[ADD] DedeCMS_v5.7_shops_delivery_存储型XSS
Evi1CLAY committed Jul 23, 2017
1 parent 0bf40f9 commit a596f87
Showing 5 changed files with 53 additions and 4 deletions.
32 changes: 32 additions & 0 deletions DedeCMS/DedeCMS_v5.7_shops_delivery_存储型XSS/README.md
@@ -0,0 +1,32 @@
# DedeCMS_v5.7_shops_delivery_存储型XSS

## Affected Version

DedeCMS-V5.7-UTF8-SP2 (released 2017-03-15)

Download: https://pan.baidu.com/s/1bprjPx1 (password: mwdq)


## PoC

This vulnerability is of limited practical value: it can only be triggered by logging into the admin backend and using the "add delivery method" function. Once the entry is added, the stored XSS fires in both the backend and the frontend.

The root cause is that the admin-supplied delivery-method description field (des) is only passed through addslashes before being written to the database. That step by itself is not the bug: addslashes backslash-escapes quotes and backslashes so the value cannot break the SQL string literal, but it leaves <, > and = untouched, so any HTML tag is stored intact.

The real problem is that when the value is read back from the database and written to the page, no HTML entity encoding is applied; it is echoed as-is, which is what produces the XSS.

Test:

1. Add a delivery method in the backend

![](add_delivery.png)

2. After the add succeeds the delivery-method list is displayed directly, and the XSS fires

![](show_delivery.png)

The same XSS also fires on the frontend when a user selects a delivery method while buying something.

## References

1. https://www.seebug.org/vuldb/ssvid-92863
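Review bot: the root-cause paragraphs name the `des` field and the missing HTML entity encoding on output, but the write-up never names the PHP file or template that echoes the value, and it stops at the PoC with no remediation. Name the backend list template and the frontend checkout template that print `des`, and add one line stating the fix (entity-encode `des` with htmlspecialchars at output in both places) so a reader can verify a patch rather than only reproduce the bug. The download is a password-protected Baidu pan mirror; recording the official package name or a file hash would make the test target reproducible.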
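As an added illustration (not code from this write-up or from DedeCMS), the following PHP shows why addslashes on the way into the database does nothing against this bug and what entity-encoding at output changes. The only name taken from the write-up is the description field `des`; the payload, the simulated database round trip and the two render helpers are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not DedeCMS code. The only name taken from the write-up is
// the delivery-method description field `des`; everything else is constructed.

// Constructed payload typed by an administrator into the description field.
const PAYLOAD = '<img src="x" onerror="alert(document.domain)">';

// What the CMS does before the INSERT: addslashes() backslash-escapes ' " \
// and NUL so the value cannot break out of the SQL string literal. It does
// not touch < > or =, so the HTML tag survives intact.
function escapeForSql(string $des): string
{
    return addslashes($des);
}

// Simulated database round trip (assumption for the example, no real
// database): MySQL consumes the escaping backslashes when it parses the
// INSERT, so a later SELECT returns the original text.
function storeAndReload(string $des): string
{
    return stripslashes(escapeForSql($des));
}

// Vulnerable rendering, as described for the admin delivery list and the
// frontend checkout step: the reloaded value is dropped into the markup raw.
function renderVulnerable(string $des): string
{
    return '<td>' . $des . '</td>';
}

// Hardened rendering: entity-encode at the output boundary. ENT_QUOTES covers
// both quote styles, so the same helper is safe inside attribute values too;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing an empty string.
function renderFixed(string $des): string
{
    return '<td>' . htmlspecialchars($des, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</td>';
}

// Check whether a rendered cell still carries a raw tag inside the <td> wrapper.
function containsRawTag(string $html): bool
{
    $inner = substr($html, 4, -5); // strip the fixed '<td>' and '</td>'
    return (bool) preg_match('/<[a-zA-Z!\/]/', $inner);
}

$reloaded = storeAndReload(PAYLOAD);

// addslashes() changed nothing that matters: the tag comes back unchanged.
var_dump($reloaded === PAYLOAD);

// Raw output still carries the event handler; encoded output does not.
var_dump(containsRawTag(renderVulnerable($reloaded)));
var_dump(containsRawTag(renderFixed($reloaded)));
```

The fix belongs at the output boundary in both templates (admin list and frontend checkout). Filtering only on input would leave rows already in the database exploitable, and addslashes is the wrong tool for HTML in any case.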
13 changes: 13 additions & 0 deletions DedeCMS/DedeCMS_v5.7_shops_delivery_存储型XSS/local/record.txt
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
Test environment: DedeCMS-V5.7-UTF8-SP2 (released 2017-03-15)

The displayed version can be checked via /data/admin/ver.txt



Found that the official site no longer offers downloads of historical versions; plan to collect the vulnerable versions myself


0315 build: admin-admin
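Review bot: this file is committed in a non-UTF-8 encoding (it renders as mojibake on GitHub next to a UTF-8 README) and records the test install's admin credentials `admin-admin` in the repository. Re-encode it as UTF-8 so the note is readable, and drop the credential line; the version and the `/data/admin/ver.txt` hint are the only parts other testers need.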



12 changes: 8 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
@@ -10,26 +10,30 @@ Content Management System Vulnerability Hunter

### CMS vulnerability list

#### DedeCMS

- [DedeCMS_v5.7_shops_delivery_存储型XSS](DedeCMS/DedeCMS_v5.7_shops_delivery_存储型XSS)

#### Struts

- [S2-048(CVE-CVE-2017-9791)](Struts/S2-048(CVE-CVE-2017-9791))

##### WordPress
#### WordPress
- [WordPress_4.4_SSRF](WordPress/WordPress_4.4_SSRF)
- [WordPress_4.7_Info_Disclosure](WordPress/WordPress_4.7_Info_Disclosure)
- [WordPress_4.7.0-4.7.1_未授权内容注入](WordPress/WordPress_4.7.0-4.7.1_未授权内容注入)

##### PHPCMS
#### PHPCMS
- [PHPCMS_v9.6.0_SQL注入](PHPCMS/PHPCMS_v9.6.0_SQL注入)
- [PHPCMS_v9.6.0_任意文件上传](PHPCMS/PHPCMS_v9.6.0_任意文件上传)
- [PHPCMS_v9.6.1_任意文件下载](PHPCMS/PHPCMS_v9.6.1_任意文件下载)
- [PHPCMS_v9.6.2_任意文件下载](PHPCMS/PHPCMS_v9.6.2_任意文件下载)

##### Joomla!
#### Joomla!
- [Joomla_3.7.0_SQL注入(CVE-2017-8917)](Joomla/Joomla_3.7.0_SQL注入(CVE-2017-8917))
- [Joomla_3.4.4-3.6.3_未授权创建特权用户(CVE-2016-8869)](Joomla/Joomla_3.4.4-3.6.3_未授权创建特权用户(CVE-2016-8869))

##### FineCMS
#### FineCMS
- [FineCMS最新版5.0.8两处getshell](https://github.com/SecWiki/CMS-Hunter/tree/master/FineCMS/FineCMS%E6%9C%80%E6%96%B0%E7%89%885.0.8%E4%B8%A4%E5%A4%84getshell)

### Project maintenance
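Review bot: the Struts entry in the unchanged context reads `S2-048(CVE-CVE-2017-9791)` with a doubled `CVE-` prefix in both the link label and the directory path. It is pre-existing, but since this commit already normalizes the section headings from `#####` to `####`, fix the label to `CVE-2017-9791` and rename the directory to match in the same pass.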
