mvc框架分析和漏洞集合

mvc框架分析/**

参数过滤，格式化

**/

functionformat_param($value=null,$int=0){

if($value==null){return'';}

switch($int){

case0://整数

return(int)$value;

case1://字符串

$value=htmlspecialchars(trim($value),ENT_QUOTES);

if(!get_magic_quotes_gpc())$value=addslashes($value);

return$value;

case2://数组

if($value=='')return'';

array_walk_recursive($value,"array_format");

return$value;

case3://浮点

return(float)$value;

case4:

if(!get_magic_quotes_gpc())$value=addslashes($value);

returntrim($value);

}

}核心文件过滤文件functionarray_format(&$item,$key)

{

$item=trim($item);

$item=htmlspecialchars($item,ENT_QUOTES);

if(!get_magic_quotes_gpc())$item=addslashes($item);

}if(!get_magic_quotes_gpc())$value=addslashes($value);

returntrim($value);mvc框架mode分析//查询一条

publicfunctionfind($where=null,$order=null,$fields=null,$limit=1)

{

if($record=$this->findAll($where,$order,$fields,1)){

returnarray_pop($record);

}else{

returnFALSE;

}

}

//查询所有

publicfunctionfindAll($conditions=null,$order=null,$fields=null,$limit=null)

{

$where='';

if(is_array($conditions)){

$join=array();

foreach($conditionsas$key=>$value){

$value='\''.$value.'\'';

$join[]="{$key}={$value}";

}

$where="WHERE".join("AND",$join);

}else{

if(null!=$conditions)$where="WHERE".$conditions;

}

if(is_array($order)){

$where.='ORDERBY';

$where.=implode(',',$order);

}else{

if($order!=null)$where.="ORDERBY".$order;

}

if(!empty($limit))$where.="LIMIT{$limit}";

$fields=empty($fields)?"*":$fields;

$table=self::$table;

$sql="SELECT{$fields}FROM{$table}{$where}";

return$this->db->getArray($sql);

}//执行SQL语句返回数组

publicfunctiongetArray($sql){

if(!$result=$this->query($sql))returnarray();

if(!$this->Statement->rowCount())returnarray();

$rows=array();

while($rows[]=$this->Statement->fetch(PDO::FETCH_ASSOC)){}

$this->Statement=null;

array_pop($rows);

return$rows;

}publicfunctionquery($sql){

$this->arrSql[]=$sql;

$this->Statement=$this->pdo->query($sql);

if($this->Statement){

return$this;

}else{

$msg=$this->pdo->errorInfo();

if($msg[2]){

Error_msg('数据库错误：'.$msg[2].end($this->arrSql));

}

}

}/**

系统内部错误提示

@infostring文字描述

**/

functionError_msg($msg,$url=null){

//检测是否定义了错误处理--2019/2/24by留恋风

$controller=APP_HOME.'\\'.HOME_CONTROLLER.'\\ErrorController';

if(!class_exists($controller)||!method_exists($controller,'index')){

$traces=debug_backtrace();

$bufferabove=ob_get_clean();

require_once(CORE_PATH.'/common/Error.php');

exit;

}else{

(new$controller('ErrorController','index'))->index($msg);

exit;

}

}functiontest(){

M('member')->find(['id'=>$_GET['id']]);

}前台的漏洞前台SQL注入Home\c\MypayController.phpfunctionalipay_return_pay(){

extendFile('pay/alipay/AlipayServiceCheck.php');

//支付宝公钥，账户中心->密钥管理->开放平台密钥，找到添加了支付功能的应用，根据你的加密类型，查看支付宝公钥

$alipayPublicKey=$this->webconf['alipay_public_key'];

$aliPay=new\AlipayServiceCheck($alipayPublicKey);

//验证签名

$result=$aliPay->rsaCheck($_GET,$_GET['sign_type']);

if($result===true){

//同步回调一般不处理业务逻辑，显示一个付款成功的页面，或者跳转到用户的财务记录页面即可。

//echo'<h1>付款成功</h1>';

$out_trade_no=htmlspecialchars($_GET['out_trade_no']);

$orderno=$out_trade_no;

$paytime=time();

$order=M('orders')->find(['orderno'=>$orderno]);

if(!$order){

Error('支付成功，但是系统内没有找到相应的订单！'.$orderno,get_domain());

}

if($order['ispay']==1){

//跳转对应查询详情

//Success('支付成功！',U('User/details',['id'=>$order['id']]));

$this->overpay($order['orderno']);

exit;

}

sqlmap验证前台注入二Home\c\MypayController.phpfunctionalipay_notify_pay(){

extendFile('pay/alipay/AlipayServiceCheck.php');

