PHP Blog Program c-blog2.0 Vulnerability Test Disclosure (Figure)

Source: Internet
Author: User
Tags: php, database
c-blog2.1 Test Notes
A friend bought hosting space that supports PHP but has no MySQL database; the space provider said it mainly supports ASP scripts. So PHP is off the table? Not quite: a php+access PHP program will still work. A Baidu search turned up the C-blog program, which has a php+access version. I downloaded it and took a look, and what follows are the results of this test.

1. Physical path disclosure
After reading through this blog program, I found that the author left no major bugs; the files are relatively few and the structure is simple. Its documentation describes the layout as follows:
./include            contains the common class libraries, the editor, and the configuration files
-->/configs/         configuration file directory
-->begin.cfg.php     macro definitions of some constants, such as paths and the database
-->db.cfg.php        database configuration file
-->init.cfg.php      imports some class libraries and performs some common initialization
-->end.cfg.php       file called when the program ends, to complete follow-up work
Each file calls require_once (... /include/configs/begin.cfg.php);
That is the point of interest. After reading the code, I found that
accessing init.cfg.php and end.cfg.php directly discloses the physical path of the site.
Figure 1

Figure 2

http://127.0.0.1/cblog/include/configs/init.cfg.php
http://127.0.0.1/cblog/include/configs/end.cfg.php

2. Cross-site scripting vulnerability
The user name in C-blog is not strictly filtered, which causes a cross-site scripting vulnerability.
After logging in to the admin back end, you find that the admin options include a log of back-end logins. Look at what the code does with it:

The user name entered during the back-end login process has not been processed.
Then we'll test it.
User: Password: Test
Then log in to the back end as admin and view the login log (Figure 3).


C-blog forcibly converts special characters in the user name such as ; , / etc. into /; /, \ so the construction below is not possible.
Another cross-site scripting issue is very dangerous. The front end has a "message to me" function that lets visitors leave a message for the blog owner, but unfortunately c-blog does not strictly filter the user name there either. If we

leave a message as this user, the effect is very obvious: it harms not only the administrator, but other people browsing the blog can also be attacked (Figure 4).


If someone with nothing better to do writes the address of a malicious website into C-blog, it turns into a drive-by download ("horse hanging") attack. Scary.
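
The login log and the "message to me" page both write a stored user name back into HTML. The following is an added example, not c-blog's own code, showing that unescaped output next to an encoded version and an input-side allow-list; the function names and the record layout (user, ip, time) are assumptions made for illustration.

```php
<?php
// Added example, not c-blog's code. Function names and the record layout
// (user, ip, time) are assumptions made for illustration.

// Pattern the article describes: the stored user name is written into the
// admin page as-is, so any markup it contains becomes live HTML.
function render_row_unsafe(array $rec): string
{
    return "<tr><td>{$rec['user']}</td><td>{$rec['ip']}</td><td>{$rec['time']}</td></tr>";
}

// Hardened form: encode every stored field for the HTML context at output time.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_row_safe(array $rec): string
{
    return '<tr><td>' . h($rec['user']) . '</td><td>' . h($rec['ip'])
         . '</td><td>' . h($rec['time']) . '</td></tr>';
}

// Input-side check: accept only letters, digits, "_", "." and "-" (1 to 32
// characters) before a user name is stored. This complements output
// encoding; it does not replace it.
function is_valid_username(string $name): bool
{
    return preg_match('/\A[\p{L}\p{N}_.\-]{1,32}\z/u', $name) === 1;
}

// Constructed sample records standing in for login-log or guestbook rows.
$records = [
    ['user' => 'admin', 'ip' => '127.0.0.1', 'time' => '2008-01-01 10:00:00'],
    ['user' => '<script>alert(1)</script>', 'ip' => '127.0.0.1', 'time' => '2008-01-01 10:05:00'],
];

foreach ($records as $rec) {
    echo 'valid name: ', is_valid_username($rec['user']) ? 'yes' : 'no', "\n";
    echo 'unsafe:     ', render_row_unsafe($rec), "\n";
    echo 'safe:       ', render_row_safe($rec), "\n";
}
```

In the second record the safe row contains `&lt;script&gt;` as inert text, while the unsafe row passes the tag through to every browser that opens the page.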
