From 14a8d9b02a1b5dc38d313451996d8a5b270b432a Mon Sep 17 00:00:00 2001
From: nilm <1147659453@qq.com>
Date: Sun, 28 Jun 2026 12:34:04 +0800
Subject: [PATCH] =?UTF-8?q?=E5=AE=89=E5=85=A8=E5=8A=A0=E5=9B=BA:=20?=
=?UTF-8?q?=E7=94=A8=E5=8F=AF=E7=96=91=E4=BB=A3=E7=A0=81=E6=A8=A1=E5=BC=8F?=
=?UTF-8?q?=E6=A3=80=E6=B5=8B=E6=9B=BF=E6=8D=A2=E6=9C=89=E7=BC=BA=E9=99=B7?=
=?UTF-8?q?=E7=9A=84=E5=8F=8D=E7=AF=A1=E6=94=B9=E6=A3=80=E6=9F=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 移除仅检查 Kernel.php 中是否包含字符串 Kernel 的有缺陷检查
- 新增 checkCoreFileIntegrity() 方法,检测以下可疑代码模式:
- eval(base64_decode(...)) 典型 webshell
- file_put_contents(... .php) 文件写入后门
- 页面跳转劫持
- 混淆变量函数调用 (="eval"; (...))
- 远程文件包含 (include('http://...'))
- 危险的远程文件下载+执行组合
- 发现可疑代码时记录安全日志并返回 HTTP 503 终止执行
修复 CWE-354(完整性校验值验证不当)漏洞
基于 PbootCMS 3.2.15 安全性评估报告
---
apps/home/controller/ParserController.php | 54 ++++++++++++++++++++++-
1 file changed, 52 insertions(+), 2 deletions(-)
diff --git a/apps/home/controller/ParserController.php b/apps/home/controller/ParserController.php
index 73fb995..2da77b4 100644
--- a/apps/home/controller/ParserController.php
+++ b/apps/home/controller/ParserController.php
@@ -265,8 +265,8 @@ public function parserSiteLabel($content)
$content = str_replace($matches[0][$i], '', $content);
}
default:
- if (strpos(file_get_contents(CORE_PATH . base64_decode('L2Jhc2ljL0tlcm5lbC5waHA=')), base64_decode('S2VybmVs')))
- exit();
+ // 安全加固:核心文件完整性校验(替代原来有缺陷的字符串包含检查)
+ $this->checkCoreFileIntegrity();
if (isset($data->{$matches[1][$i]})) {
$content = str_replace($matches[0][$i], $this->adjustLabelData($params, $data->{$matches[1][$i]}), $content);
} else {
@@ -3332,6 +3332,56 @@ private function validateIfCondition($condition)
return ($test === '');
}
+ // 核心文件完整性检查(替代原来有缺陷的字符串包含检查)
+ // 检查核心文件是否被植入可疑代码
+ private function checkCoreFileIntegrity()
+ {
+ static $checked = false;
+ if ($checked) {
+ return;
+ }
+ $checked = true;
+
+ $coreFiles = array(
+ CORE_PATH . '/basic/Kernel.php',
+ CORE_PATH . '/basic/Check.php',
+ CORE_PATH . '/start.php'
+ );
+
+ // 可疑代码模式:用于检测 webshell、跳转劫持、后门等
+ $suspiciousPatterns = array(
+ // eval + base64_decode 组合(典型 webshell)
+ '/eval\s*\(\s*base64_decode\s*\(/i',
+ // file_put_contents 写入 PHP 文件
+ '/file_put_contents\s*\([^)]*\.php/i',
+ // 页面跳转劫持
+ '/