熊海cms v1.0 完全代碼審計

很久以前寫的，寫這個東西更多的是爲了說明我自己的一個思路，即按照程序功能點進行代碼審計，

這樣經過一段時間訓練，熟悉了某種功能的正確和錯誤實現方法，遇到類似的代碼就可以很快看出是否有問題了

---

0 安裝功能
0.1 檢查是否存在鎖文件
沒問題，後面幾項只有在程序未安裝時進行
0.2 連接數據庫，導入sql文件
0.3 將數據庫連接信息寫入配置文件
* 代碼執行
```
$dbhost = $_POST['dbhost'];
$dbuser = $_POST['dbuser'];
$dbpwd = $_POST['dbpwd'];
$dbname = $_POST['dbname'];
...
$content = "<?php
\$DB_HOST='" . $dbhost . "';
\$DB_USER='" . $dbuser . "';
\$DB_PWD='" . $dbpwd . "';
\$DB_NAME='" . $dbname . "';
?>
";
$of = fopen('../inc/conn.info.php', 'w');
if ($of) {
fwrite($of, $content);
}
echo "MySQL數據庫連接配置成功!<br /><br />";
```
0.4 加入管理員
* sql 注入
```
$user = $_POST['user'];
$password = md5($_POST['password']);
...
$query = "UPDATE manage SET user='$user',password='$password',name='$user'";
@mysql_query($query) or die('修改錯誤：' . mysql_error());
```

1 默認訪問首頁
* 文件包含
```
$file = addslashes($_GET['r']); //接收文件名
$action = $file == '' ? 'index' : $file; //判斷爲空或者等於index
include 'files/' . $action . '.php'; //載入相應文件
```
1.1 顯示導航欄
1.2 顯示頭條
1.3 顯示三個分類
1.4 顯示最新下載
1.5 顯示友情鏈接

2 關於

3 查看分類
3.1 查詢文章
3.2 查看文章評論，時間等信息

4 查看文章
4.1 更新點擊數
* sql 注入
```
$id = addslashes($_GET['cid']);
...
$query = "UPDATE content SET hit = hit+1 WHERE id=$id";
@mysql_query($query) or die('修改錯誤：' . mysql_error());
```
4.2 顯示評論
* xss
```
<?php echo $pinglun['name'] ?>
插入的時候也沒有過濾
```
4.3 提交評論
4.3.1 檢查驗證碼
4.3.2 檢查輸入
4.3.3 根據郵箱查詢用戶頭像
* sql 注入
```
$mail = $_POST['mail'];
...
$query = "SELECT * FROM interaction WHERE( mail = '$mail')";
$result = mysql_query($query) or die('SQL語句有誤：' . mysql_error());
```
4.3.4 設置cookie
4.3.5 數據庫保存評論
* sql 注入
```
$name = $_POST['name'];
$mail = $_POST['mail'];
$url = $_POST['url'];
$content = $_POST['content'];
$cid = $_POST['cid'];
$ip = $_SERVER["REMOTE_ADDR"];
$tz = $_POST['tz'];
...
$query = "INSERT INTO interaction (
type,
xs,
cid,
name,
mail,
url,
touxiang,
shebei,
ip,
content,
tz,
date
) VALUES (
'$type',
'$xs',
'$cid',
'$name',
'$mail',
'$url',
'$touxiang',
'$shebei',
'$ip',
'$content',
'$tz',
now()
)";
```
4.3.6 檢查是否發送評論通知郵件

5 查看下載

6 查看軟件
6.1 增加瀏覽量
* sql 注入
```
$id = addslashes($_GET['cid']);
$query = "UPDATE download SET hit = hit+1 WHERE id=$id";
```
6.2 顯示軟件信息
6.3 顯示評論
* 同之前有xss
6.4 提交評論
* 同之前有sql 注入

7 聯繫
7.1 留言列表
* 同之前有xss
7.2 發表留言
* 同之前有sql 注入

8 後臺登陸
8.1 默認訪問admin/index.php
* 文件包含
```
$file=addslashes($_GET['r']); //接收文件名
$action=$file==''?'index':$file; //判斷爲空或者等於index
include('files/'.$action.'.php'); //載入相應文件
```
8.2 檢查是否已登陸，未登陸則跳到登陸界面
* 訪問控制實現錯誤
```
$user = $_COOKIE['user'];
if ($user == "") {
header("Location: ?r=login");
exit;
}
```
8.3 檢查用戶名密碼
* sql 注入
```
$user = $_POST['user'];
...
$query = "SELECT * FROM manage WHERE user='$user'";
$result = mysql_query($query) or die('SQL語句有誤：' . mysql_error());
```
8.4 記住我
* 會話管理實現錯誤
```
if ($checkbox == 1) {
setcookie('user', $user, time() + 3600 * 24 * 30, '/');
} else {
setcookie('user', $user, 0, '/');
}
```

