Trepverterless changed the title to "There are CSRF and XSS vulnerabilities in the background, which can be combined to steal user cookies and administrator cookies" on Dec 2, 2019
xss
An XSS vulnerability exists in the background administrator's article management area when adding and modifying.



Where the Chinese and English names are entered, enter `" onmousemove=alert(document.cookie) src=x`, as shown in the following figure.
Move the mouse over the label in the background article management area and the administrator's cookie will pop up, as shown in the following figure.
The user's cookie will also pop up when the mouse moves over the title on the front page.
csrf
CSRF is also found to exist when adding and modifying.

Before use
After the following page is constructed, the administrator can be induced to click it.
When the administrator visits and clicks the page:

Category added successfully

csrf+xss
Here, CSRF and XSS can be used together: an attacker can use the CSRF vulnerability to add or modify an article category that carries the code.
After the user accesses the link, the hidden iframe automatically submits the form and successfully adds the article category with the malicious code without the user's knowledge. The malicious code can send the user's cookie to the attacker's remote server, stealing the user's cookie or the administrator's cookie.
