SiteServer XSS + backend upload (the "chicken rib" combo is still adorable) - vulnerability alert - myhack58 (黑吧安全网)

2015-10-29T00:00:00
ID MYHACK58:62201568434
Type myhack58
Reporter Anonymous (佚名)
Modified 2015-10-29T00:00:00

Description

SiteServer XSS + arbitrary webshell generation from the backend

Tested version: SiteServer V3.4.3

1. Stored XSS. At www.xxx.com/UserCenter/main.aspx submit website content and click Publish; in the editor click Source and insert an XSS payload such as `"><script>alert(22222222222)</script>`, then click Save. The content is submitted to the administrator for review. When the administrator logs into the backend, opens Content Review and clicks through to view the submission, the XSS fires.

2. Once in the backend you can generate a webshell at will: Display -> Template Manager -> Add single-page template (any of the other Add template entries works too) -> set the file extension to aspx and the template file name to T_xx00, write the webshell directly into the template body, then visit www.xxx.com/Template/T_xx00.aspx.
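The two checks a fix for this chain would need, shown as an added example in Python (not SiteServer's own ASP.NET code): the stored-XSS payload from step 1 spliced raw into an attribute versus HTML-encoded, and an allowlist for the template file name from step 2 that refuses server-executable extensions, directory traversal and the double-extension / semicolon tricks IIS has been known to fall for. The payload, the attribute context and the extension lists are assumptions made for illustration; the write-up does not say which page of the CMS renders the title.

```python
import html
import posixpath

# Constructed payload of the kind used in the write-up: the leading '">' closes an
# attribute and its tag so the <script> lands in element context.
STORED_XSS_PAYLOAD = '"><script>alert(22222222222)</script>'


def render_title_vulnerable(title: str) -> str:
    """Reproduces the bug pattern: user input spliced raw into an HTML attribute."""
    return f'<input name="Title" value="{title}">'


def render_title_fixed(title: str) -> str:
    """Encode for attribute context: quote=True also turns '"' into &quot;."""
    return f'<input name="Title" value="{html.escape(title, quote=True)}">'


def contains_injected_script(markup: str) -> bool:
    """True if a real <script element survived into the rendered output."""
    return "<script" in markup.lower()


# Assumed policy: a CMS template is a static markup file, nothing the server executes.
ALLOWED_TEMPLATE_EXTENSIONS = {"html", "htm"}
EXECUTABLE_EXTENSIONS = {"asp", "aspx", "ashx", "asmx", "asax", "soap", "config", "cshtml"}


def is_safe_template_filename(name: str) -> bool:
    """Allowlist check for the file name written under /Template/.

    Rejects paths (traversal), NUL and ';' (IIS path-parsing tricks), names without an
    allowlisted final extension, and any executable extension hiding in the middle
    (e.g. T_xx00.aspx.html).
    """
    if not name or name in (".", "..") or "\\" in name or name != posixpath.basename(name):
        return False
    if "\x00" in name or ";" in name:
        return False
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    if parts[-1] not in ALLOWED_TEMPLATE_EXTENSIONS:
        return False
    return not any(part in EXECUTABLE_EXTENSIONS for part in parts[1:])


if __name__ == "__main__":
    print(render_title_vulnerable(STORED_XSS_PAYLOAD))
    print(render_title_fixed(STORED_XSS_PAYLOAD))
    for candidate in ("T_xx00.aspx", "T_xx00.html", "../web.config", "T_xx00.aspx;.html"):
        print(candidate, is_safe_template_filename(candidate))
```

The encoding fix is only correct for the attribute context shown; a value that ends up inside a script block or a URL needs the encoder for that context instead. The file-name check deliberately validates the composed name rather than the extension field alone, since the UI in step 2 lets the user pick the extension.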

Haha, this once again shows the power of the "chicken rib" combo, and this one is more lethal than the last. Normally, when you submit an article, the administrator reviews it before it is published (so why not post something eye-catching like xx00 to draw the review?), which makes this XSS far more likely to fire and far more usable, and the harm correspondingly greater.