Support Ticket System CMS Webshell Upload & XSS - CXSecurity.com

Vulnerability ID 1571340 Vulnerability type
Published 2019-04-16 Updated 2019-04-16
CVE ID N/A CNNVD-ID N/A
Platform N/A CVSS score N/A
|Source
https://cxsecurity.com/issue/WLB-2019040136
|Details
Vulnerability details have not yet been disclosed.
|Exploit
Support Ticket System CMS has no input validation and no file-type filtering, so any PHP file can be uploaded through the avatar upload field of the settings page, and the unfiltered input fields on the same page can be used for stored XSS.
PoC (against the vendor's demo instance):
1. Open http://support.deadlockinfotech.com/login.php and press the «Sign in» button.
2. Go to the settings page http://support.deadlockinfotech.com/settings.php. It contains many unfiltered input fields and one file upload field (the avatar).
3. Choose any PHP file (a web shell, an uploader, or whatever you want) and scroll down to the submit button, labelled «Update». The developer ships this button disabled, but the «disabled» attribute is purely client-side and the server does not check anything on its own. Either submit the form with jQuery from the browser's developer console, or delete the «disabled» attribute from the <button> element so that it reads <button class="btn btn-bold btn-primary" name="update" type="submit">Update</button>. The button is now enabled and the form can be submitted.
4. After submitting, inspect the avatar image in the upper-right corner (right-click, «Inspect»). Its src attribute gives the stored path: the uploaded PHP file sits under http://support.deadlockinfotech.com/assets/img/avatar/, from where it can be requested directly.

The XSS is less interesting but still present: anything you put into the input fields is stored and rendered without encoding. The «Website name» field is the most useful one, because its value is rendered on every page you navigate to, so a script stored there runs on each of them. There is no WAF and no filtering anywhere on this page, so any payload will do.
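The following is an added example, not code from Support Ticket System CMS or from the original report, showing the server-side handling that would have closed both issues described above: an avatar-upload handler that ignores the client's filename and Content-Type, and output encoding for the stored «Website name». Because the CMS source was not published with the advisory, the form field names (`avatar`, `website_name`) and the vulnerable pattern shown in the comment are assumptions; only the assets/img/avatar/ storage directory comes from the report.

```php
<?php
// Added illustrative hardening, not code from Support Ticket System CMS.
// Assumed (not stated in the advisory): the settings form posts the avatar
// as $_FILES['avatar'] and the site name as $_POST['website_name'].
declare(strict_types=1);

const AVATAR_DIR       = __DIR__ . '/assets/img/avatar';   // directory named in the report
const MAX_AVATAR_BYTES = 512 * 1024;
const ALLOWED_IMAGES   = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// A typical vulnerable pattern consistent with what the advisory describes
// (assumed, the real source was not published): the client-supplied name is
// kept and nothing is checked, so shell.php lands in a web-served directory.
//   move_uploaded_file($_FILES['avatar']['tmp_name'],
//                      AVATAR_DIR . '/' . $_FILES['avatar']['name']);

/** Store an uploaded avatar only if it really is a PNG, JPEG or GIF; returns the new name. */
function store_avatar(array $file): string
{
    // Every check is server-side: a disabled submit button is not a control.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    if ($file['size'] > MAX_AVATAR_BYTES) {
        throw new RuntimeException('Avatar too large');
    }
    // Sniff the bytes; the client's filename and Content-Type are ignored.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGES[$mime])) {
        throw new RuntimeException('Only PNG, JPEG or GIF avatars are accepted');
    }
    // Cheap sanity check on the image headers. It does not defeat image/PHP
    // polyglots; the random name with a fixed image extension below does,
    // because the file can then never be requested as .php.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image');
    }
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGES[$mime];
    if (!move_uploaded_file($file['tmp_name'], AVATAR_DIR . '/' . $name)) {
        throw new RuntimeException('Could not save avatar');
    }
    chmod(AVATAR_DIR . '/' . $name, 0644);
    return $name;
}

/** Validate the «Website name» on input: 1-64 printable characters, valid UTF-8. */
function clean_website_name(string $raw): string
{
    $name = trim($raw);
    if (!preg_match('/\A[^\p{Cc}]{1,64}\z/u', $name)) {
        throw new InvalidArgumentException('Website name must be 1-64 printable characters');
    }
    return $name;   // stored as plain text; encoding happens at output time
}

/** HTML-encode for the text and attribute contexts used below. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Fragment rendered on every page. Vulnerable form: echo "<title>$siteName</title>"; */
function render_header(string $siteName, string $avatarFile): string
{
    return '<title>' . e($siteName) . '</title>'
         . '<img class="avatar" src="/assets/img/avatar/' . e(rawurlencode($avatarFile)) . '"'
         . ' alt="' . e($siteName) . '">';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        $raw      = $_POST['website_name'] ?? '';
        $siteName = clean_website_name(is_string($raw) ? $raw : '');
        $avatar   = 'default.png';   // keep the existing avatar when no file is sent
        if (isset($_FILES['avatar']) && $_FILES['avatar']['error'] !== UPLOAD_ERR_NO_FILE) {
            $avatar = store_avatar($_FILES['avatar']);
        }
        // Persisting $siteName and $avatar with a prepared statement is omitted here.
        echo render_header($siteName, $avatar);
    } catch (Throwable $ex) {
        http_response_code(400);
        echo e($ex->getMessage());
    }
}
```

With this handler a file named shell.php is rejected by the MIME sniff before it reaches disk, and even a file whose bytes pass as an image is written under a random name ending in .png/.jpg/.gif, so it is never mapped to the PHP interpreter. The «Website name» is encoded where it is rendered, so `<script>` stored in it appears as text on every page instead of running. Independently of the application code, the web server should refuse to execute scripts from assets/img/avatar/ (for Apache with mod_php, `php_flag engine off` in that directory's .htaccess, or a `<FilesMatch "\.php$">` deny rule), so that a future upload bug cannot become code execution again.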