BlueCMS - PHP local portal system 0day collection - Vulnerability Warning - Black Bar Safety Net

2012-08-31T00:00:00
ID MYHACK58:62201234782
Type myhack58
Reporter Anonymous
Modified 2012-08-31T00:00:00

Description

BlueCMS is a CMS I came across in a company's tutorial, and I thought that, since it is being used for tutorials, I would dig into this CMS for vulnerabilities. I did not dig all the way to the end, and I did not keep at it long enough to finish reading the code. A lot of problems have already been found. You can actually get a shell on it.


0x01. Injection

Forged client_ip injection

Look at the code: the getip() function is meant to obtain the client's IP, but the Client-IP and X-Forwarded-For headers it reads can be forged by the client.

In include/common.fun.php, line 106:

    function getip()
    {
        // Every header checked below arrives with the request and is returned as-is
        if (getenv('HTTP_CLIENT_IP')) {
            $ip = getenv('HTTP_CLIENT_IP');
        } elseif (getenv('HTTP_X_FORWARDED_FOR')) {
            // get the real IP address when the client accesses through a proxy server
            $ip = getenv('HTTP_X_FORWARDED_FOR');
        } elseif (getenv('HTTP_X_FORWARDED')) {
            $ip = getenv('HTTP_X_FORWARDED');
        } elseif (getenv('HTTP_FORWARDED_FOR')) {
            $ip = getenv('HTTP_FORWARDED_FOR');
        } elseif (getenv('HTTP_FORWARDED')) {
            $ip = getenv('HTTP_FORWARDED');
        } else {
            $ip = $_SERVER['REMOTE_ADDR'];
        }
        return $ip;
    }

Next we trace where the getip() function is used in the application.

In comment.php, line 113:

    // The return value of getip() is concatenated into the statement without escaping
    $sql = "INSERT INTO ". table('comment')." (com_id, post_id, user_id, type, mood, content, pub_date, ip, is_check)
            VALUES ('', '$id', '$user_id', '$type', '$mood', '$content', '$timestamp', '". getip()."', '$is_check')";
    $db->query($sql);

Here we forge the IP as a test.


Look at the results


Can you see it?
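
A hardened counterpart to the getip() and INSERT code above, as an added example that is not BlueCMS code or the author's: it takes the address from REMOTE_ADDR unless the request arrives from a known reverse proxy, validates it as an IP literal, and binds it as a query parameter. The names get_client_ip(), save_comment(), TRUSTED_PROXIES and the simplified table layout are assumptions; the in-memory SQLite database is only there so the example runs offline.

```php
<?php
// Added example, not BlueCMS code. get_client_ip(), save_comment(),
// TRUSTED_PROXIES and the table layout are assumptions made for illustration.

const TRUSTED_PROXIES = ['192.0.2.10']; // assumed address of your own reverse proxy

function get_client_ip(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // Forwarding headers are client-controlled unless a proxy you run set them.
    if (in_array($remote, TRUSTED_PROXIES, true) && isset($server['HTTP_X_FORWARDED_FOR'])) {
        // The right-most entry is the one appended by the trusted proxy.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($hops);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    // Fall back to the TCP peer address; anything that is not an IP literal is rejected.
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

function save_comment(PDO $db, int $postId, string $content, string $ip): void
{
    // Bound parameters keep every value, including the IP, out of the SQL text.
    $stmt = $db->prepare(
        'INSERT INTO comment (post_id, content, pub_date, ip) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$postId, $content, time(), $ip]);
}

// Constructed request: a direct client (not the proxy) sending forged headers.
$forged = [
    'REMOTE_ADDR'          => '198.51.100.7',
    'HTTP_CLIENT_IP'       => "not'an-ip",
    'HTTP_X_FORWARDED_FOR' => "not'an-ip",
];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comment (com_id INTEGER PRIMARY KEY, post_id INTEGER,
           content TEXT, pub_date INTEGER, ip TEXT)');

save_comment($db, 1, 'hello', get_client_ip($forged));
echo $db->query('SELECT ip FROM comment')->fetchColumn(), "\n"; // print the stored address
```

Either measure alone closes this particular hole; the validation also keeps forged values out of logs and IP-based checks that reuse the same function.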