9 後臺首頁
9.1 查看各種統計信息
9.2 查看最新文章及搜索文章
9.3 查看熱門排行
9.4 查看最近評論
* xss
```
<?php echo $interaction['name'] ?>
```
9.5 管理員資料設置
* sql 注入
```
$user = $_POST['user'];
$name = $_POST['name'];
$password = $_POST['password'];
$password2 = $_POST['password2'];
$img = $_POST['img'];
$mail = $_POST['mail'];
$qq = $_POST['qq'];
...
$query = "UPDATE manage SET
user='$user',
name='$name',
$password
$images
mail='$mail',
qq='$qq',
date=now()";
```
9.6 退出後臺
10 發佈內容
10.1 發佈文章
10.1.0 訪問控制實現錯誤
* 同前
10.1.1 填寫文章信息
* sql 注入
```
$save = $_POST['save'];
$title = $_POST['title'];
$author = $_POST['author'];
$keywords = $_POST['keywords'];
$description = $_POST['description'];
$images = $_POST['images'];
$xs = $_POST['xs'];
if ($xs == "") {$xs = 1;}
$toutiao = $_POST['toutiao'];
...
$query = "INSERT INTO content (navclass,title,toutiao,author,keywords,description,xs,hit,images,content,date) VALUES ('$navclass','$title','$toutiao','$author','$keywords','$description','$xs','1','$filename','$content',now())";@mysql_query($query) or die('新增錯誤：' . mysql_error());
```
10.1.2 上傳圖片
10.1.3 使用ueditor填寫文章內容
* Ueditor 1.4.3 SSRF
```
private function saveRemote()
{
$imgUrl = htmlspecialchars($this->fileField);
$imgUrl = str_replace("&amp;", "&", $imgUrl);

//http開頭驗證
if (strpos($imgUrl, "http") !== 0) {
$this->stateInfo = $this->getStateInfo("ERROR_HTTP_LINK");
return;
}
//獲取請求頭並檢測死鏈
$heads = get_headers($imgUrl);
if (!(stristr($heads[0], "200") && stristr($heads[0], "OK"))) {
$this->stateInfo = $this->getStateInfo("ERROR_DEAD_LINK");
return;
}
//格式驗證(擴展名驗證和Content-Type驗證)
$fileType = strtolower(strrchr($imgUrl, '.'));
if (!in_array($fileType, $this->config['allowFiles']) || stristr($heads['Content-Type'], "image")) {
$this->stateInfo = $this->getStateInfo("ERROR_HTTP_CONTENTTYPE");
return;
}

//打開輸出緩衝區並獲取遠程圖片
ob_start();
$context = stream_context_create(
array('http' => array(
'follow_location' => false // don't follow redirects
))
);
```
10.2 發佈下載
10.2.1 訪問控制
* 同前
10.2.1 填寫文章信息
* sql 注入
```
$save = $_POST['save'];
$title = $_POST['title'];
$author = $_POST['author'];
$keywords = $_POST['keywords'];
$description = $_POST['description'];
$images = $_POST['images'];
$daxiao = $_POST['daxiao'];
$language = $_POST['language'];
$version = $_POST['version'];
$demo = $_POST['demo'];
$url = $_POST['url'];
$softadd = $_POST['softadd'];
$softadd2 = $_POST['softadd2'];
$content = $_POST['content'];
$xs = $_POST['xs'];
...
$query = "INSERT INTO download (
title,keywords,description,images,hit,xiazai,daxiao,language,version,author,demo,url,softadd,softadd2,xs,content,date
) VALUES(
'$title','$keywords','$description','$filename','1','0','$daxiao','$language','$version','$author','$demo','$url','$softadd','$softadd2','$xs','$content',now()
)";@mysql_query($query) or die('新增錯誤：' . mysql_error());
```

