BlueCMS code audit reproduction

1. ad_js.php (ad_id is SQL-injectable: it is concatenated into the query without surrounding quotes, so the escaping done by magic_quotes/addslashes() has nothing to protect and is bypassed)

Declaration

$ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : '';

Query

// ad_id lands in the WHERE clause bare: there is no quote to close, so a
// payload such as 0 UNION SELECT ... needs no quote character at all
$ad = $db->getone("SELECT * FROM ".table('ad')." WHERE ad_id =".$ad_id);

2. article.php (with act=del, id is SQL-injectable: the first query uses $_GET['id'] raw; only the DELETE that follows applies intval())

elseif($act == 'del'){
    // first query: raw $_GET['id'] concatenated, injectable
    $article = $db->getone("SELECT cid, lit_pic FROM ".table('article')." WHERE id=".$_GET['id']);
    // second query: intval() applied, so only the SELECT above is exploitable
    $sql = "DELETE FROM ".table('article')." WHERE id=".intval($_GET['id']);
    $db->query($sql);
    if (file_exists(BLUE_ROOT.$article['lit_pic'])) {
        @unlink(BLUE_ROOT.$article['list_pic']);
    }
}

3. common.fun.php (getip() returns attacker-controlled header text and feeds SQL injection in several callers)

Function

getenv(): looks up the environment string named by name and returns its value as a string. For a request, the HTTP_* entries are copies of the client-supplied request headers, so every value read below except REMOTE_ADDR is chosen by the client.

Code

function getip() {
    // each HTTP_* value is a request header the client can set freely
    if (getenv('HTTP_CLIENT_IP')) {
        $ip = getenv('HTTP_CLIENT_IP');
    } elseif (getenv('HTTP_X_FORWARDED_FOR')) {
        $ip = getenv('HTTP_X_FORWARDED_FOR');
    } elseif (getenv('HTTP_X_FORWARDED')) {
        $ip = getenv('HTTP_X_FORWARDED');
    } elseif (getenv('HTTP_FORWARDED_FOR')) {
        $ip = getenv('HTTP_FORWARDED_FOR');
    } elseif (getenv('HTTP_FORWARDED')) {
        $ip = getenv('HTTP_FORWARDED');
    } else {
        $ip = $_SERVER['REMOTE_ADDR'];   // only this one comes from the TCP peer
    }
    return $ip;   // returned unfiltered; callers concatenate it into INSERT statements
}
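The three injection points in sections 1 to 3 share one root cause: the value reaches the query as raw text. As an added example (not BlueCMS code), the following Python simulates ad_js.php, the act=del SELECT and a getip() caller against an in-memory SQLite database. The schema, rows, the blue_admin/blue_guest_book table names and the Python stand-ins for addslashes() and intval() are all constructed here, and the SQL is kept to syntax both MySQL and SQLite accept.

```python
"""Added example, not BlueCMS code: simulates the injection points of sections 1-3
against an in-memory SQLite database. Schema, rows, table names and the
addslashes()/intval() stand-ins are constructed for this demo."""
import ipaddress
import re
import sqlite3

PROXY_HEADERS = ("HTTP_CLIENT_IP", "HTTP_X_FORWARDED_FOR", "HTTP_X_FORWARDED",
                 "HTTP_FORWARDED_FOR", "HTTP_FORWARDED")


def addslashes(s: str) -> str:
    """Stand-in for PHP addslashes()/magic_quotes_gpc: backslash-escapes ' " \\ and NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def intval(s: str) -> int:
    """Stand-in for PHP intval(): leading integer, otherwise 0."""
    m = re.match(r"\s*[+-]?\d+", s)
    return int(m.group()) if m else 0


def make_db() -> sqlite3.Connection:
    """Constructed tables standing in for blue_ad, blue_admin and blue_guest_book."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE blue_ad (ad_id INTEGER, ad_name TEXT);
        INSERT INTO blue_ad VALUES (1, 'banner');
        CREATE TABLE blue_admin (admin_id INTEGER, admin_name TEXT, pwd TEXT);
        INSERT INTO blue_admin VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e');
        CREATE TABLE blue_guest_book (id INTEGER PRIMARY KEY, ip TEXT, content TEXT);
    """)
    return db


# --- sections 1 and 2: numeric parameter concatenated without quotes -----------
def ad_query_vulnerable(db, ad_id: str):
    """ad_js.php as written: escaping runs, but there is no quote to break out of."""
    return db.execute("SELECT * FROM blue_ad WHERE ad_id =" + addslashes(ad_id)).fetchall()


def ad_query_fixed(db, ad_id: str):
    """Hardened: coerce to int (as the DELETE in article.php already does) and bind it."""
    return db.execute("SELECT * FROM blue_ad WHERE ad_id = ?", (intval(ad_id),)).fetchall()


# --- section 3: getip() hands back attacker-chosen header text ------------------
def getip(headers: dict, remote_addr: str) -> str:
    """Mirror of common.fun.php getip(): first proxy header present wins, unfiltered."""
    for h in PROXY_HEADERS:
        if headers.get(h):
            return headers[h]
    return remote_addr


def getip_fixed(headers: dict, remote_addr: str) -> str:
    """Accept a header only if its first entry parses as an IP; else use the socket peer."""
    for h in PROXY_HEADERS:
        if headers.get(h):
            candidate = headers[h].split(",")[0].strip()
            try:
                return str(ipaddress.ip_address(candidate))
            except ValueError:
                return remote_addr
    return remote_addr


def guestbook_insert_vulnerable(db, headers: dict, content: str) -> str:
    """Constructed INSERT of the shape getip() callers use: the ip string is spliced in raw.
    Returns the content column that actually got stored."""
    ip = getip(headers, "203.0.113.9")
    sql = "INSERT INTO blue_guest_book (ip, content) VALUES ('%s', '%s')" % (ip, addslashes(content))
    db.execute(sql)
    return db.execute("SELECT content FROM blue_guest_book ORDER BY id DESC LIMIT 1").fetchone()[0]


def guestbook_insert_fixed(db, headers: dict, content: str) -> str:
    """Validated ip plus bound parameters. Returns the ip column that got stored."""
    ip = getip_fixed(headers, "203.0.113.9")
    db.execute("INSERT INTO blue_guest_book (ip, content) VALUES (?, ?)", (ip, content))
    return db.execute("SELECT ip FROM blue_guest_book ORDER BY id DESC LIMIT 1").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    union = "0 UNION SELECT admin_id, pwd FROM blue_admin"   # no quote needed anywhere
    print(ad_query_vulnerable(db, union))   # admin hash comes back as an "ad"
    print(ad_query_fixed(db, union))        # []
    # header closes the ip literal and supplies a subquery for the content column
    evil = {"HTTP_X_FORWARDED_FOR": "x', (SELECT pwd FROM blue_admin WHERE admin_id=1)) -- "}
    print(guestbook_insert_vulnerable(db, evil, "hello"))   # admin hash stored as content
    print(guestbook_insert_fixed(db, evil, "hello"))        # 203.0.113.9
```

The getip() payload is the classic BlueCMS exploitation path: nothing on the page is quoted or validated, so the header value only has to close the literal it lands in. Validating the header as an address and binding parameters each close the hole on their own; doing both means a future caller that forgets to bind is still not handed SQL.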

4. admin/tpl_manage.php (tpl_name allows arbitrary file read and write)

Code

elseif($act == 'edit'){
    $file = $_GET['tpl_name'];   // taken raw: ../ sequences are never rejected
    if(!$handle = @fopen(BLUE_ROOT.'templates/default/'.$file, 'rb')){
        showmsg('Failed to open the target template file');
    }
    $tpl['content'] = fread($handle, filesize(BLUE_ROOT.'templates/default/'.$file));
    $tpl['content'] = htmlentities($tpl['content'], ENT_QUOTES, GB2312);
    fclose($handle);
    $tpl['name'] = $file;
    template_assign(array('current_act', 'tpl'), array('Edit template', $tpl));
    $smarty->display('tpl_info.htm');
} elseif($act == 'do_edit'){
    // the write path has the same problem: tpl_name is only trimmed
    $tpl_name = !empty($_POST['tpl_name']) ? trim($_POST['tpl_name']) : '';
    $tpl_content = !empty($_POST['tpl_content']) ? deep_stripslashes($_POST['tpl_content']) : '';
    if(empty($tpl_name)){
        return false;
    }
    $tpl = BLUE_ROOT.'templates/default/'.$tpl_name;
    if(!$handle = @fopen($tpl, 'wb')){
        showmsg("Failed to open the target template file $tpl");
    }
    if(fwrite($handle, $tpl_content) === false){
        showmsg('Failed to write to $tpl');
    }
    fclose($handle);
    showmsg('Template edited', 'tpl_manage.php');
}

5. user.php (act=pay: pay is spliced into an include path; act=do_login: from is used for file inclusion. Note that in the do_login branch $from is never read from $_GET or $_POST, so it is attacker-controlled only when register_globals is on.)

Code

elseif ($act == 'pay'){
    include 'data/pay.cache.php';
    $price = $_POST['price'];
    $id = $_POST['id'];
    $name = $_POST['name'];
    if (empty($_POST['pay'])) {
        showmsg('Sorry, you did not choose a payment method');
    }
    // $_POST['pay'] goes into the include path unchecked
    include 'include/payment/'.$_POST['pay']."/index.php";
}

elseif($act == 'do_login'){
    $user_name = !empty($_POST['user_name']) ? trim($_POST['user_name']) : '';
    $pwd = !empty($_POST['pwd']) ? trim($_POST['pwd']) : '';
    $safecode = !empty($_POST['safecode']) ? trim($_POST['safecode']) : '';
    $useful_time = intval($_POST['useful_time']);
    // $from is not initialised from any superglobal here; it is base64-decoded
    // and used as-is further down the branch (excerpt ends here)
    $from = !empty($from) ? base64_decode($from) : 'user.php';
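Sections 4 and 5 are the same bug in two places: a request value is glued onto a fixed directory prefix and the result is opened or included. As an added example (not BlueCMS code), the following Python reproduces the traversal for tpl_name and for pay against a temporary directory built here, and shows one containment check that fixes both. BLUE_ROOT, the file names and the "alipay" driver directory are assumptions for the demo.

```python
"""Added example, not BlueCMS code: the path traversal behind admin/tpl_manage.php
(tpl_name) and user.php act=pay (pay), plus a containment check that fixes both.
BLUE_ROOT is a temporary directory built here; its contents are constructed."""
import os
import tempfile
from typing import Optional


def cms_path(blue_root: str, subdir: str, user_part: str, suffix: str = "") -> str:
    """String concatenation exactly as the CMS does it: no validation at all."""
    return blue_root + subdir + user_part + suffix


def contained_path(blue_root: str, subdir: str, user_part: str, suffix: str = "") -> Optional[str]:
    """Hardened: resolve '..' and symlinks, then require the result to stay under subdir.
    Returns the absolute path, or None when the request escapes the directory."""
    if "\0" in user_part:            # a NUL would truncate the name in old PHP/C APIs
        return None
    base = os.path.realpath(os.path.join(blue_root, subdir))
    target = os.path.realpath(os.path.join(base, user_part + suffix))
    if os.path.commonpath([base, target]) != base:
        return None
    return target


def build_demo_root() -> str:
    """Constructed BLUE_ROOT layout: one template, one payment driver, one config file."""
    root = tempfile.mkdtemp() + "/"
    for d in ("templates/default", "include/payment/alipay", "data"):
        os.makedirs(root + d)
    files = {
        "templates/default/index.htm": "<h1>index</h1>",
        "include/payment/alipay/index.php": "<?php // alipay driver",
        "data/config.php": "<?php $db_pass = 'secret';",
    }
    for rel, body in files.items():
        with open(root + rel, "w") as f:
            f.write(body)
    return root


def read_template_vulnerable(root: str, tpl_name: str) -> str:
    """tpl_manage.php act=edit: fopen(BLUE_ROOT.'templates/default/'.$file, 'rb')."""
    with open(cms_path(root, "templates/default/", tpl_name), "rb") as f:
        return f.read().decode()


def read_template_fixed(root: str, tpl_name: str) -> str:
    """Same read, but refused when tpl_name resolves outside templates/default."""
    path = contained_path(root, "templates/default/", tpl_name)
    if path is None:
        raise PermissionError("tpl_name escapes templates/default")
    with open(path, "rb") as f:
        return f.read().decode()


def payment_driver_fixed(root: str, pay: str) -> Optional[str]:
    """user.php act=pay: include 'include/payment/'.$_POST['pay'].'/index.php'.
    Returns the file that would be included, or None if pay walks out of the tree."""
    path = contained_path(root, "include/payment/", pay, "/index.php")
    return path if path and os.path.isfile(path) else None


if __name__ == "__main__":
    root = build_demo_root()
    print(read_template_vulnerable(root, "../../data/config.php"))   # leaks the DB password
    print(read_template_fixed(root, "index.htm"))
    print(payment_driver_fixed(root, "alipay"))
    print(payment_driver_fixed(root, "../../data"))                  # None
```

The do_edit write path needs exactly the same call before fopen(..., 'wb'); with it, tpl_name can no longer be pointed at a PHP file outside the template directory. Checking the resolved path rather than filtering "../" substrings is what makes the check hold against encoded, doubled or symlinked variants.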

6. user.php (email, msn and similar fields are XSS-able: trim() only strips leading and trailing whitespace and encodes nothing)

Functions

htmlspecialchars() [converts special characters to HTML entities]; trim() [strips leading and trailing whitespace only]

mb_substr($str, $start, $length) [returns $length characters starting at $start; the third argument is a length, not an end position]

function filter_data($str)   // blacklist only, case-sensitive, single pass: bypassable with img src onerror, mixed case, or nested/rewritten tags
{
    $str = preg_replace("/<(\/?)(script|i?frame|meta|link)(\s)<>/", "", $str);
    return $str;
}

Code

elseif($act == 'edit_user_info'){
    $user_id = intval($_SESSION['user_id']);
    if(empty($user_id)){
        return false;
    }
    $birthday = trim($_POST['birthday']);
    $sex = intval($_POST['sex']);
    // trim() removes surrounding whitespace only: any markup inside survives
    $email = !empty($_POST['email']) ? trim($_POST['email']) : '';
    $msn = !empty($_POST['msn']) ? trim($_POST['msn']) : '';
    $qq = !empty($_POST['qq']) ? trim($_POST['qq']) : '';
    $mobile_phone = !empty($_POST['mobile_phone']) ? trim($_POST['mobile_phone']) : '';
    $office_phone = !empty($_POST['office_phone']) ? trim($_POST['office_phone']) : '';
    $home_phone = !empty($_POST['home_phone']) ? trim($_POST['home_phone']) : '';
    // address is the only field that is actually encoded
    $address = !empty($_POST['address']) ? htmlspecialchars($_POST['address']) : '';

    // content only passes the blacklist filter_data(); descript is merely truncated
    $content = !empty($_POST['content']) ? filter_data($_POST['content']) : '';
    $descript = !empty($_POST['descript']) ? mb_substr($_POST['descript'], 0, 90) : mb_substr(html2text($_POST['content']), 0, 90);
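To make the three bypasses named above concrete, here is an added example (not BlueCMS code) in Python: a case-sensitive, single-pass tag blacklist of the same shape as filter_data(), the payloads that get past it, and the output-encoding fix. The regex is an assumed reconstruction written for the demo, not the project's own pattern; the field names follow edit_user_info and the payloads are constructed.

```python
"""Added example, not BlueCMS code: a blacklist of the same shape as filter_data()
(assumed reconstruction, not the project's regex), the bypasses the section names,
and encoding at the output point as the fix. Payloads are constructed."""
import html
import re

# Assumed reconstruction: strip opening/closing script, frame, iframe, meta and link
# tags. Like the original it has no /i flag and is applied exactly once.
TAG_BLACKLIST = re.compile(r"<(/?)(script|i?frame|meta|link)[^>]*>")

# Crude oracle for the demo: an unescaped script/img/svg tag reached the page
ACTIVE_MARKUP = re.compile(r"<(script|img|svg)\b", re.I)


def filter_data(s: str) -> str:
    return TAG_BLACKLIST.sub("", s)


def trim(s: str) -> str:
    """PHP trim(): whitespace at both ends only; the middle is untouched."""
    return s.strip(" \t\n\r\0\x0b")


def render_profile_vulnerable(fields: dict) -> str:
    """As in user.php: email goes through trim(), content through filter_data(),
    and both are later echoed into the page as-is."""
    email = trim(fields.get("email", ""))
    content = filter_data(fields.get("content", ""))
    return "<p class=email>%s</p><div class=about>%s</div>" % (email, content)


def render_profile_fixed(fields: dict) -> str:
    """Encode at the output point: every user value becomes text, whatever it contains."""
    email = html.escape(trim(fields.get("email", "")), quote=True)
    content = html.escape(fields.get("content", ""), quote=True)
    return "<p class=email>%s</p><div class=about>%s</div>" % (email, content)


def has_active_markup(page: str) -> bool:
    return ACTIVE_MARKUP.search(page) is not None


BYPASSES = {
    # 1. a tag that is simply not on the list
    "img onerror": "<img src=x onerror=alert(1)>",
    # 2. no /i flag: any other casing never matches
    "mixed case": "<ScRiPt>alert(1)</ScRiPt>",
    # 3. single pass: the inner tag is removed and the halves around it join up
    "nested": "<scr<script>ipt>alert(1)</scr</script>ipt>",
}

if __name__ == "__main__":
    for name, payload in BYPASSES.items():
        print(name, "->", filter_data(payload))
    profile = {"email": " x@y.z<svg onload=alert(1)> ", "content": BYPASSES["nested"]}
    print(has_active_markup(render_profile_vulnerable(profile)))   # True
    print(has_active_markup(render_profile_fixed(profile)))        # False
```

The fix is not a longer blacklist: it is htmlspecialchars($value, ENT_QUOTES) at the point where the value is written into HTML, applied to every field rather than only to address.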

7. /admin/login.php (wide-byte injection: the database connection uses the gbk charset, and the single quote is only escaped as \' by either a preg_replace() or the built-in addslashes(), which is exactly the condition under which wide-byte injection works)

Data flow

require_once(dirname(__FILE__ ) . '/include/common.inc.php');

/include/common.inc.php in turn includes mysql.class.php; following require_once(BLUE_ROOT.'include/mysql.class.php') into mysql.class.php shows the connection charset is gbk:

function mysql($dbhost, $dbuser, $dbpw, $dbname = '', $dbcharset = 'gbk', $connect=1){
    $func = empty($connect) ? 'mysql_pconnect' : 'mysql_connect';
    if(!$this->linkid = @$func($dbhost, $dbuser, $dbpw, true)){
        $this->dbshow('Can not connect to Mysql!');
    } else {
        if($this->dbversion() > '4.1'){
            mysql_query("SET NAMES gbk");   // connection charset gbk: 0x5C is a valid trail byte
            if($this->dbversion() > '5.0.1'){
                mysql_query("SET sql_mode = ''", $this->linkid);
            }
        }
        // ... (excerpt ends here)
    }
}

Code

require_once(dirname(__FILE__) . '/include/common.inc.php');
$act = !empty($_REQUEST['act']) ? trim($_REQUEST['act']) : 'login';
if($act == 'login'){
    if($_SESSION['admin_id']){
        showmsg('You are already logged in', 'index.php');
    }
    template_assign('current_act', 'Login');
    $smarty->display('login.htm');
} elseif($act == 'do_login'){
    // only trim(); the quote escaping that happens before the query is byte-based
    $admin_name = isset($_POST['admin_name']) ? trim($_POST['admin_name']) : '';
    $admin_pwd = isset($_POST['admin_pwd']) ? trim($_POST['admin_pwd']) : '';
    $remember = isset($_POST['rememberme']) ? intval($_POST['rememberme']) : 0;
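The mechanics of the wide-byte case are easier to see on raw bytes than in PHP. As an added example (not BlueCMS code), the following Python applies a byte-wise escaper of the addslashes() kind to admin_name, decodes the result the way a gbk connection would, and contrasts it with a charset-aware escaper. The escapers are stand-ins, the query shape follows the admin_name/admin_pwd handling in admin/login.php, and blue_admin is an assumed table name. A preg_replace() that rewrites ' to \' behaves identically to the addslashes() stand-in here.

```python
"""Added example, not BlueCMS code: why byte-wise quote escaping fails under
SET NAMES gbk. Escapers are stand-ins; blue_admin is an assumed table name."""


def addslashes_bytes(raw: bytes) -> bytes:
    """Byte-wise escaping as PHP addslashes()/magic_quotes_gpc do it on a GBK page:
    a 0x5C goes before every ' " \\ and NUL, with no notion of multibyte boundaries."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def build_login_query(admin_name: bytes, pwd_md5: str) -> str:
    """What MySQL parses: the escaped bytes decoded with the gbk connection charset.
    In GBK a lead byte 0x81-0xFE plus a trail byte 0x40-0xFE (0x7F excluded) is one
    character, and 0x5C is a legal trail byte, so 0xBF 0x5C collapses into a single
    CJK character and the quote that follows it is live again."""
    name = addslashes_bytes(admin_name).decode("gbk", errors="replace")
    return "SELECT * FROM blue_admin WHERE admin_name='%s' AND pwd='%s'" % (name, pwd_md5)


def escape_gbk_fixed(raw: bytes) -> str:
    """Decode to characters first (rejecting malformed GBK), then escape per character.
    This is what a charset-aware escaper such as mysql_real_escape_string() does once
    the client charset really matches; bound parameters avoid escaping altogether."""
    try:
        text = raw.decode("gbk")
    except UnicodeDecodeError as exc:
        raise ValueError("admin_name is not valid GBK") from exc
    return text.replace("\\", "\\\\").replace("'", "\\'")


def build_login_query_fixed(admin_name: bytes, pwd_md5: str) -> str:
    return "SELECT * FROM blue_admin WHERE admin_name='%s' AND pwd='%s'" % (
        escape_gbk_fixed(admin_name), pwd_md5)


def unescaped_quotes(sql: str) -> int:
    """Count quotes not preceded by a backslash; an odd count means a string
    literal was broken out of."""
    n, i = 0, 0
    while i < len(sql):
        if sql[i] == "\\":
            i += 2
            continue
        if sql[i] == "'":
            n += 1
        i += 1
    return n


if __name__ == "__main__":
    payload = b"\xbf\x27 OR 1=1 -- "      # admin_name=%bf%27 OR 1=1 --
    q = build_login_query(payload, "x")
    print(q, unescaped_quotes(q))          # quote survives, odd count
    print(unescaped_quotes(build_login_query_fixed(b"a' OR 1=1 -- ", "x")))   # even
    print(build_login_query_fixed("管理员".encode("gbk"), "x"))
```

The charset-aware version refuses the %bf%27 probe outright because 0x27 is not a valid GBK trail byte, so the sequence never decodes into a character that swallows the backslash. In PHP terms: set the client charset with mysql_set_charset() rather than a raw SET NAMES, so mysql_real_escape_string() knows the encoding, or move the login query to prepared statements.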