$alipayPublicKey=$this->webconf['alipay_public_key'];

$aliPay=new\AlipayServiceCheck($alipayPublicKey);

//验证签名

$result=$aliPay->rsaCheck($_POST,$_POST['sign_type']);

//if($result===true){

if(true){

//处理你的逻辑，例如获取订单号$_POST['out_trade_no']，订单金额$_POST['total_amount']等

//程序执行完后必须打印输出“success”（不包含引号）。如果商户反馈给支付宝的字符不是success这7个字符，支付宝服务器会不断重发通知，直到超过24小时22分钟。一般情况下，25小时以内完成8次通知（通知的间隔频率一般是：4m,10m,10m,1h,2h,6h,15h）；

//echo'success';exit();

$out_trade_no=htmlspecialchars($_GET['out_trade_no']);

$orderno=$out_trade_no;

$paytime=time();

$order=M('orders')->find(['orderno'=>$orderno]);

if(!$order){

//Error('支付成功，但是系统内没有找到相应的订单！'.$orderno,get_domain());

exit;

}SQL注入三Homec\WechatController.phppublicfunctionresponseMsg(){

//getpostdata,Maybeduetothedifferentenvironments

//$postStr=$GLOBALS["HTTP_RAW_POST_DATA"];

$postStr=file_get_contents('php://input');

//extractpostdata

if(!empty($postStr)){

/*libxml_disable_entity_loaderistopreventXMLeXternalEntityInjection,

thebestwayistocheckthevalidityofxmlbyyourself*/

libxml_disable_entity_loader(true);

$postObj=simplexml_load_string($postStr,'SimpleXMLElement',LIBXML_NOCDATA);

$this->postObj=$postObj;

$fromUsername=$postObj->FromUserName;

$toUsername=$postObj->ToUserName;

$keyword=trim($postObj->Content);

$time=time();

$textTpl="<xml>

<ToUserName><![CDATA[%s]]></ToUserName>

<FromUserName><![CDATA[%s]]></FromUserName>

<CreateTime>%s</CreateTime>

<MsgType><![CDATA[%s]]></MsgType>

<Content><![CDATA[%s]]></Content>

<FuncFlag>0</FuncFlag>

</xml>";

if($postObj->MsgType=='event'){

switch($postObj->Event){

case'CLICK':

/*

if($postObj->EventKey=='xxx'){

}

*/

break;

case'subscribe':

//获取用户信息，并存入数据库

$openid=$fromUsername;

//查询是否已有账号

$islive=M('member')->find(array('openid'=>$openid));$postStr=file_get_contents('php://input');获取post过来的值没有任何过滤，就带入到数据库里面执行。post包POST/Wechat/responseMsgHTTP/1.1Host:User-Agent:Mozilla/5.0(WindowsNT10.0;Win64;x64;rv:75.0)Gecko/20100101Firefox/75.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8Accept-Language:zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2Accept-Encoding:gzip,deflateContent-Type:application/x-www-form-urlencodedContent-Length:11Origin:Connection:closeReferer:/login/index.htmlUpgrade-Insecure-Requests:1<xml><ToUserName><![CDATA[touser]]></ToUserName><FromUserName><![CDATA[fromUser']]></FromUserName><CreateTime>12345678</CreateTime><MsgType><![CDATA[event]]></MsgType><Content><![CDATA[content]]></Content><Event><![CDATA[subscribe]]></Event></xml>验证码可绕过publicfunctionindex(){

//检测是否已经设置过return_url,防止多次登录覆盖

if(!isset($_SESSION['return_url'])){

$referer=(!isset($_SERVER['HTTP_REFERER'])||$_SERVER['HTTP_REFERER']=='')?U('user/index'):$_SERVER['HTTP_REFERER'];

$_SESSION['return_url']=$referer;

}

if($_POST){

$data['username']=str_replace("'",'',$this->frparam('tel',1));//进行二次过滤校验

$data['password']=str_replace("'",'',$this->frparam('password',1));

if(!$this->frparam('vercode',1)||md5(md5($this->frparam('vercode',1)))!=$_SESSION['login_vercode']){

$xdata=array('code'=>1,'msg'=>'验证码错误！');

if($this->frparam('ajax')){

JsonReturn($xdata);

}

Error('验证码错误！');

}

if($data['username']==''||$data['password']==''){

$xdata=array('code'=>1,'msg'=>'账户密码不能为空！');

if($this->frparam('ajax')){

JsonReturn($xdata);

}

Error('账户密码不能为空！');

