bluecms v1.6 sp1 code audit learning

Posted by punzalan at 2020-04-14

Officially start the study of code audit, broaden their knowledge. The driving force of code audit learning is also from Master Wang Tanzhi in the team, learning from Master Wang Tanzhi.

Here we refer to the experience of some predecessors, masters and bluecms audit



Build up

Seay automatic audit


742-751 elements

Post is directly included here

Here we register a user first

Account test password test123, enter the user.php page

Trace the act variable

Some operation modes corresponding to act, such as login, delete, modify personal data, and corresponding modes. Buy a convenience card here and choose to pay. Grab a bag

Here we can control the path contained in the file through the post parameter pay, but the / index.php is spliced later

There are two ways to truncate:

Method 1:

Method 2:

Here, you can use pay =.. / phpi. TXT......... (omitted.) to bypass. You can try to create a test.txt......... (omitted.) locally in windows. You can find whether the last file name is test.txt

Here, you can use the path feature of windows to truncate the path of = windows, which cannot exceed 256 characters

And here for verification, I put the phpi.txt file in the root directory

Found not included, truncation failed

According to joychou's article, it is found that there are version restrictions.

Phpstudy changed to 5.3.29 to try again = still not available. Continue to downgrade to 5.2.17

At this time, it can be successfully included.

You can upload your avatar in your profile

View lower path

File contains picture horse

Another way to read the master's article is to rewrite a horse

Because the shell contained in this way is managed with a kitchen knife or an ant sword, the parameters are troublesome, so it's better to directly include the operation of writing horses. I learned.

Release news

Black box test, personal data, there is a local news, can release news and manage news.

But we can't choose the news classification here. We use the administrator to enter / Admin background to publish the next column classification

Check the news and find that there is no pop-up box. Edit the HTML element to check. It has been escaped and materialized

Through burp and white box audit

Here we can start from content, that is, news content. Locate the filter_data function

Filtered script, iframe, frame, meta, link, etc

Here you can bypass it with a, IMG tags, etc

It's necessary to grab the bag here. It's automatically escaped here. Change to original

Click on the link, pop-up box. And it's storage type

Change the payload to

Let's see if the comment function exists

After the escape.

User registration

After writing, I went to audit the records of many masters and found that XSS existed in the account registration.

No filtering for direct access

There is a length limit for the user name. You can store XSS by typing in the mailbox


12-19 elements

There's no quotation mark protection here. It's brought in directly. There's no filtering except trim to remove the spaces on both sides.

Query can be carried in directly

$DB trace from included / include /

A sentence of establishing database connection

Getone is a method in MySQL class, simple query

And in mysq.class.php, which defines the MySQL class

GBK code set

And there is echo. This is how the output works

For the output ad_content, see where the ad_content is. For the end_time, it may be assigned as exp_content field or content. We log in with phpMyAdmin to check it

Insert injection data in columns 6 and 7

User registration

After reading master Xiawang's blog, I found that not only XSS but also insert into can be used for wide byte injection.

Backstage landing

There is also wide byte injection in background login. In / admin / login.php, there is check_admin to check whether it is a function of admin

Directly brought in, but contains / admin / include /

Here is escaped, and open GBK, there is a wide byte injection. Inject in / admin / login.php

'is escaped automatically, which can prove the existence of wide byte injection

Right payload:

Message board (XFF head injection)


We trace the getip function in full

It is found that there is inserted data. Here, as above, there is an IP address inserted into the database in comment.php.

Check if there is any place to call the online IP


Guest_book.php is a list of comments, while comment.php is a comment under the news

Here is the experiment guest book.php

Closed 'and)

There are also some unfiltered direct splicing in the admin page, in the background. Let's not go into details here. You can read Master Wang sigh's blog.


Face pic1 is the user's Avatar, and face pic3 is a hidden form value. Call unlink to delete any file

For example, delete robots.txt

Packet modification

Continue to find the unlink function in the user.php page

It is found in the experiment that it is not allowed because there is a database query operation, and the deletion is based on the path saved in the database.

Continue to view

Arbitrary file deletion vulnerability found in Act = do? Info? Edit

Phpi.txt has been deleted

You can see the same operation in / admin / article, which is also arbitrary file deletion.

There are a lot of things that haven't been written out. I won't list them one by one here. You can find a lot of vulnerability tips with Seay, but you still need to verify them one by one.

Let's talk about how to audit the next CMS: 1. First of all, we should not blindly remember the nature of Web vulnerabilities: when there is user input, we should focus on the page with input points, then go to the file to find the relevant code, and constantly backtrack to see whether there are controllable variables in the code and whether the filtering is rigorous. 2: You can search the dangerous functions globally, such as: unlink, include, move uploaded file functions, etc. to find related vulnerabilities, you can find keywords, such as SQL injection: search the keywords such as SELECT, UPDATE, INSERT, DELETE, etc. globally to see if there are precompiled keywords before inserting into the data base. For example, upload, you can search upload to see its filtering rules. Summarize more, reflect more, read online articles after auditing first, see how other teachers audit, and learn from it constantly.