Preface

The journey into code auditing officially begins, starting with an entry-level analysis of BlueCMS.

Starting the Audit

Directory Structure

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/3fdefa87-4911-4d02-bcd6-232fdb044d44/rId23.png

Key Files

Almost every file includes /include/common.inc.php; the basic helper functions live in /include/common.fun.php.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/0080606a-85c0-4276-ba23-dcbdae601b21/rId25.png

/common.inc.php runs addslashes over all user input, but it misses $_SERVER, and getip() applies no filtering at all, which is a serious security risk.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/6242ae5c-fc91-4a78-9594-a83aef87f3ea/rId26.png

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/7652883f-b5ba-43b3-a1d1-19246d9fddbf/rId27.png

SQL Injection

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/0471229c-9c55-480c-a291-ec7f58cd27d7/rId29.png

Here $ad_id is spliced into the query without enclosing quotes, so the addslashes function has no effect on it, resulting in an injection.

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/9063617c-764d-45b7-a361-588b7e980050/rId30.png
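To make the point concrete, here is an added example (not BlueCMS code) that contrasts the unquoted splice with two fixes, an intval cast and a prepared statement. The table name `ad`, the column `ad_name`, and the use of an in-memory SQLite database (pdo_sqlite extension) are assumptions for the demonstration.

```php
<?php
// Added example, not part of BlueCMS. Shows why addslashes() does not protect
// an unquoted numeric parameter such as ad_id, and how to fix it.

// Vulnerable pattern: ad_id is concatenated without quotes, so the quote
// characters that addslashes() escapes never matter; anything without a
// quote passes through untouched and becomes part of the SQL text.
function build_query_unquoted(string $ad_id): string {
    $ad_id = addslashes($ad_id);            // what common.inc.php does
    return "SELECT * FROM ad WHERE ad_id=" . $ad_id;
}

// Fix 1: force the value to an integer before it reaches the query.
function build_query_intval(string $ad_id): string {
    $ad_id = intval($ad_id);
    return "SELECT * FROM ad WHERE ad_id=" . $ad_id;
}

// Fix 2 (preferred): a prepared statement. The value is bound as data and
// never becomes part of the SQL text, regardless of its content.
function fetch_ad_prepared(PDO $db, string $ad_id): ?array {
    $stmt = $db->prepare("SELECT ad_id, ad_name FROM ad WHERE ad_id = :id");
    $stmt->bindValue(':id', (int) $ad_id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed input: no quote characters, so addslashes() leaves it as-is
// and the unquoted query receives an arbitrary trailing fragment.
$tainted = "1 abc";
echo "unquoted: ", build_query_unquoted($tainted), "\n";
echo "intval:   ", build_query_intval($tainted), "\n";

// Assumed schema, created in memory so the example runs without MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE ad (ad_id INTEGER PRIMARY KEY, ad_name TEXT)");
$db->exec("INSERT INTO ad (ad_id, ad_name) VALUES (1, 'banner')");
var_dump(fetch_ad_prepared($db, $tainted));
```

The first echo shows the trailing fragment landing verbatim in the SQL, while the intval and prepared-statement versions only ever see the integer 1.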

Likewise, in /admin/ad.php

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/f4ea6b8b-cfe4-4b16-b763-09275ff00238/rId31.png

https://s3-us-west-2.amazonaws.com/secure.notion-static.com/e5a9e3c9-26eb-4607-97e1-934c70dbcca8/rId32.png

In /uploads/comment.php