bluecms_v_1.6sp1 code audit


CMS profile

BlueCMS v1.6 SP1 is a fairly old CMS with a simple directory layout. Almost all of the site's input protection lives in /include/common.inc.php, which runs $_GET, $_POST, $_COOKIE and $_REQUEST through deep_addslashes(); that function walks each array and applies addslashes() to every value, so the predefined characters (single quote, double quote, backslash and NUL) get a backslash placed in front of them. $_SERVER is not passed through it, which matters later.

Code audit

The code was loaded into the Seay source code audit system for an automated pass; the locations it flagged as suspected vulnerabilities were audited first, then the key functions and files were reviewed by hand.

1. Reinstall vulnerability

When setting up the test environment, the page went blank at the last installation step, yet the site was reachable afterwards and worked normally (when building the environment, lower the error_reporting level in php.ini, otherwise unrelated errors are displayed).

At this point, visiting the install script again still leads into the installation steps.

Installation completes and the site can be used normally.

Opening the install script again enters the installation interface and allows a reinstall.

Normally, once a CMS is installed, it writes a file such as install.lock and checks for it on every visit to the installer so that it refuses to run a second time.

Here the installer writes install.lock into the data directory when installation completes, and on entry checks for that file to decide whether the CMS has already been installed.

But in this case install.lock was not created after installation finished.

Testing showed the cause: index.php includes /include/common.inc.php both at the beginning and at the end, and that file requires the Smarty class file. The second include tries to load the class a second time, the require fails, execution stops, and the code that writes install.lock never runs. The fix is to change require to require_once, so that a file that has already been included is not included again.



2. SQL injection vulnerability

  • ad_js.php SQL injection

    After the automated pass with the Seay tool, manual review found that the $ad_id parameter in ad_js.php is spliced directly into the SQL statement without any filtering.

Following the getone() function:

Apart from deep_addslashes() in common.inc.php escaping the predefined characters, there is no filtering at all: the statement is executed and the row returned. And because $ad_id is used as a bare number, with no quotation marks around it, the payload needs no quote of its own, so addslashes() has nothing to escape and the parameter can be injected directly.

Note that the query result is not rendered in the page; view the page source to see it.

Listing all table names:

  • user.php wide-byte injection

The database connection uses GBK, and deep_addslashes() escapes the input values with a backslash (0x5c). In GBK, 0x5c is a valid trailing byte, so a high byte placed immediately before the quote pairs with the inserted backslash to form one two-byte character, and the quote that follows reaches the parser unescaped: classic wide-byte injection.

There are two injectable points here: the site user login and the site user registration.

On the user login page, put a GBK lead byte in front of the quote in the user name; together with the backslash that addslashes() adds, the pair is read as a single GBK character. Typing the percent-encoded byte (the usual choice is %df) straight into the login box does not work, because the browser URL-encodes the % sign a second time; edit the request in an intercepting proxy instead.

Take a look at the resulting injected statement:

  • admin/login.php wide-byte injection

The same problem exists at the administrator login.

Following the check_admin() function:

Wide-byte injection here gives a universal-password login.
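The mechanism behind the two wide-byte cases above (user.php login and registration, and admin/login.php), as an added example that is not part of the original write-up or of BlueCMS: it simulates addslashes() on raw bytes, splices the result into a login query, and decodes the statement the way a GBK connection and a UTF-8 connection would read it. The table name blue_user, the shape of the SELECT and the payload are assumptions made for the demo.

```python
"""Wide-byte (GBK) injection against addslashes(), as an added illustration.

Simulates the escaping BlueCMS's deep_addslashes() applies (PHP addslashes():
a backslash before ' " \\ and NUL) and then reads the spliced query back the
way a MySQL connection with the given charset would. The table name and the
shape of the login SELECT are assumed; nothing here touches a database.
"""
from urllib.parse import quote_from_bytes

# Constructed payload: 0xDF is a valid GBK lead byte, and 0x5C (the backslash
# that addslashes() inserts) is a valid trail byte, so the pair is one character.
PAYLOAD = b"\xdf' OR 1=1#"
TAIL = "' OR 1=1#"


def addslashes(data: bytes) -> bytes:
    """Byte-for-byte equivalent of PHP addslashes()."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\":
            out += b"\\" + bytes([b])
        elif b == 0:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


def build_login_query(user_name: bytes, pwd: bytes, charset: str) -> str:
    """Escape the way the CMS does, splice into an assumed login query, then
    decode with the connection charset. Bytes that do not form a character
    in that charset are rendered as \\xNN so the result stays printable."""
    sql = (b"SELECT * FROM blue_user WHERE user_name='" + addslashes(user_name)
           + b"' AND pwd='" + addslashes(pwd) + b"'")
    return sql.decode(charset, errors="backslashreplace")


def quote_is_live(decoded_sql: str, tail: str = TAIL) -> bool:
    """True when the attacker's quote reaches the parser unescaped, i.e. the
    payload tail is present and not preceded by a backslash."""
    return tail in decoded_sql and ("\\" + tail) not in decoded_sql


def url_encode_payload(raw: bytes) -> str:
    """The form to paste into an intercepting proxy; typed into the login box,
    the browser would percent-encode the '%' of %df a second time."""
    return quote_from_bytes(raw, safe="")


if __name__ == "__main__":
    for charset in ("gbk", "utf-8"):
        query = build_login_query(PAYLOAD, b"anything", charset)
        print(f"{charset:6} quote live: {quote_is_live(query)}  {query}")
    print("send as:", url_encode_payload(PAYLOAD))
```

Under GBK the two bytes 0xDF 0x5C collapse into one character and the quote is live; under UTF-8 the lone 0xDF is simply an invalid byte and the quote stays escaped. The real fixes are to tell the escaper the connection charset (mysql_set_charset() rather than a bare SET NAMES gbk) or, better, to stop splicing strings and use prepared statements.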

  • XFF injection

Because deep_addslashes() never touches $_SERVER, any code that reads X-Forwarded-For or CLIENT-IP can be injected through a forged IP.

Look for SQL statements that involve the IP:

In guest_book.php the visitor's IP is written into the database together with the message.

Following $online_ip:

Following the getip() function:

So forging X-Forwarded-For or CLIENT-IP reaches the SQL statement.

The result is displayed in the message:

A second injection is in the news comments, similar to the above.

But note how the XFF value has to be constructed here:

X-Forwarded-For: 127.0.0.1','1'),('', '1', '1', '1', '6\ ', (select concat(admin_name,0x3e,pwd) from blue_admin), '1656396250', '127.0.0.1', '1')#


This construction closes the first row and appends a second one, so two messages are inserted at once, which sidesteps the check on the message content.

**Note:** the values in the appended row must match the preceding one (user id and so on), otherwise the statement errors out or the message is not displayed.
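The forged-IP path described above for guest_book.php and the news comments, as an added example that is not code from the page or from BlueCMS: a getip() lookalike that trusts X-Forwarded-For and CLIENT-IP the way the audit describes, the INSERT that results, and a hardened getip() that only believes the header when the request comes from a known proxy and only accepts a syntactically valid address. The header lookup order, the table blue_guest_book with its two columns, and the forged header value (built for that two-column table rather than the nine-value payload quoted above) are assumptions.

```python
"""Forged-IP (X-Forwarded-For / CLIENT-IP) injection and a hardened getip(),
as an added illustration. The trusting version follows the pattern the audit
describes (header value used as the IP, no escaping because $_SERVER never
goes through deep_addslashes()); the header order, table and column list are
assumed, and the forged value below is constructed for this two-column table,
so it is not the page's payload. Nothing here touches a database."""
import ipaddress

# Constructed header value: closes the first row, appends a second one whose
# content is a subquery, and comments out the rest of the statement.
FORGED_XFF = ("127.0.0.1'),((select concat(admin_name,0x3e,pwd) "
              "from blue_admin), '127.0.0.1')#")


def getip_trusting(headers: dict, remote_addr: str) -> str:
    """First non-empty of X-Forwarded-For, CLIENT-IP, then the peer address,
    with no validation at all."""
    for name in ("X-Forwarded-For", "Client-IP"):
        value = headers.get(name, "").strip()
        if value:
            return value
    return remote_addr


def getip_hardened(headers: dict, remote_addr: str,
                   trusted_proxies: frozenset = frozenset()) -> str:
    """Honour forwarding headers only when the TCP peer is a proxy we run,
    take the right-most hop that is not one of those proxies, and use it
    only if it parses as an IP address."""
    if remote_addr not in trusted_proxies:
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",")]
    for hop in reversed(hops):
        if not hop or hop in trusted_proxies:
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # garbage in the header: fall back to the peer address
    return remote_addr


def build_insert_spliced(content: str, ip: str) -> str:
    """How the message row is written when values are concatenated in: the
    message body is escaped (addslashes-style), the IP is not."""
    content = content.replace("\\", "\\\\").replace("'", "\\'")
    return f"INSERT INTO blue_guest_book (content, ip) VALUES ('{content}', '{ip}')"


def count_value_tuples(sql: str) -> int:
    """Rough count of the row tuples the server would parse, ignoring
    everything after a '#' comment."""
    body = sql.split("#", 1)[0]
    return body.count("),(") + 1


def build_insert_param(content: str, ip: str):
    """The fix for the SQL side: placeholders, with the driver doing the
    quoting, so the IP value can only ever be data."""
    return ("INSERT INTO blue_guest_book (content, ip) VALUES (%s, %s)",
            (content, ip))


if __name__ == "__main__":
    headers = {"X-Forwarded-For": FORGED_XFF}
    spliced = build_insert_spliced("hello", getip_trusting(headers, "198.51.100.7"))
    print(spliced)
    print("rows the server sees:", count_value_tuples(spliced))
    print("hardened ip:", getip_hardened(headers, "198.51.100.7"))
    print(build_insert_param("hello", getip_hardened(headers, "198.51.100.7")))
```

With the trusting lookup the spliced statement carries two row tuples, the second one sourced from blue_admin, which is exactly the "two messages at once" effect described above; the hardened lookup returns the TCP peer address because the peer is not a trusted proxy, and even behind one it rejects the value because it is not an IP address.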

  • Multiple SQL injections in the back end

The back end touches the database far more than the front end. Most of the injections there are wide-byte injections caused by the GBK connection charset, plus some values spliced in directly without filtering and without quotation marks around them. They are not listed here.

3. XSS vulnerabilities

  • guest_book.php stored XSS

The SQL injection above works by inserting the injected statement into the INSERT that writes the message, which in effect replaces the message content and then displays the result in the message on the page. Replace the injected SQL with an XSS payload and the result is a stored XSS, which also bypasses the program's anti-XSS measure of HTML-entity-encoding the message, because the payload arrives through the forged header rather than through the message field that gets encoded.

Forge the XFF header and insert the XSS payload:

The pop-up fires:

  • Stored XSS in the news comments

Same as above, again using a forged IP in XFF.

The pop-up fires:

  • user.php stored XSS

1. Incomplete filtering of the e-mail address at user registration leads to stored XSS

The user_name parameter can be used in the same way, but it has a length limit, while email has none. The only processing email receives is the escaping of the predefined characters and a trim() of leading and trailing whitespace.

Either parameter can carry an injection or an XSS payload, but note that the browser encodes the submission automatically, so it is best to modify the request after intercepting it.

Log in as user aaaa and the box pops up:

2. Stored XSS when publishing news

The news content is filtered by filter_data():

Following the filter_data() function:

The img tag is missing from the blacklist, so an img tag can be used; mixing upper and lower case in a tag name also gets straight past the filter.


The article summary in the news editor is also only length-limited, with no filtering at all.


The box pops up directly on the home page:
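An added illustration (not the CMS's filter_data() nor code from the page) of why the blacklist described above fails: a case-sensitive tag blacklist that, like the one in the audit, has no entry for img, beside output encoding of the whole string. The blacklist contents, the regex form and the three sample inputs are assumed or constructed.

```python
"""Why the tag blacklist in filter_data() fails, as an added illustration.
The audit notes the blacklist omits <img> and that mixed-case tag names slip
through; the concrete tag list and the regex form below are assumed, not the
CMS's own code. The sample inputs are constructed."""
import html
import re

BLACKLIST = ("script", "iframe", "object", "embed")  # assumed list, no img


def filter_data_like(text: str) -> str:
    """Case-sensitive removal of blacklisted opening and closing tags."""
    for tag in BLACKLIST:
        text = re.sub(rf"<{tag}\b[^>]*>", "", text)
        text = re.sub(rf"</{tag}\s*>", "", text)
    return text


def escape_for_html(text: str) -> str:
    """Output encoding instead of input blacklisting: every < > & " ' becomes
    an entity, so no tag or attribute survives regardless of case or name."""
    return html.escape(text, quote=True)


def renders_active_markup(fragment: str) -> bool:
    """Scoring helper for the demo: a surviving <script> tag or an on*=
    event-handler attribute inside any tag, matched case-insensitively."""
    return bool(re.search(r"<script\b|<\w+[^>]*\son\w+\s*=", fragment, re.I))


SAMPLES = {  # constructed inputs
    "plain": "<script>alert(1)</script>",
    "mixed_case": "<ScRiPt>alert(1)</sCrIpT>",
    "img_handler": "<img src=x onerror=alert(1)>",
}


def evaluate(filter_fn) -> dict:
    """Which samples still carry active markup after filter_fn has run."""
    return {name: renders_active_markup(filter_fn(s)) for name, s in SAMPLES.items()}


if __name__ == "__main__":
    print("blacklist:", evaluate(filter_data_like))
    print("escape:   ", evaluate(escape_for_html))
```

The blacklist stops only the lower-case script tag; the mixed-case variant and the img tag with an event handler both survive, which is the behaviour the audit describes. Encoding on output leaves nothing active in any of the three cases.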

4. File inclusion

In user.php the payment method chosen by the user selects the corresponding folder to include.

The path has to be truncated here.

Fixed text is prepended and appended to $_POST['pay'], so ../ gives directory traversal, but the trailing /index.php still has to be removed. If the PHP version is below 5.3.4 and magic_quotes_gpc=off, a NUL byte (\0, sent as %00) truncates the path, giving arbitrary file inclusion. Alternatively the path can be truncated by length with a run of dots: the maximum path length is 256 bytes on Windows and 4096 bytes on Linux, and anything beyond that limit is dropped.

In testing, the dot truncation worked on the PHP 5.2 bundled with phpStudy.

Successfully included:

5. SSRF vulnerability

Someone analysing BlueCMS has claimed that user.php has an SSRF vulnerability, so it is analysed here.

When a site user edits their profile, the path of the uploaded picture can be set freely.

The code intends to reject values containing http:// or https://, which calls for !==, but it uses !=. Under PHP's loose comparison the 0 that strpos() returns when the match sits at offset 0 is equal to false, so a value that begins with http:// passes the check and the intended block is bypassed.

== compares the values on both sides after automatic type conversion; === also requires the types to match and returns false outright if they differ. For example: '123' === 123 // => false

!= is the negation of ==, and !== the negation of ===. Likewise:

0 != false // => false
0 !== false // => true

But only a path relative to this site is ever used here. The CMS source simply stores the value as a site-relative path; nothing like file_get_contents() fetches it, so there is no real SSRF.

6. Arbitrary file deletion vulnerability

  • user.php: site user updating personal information

The face_pic3 parameter is externally controllable and names the file that gets deleted, so any file can be removed; face_pic1 needs to be empty for that branch to be reached.

Create a new aaa.php file in the CMS folder:

Successfully deleted:

  • Arbitrary file deletion when submitting an edited classified listing

The lit_pic parameter is controllable, and any file can be deleted.
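Added example, not code from the page or from BlueCMS, covering the two path sinks above: the payment-method folder that user.php includes, and the face_pic3 and lit_pic values that end up being deleted. One helper resolves a user-supplied name inside a base directory and rejects NUL bytes, ../ traversal and absolute paths; an include selector whitelists the method name before touching the filesystem; a delete wrapper refuses to leave the upload directory. The directory layout, the whitelist of payment methods and the file names are assumptions, and the demo builds its own files in a temporary directory.

```python
"""Path containment for the two path sinks the audit describes: the payment
method folder included from user.php, and the face_pic3 / lit_pic values that
get deleted. Added illustration in Python; the directory layout, the
payment-method whitelist and the file names are assumed, not the CMS's."""
import os
import tempfile
from pathlib import Path

PAY_METHODS = frozenset({"alipay", "tenpay", "bank"})  # assumed whitelist


def resolve_under(base_dir: str, user_path: str) -> str:
    """Absolute path of user_path inside base_dir. Raises ValueError for an
    empty value, an embedded NUL byte (the truncation trick), or any path
    that resolves outside base_dir (../ traversal, absolute paths, symlinks)."""
    if not user_path or "\x00" in user_path:
        raise ValueError("empty or NUL-containing path")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"{user_path!r} escapes {base_dir}")
    return target


def select_pay_include(include_root: str, pay: str) -> str:
    """Whitelist first, containment second: the include path is derived from
    a known name, never from the raw POST value."""
    if pay not in PAY_METHODS:
        raise ValueError("unknown payment method")
    return resolve_under(include_root, os.path.join(pay, "index.php"))


def delete_upload(upload_dir: str, name: str) -> bool:
    """Deletion restricted to upload_dir; False when there was nothing to delete."""
    target = resolve_under(upload_dir, name)
    if not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


def demo() -> dict:
    """Constructed layout in a temp dir: data/upload/face.jpg inside the upload
    directory and index.php outside it, then the cases from the audit."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "data", "upload")
    os.makedirs(uploads)
    Path(uploads, "face.jpg").touch()
    Path(root, "index.php").touch()

    results = {"legit_delete": delete_upload(uploads, "face.jpg")}
    for label, name in (("traversal", "../../index.php"),
                        ("nul_byte", "face.jpg\x00.jpg"),
                        ("absolute", os.path.join(root, "index.php"))):
        try:
            delete_upload(uploads, name)
            results[label + "_blocked"] = False
        except ValueError:
            results[label + "_blocked"] = True
    results["index_php_intact"] = os.path.isfile(os.path.join(root, "index.php"))
    return results


if __name__ == "__main__":
    print(demo())
    print(select_pay_include("/var/www/include/payment", "alipay"))
```

The containment check is done on the realpath of both sides, so symlinks planted inside the upload directory cannot be used to point the delete elsewhere, and the NUL check runs before any filesystem call so the truncation behaviour of the underlying C API never comes into play.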

7. Summary

This is a fairly old CMS that is, frankly, riddled with holes, more of a practice range than a product. The vulnerabilities above are mainly in the front end; the back end has similar ones and others not written up here. My skills are limited, so this is where the audit stops.