 退出后台
10 发布内容
10.1 发布文章
10.1.0 访问控制实现错误
* 同前
10.1.1 填写文章信息
* sql 注入
```
$save = $_POST['save'];
$title = $_POST['title'];
$author = $_POST['author'];
$keywords = $_POST['keywords'];
$description = $_POST['description'];
$images = $_POST['images'];
$xs = $_POST['xs'];
if ($xs == "") {$xs = 1;}
$toutiao = $_POST['toutiao'];
...
$query = "INSERT INTO content (navclass,title,toutiao,author,keywords,description,xs,hit,images,content,date) VALUES ('$navclass','$title','$toutiao','$author','$keywords','$description','$xs','1','$filename','$content',now())";@mysql_query($query) or die('新增错误：' . mysql_error());
```
10.1.2 上传图片
10.1.3 使用ueditor填写文章内容
* Ueditor 1.4.3 SSRF
```
private function saveRemote()
{
$imgUrl = htmlspecialchars($this->fileField);
$imgUrl = str_replace("&", "&", $imgUrl);

//http开头验证
if (strpos($imgUrl, "http") !== 0) {
$this->stateInfo = $this->getStateInfo("ERROR_HTTP_LINK");
return;
}
//获取请求头并检测死链
$heads = get_headers($imgUrl);
if (!(stristr($heads[0], "200") && stristr($heads[0], "OK"))) {
$this->stateInfo = $this->getStateInfo("ERROR_DEAD_LINK");
return;
}
//格式验证(扩展名验证和Content-Type验证)
$fileType = strtolower(strrchr($imgUrl, '.'));
if (!in_array($fileType, $this->config['allowFiles']) || stristr($heads['Content-Type'], "image")) {
$this->stateInfo = $this->getStateInfo("ERROR_HTTP_CONTENTTYPE");
return;
}

//打开输出缓冲区并获取远程图片
ob_start();
$context = stream_context_create(
array('http' => array(
'follow_location' => false // don't follow redirects
))
);
```
10.2 发布下载
10.2.1 访问控制
* 同前
10.2.1 填写文章信息
* sql 注入
```
$save = $_POST['save'];
$title = $_POST['title'];
$author = $_POST['author'];
$keywords = $_POST['keywords'];
$description = $_POST['description'];
$images = $_POST['images'];
$daxiao = $_POST['daxiao'];
$language = $_POST['language'];
$version = $_POST['version'];
$demo = $_POST['demo'];
$url = $_POST['url'];
$softadd = $_POST['softadd'];
$softadd2 = $_POST['softadd2'];
$content = $_POST['content'];
$xs = $_POST['xs'];
...
$query = "INSERT INTO download (
title,keywords,description,images,hit,xiazai,daxiao,language,version,author,demo,url,softadd,softadd2,xs,content,date
) VALUES(
'$title','$keywords','$description','$filename','1','0','$daxiao','$language','$version','$author','$demo','$url','$softadd','$softadd2','$xs','$content',now()
)";@mysql_query($query) or die('新增错误：' . mysql_error());
```

11 内容管理
11.1 文章列表
11.1.0 访问控制
* 实现错误
11.1.1 查看文章列表
11.1.2 修改文章
* sql 注入
```
$id = $_GET['id'];
$query = "SELECT * FROM content WHERE id='$id'";
```
* sql 注入
```
$save = $_POST['save'];
$title = $_POST['title'];
$author = $_POST['author'];
$keywords = $_POST['keywords'];
$description = $_POST['description'];
$images = $_POST['images'];
$xs = $_POST['xs'];
...
$query = "UPDATE content SET
navclass='$navclass',
title='$title',
toutiao='$toutiao',
author='$author',
keywords='$keywords',
description='$description',
xs='$xs',
$images
content='$content',
editdate=now()
WHERE id='$id'";
@mysql_query($query) or die('修改错误：' . mysql_error());
echo "<script>alert('亲爱的，文章," . $imgsms . "成功修改。');location.href='?r=wzlist'</script>";
exit;
```
11.1.3 删除文章
* sql 注入
```
$delete = $_GET['delete'];
if ($delete != "") {
$query = "DELETE FROM content WHERE id='$delete'";
$result = mysql_query($query) or die('SQL语句有误：' . mysql_error());
echo "<script>alert('亲，ID为" . $delete . "的内容已经成功删除！');location.href='?r=wzlist'</script>";
exit;
}
```
11.2 下载列表
11.2.0 访问控制
* 实现错误
11.2.1 查看下载列表
11.2.2 修改下载
* 同上
11.2.3 删除下载
* 同上

