Life is about tinkering: code audit of a foreign CMS

Scanning this foreign CMS with the Seay Source Code Audit System reported 64 findings: 20 SQL injections, 4 file inclusions, 2 code executions, 35 arbitrary file read/delete/modify/write issues, 1 variable overwrite and 2 XSS.
However, after manual audit and verification,

I. Employee deduction add page: XSS

1. Vulnerable file

`E:\phpstudy_pro\WWW\aps\admin\deduction_add.php`

2. Vulnerable source code

![Source of deduction_add.php](https://img-blog.csdnimg.cn/img_convert/8b471b42ea33d8933aee400ca9600e08.png)

3. Root cause

Parameters submitted from the front end are neither filtered nor validated.

4. Reproduction

(1) Enter the admin backend
![Admin backend](https://img-blog.csdnimg.cn/img_convert/ec4b5a1e550f86077188e08bef6d2685.png)
(2) Open the Deductions page
![Deductions page](https://img-blog.csdnimg.cn/img_convert/dbe9e4c1ced7b14a20571b4afd970b79.png)
(3) Add a new employee deduction
![Add deduction form](https://img-blog.csdnimg.cn/img_convert/68ef6f0b98e629098ea5e2758d6fbf99.png)
(4) Enter the following
![Test input](https://img-blog.csdnimg.cn/img_convert/e8174d1394ce8227461e462cc3ac1165.png)
(5) The XSS alert pops up
![XSS alert](https://img-blog.csdnimg.cn/img_convert/b01b58939ca77de54755f315bcffd766.png)

II. Employee add page: XSS

1. Vulnerable file

`E:\phpstudy_pro\WWW\aps\admin\employee_add.php`

2. Vulnerable source code

![Source of employee_add.php](https://img-blog.csdnimg.cn/img_convert/b048eee91507c8573f22c8935ad0221f.png)

3. Root cause

Data submitted from the front end is neither filtered nor validated and is inserted straight into the database.

4. Reproduction

(1) Log in to the admin backend
![Admin backend](https://img-blog.csdnimg.cn/img_convert/e627ef6dcba57fbbeb4aee7e8e6428b6.png)
(2) Open the employee list and click Add
![Employee list, Add button](https://img-blog.csdnimg.cn/img_convert/5a45f4e37a9ed2aae6b16242a3926536.png)
(3) Enter the input in the text box and save
![Add employee form](https://img-blog.csdnimg.cn/img_convert/ef4c7791762b87d9ac6c09a0af9aff6c.png)
(4) The XSS alert pops up, and it pops up every time the page is opened, so this is a stored XSS
![Stored XSS alert](https://img-blog.csdnimg.cn/img_convert/8a3de822e6643d32f2116f72490dcf43.png)

III. Employee edit page: XSS

1. Vulnerable file

`E:\phpstudy_pro\WWW\aps\admin\employee_edit.php`

2. Vulnerable source code

![Source of employee_edit.php](https://img-blog.csdnimg.cn/img_convert/5116a55152bdbe05a569799b25559094.png)

3. Root cause

Values submitted from the front end are neither filtered nor validated and are inserted straight into the database.

4. Reproduction

(1) Enter the admin backend
![Admin backend](https://img-blog.csdnimg.cn/img_convert/e627ef6dcba57fbbeb4aee7e8e6428b6.png)
(2) Open the employee list
![Employee list](https://img-blog.csdnimg.cn/img_convert/1a3a68a6202820755dfeace31ed43724.png)
(3) Edit an employee record, enter the input in Firstname and save
![Edit employee form](https://img-blog.csdnimg.cn/img_convert/7bee1b645a1dd4c81b43ee287c3df881.png)
(4) The XSS alert pops up
![XSS alert](https://img-blog.csdnimg.cn/img_convert/7fd0a769024808c70c67932c3e8f8776.png)

IV. Employee photo edit page: file upload

1. Vulnerable file

`E:\phpstudy_pro\WWW\aps\admin\employee_edit_photo.php`

2. Vulnerable source code

![Source of employee_edit_photo.php](https://img-blog.csdnimg.cn/img_convert/301d7b2e64d69966a5f1caddf49ed64c.png)

3. Root cause

Uploaded files are checked against neither a whitelist nor a blacklist; there is no filtering at all.

4. Reproduction

(1) Log in to the admin backend
![Admin backend](https://img-blog.csdnimg.cn/img_convert/7eca93732da9f1ba54cbc664ef19cd07.png)
(2) Open the employee list
![Employee list](https://img-blog.csdnimg.cn/img_convert/e9a44c1c63e8c85b56f080768b855fdd.png)
(3) Change the employee photo
![Change photo form](https://img-blog.csdnimg.cn/img_convert/c7e6e22991d1e9f48d1b1ee7e4d374f4.png)
(4) Upload a phpinfo file
![Uploading phpinfo](https://img-blog.csdnimg.cn/img_convert/fd783208f786be9a9ab4eaef1bc763d1.png)
![Upload result](https://img-blog.csdnimg.cn/img_convert/b3a39d135dc9b26b3ce7d05c5a71bc7a.png)
![phpinfo page served](https://img-blog.csdnimg.cn/img_convert/4a1ed916760b9fc2ff8195ec26e7ce70.png)

V. Employee deduction edit page: XSS

1. Vulnerable file

`E:\phpstudy_pro\WWW\aps\admin\deduction_edit.php`

2. Vulnerable source code

![Source of deduction_edit.php](https://img-blog.csdnimg.cn/img_convert/97178e4f0bf18d43703dbea22250dd98.png)

3. Root cause

Parameters submitted from the front end are not strictly filtered.

4. Reproduction

(1) Enter the admin backend
![Admin backend](https://img-blog.csdnimg.cn/img_convert/ec4b5a1e550f86077188e08bef6d2685.png)
(2) Open the Deductions page
![Deductions page](https://img-blog.csdnimg.cn/img_convert/dbe9e4c1ced7b14a20571b4afd970b79.png)
(3) Click Edit on an employee's deduction record
![Edit deduction form](https://img-blog.csdnimg.cn/img_convert/1fcfeca6d79ba4811ad9b01cda444386.png)
(4) Change the description to
![Modified description](https://img-blog.csdnimg.cn/img_convert/d14408cc4c8f04a277d3e59b3045db28.png)
(5) The XSS alert pops up
![XSS alert](https://img-blog.csdnimg.cn/img_convert/1bc4827e09c16894450d08770aaea1b8.png)

VI. Employee position add page: XSS

1. Vulnerable file

`E:\phpstudy_pro\WWW\aps\admin\position_add.php`

2. Vulnerable source code

![Source of position_add.php](https://img-blog.csdnimg.cn/img_convert/ba81ba005ca9aa8b3f719b7698d76b02.png)

3. Root cause

Parameters submitted from the front end are neither validated nor filtered.

4. Reproduction

(1) Enter the admin backend
![Admin backend](https://img-blog.csdnimg.cn/img_convert/23c26c5d1bef41986c4b0bca592b8577.png)
(2) Open the Positions page
![Positions page](https://img-blog.csdnimg.cn/img_convert/36e20fc32d0ad85526972bf60f3af3df.png)
(3) Add a record
![Add position form](https://img-blog.csdnimg.cn/img_convert/48f0f9b765fdc1736da094661bb2aeb5.png)
(4) Enter the following
![Test input](https://img-blog.csdnimg.cn/img_convert/782702f2dd582428abe20a208cf52ce4.png)
(5) The XSS alert pops up
![XSS alert](https://img-blog.csdnimg.cn/img_convert/b1de1785b201551153d2789cdbc4068a.png)

VII. Employee position edit page: XSS

1. Vulnerable file

`E:\phpstudy_pro\WWW\aps\admin\position_edit.php`

2. Vulnerable source code

![Source of position_edit.php](https://img-blog.csdnimg.cn/img_convert/aa4c3a6ed6bae3c644c7f933e6e71b5a.png)

3. Root cause

Parameters submitted from the front end are neither validated nor filtered.

4. Reproduction

(1) Enter the admin backend
![Admin backend](https://img-blog.csdnimg.cn/img_convert/23c26c5d1bef41986c4b0bca592b8577.png)
(2) Open the Positions page
![Positions page](https://img-blog.csdnimg.cn/img_convert/4e332bde22186ea36fa5bd6382efe465.png)
(3) Edit a record
![Edit position form](https://img-blog.csdnimg.cn/img_convert/40128fefaf7b730995ed4a3363946a6c.png)
(4) Enter the following
![Test input](https://img-blog.csdnimg.cn/img_convert/03870669a764286c77dbd887e8f74eb7.png)
(5) The XSS alert pops up
![XSS alert](https://img-blog.csdnimg.cn/img_convert/929788996d7362ef73b29e950ca74124.png)

VIII. Admin Profile: XSS

1. Vulnerable file

`E:\phpstudy_pro\WWW\aps\admin\profile_update.php`

2. Vulnerable source code

![Source of profile_update.php](https://img-blog.csdnimg.cn/img_convert/9be20563b5d2362a123d3a6ccd8a9336.png)

3. Root cause

The submitted values are not strictly filtered or validated.

4. Reproduction

(1) Enter the admin backend
![Admin backend](https://img-blog.csdnimg.cn/img_convert/fad4a76cadf935e88d1adfb212341e37.png)
(2) Click the administrator avatar in the top-right corner
![Admin avatar menu](https://img-blog.csdnimg.cn/img_convert/12c12b0bb3f458c8aa0fa69d904a3e88.png)
(3) Click Update
![Profile update form](https://img-blog.csdnimg.cn/img_convert/545b84971a9d69006a6a9389cdf17abf.png)
(4) Enter the input in the name field
![Name field input](https://img-blog.csdnimg.cn/img_convert/08890605f0c2aae6179c99fa0ccf6673.png)
(5) The XSS alert pops up
![XSS alert](https://img-blog.csdnimg.cn/img_convert/2f8f4330850228e28c562e013460d962.png)
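The XSS findings in sections I, II, III, V, VI, VII and VIII share one root cause: a POSTed field is stored and later echoed into the admin page unchanged. The following is an added example, not code from the audited CMS, that shows that pattern beside a hardened version; the field name `description`, the helper name `h()` and the constructed test input are assumptions.

```php
<?php
// Added example (not the CMS's code): stored-XSS pattern and its fix.
// The field name and the test input below are constructed for illustration.

// --- Vulnerable pattern (what the audited add/edit pages do) ------------------
// The submitted value is saved and later concatenated into HTML verbatim, so any
// markup or script inside it runs in the browser of whoever views the list.
function vulnerable_render(string $description): string
{
    return '<td>' . $description . '</td>';
}

// --- Hardened pattern ----------------------------------------------------------
// 1. Store the raw value; "filtering HTML" on the way into the database is fragile.
// 2. Encode at output time, for the exact context the value lands in.
function h(string $value): string
{
    // ENT_QUOTES also encodes the single quote, so the result is safe inside
    // single-quoted attributes; ENT_SUBSTITUTE keeps invalid UTF-8 from silently
    // truncating the output.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function safe_render(string $description): string
{
    return '<td>' . h($description) . '</td>';
}

// Attribute context: same encoder, plus the attribute must be quoted.
function safe_attribute(string $value): string
{
    return '<input type="text" name="description" value="' . h($value) . '">';
}

// Server-side validation complements encoding: reject values that cannot be
// legitimate for the field at all (here: length), instead of trying to strip tags.
function validate_description(string $description): bool
{
    return mb_strlen($description, 'UTF-8') >= 1
        && mb_strlen($description, 'UTF-8') <= 255;
}

// Defence in depth: a CSP that forbids inline script turns an encoding mistake
// into a broken display instead of code execution in the admin's browser.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Constructed input containing markup, as the screenshots above do.
$input = '<b>late</b><script>alert(1)</script>';
echo vulnerable_render($input), PHP_EOL;  // markup reaches the browser unchanged
echo safe_render($input), PHP_EOL;        // &lt;b&gt;late&lt;/b&gt;&lt;script&gt;...
echo safe_attribute($input), PHP_EOL;
var_dump(validate_description($input));
```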

IX. Front-end employee attendance page: SQL injection

1. Vulnerable file

`E:\phpstudy_pro\WWW\aps\attendance.php`

2. Vulnerable source code

![Source of attendance.php](https://img-blog.csdnimg.cn/img_convert/277bafbc50f22a279151dd23607f4f02.png)

3. Root cause

The ID is user-controlled, and the user-supplied value is neither filtered nor validated.

4. Reproduction

(1) Enter an employee's ID on the front-end page
![Attendance form](https://img-blog.csdnimg.cn/img_convert/6a7e1a00a2f275779b18218f81d14250.png)
(2) Start capturing, click Sign In, and capture the request
![Captured request](https://img-blog.csdnimg.cn/img_convert/f542d5011981e4207afc63c5cd6fb5ce.png)
(3) Send it to Repeater and click Send; the response displays normally
![Normal response](https://img-blog.csdnimg.cn/img_convert/4fe649cd5d93fd5d11815f91454748c6.png)
(4) Append a single quote to the ID; the response says the ID does not exist:
![Response with single quote](https://img-blog.csdnimg.cn/img_convert/1c123695c2db8502aacbc9f842412ee0.png)
(5) Append `and '1'='1`; the response displays normally again, so SQL injection exists
![Response with and '1'='1](https://img-blog.csdnimg.cn/img_convert/ff86b70487a864ff2c70efe0c44b1c35.png)

X. Backend admin login page: SQL injection

1. Vulnerable file

`E:\phpstudy_pro\WWW\aps\admin\login.php`

2. Vulnerable source code

![Source of login.php](https://img-blog.csdnimg.cn/img_convert/8af3cf96f65ceac308c197093e21b300.png)

3. Root cause

Parameters submitted from the front end are neither filtered nor validated.

4. Reproduction

(1) Open the backend login page and enter the correct username and password:
![Login form](https://img-blog.csdnimg.cn/img_convert/91acc0027f2a802bda3bf27fbae84bf7.png)
(2) Start capturing, click Sign In, and capture the request:
![Captured login request](https://img-blog.csdnimg.cn/img_convert/e3c795e3dbc61bb8e3348a8ecf86ff71.png)
(3) Append `' and '1' = '1` to the username and send
![Modified login request](https://img-blog.csdnimg.cn/img_convert/c27ae4c9e300c901e54ad839fc205a09.png)
(4) The login still succeeds, so SQL injection exists
![Successful login](https://img-blog.csdnimg.cn/img_convert/4e45d501dae68c35108eb93d07a9c9af.png)
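Both SQL injection findings (sections IX and X) come from splicing request values into SQL text, which is why a stray quote breaks the query and `' and '1'='1` restores it. Below is an added example, not code from the audited CMS, showing the concatenation pattern beside a prepared-statement version for both pages; the table and column names (`employees`, `admin`, `employee_id`, `username`, `password`), the DSN and the assumption that passwords are stored as `password_hash()` output are all assumptions.

```php
<?php
// Added example (not the CMS's code). Table/column names, the DSN and the
// password-hash scheme are assumptions made for this illustration.

// --- Vulnerable pattern ----------------------------------------------------------
// The employee ID (attendance.php) and the login fields (login.php) become part
// of the SQL text, so a quote in the input changes the structure of the query.
function vulnerable_attendance_sql(string $employeeId): string
{
    return "SELECT * FROM employees WHERE employee_id = '" . $employeeId . "'";
}

// --- Hardened pattern --------------------------------------------------------------
function connect(): PDO
{
    return new PDO('mysql:host=127.0.0.1;dbname=aps;charset=utf8mb4', 'aps', 'secret', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// attendance.php: the ID is data, never SQL. Check its shape before querying so
// that obviously malformed input never reaches the database at all.
function find_employee(PDO $pdo, string $employeeId): ?array
{
    if (!preg_match('/^[A-Za-z0-9-]{1,32}$/', $employeeId)) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT id, firstname, lastname FROM employees WHERE employee_id = ?'
    );
    $stmt->execute([$employeeId]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// login.php: select by username only, then verify the password in PHP.
// The password never takes part in the SQL comparison, so no input can turn
// "wrong password" into "logged in".
function admin_login(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password FROM admin WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch();
    // Assumes the password column holds password_hash() output.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null; // same answer for unknown user and wrong password
    }
    unset($row['password']);
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true); // new session id on privilege change
    $_SESSION['admin_id'] = $row['id'];
    return $row;
}

// Illustration of the difference using the page's own test input.
$probe = "1001' and '1'='1";
echo vulnerable_attendance_sql($probe), PHP_EOL; // quote closes the literal: structure changes
var_dump(find_employee(connect(), $probe));      // rejected by the shape check: NULL
```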

XI. Admin Profile: file upload

1. Vulnerable file

`E:\phpstudy_pro\WWW\aps\admin\profile_update.php`

2. Vulnerable source code

![Source of profile_update.php](https://img-blog.csdnimg.cn/img_convert/9be20563b5d2362a123d3a6ccd8a9336.png)

3. Root cause

Uploaded files are neither validated nor filtered.

4. Reproduction

(1) Enter the admin backend
![Admin backend](https://img-blog.csdnimg.cn/img_convert/fad4a76cadf935e88d1adfb212341e37.png)
(2) Click the administrator avatar in the top-right corner
![Admin avatar menu](https://img-blog.csdnimg.cn/img_convert/12c12b0bb3f458c8aa0fa69d904a3e88.png)
(3) Click Update, choose a file, and upload a phpinfo file:
![Uploading phpinfo as avatar](https://img-blog.csdnimg.cn/img_convert/6f0b3a5d110aa7ece6e9bbe8d7ddb99b.png)
(4) After the change, right-click the administrator avatar and open it:
![Uploaded file opened](https://img-blog.csdnimg.cn/img_convert/ad3241fc80ba5c1b9c217b3509770933.png)
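The two upload findings (sections IV and XI) both accept whatever the client sends, so a `.php` file ends up under the web root and is executed when opened. The following is an added example, not code from the audited CMS, of a photo-upload handler that enforces the whitelist those pages lack; the upload directory, the size limit and the form field name `photo` are assumptions.

```php
<?php
// Added example (not the CMS's code): whitelist-based photo upload handler.
// UPLOAD_DIR, MAX_BYTES and the field name "photo" are assumptions.

const UPLOAD_DIR   = __DIR__ . '/../uploads/photos'; // assumed; ideally outside the web root
const MAX_BYTES    = 2 * 1024 * 1024;
const ALLOWED_MIME = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

/**
 * Validate one entry of $_FILES and move it to UPLOAD_DIR under a server-chosen
 * name. Returns the stored file name; throws RuntimeException on any failure.
 */
function store_photo(array $file): string
{
    // 1. PHP reported a clean upload, and the file is within the size limit.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . (int) $file['error']);
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('file too large or not an upload');
    }

    // 2. Decide the type from the bytes. The client-supplied name and $file['type']
    //    are attacker-controlled and must not be trusted. Whitelist, never blacklist.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!array_key_exists($mime, ALLOWED_MIME)) {
        throw new RuntimeException('unsupported type ' . $mime);
    }

    // 3. Require that the file actually parses as an image.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // 4. Never reuse the client's file name: pick a random name and force the
    //    extension that matches the detected type, so "avatar.php" cannot survive.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_MIME[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!is_dir(UPLOAD_DIR) && !mkdir(UPLOAD_DIR, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move uploaded file');
    }
    chmod($dest, 0640); // readable by the server, not executable
    return $name;
}

// Usage from the profile/photo form handler (assumed field name "photo"):
if (isset($_FILES['photo'])) {
    try {
        $stored = store_photo($_FILES['photo']);
        // persist $stored (the random name) in the employee/admin record here
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

The upload directory should additionally be configured so the web server never executes scripts from it (for Apache, `php_flag engine off` in that directory's `.htaccess`, or serve the files through a read-only download script), so that a validation bypass still yields a static file rather than code execution.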

XII. Attendance: horizontal privilege escalation, arbitrary delete

Note: this CMS has only one admin; with several admins this would be easier to exploit.

1. Vulnerable file

`E:\phpstudy_pro\WWW\aps\admin\attendance_delete.php`

2. Vulnerable source code

![Source of attendance_delete.php](https://img-blog.csdnimg.cn/img_convert/41596097b21e65061b32f18ef6576734.png)

3. Root cause

Neither the current user's identity nor the ID being deleted is verified, so the ID can be changed at will and the record deleted.

4. Reproduction

(1) In the backend, open Attendance and click Delete on a record:
![Attendance list](https://img-blog.csdnimg.cn/img_convert/7486990809e5eac58123fa3df2cdb1e9.png)
(2) The captured request:
![Captured delete request](https://img-blog.csdnimg.cn/img_convert/27714ffeb6cae3c2032fc0d186687dad.png)
(3) Change the ID to 82 and send; the first record, the one originally selected, is still there, while the second one has been deleted:
![Result after changing the ID](https://img-blog.csdnimg.cn/img_convert/200123870cb53cd94192afd90f2d6511.png)

XIII. Likewise, the Attendance page also allows arbitrary edit

Changing the id is enough to edit any record
![Attendance edit request](https://img-blog.csdnimg.cn/img_convert/bf015c52a2f701bffe8ade93592b5908.png)

XIV. The employee list has the same problem

Arbitrary delete, arbitrary edit
![Employee delete/edit request](https://img-blog.csdnimg.cn/img_convert/dfa97a972a7458e1e09585ab9c5f85cc.png)

XV. Cash Advance: same issue, not reproduced here; changing the ID is enough

![Cash Advance list](https://img-blog.csdnimg.cn/img_convert/c6a64878824ce607202197557f266655.png)
![Cash Advance request](https://img-blog.csdnimg.cn/img_convert/5daf03db60e48ec22232bc73f9e3058c.png)

XVI. Positions: same issue, not reproduced here; changing the ID is enough
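Sections XII to XVI describe the same defect: the delete and edit handlers act on whatever `id` the request carries without confirming who is logged in or whether that record is theirs. The following is an added example, not code from the audited CMS, of an attendance delete handler that performs both checks; the session layout (`$_SESSION['admin_id']`), the `attendance.admin_id` ownership column, the DSN and the CSRF field name are assumptions.

```php
<?php
// Added example (not the CMS's code): delete handler with authentication,
// CSRF and ownership checks. Session keys, column names and DSN are assumptions.

function require_admin(): int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['admin_id'])) {
        http_response_code(401);
        exit('login required');
    }
    return (int) $_SESSION['admin_id'];
}

// State-changing actions go over POST with a per-session token, so a record
// cannot be deleted by a crafted link the admin happens to open.
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function require_csrf(): void
{
    if (!hash_equals(csrf_token(), (string) ($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('bad csrf token');
    }
}

// The authorization check lives in the WHERE clause: the row is removed only if
// it exists AND belongs to the caller. A foreign id simply matches zero rows.
function delete_attendance(PDO $pdo, int $adminId, int $recordId): bool
{
    $stmt = $pdo->prepare('DELETE FROM attendance WHERE id = ? AND admin_id = ?');
    $stmt->execute([$recordId, $adminId]);
    return $stmt->rowCount() === 1;
}

// ---- handler ---------------------------------------------------------------------
$adminId = require_admin();
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('POST required');
}
require_csrf();

// The id must be a positive integer; anything else is rejected before any query.
$recordId = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($recordId === false || $recordId === null) {
    http_response_code(400);
    exit('bad id');
}

$pdo = new PDO('mysql:host=127.0.0.1;dbname=aps;charset=utf8mb4', 'aps', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

if (!delete_attendance($pdo, $adminId, $recordId)) {
    // Same response for "does not exist" and "not yours": no record enumeration.
    http_response_code(404);
    error_log(sprintf('admin %d attempted delete of attendance %d: denied', $adminId, $recordId));
    exit('no such record');
}
// Audit trail of who deleted what; a burst of denied attempts with sequential
// ids is the detection signal for the ID-walking shown in section XII.
error_log(sprintf('admin %d deleted attendance %d', $adminId, $recordId));
header('Location: attendance.php');
```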

Original article: https://blog.csdn.net/qq_15131581/article/details/127139728