Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
47 lines (39 sloc) 2.63 KB

XSS1


Code analysis

Vulnerability code is located destoon\admin\setting.inc.php 64 to 139 lines First looking at destoon\admin.php 56 to 60 lines When the module parameter is not POST, the default is destoon. it will inclusion a file, and the file is derived from the file parameter, so we go to the POST package to view it. You can see that the POST file parameter is set, and the splicing with the source code can get the include file as /admin/setting.inc.php

Vulnerability display

XSS2


Do not do too much explanation, the source code is not filtered Visit the homepage Click below for details(详细介绍)

XSS3


Code analysis

Also in file destoon\admin.php When the module parameter is not POST, the default is destoon. it will inclusion a file, and the file is derived from the file parameter, so we go to the POST package to view it. You can see that the POST file parameter is category, and the splicing with the source code can get the include file as /admin/category.inc.php You can see the case operation of the incoming action here. The action in the current data packet is edit, but after analyzing add or copy, there is also a problem. I will not analyze it here, only analyze the edit branch. Code in 76 to 90 lines It can be seen that when the action is edit, the judgment is first made to determine whether the classification name is empty and equal to catid, and the judgment based on category[catname] and category[parentid] are both incoming data.

Vulnerability display

You can’t perform that action at this time.