}

验证码验证没有销毁会造成验证码重用导致可以穷举密码functionforget(){

if($_POST&&!isset($_POST['reset'])){

$username=$this->frparam('username',1);

$email=$this->frparam('email',1);

$vercode=$this->frparam('vercode',1);

if(!$username||!$email){

Error('请输入账号和邮箱！');

}

if($_SESSION['forget_code']!=md5(md5($vercode))){

Error('图形验证码错误！');

}

$user=M('member')->find(['username'=>$username,'email'=>$email]);

if($user){

//生成随机秘钥

$w['logintime']=time();

$w['token']=getRandChar(32);

M('member')->update(['id'=>$user['id']],$w);

//发送邮件

if($this->webconf['email_server']&&$this->webconf['email_port']&&$this->webconf['send_email']&&$this->webconf['send_pass']){

$title='找回密码-'.$this->webconf['web_name'];

$body='您的账号正在进行找回密码操作，如果确定是本人操作，请在10分钟内点击<ahref="'.U('login/forget',['token'=>$w['token'],'username'=>$username]).'"target="_blank">《立即找回密码》</a>，过期失效！';

send_mail($this->webconf['send_email'],$this->webconf['send_pass'],$this->webconf['send_name'],$user['email'],$title,$body);

if(!isset($_SESSION['forget_time'])){

$_SESSION['forget_time']=time();

$_SESSION['forget_num']=0;

}

if(($_SESSION['forget_time']+10*60)<time()){

$_SESSION['forget_num']=0;

}

$_SESSION['forget_num']++;

if($_SESSION['forget_num']>10&&($_SESSION['forget_time']+10*60)<time()){

//$this->error('您操作过于频繁，请10分钟后再尝试！');

if($this->frparam('ajax')){

JsonReturn(['code'=>0,'msg'=>'您操作过于频繁，请10分钟后再尝试！']);

}

Error('您操作过于频繁，请10分钟后再尝试！');

}

Success('找回密码邮件已发送，请到您的邮箱查看！',get_domain());

}else{

Error('邮箱服务器未配置，无法发送邮件，请联系管理员找回密码！');

}

}else{

Error('输入的信息有误！');

}

}

if(!isset($_POST['reset'])&&$this->frparam('token',1)&&$this->frparam('username',1)){

//检查token是否正确

if($this->frparam('token',1)!=''&&$this->frparam('username',1)!=''){

$user=M('member')->find(['token'=>$this->frparam('token',1),'username'=>$this->frparam('username',1)]);

if($user){

//检查是否已过期

$t=(time()-$user['logintime'])/60;

if($t>10){

Error('token已失效！',U('login/forget'));

}

$this->user=$user;

$this->display($this->template.'/user/reset_password');

exit;

}

}

}这个随机生成字符串是可以遍历出来的在十分钟里提交成功的就可以更改账号密码。/**

*随机生成字符串

*@paramint$length

*@returnnull|string

*/

functiongetRandChar($length=8){

$str=null;

$strPol="ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz";

$max=strlen($strPol)-1;

for($i=0;$i<$length;$i++){

$str.=$strPol[rand(0,$max)];//rand($min,$max)生成介于min和max两个数之间的一个随机整数

}

return$str;

}前台编辑器xss<iframesrc="javascript:alert(1)"></iframe>越权漏洞任意订单查看Homec\c\UserController.phpfunctionorderdetails(){

$orderno=$this->frparam('orderno',1);

$order=M('orders')->find(['orderno'=>$orderno]);

if($orderno&&$order){

/*

if($order['isshow']!=1){

//超时或者已支付

if($order['isshow']==0){

$msg='订单已删除';

}

if($order['isshow']==3){

$msg='订单已过期，不可支付！';

}

if($order['isshow']==2){

$msg='订单已支付，请勿重复操作！';

}

if($this->frparam('ajax')){

JsonReturn(['code'=>1,'msg'=>$msg]);

}

Error($msg);

}

*/

$carts=explode('||',$order['body']);

$new=[];

foreach($cartsas$k=>$v){

$d=explode('-',$v);

if($d[0]!=''){

//兼容多模块化

if(isset($this->classtypedata[$d[0]])){

$type=$this->classtypedata[$d[0]];

$res=M($type['molds'])->find(['id'=>$d[1]]);

$new[]=['info'=>$res,'num'=>$d[2],'tid'=>$d[0],'id'=>$d[1],'price'=>$d[3]];

}else{

$new[]=['info'=>false,'num'=>$d[2],'tid'=>$d[0],'id'=>$d[1],'price'=>$d[3]];

}

}

}

$this->carts=$new;

