代码审计之bluecms1.6后台SQL注入
bluecm1.6版本后台存在SQL注入
漏洞点链接:
http://127.0.0.1/bluecms_v1.6_sp1/uploads/admin/nav.php?act=edit&navid=1
代码:
elseif($act=='edit')
{
$sql = "select * from ".table('navigate')." where navid = ".$_GET['navid'];
$nav = $db->getone($sql);
...
...
}
就是当cat参数为edit是,执行sql语句:
select * from ".table('navigate')." where navid = ".$_GET['navid']
参数navid是用户可控的,没有做任何的过滤,直接拼接在SQL语句后面,所以就造成了SQL注入
本地测试:
order by 6是正常的
order by 7报错
正常字段有六个