bluecms gray box test
Idea: Find function points
We install bluecms
1. Repeated installation vulnerability
We directly visit install again.
Found that the installation can be repeated!
1. This means that we can destroy the website.
2. We can enter the admin back end.
We can achieve separation of the site and the database: we did not need to change the administrator's account password or the database connection address.
For a website, the internal network is weaker than the external network, and the back end is weaker than the front end.
We know that this can be executed above PHP 5.5: if **${}** appears inside double quotation marks, it will be executed as code. For example:
```php
<?php
echo "${phpinfo()}";
?>
```
When the installer asks for the database name, we pass in a one-line webshell (一句话木马). We enter `${$_REQUEST[a]}`.
Since I did not have a newer PHP environment installed locally, it looked like this:
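A hardened version of the installer step described above, as an added example that is not bluecms code: it refuses to run when an install lock already exists, validates the database name, and writes the config file with var_export() so that nothing inside a submitted value is ever interpolated. The file names config.php and install.lock are assumptions.

```php
<?php
// Added example (not bluecms code): a hardened installer step.
// Assumptions: the installer writes $dir/config.php and uses
// $dir/install.lock as the "already installed" marker.

function write_config(string $dir, string $dbHost, string $dbName, string $dbUser, string $dbPass): void
{
    // 1. Refuse to run again: re-running the installer must not be able to
    //    reset the admin password or point the site at another database.
    $lock = $dir . '/install.lock';
    if (file_exists($lock)) {
        throw new RuntimeException('already installed; remove install.lock by hand to reinstall');
    }

    // 2. Only accept identifier-like database names, so a value such as
    //    ${...} or a quote never reaches the generated file at all.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $dbName)) {
        throw new InvalidArgumentException('invalid database name');
    }

    // 3. Never build the config with "..." interpolation. var_export()
    //    emits a single-quoted PHP literal with quotes and backslashes
    //    escaped, so nothing inside the value is interpreted as code.
    $config = "<?php\n"
        . '$db_host = ' . var_export($dbHost, true) . ";\n"
        . '$db_name = ' . var_export($dbName, true) . ";\n"
        . '$db_user = ' . var_export($dbUser, true) . ";\n"
        . '$db_pass = ' . var_export($dbPass, true) . ";\n";

    if (file_put_contents($dir . '/config.php', $config, LOCK_EX) === false) {
        throw new RuntimeException('cannot write config.php');
    }
    if (file_put_contents($lock, date('c'), LOCK_EX) === false) {
        throw new RuntimeException('cannot write install.lock');
    }
}

// Demonstration with a constructed hostile database name:
try {
    write_config(sys_get_temp_dir(), 'localhost', '${phpinfo()}', 'root', 'secret');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";   // the validation step blocks it
}
```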
Front end
1.
At the registration page, all usernames can be enumerated.
We use Burp to capture the packet and insert the following into the mailbox (email) field:
<script>alert(1)</script>
Found to be a stored XSS.
2.
We found that there was SQL injection when registering, as shown in the figure:
```
2020/5/28 12:54 INSERT INTO blue_user (user_id, user_name, pwd, email, reg_time, last_login_time) VALUES ('', '98798798', md5('98798798'), '[email protected]', '1590641655', '1590641655')
```
Using the database monitoring in the source-code audit tool, we found that we could try SQL injection:
```
2020/5/28 12:54 INSERT INTO blue_user (user_id, user_name, pwd, email, reg_time, last_login_time) VALUES ('', '98798798', md5('98798798'), '98798798' or updatexml(1,concat(0x7e,(select database())),1),1,1)#@qq.com', '1590641655', '1590641655')
```
Executed in the database and found that the execution was successful.
We capture the packet and change the data: we immediately try to capture the packet directly and inject.
We opened the audit tool and found that magic quotes were on and had escaped our ':
```
2020/5/28 13:29 INSERT INTO blue_user (user_id, user_name, pwd, email, reg_time, last_login_time) VALUES ('', 'admin175', md5('admin175'), 'ad\' or updatexml(1,concat(0x7e,(select database())),1),1,1)#@[email protected]', '1590643772', '1590643772')
```
We tried the wide-byte method and found that an error is reported and the row cannot be inserted.
Blind injection would be a real headache: we would have to register a large number of accounts and enter a verification code each time.
We try another trick: inserting multiple rows in one INSERT. Because of magic quotes, our username can only be supplied hex-encoded:
```
INSERT INTO blue_user (user_id, user_name, pwd, email, reg_time, last_login_time) VALUES ('', 'asdasd', md5('98798798'), '98798798' ,1,1),(100,0x6c696261696c69626169,md5(123456),(select database()),1,1)#@qq.com', '1590641655', '1590641655')
```
3.
We tried to log in with a universal password, and the login was successful.
4.
Generally speaking, if there is a loophole in one place, there will be similar loopholes elsewhere.
We go to the back end and try the universal password login.
The username field is not injectable; what about the password field?
Login successful.
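The registration INSERT and the login check from this write-up, rewritten with bound parameters, as an added example that is not bluecms code. It assumes a PDO handle to the blue_user table seen in the logs above, swaps the md5() of the original query for password_hash(), and runs its demo on in-memory SQLite where the real site uses MySQL.

```php
<?php
// Added example (not bluecms code): registration and login with bound
// parameters. Assumes a PDO connection $pdo and the blue_user table
// whose columns appear in the logged INSERT statements above.

function register_user(PDO $pdo, string $name, string $password, string $email): int
{
    // Whitelist the username: the multi-row trick above only worked because
    // a hex literal such as 0x6c69... was accepted as a "name".
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $name)) {
        throw new InvalidArgumentException('invalid username');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid email');
    }
    // Placeholders: values travel separately from the SQL text, so a quote,
    // a ) or a # inside them can never close the VALUES list or add rows.
    // password_hash() replaces the md5() seen in the original query.
    $stmt = $pdo->prepare(
        'INSERT INTO blue_user (user_name, pwd, email, reg_time, last_login_time)
         VALUES (:name, :pwd, :email, :now, :now2)'
    );
    $now = time();
    $stmt->execute([':name' => $name, ':pwd' => password_hash($password, PASSWORD_DEFAULT),
                    ':email' => $email, ':now' => $now, ':now2' => $now]);
    return (int) $pdo->lastInsertId();
}

function login(PDO $pdo, string $name, string $password): bool
{
    // A "universal password" only works when the password text is pasted
    // into the WHERE clause. Here the password never reaches SQL at all:
    // the row is fetched by name and the hash is verified in PHP.
    $stmt = $pdo->prepare('SELECT pwd FROM blue_user WHERE user_name = :name');
    $stmt->execute([':name' => $name]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Constructed demo on an in-memory SQLite database (the real site uses MySQL).
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE blue_user (user_id INTEGER PRIMARY KEY, user_name TEXT UNIQUE,'
         . ' pwd TEXT, email TEXT, reg_time INTEGER, last_login_time INTEGER)');
register_user($pdo, 'alice', 'correct horse', 'alice@example.com');
var_dump(login($pdo, 'alice', "' or 1=1#"));     // bool(false): quote is just data
var_dump(login($pdo, 'alice', 'correct horse'));  // bool(true)
```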
Back end
1.
We can back up the file directly, then locate the backup file locally and access it from outside; we find that the backup file can be accessed directly.
Front end
1.
We think that magic quotes affect GET, POST and COOKIE parameters, but $_SERVER is not affected, so we want to see whether this CMS has header injection, for example via X-Forwarded-For or the following:
```php
$_SERVER['HTTP_REFERER']
$_SERVER['HTTP_USER_AGENT']
$_SERVER['REMOTE_ADDR']
```
We check again.
We found that the Master's audit system could not read Chinese. We checked the source file directly and found that it was the comment page. We visited it directly and it was blank. We published a news item, revisited the page, and found the comment system. The first thing we think about is whether there is XSS.
Let's insert a payload.
We right-click and inspect.
Found that <> has been entity-encoded.
We check the source code and find a **htmlspecialchars()** function.
We try an event-handler trigger.
It seems that there is no XSS injection.
That's fine; we already know that here the value is concatenated straight into the database query without any processing. We try whether header injection is possible, for example via X-Forwarded-For:
we capture the request directly, modify it, and run it with sqlmap.
When splicing, remember to supply the value that follows, and then pass the parameter.
Very happy, I ran it out.
We mainly need to raise the level to 3:
```
python sqlmap.py -r 1.txt --level 3
```
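How the comment-saving code should obtain the visitor address, as an added example rather than the CMS's own code: magic quotes never covered $_SERVER, so the value has to be validated and bound like any other input. The comment table and its ip column are placeholders.

```php
<?php
// Added example (not bluecms code): obtaining the visitor address safely.
// magic_quotes_gpc never touched $_SERVER, so X-Forwarded-For went into the
// INSERT untouched. The table comment and its ip column are placeholders.

function client_ip(array $server, bool $behindTrustedProxy = false): string
{
    // REMOTE_ADDR is set by the web server from the TCP connection; it is
    // the only address the application should trust by default.
    $ip = $server['REMOTE_ADDR'] ?? '';
    if ($behindTrustedProxy && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // Only when a trusted reverse proxy sits in front of the app: take
        // the first hop and still validate it, never the raw header string.
        $ip = trim(explode(',', $server['HTTP_X_FORWARDED_FOR'])[0]);
    }
    // Reject anything that is not a syntactically valid IPv4/IPv6 address.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return '0.0.0.0';   // placeholder for "unknown"; log it if you need forensics
    }
    return $ip;
}

function save_comment(PDO $pdo, int $postId, string $body, array $server): void
{
    // The address is bound, never concatenated, so validation is not the
    // only line of defence.
    $stmt = $pdo->prepare('INSERT INTO comment (post_id, body, ip) VALUES (?, ?, ?)');
    $stmt->execute([$postId, $body, client_ip($server, true)]);
}

// Constructed request mirroring the header test in the write-up:
$server = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => "1.1.1.1' or updatexml(1,concat(0x7e,(select database())),1)#",
];
var_dump(client_ip($server));        // "203.0.113.7": header ignored
var_dump(client_ip($server, true));  // "0.0.0.0": header rejected by validation
```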
2. File inclusion vulnerability
We modify local files.
Output this value directly to see what it is, then capture the packet to view it: it is a path, the path that gets included, and the parameter in the middle of this path can be controlled. We can truncate this path to achieve arbitrary file inclusion.
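A template loader that does not let the request compose the included path, as an added example that is not bluecms code: a name whitelist plus a realpath containment check, so neither a ../ segment nor a truncated path can pull in another file. The template directory and the template names are assumptions.

```php
<?php
// Added example (not bluecms code): resolving a page template from a request
// parameter without letting the request compose the included path. The
// template directory and the template names are assumptions for this demo.

const TEMPLATES = ['index', 'news', 'comment'];

function template_path(string $dir, string $name): string
{
    // 1. Whitelist by name: the request may choose one of the known pages,
    //    never build a path. This alone defeats ../ and %00 truncation.
    if (!in_array($name, TEMPLATES, true)) {
        throw new InvalidArgumentException('unknown template');
    }
    // 2. Defence in depth: resolve the final path and confirm it still sits
    //    inside the template directory before it reaches include().
    $base = realpath($dir);
    $real = realpath($dir . '/' . $name . '.php');
    if ($base === false || $real === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('template outside template directory');
    }
    return $real;
}

// Constructed demo: a throwaway template directory holding only news.php.
$dir = sys_get_temp_dir() . '/tpl_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/news.php', "<?php echo 'news page';\n");

foreach (['news', '../../config', "news\0", 'news/../../etc/passwd'] as $name) {
    try {
        echo json_encode($name), ' -> ', template_path($dir, $name), "\n";
    } catch (Throwable $e) {
        echo json_encode($name), ' -> rejected (', get_class($e), ")\n";
    }
}
```

Only the whitelisted name resolves to a file; the other three are rejected before include() is ever reached.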