12 栏目管理
12.1 新建单页
12.1 访问控制
* 实现错误
12.2 填写信息
* sql 注入
```
$save = $_POST['save'];
$name = $_POST['name'];
$keywords = $_POST['keywords'];
$description = $_POST['description'];
$px = $_POST['px'];
$xs = $_POST['xs'];
...
$query = "INSERT INTO nav (
name,keywords,description,xs,px,link,type,content,date
) VALUES (
'$name','$keywords','$description','$xs','$px','pages','5','$content',now()
)";@mysql_query($query) or die('新增错误：' . mysql_error());
echo "<script>alert('亲爱的，一级单页已经成功添加。');location.href='?r=columnlist'</script>";
exit;
}
```
12.3 ueditor 填写内容
* 同上
12.2 新建分类
* 同上
12.3 栏目列表
12.3.1 访问控制
* 同上
12.3.2 修改栏目
* sql 注入
```
$id = $_GET['id'];
$type = $_GET['type'];

if ($type == 1) {
$query = "SELECT * FROM nav WHERE id='$id'";
$resul = mysql_query($query) or die('SQL语句有误：' . mysql_error());
$nav = mysql_fetch_array($resul);
}
```
* sql 注入
```
$save = $_POST['save'];
$name = $_POST['name'];
$keywords = $_POST['keywords'];
$description = $_POST['description'];
$px = $_POST['px'];
$xs = $_POST['xs'];
...
$query = "UPDATE nav SET
name='$name',
keywords='$keywords',
description='$description',
xs='$xs',
px='$px',
content='$content',
date=now()
WHERE id='$id'";
@mysql_query($query) or die('修改错误：' . mysql_error());
```
12.3.3 删除栏目
* sql 注入
```
$delete = $_GET['delete'];

$delete2 = $_GET['delete2'];

if ($delete != "") {
$query = "DELETE FROM nav WHERE id='$delete'";
$result = mysql_query($query) or die('SQL语句有误：' . mysql_error());
echo "<script>alert('亲，ID为" . $delete . "的栏目已经成功删除！');location.href='?r=columnlist'</script>";
exit;
}
if ($delete2 != "") {
$query = "DELETE FROM navclass WHERE id='$delete2'";
$result = mysql_query($query) or die('SQL语句有误：' . mysql_error());
echo "<script>alert('亲，ID为" . $delete2 . "的二级栏目已经成功删除！');location.href='?r=columnlist'</script>";
exit;
}
```

13 友情链接
13.1 添加链接
13.1.1 访问控制
* 同上
13.1.2 提交信息
* sql 注入
```
$save = $_POST['save'];
$name = $_POST['name'];
$url = $_POST['url'];
$mail = $_POST['mail'];
$jieshao = $_POST['jieshao'];
$xs = $_POST['xs'];
...
$query = "INSERT INTO link (name,url,mail,jieshao,xs,date) VALUES ('$name','$url','$mail','jieshao','xs',now())";
```
13.2 链接列表
* 同上

14 互动
* 同上
14.1 评论列表
14.2 留言列表
14.3 下载列表

15 设置
15.1 基本设置
* 访问控制实现错误
* sql 注入
15.2 高级设置
* 访问控制实现错误
* sql 注入
15.3 图片设置
* 访问控制实现错误
* sql 注入
15.4 广告设置

熊海cms v1.0 完全代码审计

猜你喜欢