Skip to content

phpcms v9.6.3 会员中心存在存储型xss漏洞 /PhPCMS V9.6.3 has a storage XSS vulnerability in the member center #2

Description

@trymonoly

可能存在rce的(需要去绕过全局的GPC转义),已经确定存储型xssThere may be an RCE (which needs to bypass the global GPC escape), and the storage XSS has been identified

漏洞影响版本 phpcms v9.6.3
The vulnerability affects version phpcms v9.6.3

漏洞复现/Vulnerability Recurrence:

此页面为管理员后台页面/This page is the admin page

uri:/index.php?m=member&c=member_menu&a=manage&menuid=1349&pc_hash=G5Kyaa&&pc_hash=G5Kyaa

Image

通过添加菜单(注意一定要带上登录后的hash)/By adding the menu (be sure to bring the hash after logging in)

Image

Image
成功嵌入我们页面中,并且会员中心登录的所有用户都会被xss漏洞影响。

Successfully embedded in our page and all users logged in to the Member Center will be affected by the XSS vulnerability.

Image
会员中心是前台允许所有用户注册用户页面/The Member Center is a front-end page that allows all users to register as users
Image

代码分析/ Code analysis

引起漏洞的文件:phpcms/modules/member/member_menu.php
File causing the vulnerability: phpcms/modules/member/member_menu.php

function add() {
		if(isset($_POST['dosubmit'])) {
			$this->db->insert($_POST['info']);
			//开发过程中用于自动创建语言包
			$file = PC_PATH.'languages'.DIRECTORY_SEPARATOR.'zh-cn'.DIRECTORY_SEPARATOR.'member_menu.lang.php';
			if(file_exists($file)) {
				$content = file_get_contents($file);
				$content = substr($content,0,-2);
				$key = $_POST['info']['name'];
				$data = $content."\$LANG['$key'] = '$_POST[language]';\r\n?>";
				file_put_contents($file,$data);
			} else {
				
				$key = $_POST['info']['name'];
				$data = "<?php\r\n\$LANG['$key'] = '$_POST[language]';\r\n?>";
				file_put_contents($file,$data);
			}
			//结束
			showmessage(L('add_success'));
		} else {
			$show_validator = '';
			$tree = pc_base::load_sys_class('tree');
			$result = $this->db->select();
			foreach($result as $r) {
				$r['cname'] = L($r['name'], '', 'member_menu');
				$r['selected'] = $r['id'] == $_GET['parentid'] ? 'selected' : '';
				$array[] = $r;
			}
			$str  = "<option value='\$id' \$selected>\$spacer \$cname</option>";
			$tree->init($array);
			$select_categorys = $tree->get_tree(0, $str);
			
			include $this->admin_tpl('member_menu');
		}
	}

漏洞函数为file_put_contents($file,$data);将代码写入phpcms\languages\zh-cn\member_menu.lang.php

Image
利用链逻辑:

The vulnerability function is file_put_contents ($file, $data);

Leverage chain logic:

$key = $_POST['info']['name']; → $data = $content."$LANG['$key'] = '$_POST[language]';\r\n?>"; → file_put_contents($file,$data); → $result = $this->db->select(); → include $this->admin_tpl('member_menu'); → echo $categorys;

Image
模板渲染在phpcms/modules/member/templates/member_menu.tpl.php下的
The template is rendered under phpcms/modules/member/templates/member_menu.tpl.php
<?php echo $categorys;?>

Image
进行渲染触发xss漏洞/Rendering triggers an XSS vulnerability

大致就是后台管理员的会员中心菜单界面添加了一个插入xss模块,从而触发所有用户登录自己的后台都会看见xss的弹框,源码没有对输入和输出进行实体编码从而导致存储型xss。

Roughly speaking, the menu interface of the member center of the background administrator has added an insert xss module, so that all users will see the xss pop-up box when they log in to their own background, and the source code does not physically encode the input and output, resulting in stored xss.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions