1. 漏洞概述漏洞类型:XSS存储类型漏洞危险等级:漏洞文件:/admin/article.php影响版本:v.1.8版本以前
漏洞位置分析1.1 漏洞代码定位// 文件路径:/admin/article.php
// 漏洞函数
$sql = "INSERT INTO " . $dou->table('article') . " (id, cat_id, title, defined, content, image, keywords, description, sort, add_time)" . " VALUES (NULL, '$_POST[cat_id]', '$_POST[title]', '$_POST[defined]', '$_POST[content]', '$image', '$_POST[keywords]', '$_POST[description]', '$_POST[sort]', '$add_time')";
// 防火墙拦截函数
function dou_magic_quotes() {
if (PHP_VERSION >= 6 || !@get_magic_quotes_gpc()) {
$_GET = $_GET ? $this->addslashes_deep($_GET) : '';
$_POST = $_POST ? $this->addslashes_deep($_POST) : '';
$_COOKIE = $this->addslashes_deep($_COOKIE);
$_REQUEST = $this->addslashes_deep($_REQUEST);
}
}
1.2 漏洞触发路径文章列表(添加文章) -> $_POST[description] -> 未过滤 -> 拼接至代码中储存 -> 前端访问执行
攻击向量构造示例:
POST /admin/article.php?rec=insert
------WebKitFormBoundarygQvZl8tVbwzPnA8I
Content-Disposition: form-data; name="description"
------WebKitFormBoundarygQvZl8tVbwzPnA8I
2. 漏洞成因分析2.1 漏洞原理首先从入口POST /admin/article.php?rec=insert分析,
admin/article.php --->[require (dirname(FILE) . '/include/init.php');]-->
admin/include/init.php ---> [$firewall->dou_firewall();] --->
[$this->dou_magic_quotes();]
function dou_magic_quotes() {
if (PHP_VERSION >= 6 || !@get_magic_quotes_gpc()) {
$_GET = $_GET ? $this->addslashes_deep($_GET) : '';
$_POST = $_POST ? $this->addslashes_deep($_POST) : '';
$_COOKIE = $this->addslashes_deep($_COOKIE);
$_REQUEST = $this->addslashes_deep($_REQUEST);
}
}
通过以上的逻辑链可知,POST请求包会在firewall.class.php文件中的dou_magic_quotes函数中进行转义操作,函数中使用addslashes_deep 方法对每一个元素使用addslashes()函数,在' " \ NUL前添加反斜杠转义,防止SQL注入(但实际效果有限)。
输入点从$rec == 'insert'进入$dou->query($sql);执行,无拦截XSS代码
3. 漏洞验证与利用3.1 验证POCPOST /admin/article.php?rec=insert HTTP/1.1
Host: 127.0.0.1:8094
Content-Length: 1296
Cache-Control: max-age=0
sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Language: zh-CN
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1:8094
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygQvZl8tVbwzPnA8I
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1:8094/admin/article.php?rec=add
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=v1k6flarkli5qhe6n3hpfqj593
Connection: keep-alive
------WebKitFormBoundarygQvZl8tVbwzPnA8I
Content-Disposition: form-data; name="title"
test
------WebKitFormBoundarygQvZl8tVbwzPnA8I
Content-Disposition: form-data; name="cat_id"
1
------WebKitFormBoundarygQvZl8tVbwzPnA8I
Content-Disposition: form-data; name="image"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundarygQvZl8tVbwzPnA8I
Content-Disposition: form-data; name="add_time"
2025-02-18 18:52
------WebKitFormBoundarygQvZl8tVbwzPnA8I
Content-Disposition: form-data; name="keywords"
XSStest
------WebKitFormBoundarygQvZl8tVbwzPnA8I
Content-Disposition: form-data; name="description"
------WebKitFormBoundarygQvZl8tVbwzPnA8I
Content-Disposition: form-data; name="sort"
50
------WebKitFormBoundarygQvZl8tVbwzPnA8I
Content-Disposition: form-data; name="token"
014abb9c
------WebKitFormBoundarygQvZl8tVbwzPnA8I
Content-Disposition: form-data; name="image"
------WebKitFormBoundarygQvZl8tVbwzPnA8I
Content-Disposition: form-data; name="id"
------WebKitFormBoundarygQvZl8tVbwzPnA8I
Content-Disposition: form-data; name="submit"
提交
------WebKitFormBoundarygQvZl8tVbwzPnA8I
Content-Disposition: form-data; name="content"
sdaskjdvaskjhasdjhaslidhsag
------WebKitFormBoundarygQvZl8tVbwzPnA8I--
访问后直接前端访问
4. 漏洞修复方案4.1 安全编码修复elseif ($rec == 'insert') {
......
......
// 对description进行XSS过滤
$_POST['description'] = htmlspecialchars(trim($_POST['description']), ENT_QUOTES, 'UTF-8');
......
......
$sql = "INSERT INTO " . $dou->table('article') . " (id, cat_id, title, defined, content, image, keywords, description, sort, add_time)" . " VALUES (NULL, '$_POST[cat_id]', '$_POST[title]', '$_POST[defined]', '$_POST[content]', '$image', '$_POST[keywords]', '$_POST[description]', '$_POST[sort]', '$add_time')";
$dou->query($sql);
其他代码不变
4.2 加固建议1. 输入验证在接收用户输入时,应进行严格的白名单验证,确保数据符合预期格式。例如,限制输入只能包含字母、数字或特定字符。
2. 数据存储前的转义即使进行了输入验证,仍需对数据进行适当的转义处理,以防止意外遗漏的恶意输入。
3. 输出时的转义在将数据从数据库读取并输出到HTML页面时,必须再次对数据进行转义,确保不会被浏览器解析为可执行的脚本。附录:漏洞利用检测脚本
后台漏洞,无脚本
注:本报告中的技术细节仅供授权测试使用,严禁用于非法用途。