/S = Recursive searching
/P = Skip files with non-printable characters
/I = Case insensitive
/N = Prints the line number
/c:<STR> = String to look for
Code:
findstr /SPIN /c:"<input" "c:\xampp\htdocs\witycms-0.6.1\*.html"
Result after running the command:
<script>alert(1)</script>
findstr /SPIN /c:"$_POST" "c:\xampp\htdocs\witycms-0.6.1\*.php"
This command is much like the earlier one that looked for files containing an "input" tag, but this time we search the .php files for every place that reads "$_POST".
Most of the hits are in bundled third-party libraries, so we skip those; what remains points at WMain.php, WRequest.php and WSession.php. Browsing these files turns up an interesting function in WRequest: when the filter spots a script tag, it replaces it with an empty string:
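The filter described above deletes script tags and otherwise passes the value through, which is the classic blacklist mistake behind stored XSS like this one. The following Python model is an added example, not wityCMS's code (the actual WRequest function is not shown on this page): it reconstructs the described behaviour as an assumed single-pass regex deletion, feeds it constructed payloads of the kind an attacker could enter in the "Website's name" field, and contrasts it with output encoding at the point where site_title is written into HTML.

```python
import html
import re

# Assumed reconstruction of the blacklist the article describes: script tags
# are replaced by an empty string. This is illustration only, not the
# wityCMS WRequest code, which this page does not show.
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)

# Constructed payloads for the "Website's name" field.
PAYLOADS = {
    "plain": "<script>alert(1)</script>",
    # Nested tag: one removal pass leaves a fresh <script> behind.
    "nested": "<scr<script>ipt>alert(1)</scr</script>ipt>",
    # No script tag at all: an event handler on an ordinary element.
    "handler": "<img src=x onerror=alert(1)>",
}


def strip_script_tags(value: str) -> str:
    """Single-pass blacklist: delete every <script ...> and </script> tag."""
    return SCRIPT_TAG.sub("", value)


def strip_until_stable(value: str) -> str:
    """Iterated blacklist: repeat the deletion until nothing changes."""
    while True:
        stripped = strip_script_tags(value)
        if stripped == value:
            return stripped
        value = stripped


def render_vulnerable(site_title: str, sanitizer=strip_script_tags) -> str:
    """The pattern behind a stored XSS: filtered input written raw into HTML."""
    return f'<h1 class="site-name">{sanitizer(site_title)}</h1>'


def render_safe(site_title: str) -> str:
    """Fix: encode for the HTML text context at output time; no input filter needed."""
    return f'<h1 class="site-name">{html.escape(site_title, quote=True)}</h1>'


# A script tag, or any tag that carries an on* event-handler attribute.
ACTIVE_HTML = re.compile(r"<script\b|<\w+[^>]*\bon\w+\s*=", re.IGNORECASE)


def contains_active_html(markup: str) -> bool:
    """True if the rendered markup still carries executable markup."""
    return ACTIVE_HTML.search(markup) is not None


def bypass_report() -> dict:
    """For each (defence, payload name): True if the payload still executes."""
    report = {}
    for name, payload in PAYLOADS.items():
        report[("strip_once", name)] = contains_active_html(render_vulnerable(payload))
        report[("strip_iterated", name)] = contains_active_html(
            render_vulnerable(payload, strip_until_stable))
        report[("escape_output", name)] = contains_active_html(render_safe(payload))
    return report


if __name__ == "__main__":
    for (defence, name), survives in sorted(bypass_report().items()):
        print(f"{defence:15} {name:8} {'BYPASSED' if survives else 'blocked'}")
```

The single-pass filter blocks only the naive payload: the nested variant survives because removing the inner tag reassembles the outer one, and the event-handler variant never contained a script tag to begin with. Iterating the deletion closes the first hole but not the second, which is why the fix for this class of bug is contextual output encoding where site_title is emitted, not a longer blacklist.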
- Vulnerability Type: Cross-Site Scripting
- Product: wityCMS
- Version: 0.6.1
- Vendor confirmed the vulnerability? No (not acknowledged yet at the time of the request)
- Attack Type: Remote
- Impact: Code execution
- Affected Components: Source code files that output "site_title"
- Attack Vector: To exploit the vulnerability, one must craft and enter a script in the Site name field of the system
- Suggested Description: Stored cross-site scripting (XSS) vulnerability in the "Website's name" field found in the "Settings" page under the "General" menu in Creatiwity wityCMS 0.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to admin/settings/general.
- Discoverer: Nathu Nandwani
- Reference(s): https://github.com/Creatiwity/wityCMS/issues/150, https://github.com/Creatiwity/wityCMS/co...229147de44
Author: nats
Translation: ichunqiu translation team - prison
Translation source: https://greysec.net/showthread.php?tid=3202
Questions are welcome in the comments.
Discovering CVE-2018-11512: wityCMS 0.6.1 persistent XSS
Original article: https://www.cnblogs.com/ichunqiu/p/9449456.html