From the information in the screenshot, the following key details about the vulnerability can be recovered:

Vulnerability name and target:
- GetSimple CMS My SMTP Contact Plugin <= v1.1.1 - CSRF to Stored XSS to RCE

Author:
- Exploit Author: Bobby Cooke (boku)

Vulnerability description:
- The My SMTP Contact v1.1.2 plugin for GetSimple CMS suffers from a Stored Cross-Site Scripting (XSS) vulnerability which, when chained together with the CSRF vulnerability in v1.1.1, allows remote unauthenticated attackers to achieve Remote Code Execution on the hosting server when an authenticated administrator visits a malicious third-party website.
- The PHP function htmlspecialchars() attempts to sanitize user input but is trivially bypassed by passing dangerous characters as escaped hex bytes.
- After the admin submits the POST request from the CSRF attack, the attacker can post arbitrary client-side code within the admin's browser.
- Since GetSimple CMS has a known PHP code injection vulnerability within the theme's edit page, the attacker can create an admin session and perform a chain of XHR requests within the admin's browser.
- The XHR chain will collect the CSRF token from the theme's edit page and use the token to exploit the PHP code injection vulnerability to upload a webshell within every page hosted by the CMS.

Vulnerability data:
- CVSS Base Score: 9.6
- CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

A demonstration of the exploit is provided: a Python script proves the chain works and obtains a webshell.
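As an added example (not code from the advisory or the plugin), the following PHP contrasts HTML-entity escaping with JavaScript-context escaping for the hex-escape bypass described above; the sink (a stored value echoed into an inline script string literal) and the constructed input are assumptions, since the page does not show the plugin's own code.

```php
<?php
// Added example, not the plugin's code. Assumption: the stored value is echoed
// into an inline <script> string literal that a later script writes to the DOM.
// Requires PHP 8 for str_contains().

// Constructed attacker-style input: no raw "<" or ">" characters, only
// backslash-x hex escapes, so htmlspecialchars() leaves it unchanged.
$input = '\x3cimg src=x onerror=alert(1)\x3e';

// Weak: htmlspecialchars() only rewrites & < > " ' and never touches the
// backslash, so the JavaScript engine decodes \x3c and \x3e into "<" and ">"
// when it parses the string literal.
function renderWeak(string $value): string {
    $escaped = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    return "<script>var subject = '$escaped';</script>";
}

// Hardened: json_encode() escapes the backslash itself (\\x3c), so the
// attacker's escape sequence survives only as literal text. The JSON_HEX_*
// flags additionally encode < > & ' " so that a value such as </script>
// cannot terminate the script block. The consuming script should then assign
// the value with textContent, never innerHTML or document.write().
function renderHardened(string $value): string {
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $literal = json_encode($value, $flags);
    return "<script>var subject = $literal;</script>";
}

// Reviewer check: does the rendered output still carry a bare "\x3c" that the
// JavaScript parser will decode (true = unsafe), or only the doubled "\\x3c"?
function escapeSequenceSurvives(string $html): bool {
    return str_contains($html, '\\x3c') && !str_contains($html, '\\\\x3c');
}

var_dump(escapeSequenceSurvives(renderWeak($input)));
var_dump(escapeSequenceSurvives(renderHardened($input)));
```

The same check is worth running against every other place a plugin echoes stored form data, because the correct escaper depends on the output context (HTML body, attribute, or JavaScript), not on the input.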