
3 XSSes found #32

Open
PwnMonkeyLab opened this issue Jul 4, 2019 · 0 comments

@PwnMonkeyLab

commented Jul 4, 2019

Three stored XSSes were found, none of which has been reported before. The first one is similar to the third one, but the first is in the post-edit page while the other is in the page-edit page.

Stored XSS 1:

In /MiniCMS/mc-admin/post-edit.php
Payload: <script>alert(document.domain)</script>

POC:

  1. Go to the article edit page and input the payload into the content box:
     [screenshot XSS1-1]

  2. Use Burp Suite to edit the payload (the front end will encode the payload):
     [screenshot XSS1-2]

  3. After that, turn to the article page:
     [screenshot XSS1-3]

  4. Then you get the window popped up with the domain:
     [screenshot XSS1-4]

Stored XSS 2:

In /MiniCMS/mc-admin/conf.php
Payload: <script>alert("2:"+document.domain)</script>

POC:

  1. Enter the config page:
     [screenshot XSS2-1]

  2. Upload the payload in the comment field:
     [screenshot XSS2-2]

  3. Then write an article, set the comment code to true and save:
     [screenshot XSS2-3]

  4. When someone is reading the article, a window will pop up with the domain:
     [screenshot XSS2-4]

Stored XSS 3:

In /MiniCMS/mc-admin/page-edit.php
Payload: <script>alert("3: "+document.domain)</script>

POC:

  1. Go to the page-edit page, input the payload into the content box and click the save button:
     [screenshot XSS3-1]

  2. Use Burp Suite to edit the payload. Pay attention that the "+" needs to be URL-encoded:
     [screenshot XSS3-2]

  3. After that, go to the page we have saved:
     [screenshot XSS3-3]

  4. A window will pop up with the domain:
     [screenshot XSS3-4]

@PwnMonkeyLab PwnMonkeyLab changed the title Another XSS found 3 XSSes found Jul 5, 2019
