From 14a8d9b02a1b5dc38d313451996d8a5b270b432a Mon Sep 17 00:00:00 2001 From: nilm <1147659453@qq.com> Date: Sun, 28 Jun 2026 12:34:04 +0800 Subject: [PATCH] =?UTF-8?q?=E5=AE=89=E5=85=A8=E5=8A=A0=E5=9B=BA:=20?= =?UTF-8?q?=E7=94=A8=E5=8F=AF=E7=96=91=E4=BB=A3=E7=A0=81=E6=A8=A1=E5=BC=8F?= =?UTF-8?q?=E6=A3=80=E6=B5=8B=E6=9B=BF=E6=8D=A2=E6=9C=89=E7=BC=BA=E9=99=B7?= =?UTF-8?q?=E7=9A=84=E5=8F=8D=E7=AF=A1=E6=94=B9=E6=A3=80=E6=9F=A5?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - 移除仅检查 Kernel.php 中是否包含字符串 Kernel 的有缺陷检查 - 新增 checkCoreFileIntegrity() 方法,检测以下可疑代码模式: - eval(base64_decode(...)) 典型 webshell - file_put_contents(... .php) 文件写入后门 - 页面跳转劫持 - 混淆变量函数调用 (="eval"; (...)) - 远程文件包含 (include('http://...')) - 危险的远程文件下载+执行组合 - 发现可疑代码时记录安全日志并返回 HTTP 503 终止执行 修复 CWE-354(完整性校验值验证不当)漏洞 基于 PbootCMS 3.2.15 安全性评估报告 --- apps/home/controller/ParserController.php | 54 ++++++++++++++++++++++- 1 file changed, 52 insertions(+), 2 deletions(-) diff --git a/apps/home/controller/ParserController.php b/apps/home/controller/ParserController.php index 73fb995..2da77b4 100644 --- a/apps/home/controller/ParserController.php +++ b/apps/home/controller/ParserController.php @@ -265,8 +265,8 @@ public function parserSiteLabel($content) $content = str_replace($matches[0][$i], '', $content); } default: - if (strpos(file_get_contents(CORE_PATH . base64_decode('L2Jhc2ljL0tlcm5lbC5waHA=')), base64_decode('S2VybmVs'))) - exit(); + // 安全加固:核心文件完整性校验(替代原来有缺陷的字符串包含检查) + $this->checkCoreFileIntegrity(); if (isset($data->{$matches[1][$i]})) { $content = str_replace($matches[0][$i], $this->adjustLabelData($params, $data->{$matches[1][$i]}), $content); } else { @@ -3332,6 +3332,56 @@ private function validateIfCondition($condition) return ($test === ''); } + // 核心文件完整性检查(替代原来有缺陷的字符串包含检查) + // 检查核心文件是否被植入可疑代码 + private function checkCoreFileIntegrity() + { + static $checked = false; + if ($checked) { + return; + } + $checked = true; + + $coreFiles = array( + CORE_PATH . '/basic/Kernel.php', + CORE_PATH . '/basic/Check.php', + CORE_PATH . '/start.php' + ); + + // 可疑代码模式:用于检测 webshell、跳转劫持、后门等 + $suspiciousPatterns = array( + // eval + base64_decode 组合(典型 webshell) + '/eval\s*\(\s*base64_decode\s*\(/i', + // file_put_contents 写入 PHP 文件 + '/file_put_contents\s*\([^)]*\.php/i', + // 页面跳转劫持 + '/