BlueCMS Code Audit
I. Overview
The Seay source code audit system flagged 306 vulnerabilities. After going through roughly all of them, most cannot actually exist: folders such as un_client deny access outright, and the vulnerabilities reported at the other locations cannot be reproduced, either because the input is filtered or because the variable is not user-controllable. The tool only does simple matching against hand-written rules and cannot find logic vulnerabilities, so scanner plus manual review is the best combination.
![image.png](https://img-blog.csdnimg.cn/img_convert/e2596dbf17d264409956cdb753fa7445.png)
II. SQL injection vulnerabilities (124)
1. The first SQL injection
(1) The scanner displays the following code:
![image.png](https://img-blog.csdnimg.cn/img_convert/21f4b6c4250f7abbd542aa6ce88e5f66.png)
Here the trim function only strips whitespace, and the parameter is user-controllable. Add an echo of the SQL statement to the code and verify it on the front end:
![image.png](https://img-blog.csdnimg.cn/img_convert/4f312217c4a9409bd0427186bd6610d7.png)
The single quote is escaped, yet sqlmap still dumps the data:
![image.png](https://img-blog.csdnimg.cn/img_convert/44c4a5b1d10a0d770321a3aa9293f6c5.png)
Testing the payload shows that sleep(5) really was executed:
![image.png](https://img-blog.csdnimg.cn/img_convert/c0fb46c229859424f44480e5045bbc54.png)
The source file is ./admin/ad.php; test it on the page first.
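The audit above shows the pattern (trim, quote escaping, string concatenation) and that escaping the quote did not stop a time-based payload. The PHP below is an added example, not code from BlueCMS: it assumes an open mysqli connection and a hypothetical table blue_ad with column ad_id, and places that pattern beside a typed, parameterized query.

```php
<?php
// Added illustration, not BlueCMS code. $db is an open mysqli connection;
// table blue_ad and column ad_id are hypothetical stand-ins for the real query.

// The pattern the audit found: trim(), quote escaping, then string concatenation.
// When the value lands in the SQL without surrounding quotes, escaping quotes
// changes nothing, because a payload in a numeric position needs no quote at all.
// That is consistent with the time-based payload firing despite the escaped quote.
function find_ad_unsafe(mysqli $db, string $raw): ?array
{
    $id  = addslashes(trim($raw));                      // assumption: the only "filter" applied
    $sql = "SELECT * FROM blue_ad WHERE ad_id=" . $id;  // unquoted numeric position: still injectable
    $res = $db->query($sql);
    return ($res instanceof mysqli_result) ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened: enforce the type first, then bind the value so it is data, never SQL.
function find_ad_safe(mysqli $db, string $raw): ?array
{
    $id = filter_var(trim($raw), FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;                                    // not a positive integer: refuse
    }
    $stmt = $db->prepare("SELECT * FROM blue_ad WHERE ad_id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();          // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// Put this at the top of the admin page: with exceptions enabled, a failed
// prepare() cannot silently fall through to a raw query elsewhere in the file.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
```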
2. The second SQL injection (not present)
Report from the system:
![image.png](https://img-blog.csdnimg.cn/img_convert/9779a1dde47259b2ff7b4812c3cd9524.png)
Accessing it directly is denied:
![image.png](https://img-blog.csdnimg.cn/img_convert/84680cfe6b35885de718c05d7cbee970.png)
Looking at the source code:
![image.png](https://img-blog.csdnimg.cn/img_convert/b55273358fcaf60bead045302a0ce9ae.png)
It checks whether the IN_UC constant is defined and denies access outright if it is not; try removing the check. The page comes back blank and sqlmap gets nothing, so this attempt fails.
III. Arbitrary file read/delete/modify/write (98)
1. The first arbitrary file read
Report given by Seay:
![image.png](https://img-blog.csdnimg.cn/img_convert/ec5b5a6af8871ca32880d91822c849ce.png)
![image.png](https://img-blog.csdnimg.cn/img_convert/52d59fcaadb5bcbcafee32bbdf2b819d.png)
Construct the payload: http://blue.com/admin/tpl_manage.php?act=edit&tpl_name=../../data/config.php
The file can be read, but reading across drive letters is not possible.
![image.png](https://img-blog.csdnimg.cn/img_convert/a7120af2a128329092f2a5ed3365310e.png)
2. The second arbitrary file read (not present)
Report from the system:
![image.png](https://img-blog.csdnimg.cn/img_convert/95e56ff0ee23dfe177f9b0575cfdbd0c.png)
![image.png](https://img-blog.csdnimg.cn/img_convert/64b97e9c80a8b84d43c6a6dda476f54b.png)
Accessing the page directly:
![image.png](https://img-blog.csdnimg.cn/img_convert/d7b7ec15b47e51d4a1dd0e3866beccd8.png)
Looking at the source code:
![image.png](https://img-blog.csdnimg.cn/img_convert/c313769f80fadf5a0645be012a2c22b6.png)
This appears to be only the image deletion code; not present.
IV. File inclusion vulnerabilities (27)
1. The first file inclusion (not present)
Report from the system:
![image.png](https://img-blog.csdnimg.cn/img_convert/8df61f97a5c5cce6f5f0623cbb16ef1a.png)
Accessing the page directly:
![image.png](https://img-blog.csdnimg.cn/img_convert/0b62c562797abfde5b70a9d50242d226.png)
Looking at the source code:
![image.png](https://img-blog.csdnimg.cn/img_convert/10f42f1e2c8c08704f237a3256212f49.png)
The included file is hard-coded here and cannot be changed by the user; not present.
2. The second file inclusion
Report from the system:
![image.png](https://img-blog.csdnimg.cn/img_convert/74824d182dcb5b9f5810bae68bf7f58a.png)
Visit the page and find the pay variable:
![image.png](https://img-blog.csdnimg.cn/img_convert/491fb33d824be6841b3581a44439e6e2.png)
Start capturing the request, send it to Repeater, modify the request body and resend: (pasting a screenshot here; it did not show up)
![image.png](https://img-blog.csdnimg.cn/img_convert/4a00c4549709339b31c119f88acc6627.png)
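The template editor in section III opens whatever path tpl_name names, and the pay parameter above feeds an include. The PHP below is an added example, not BlueCMS code, that serves both cases: it assumes a templates directory, an htm/html extension rule and a hypothetical list of payment modules and their directory.

```php
<?php
// Added illustration, not BlueCMS code. The request parameters tpl_name and pay
// are the ones seen in the audit; the directories, the htm/html extension rule
// and the payment module names are assumptions.

// Template editor: confine the resolved path to the templates directory.
// realpath() collapses ../ segments and symlinks, so ../../data/config.php
// resolves outside $base and is refused before anything is opened.
function resolve_template(string $base, string $tplName): ?string
{
    if (strpos($tplName, "\0") !== false) {
        return null;                                    // PHP 8 filesystem calls reject NUL bytes
    }
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $tplName);
    if ($baseReal === false || $target === false) {
        return null;                                    // directory or file does not exist
    }
    if (strpos($target, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                    // resolved outside the templates directory
    }
    $ext = strtolower(pathinfo($target, PATHINFO_EXTENSION));
    if (!in_array($ext, ['htm', 'html'], true)) {
        return null;                                    // only template files, never config or PHP
    }
    return $target;
}

// Payment include: never derive an include path from the request. Map the
// value onto a fixed table and include only the file that table names.
const PAY_MODULES = ['alipay' => 'alipay.php', 'tenpay' => 'tenpay.php']; // hypothetical names

function resolve_pay_module(string $pay): ?string
{
    if (!array_key_exists($pay, PAY_MODULES)) {
        return null;                                    // unknown module: refuse, do not guess
    }
    return __DIR__ . '/include/payment/' . PAY_MODULES[$pay]; // hypothetical directory
}

// Usage sketch for the template editor; the caller decides how to report null.
// $path = resolve_template(__DIR__ . '/../templates/default', $_GET['tpl_name'] ?? '');
```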
V. Code execution vulnerabilities (22)
1. The first code execution (not present)
Report from the system:
![image.png](https://img-blog.csdnimg.cn/img_convert/aff4a9572aab45a3ecb8b1f6e5fcb696.png)
Accessing the page:
![image.png](https://img-blog.csdnimg.cn/img_convert/fd3ab85a4b445f4cfb827503ce05af96.png)
Access is denied; look at the code:
![image.png](https://img-blog.csdnimg.cn/img_convert/e9a589b0776147792ecfa44f8de09cdb.png)
There is the same check; comment it out first and try.
![image.png](https://img-blog.csdnimg.cn/img_convert/e77904681a0c60c408a9f18a1b4fbbc7.png)
No matter what value is passed, nothing works; not present.
2. The second code execution (not present)
Report from the system:
![image.png](https://img-blog.csdnimg.cn/img_convert/0a367e141841224466f85907b183c765.png)
The page is blank; try it directly:
![image.png](https://img-blog.csdnimg.cn/img_convert/53717455db6048dd32c5ffcbe6603768.png)
No response; not present.
VI. XSS vulnerabilities (1)
1. The only XSS
Report from the system:
![image.png](https://img-blog.csdnimg.cn/img_convert/d4c70af9738cb280dfceaa4300ca86a0.png)
Visiting the page:
![image.png](https://img-blog.csdnimg.cn/img_convert/9101ff0469ced75248b330f9ba8257c8.png)
Looking at the source code:
![image.png](https://img-blog.csdnimg.cn/img_convert/6f682331fbaebf4a826d821701a9de9e.png)
Entering a script tag directly pops an alert, so an XSS vulnerability exists.
![image.png](https://img-blog.csdnimg.cn/img_convert/8809adc2680ebbc739f145bf46ba03d0.png)
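An added PHP example, not BlueCMS code, of the output encoding that would have made the script tag above display as text instead of executing; the render functions are hypothetical stand-ins for the spot where the CMS echoes the request value.

```php
<?php
// Added illustration, not BlueCMS code. The render functions are hypothetical
// stand-ins for the place where the CMS echoes a request value into the page.

// Unsafe: the value is written into the page exactly as it was received,
// so a <script> element inside it becomes part of the document and runs.
function render_unsafe(string $value): string
{
    return '<div class="result">' . $value . '</div>';
}

// Safe for the HTML body context. ENT_QUOTES also encodes ' and ", so the
// same helper is usable inside a quoted attribute; ENT_SUBSTITUTE keeps an
// invalid UTF-8 sequence from turning the whole output into an empty string.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_safe(string $value): string
{
    return '<div class="result">' . html_escape($value) . '</div>';
}

// Defence in depth: without 'unsafe-inline' the browser refuses to run an
// inline script even where an escape was missed. Must be sent before any output.
header("Content-Security-Policy: script-src 'self'");

// Constructed input: the kind of value typed into the form during the audit.
$input = '<script>alert(1)</script>';
echo render_unsafe($input), "\n";   // still contains a live <script> element
echo render_safe($input), "\n";     // the tag is entity-encoded and renders as plain text
```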