$this->order=$order;

$this->display($this->template.'/user/orderdetails');

}

}在查找$order=M('orders')->find(['orderno'=>$orderno]);订单的时候没有加上id的限制就会造成订单任意查询oon123@123456退出登录访问订单/user/orderdetails/orderno/No20200416111632.html越权漏洞任意订单删除漏洞Homec\c\UserController.phpfunctionorderdel(){$this->checklogin();$orderno=$this->frparam('orderno',1);if(!$orderno){Error('缺少订单号！');}$order=M('orders')->find("orderno='".$orderno."'andisshow!=0");if(!$order){Error('订单号错误！');}//軟刪除$r=M('orders')->update(['orderno'=>$orderno],['isshow'=>0]);if($r){Success('删除成功！',U('user/orders'));}else{Error('删除失败！');新版已经修复了后台的漏洞后台验证码可重用A\c\LoginController.phppublicfunctionindex(){

if($_POST){

//$data=$this->frparam();//去除全局获取

$data['username']=str_replace("'",'',$this->frparam('username',1));//进行二次过滤校验

$data['password']=str_replace("'",'',$this->frparam('password',1));

if($data['username']==''||$data['password']==''){

$xdata=array('code'=>1,'msg'=>'账户密码不能为空！');

JsonReturn($xdata);

}

if(md5(md5($this->frparam('vercode',1)))!=$_SESSION['frcode']){

$xdata=array('code'=>1,'msg'=>'验证码错误！');

JsonReturn($xdata);

}

$where['pass']=md5(md5($data['password']).'YF');

$where['name']=$data['username'];

$res1=M('level')->find($where);

unset($where['name']);

$where['tel']=$data['username'];

$res2=M('level')->find($where);

unset($where['tel']);

$where['email']=$data['username'];

$res3=M('level')->find($where);

if($res1||$res2||$res3){

$res=($res1)?$res1:($res2?$res2:$res3);

unset($res['pass']);

if($res['status']==0){

$data=array('code'=>1,'msg'=>'该账户已被封禁！');

}else{

$group=M('level_group')->find(array('id'=>$res['gid']));

if($group['isagree']==0){

$data=array('code'=>1,'msg'=>'该账户已被封禁！');

}else{

unset($group['id']);

$group['group_name']=$group['name'];

unset($group['name']);

$_SESSION['admin']=array_merge($res,$group);

M('level')->update(array('id'=>$res['id']),array('logintime'=>time()));

//写入日志

if(!StopLog){

$log['user']=$_SESSION['admin']['name'];

$log['userid']=$_SESSION['admin']['id'];

register_log($_SESSION['admin'],'login');

}

$data=array('code'=>0,'msg'=>'登录成功！');

}

}

}else{

$data=array('code'=>1,'msg'=>'账户密码错误！');

}

JsonReturn($data);

}验证码判断成功之后没有销毁导致可以重复使用。后台白名单任意上传漏洞A\c\CommonController.phpfunctionuploads(){

if($_FILES["file"]["error"]>0){

$data['error']="Error:".$_FILES["file"]["error"];

$data['code']=1000;

}else{

//echo"Upload:".$_FILES["file"]["name"]."<br/>";

//echo"Type:".$_FILES["file"]["type"]."<br/>";

//echo"Size:".($_FILES["file"]["size"]/1024)."Kb<br/>";

//echo"Storedin:".$_FILES["file"]["tmp_name"];

$pix=explode('.',$_FILES['file']['name']);

$pix=end($pix);

$fileType=$this->webconf['fileType'];

if(strpos($fileType,strtolower($pix))===false){

$data['error']="Error:文件类型不允许上传！";

$data['code']=1002;

JsonReturn($data);

}

$fileSize=(int)webConf('fileSize');

if($fileSize!=0&&$_FILES["file"]["size"]/(1024*1024)>$fileSize){

$data['error']="Error:文件大小超过网站内部限制！";

$data['code']=1003;

JsonReturn($data);

}

$filename='Public/Admin/'.date('Ymd').rand(1000,9999).'.'.$pix;

$filename_x='Public/Admin/'.date('Ymd').rand(1000,9999).'.'.$pix;

if(move_uploaded_file($_FILES["file"]['tmp_name'],$filename)){

if((strtolower($pix)=='png'&&$this->webconf['ispngcompress']==1)||strtolower($pix)=='jpg'||strtolower($pix)=='jpeg'){

$imagequlity=(int)$this->webconf['imagequlity'];

if($imagequlity!=100){

$image=new\compressimage($filename);

$image->percent=1;

$image->ispngcompress=$this->webconf['ispngcompress'];

