0x00 Preface
Starting today I will be auditing some small CMSes, at least one a week; in between I may write up other interesting things.
0x01
After installing it I am greeted by a login form. I fired a "universal password" (login-bypass SQL injection) payload at it, without result. I then tried reinstalling, and a reinstall is allowed. There is also a robots.txt.
Looking at user.php and following its includes, we reach:
include/common.inc.php
if(!get_magic_quotes_gpc())
{
    $_POST = deep_addslashes($_POST);
    $_GET = deep_addslashes($_GET);
    // Note: PHP's cookie superglobal is $_COOKIE; this line assigns an ordinary
    // variable named $_COOKIES, so the real cookie array is never escaped here.
    $_COOKIES = deep_addslashes($_COOKIES);
    $_REQUEST = deep_addslashes($_REQUEST);
}
This is the global filtering rule; note it for later. Because it is addslashes-based it only protects values that land inside quoted SQL string literals, so in particular situations there are still quite a few ways around it.
Another point worth noting:
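As an added illustration (my own code, not BlueCMS's), the following shows what the addslashes-based filter does and does not cover. deep_addslashes() itself is not shown on the page, so the recursive version here is an assumed reconstruction; the request values and the three queries are constructed for the demonstration. It also shows the consequence of the `$_COOKIES` spelling in the snippet above: the real `$_COOKIE` superglobal is never escaped.

```php
<?php
// Added example, not BlueCMS code.
// deep_addslashes() is not shown on the page; this recursive addslashes() over
// arrays is an assumed reconstruction of what the name implies.
function deep_addslashes($value)
{
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = deep_addslashes($v);
        }
        return $value;
    }
    return addslashes($value);
}

// Constructed request data standing in for $_GET, $_POST and $_COOKIE.
$get    = ['id' => '1 OR 1=1'];                  // numeric-context payload, no quotes needed
$post   = ['user_name' => "admin' OR '1'='1"];   // string-context payload, relies on quotes
$cookie = ['uid' => "' OR '1'='1"];              // arrives via a cookie

// Mirror the filter in include/common.inc.php. It assigns $_COOKIES, which is
// not PHP's $_COOKIE superglobal, so the cookie array is left exactly as sent.
$filteredGet    = deep_addslashes($get);
$filteredPost   = deep_addslashes($post);
$filteredCookie = $cookie;

// Illustrative queries against the user table named on the page.

// 1. Quoted string context: addslashes() turns ' into \' so the literal is not
//    closed and the payload stays inside the string value.
$sql1 = "SELECT * FROM user WHERE user_name='{$filteredPost['user_name']}'";

// 2. Unquoted numeric context: there is no quote for addslashes() to escape, the
//    appended OR clause becomes part of the WHERE condition unchanged.
$sql2 = "SELECT * FROM user WHERE user_id={$filteredGet['id']}";

// 3. Cookie value: never passed through the filter, its quotes arrive intact
//    and close the string literal.
$sql3 = "SELECT * FROM user WHERE user_id='{$filteredCookie['uid']}'";

foreach (['quoted string' => $sql1, 'unquoted number' => $sql2, 'cookie' => $sql3] as $case => $sql) {
    echo str_pad($case, 16), $sql, PHP_EOL;
}
```

Run it with `php filter_demo.php`: case 1 is the only one where the escaping does its job; case 2 is the classic unquoted-integer bypass, and case 3 is what the `$_COOKIES` typo buys an attacker wherever the CMS reads `$_COOKIE` straight into a query.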
$sql = "INSERT INTO ".table('user')." (user_id,user_name,pwd,email,reg_time) VALUES ('','$username',md5('$password'),'$email','$timestamp')";
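The INSERT above builds its SQL by interpolating request values and has the database compute md5() over the password. Below, as an added example that is not BlueCMS code, is the same statement rewritten with PDO placeholders and a PHP-side password_hash(). It assumes the PDO sqlite driver is available, mirrors the page's column list, and omits the empty user_id value so the primary key auto-increments; the hostile input is constructed.

```php
<?php
// Added example, not BlueCMS code. Assumes PDO with the sqlite driver.
// The table mirrors the column list of the original INSERT; user_id is left to
// auto-increment instead of being passed as '' as the original does.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (
    user_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    user_name TEXT    NOT NULL,
    pwd       TEXT    NOT NULL,
    email     TEXT    NOT NULL,
    reg_time  INTEGER NOT NULL
)');

function registerUser(PDO $pdo, string $username, string $password, string $email, int $timestamp): int
{
    // Placeholders: the values travel separately from the statement text, so
    // quotes, comment markers or extra clauses in $username remain data.
    $stmt = $pdo->prepare(
        'INSERT INTO user (user_name, pwd, email, reg_time) VALUES (?, ?, ?, ?)'
    );
    // Hash in PHP rather than with md5() inside the SQL: salted, deliberately
    // slow, and the plaintext password is never embedded in the query text.
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT), $email, $timestamp]);
    return (int) $pdo->lastInsertId();
}

function findUserName(PDO $pdo, int $userId): ?string
{
    $stmt = $pdo->prepare('SELECT user_name FROM user WHERE user_id = ?');
    $stmt->execute([$userId]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Constructed hostile input: with string interpolation this would close the
// quote and supply its own tuple; with a placeholder it is just an odd user name.
$hostile = "attacker', md5('x'), 'a@b.c', 0) -- ";
$id = registerUser($pdo, $hostile, 'correct horse battery staple', 'user@example.com', time());

echo 'rows: ', $pdo->query('SELECT COUNT(*) FROM user')->fetchColumn(), PHP_EOL;
echo 'stored name: ', findUserName($pdo, $id), PHP_EOL;
```

Exactly one row is inserted and the stored user_name is the hostile string verbatim, which is the property the interpolated original cannot guarantee without relying on the global addslashes() filter.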
I see no filtering on this INSERT, and my gut says something is off. Moving on to login.php, which is just the usual validation and begins with:
require_once(dirname(__FILE__) . '/include/common.inc.php');
Following that include, common.inc.php in turn loads:
require_once(BLUE_ROOT."data/config.php");
require_once(BLUE_ROOT."include/cache.fun.php");
require_once(BLUE_ROOT."include/common.fun.php");
require_once(BLUE_ROOT."include/cat.fun.php");
require_once(BLUE_ROOT."include/user.fun.php");
require_once(BLUE_ROOT."include/page.class.php");
require_once(dirname(__FILE__)."/common.fun.php");