11 內容管理
11.1 文章列表
11.1.0 訪問控制
* 實現錯誤
11.1.1 查看文章列表
11.1.2 修改文章
* sql 注入
```
$id = $_GET['id'];
$query = "SELECT * FROM content WHERE id='$id'";
```
* sql 注入
```
$save = $_POST['save'];
$title = $_POST['title'];
$author = $_POST['author'];
$keywords = $_POST['keywords'];
$description = $_POST['description'];
$images = $_POST['images'];
$xs = $_POST['xs'];
...
$query = "UPDATE content SET
navclass='$navclass',
title='$title',
toutiao='$toutiao',
author='$author',
keywords='$keywords',
description='$description',
xs='$xs',
$images
content='$content',
editdate=now()
WHERE id='$id'";
@mysql_query($query) or die('修改錯誤：' . mysql_error());
echo "<script>alert('親愛的，文章," . $imgsms . "成功修改。');location.href='?r=wzlist'</script>";
exit;
```
11.1.3 刪除文章
* sql 注入
```
$delete = $_GET['delete'];
if ($delete != "") {
$query = "DELETE FROM content WHERE id='$delete'";
$result = mysql_query($query) or die('SQL語句有誤：' . mysql_error());
echo "<script>alert('親，ID爲" . $delete . "的內容已經成功刪除！');location.href='?r=wzlist'</script>";
exit;
}
```
11.2 下載列表
11.2.0 訪問控制
* 實現錯誤
11.2.1 查看下載列表
11.2.2 修改下載
* 同上
11.2.3 刪除下載
* 同上

12 欄目管理
12.1 新建單頁
12.1 訪問控制
* 實現錯誤
12.2 填寫信息
* sql 注入
```
$save = $_POST['save'];
$name = $_POST['name'];
$keywords = $_POST['keywords'];
$description = $_POST['description'];
$px = $_POST['px'];
$xs = $_POST['xs'];
...
$query = "INSERT INTO nav (
name,keywords,description,xs,px,link,type,content,date
) VALUES (
'$name','$keywords','$description','$xs','$px','pages','5','$content',now()
)";@mysql_query($query) or die('新增錯誤：' . mysql_error());
echo "<script>alert('親愛的，一級單頁已經成功添加。');location.href='?r=columnlist'</script>";
exit;
}
```
12.3 ueditor 填寫內容
* 同上
12.2 新建分類
* 同上
12.3 欄目列表
12.3.1 訪問控制
* 同上
12.3.2 修改欄目
* sql 注入
```
$id = $_GET['id'];
$type = $_GET['type'];

if ($type == 1) {
$query = "SELECT * FROM nav WHERE id='$id'";
$resul = mysql_query($query) or die('SQL語句有誤：' . mysql_error());
$nav = mysql_fetch_array($resul);
}
```
* sql 注入
```
$save = $_POST['save'];
$name = $_POST['name'];
$keywords = $_POST['keywords'];
$description = $_POST['description'];
$px = $_POST['px'];
$xs = $_POST['xs'];
...
$query = "UPDATE nav SET
name='$name',
keywords='$keywords',
description='$description',
xs='$xs',
px='$px',
content='$content',
date=now()
WHERE id='$id'";
@mysql_query($query) or die('修改錯誤：' . mysql_error());
```
12.3.3 刪除欄目
* sql 注入
```
$delete = $_GET['delete'];

$delete2 = $_GET['delete2'];

if ($delete != "") {
$query = "DELETE FROM nav WHERE id='$delete'";
$result = mysql_query($query) or die('SQL語句有誤：' . mysql_error());
echo "<script>alert('親，ID爲" . $delete . "的欄目已經成功刪除！');location.href='?r=columnlist'</script>";
exit;
}
if ($delete2 != "") {
$query = "DELETE FROM navclass WHERE id='$delete2'";
$result = mysql_query($query) or die('SQL語句有誤：' . mysql_error());
echo "<script>alert('親，ID爲" . $delete2 . "的二級欄目已經成功刪除！');location.href='?r=columnlist'</script>";
exit;
}
```

13 友情鏈接
13.1 添加鏈接
13.1.1 訪問控制
* 同上
13.1.2 提交信息
* sql 注入
```
$save = $_POST['save'];
$name = $_POST['name'];
$url = $_POST['url'];
$mail = $_POST['mail'];
$jieshao = $_POST['jieshao'];
$xs = $_POST['xs'];
...
$query = "INSERT INTO link (name,url,mail,jieshao,xs,date) VALUES ('$name','$url','$mail','jieshao','xs',now())";
```
13.2 鏈接列表
* 同上

14 互動
* 同上
14.1 評論列表
14.2 留言列表
14.3 下載列表

15 設置
15.1 基本設置
* 訪問控制實現錯誤
* sql 注入
15.2 高級設置
* 訪問控制實現錯誤
* sql 注入
15.3 圖片設置
* 訪問控制實現錯誤
* sql 注入
15.4 廣告設置