$image->quality=$imagequlity==''?75:$imagequlity;

$image->openImage();

$image->thumpImage();

//$image->showImage();

unlink($filename);

$image->saveImage($filename_x);

$filename=$filename_x;

}

}

if((strtolower($pix)=='png'||strtolower($pix)=='jpg'||strtolower($pix)=='jpeg')&&$this->webconf['iswatermark']==1&&$this->webconf['watermark_file']!=''&&!empty($this->webconf['watermark_file'])){

if(file_exists(APP_PATH.$this->webconf['watermark_file'])){

watermark($filename,APP_PATH.$this->webconf['watermark_file'],$this->webconf['watermark_t'],$this->webconf['watermark_tm']);

}

}

$data['url']='/'.$filename;

$data['code']=0;

$filesize=round(filesize(APP_PATH.$filename)/1024,2);

M('pictures')->add(['litpic'=>'/'.$filename,'addtime'=>time(),'userid'=>$_SESSION['admin']['id'],'size'=>$filesize,'filetype'=>strtolower($pix),'tid'=>$this->frparam('tid',0,0),'molds'=>$this->frparam('molds',1,null)]);

}else{

$data['error']="Error:请检查目录[Public/Admin]写入权限";

$data['code']=1001;

}

}

JsonReturn($data);

}过程后台编辑器xss漏洞$this->frparam(,4)当接收的值数值等于4的时候如果带入到数据里就会造成xxs漏洞A\c\ProductController.php.phpfunctionaddproduct(){

$this->fields_biaoshi='product';

if($this->frparam('go',1)==1){

$data=$this->frparam();

$data['addtime']=strtotime($data['addtime']);

$data['body']=$this->frparam('body',4);

$data['price']=$this->frparam('price',3);

$data['userid']=$_SESSION['admin']['id'];

$data['description']=($this->frparam('description',1)=='')?newstr(strip_tags($data['body']),200):$this->frparam('description',1);

if($this->frparam('litpic',1)==''){

$pattern='/<img.+src=\"?(.+\.(jpg|gif|bmp|bnp|PNG))\"?.+>/i';

if($this->frparam('body',1)!=''){

preg_match_all($pattern,$_POST['body'],$matchContent);

if(isset($matchContent[1][0])){

$data['litpic']=$matchContent[1][0];

}else{

$data['litpic']='';

}

}else{

$data['litpic']='';

}

}

if(array_key_exists('pictures_urls',$data)&&$data['pictures_urls']!=''){

$data['pictures']=implode('||',format_param($data['pictures_urls'],2));

}else{

$data['pictures']='';

}

$pclass=get_info_table('classtype',array('id'=>$data['tid']));

$data['molds']=$pclass['molds'];

$data['htmlurl']=$pclass['htmlurl'];

$data['istop']=$this->frparam('istop',0,0);

$data['ishot']=$this->frparam('ishot',0,0);

$data['istuijian']=$this->frparam('istuijian',0,0);

$data=get_fields_data($data,'product');

if($data['tags']!=''){

$data['tags']=','.$data['tags'].',';

}

if(M('product')->add($data)){publicfunctioneditproduct(){

$this->fields_biaoshi='product';

if($this->frparam('go',1)==1){

$data=$this->frparam();

$data['addtime']=strtotime($data['addtime']);

$data['body']=$this->frparam('body',4);

$data['price']=$this->frparam('price',3);

$data['description']=($this->frparam('description',1)=='')?newstr(strip_tags($data['body']),200):$this->frparam('description',1);

if($this->frparam('litpic',1)==''){

$pattern='/<img.+src=\"?(.+\.(jpg|gif|bmp|bnp|PNG))\"?.+>/i';

if($this->frparam('body',1)!=''){

preg_match_all($pattern,$_POST['body'],$matchContent);

if(isset($matchContent[1][0])){

$data['litpic']=$matchContent[1][0];

}else{

$data['litpic']='';

}

}else{

$data['litpic']='';

}

}

if(array_key_exists('pictures_urls',$data)&&$data['pictures_urls']!=''){

$data['pictures']=implode('||',format_param($data['pictures_urls'],2));

}else{

$data['pictures']='';

}

$pclass=get_info_table('classtype',array('id'=>$data['tid']));

$data['molds']=$pclass['molds'];

$data['htmlurl']=$pclass['htmlurl'];

$data['istop']=$this->frparam('istop',0,0);

$data['ishot']=$this->frparam('ishot',0,0);

$data['istuijian']=$this->frparam('istuijian',0,0);

$data=get_fields_data($data,'product');

if($data['tags']!=