taocms
taoCMS is an incredibly tiny CMS (Content Management System), written in PHP, supporting MySQL/SQLite as the database (MIT License).
```http
GET /admin/admin.php?action=cms&id=1)or(sleep(5))--+&ctrl=del HTTP/1.1
Host: taocms.test
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://taocms.test/admin/admin.php?action=admin&ctrl=lists
Accept-Encoding: gzip, deflate
Accept-Language:...
```
## analysis

The location of the vulnerability is line 33 in taocms\include\Model\Article.php: the incoming SQL statement in the update() method does not use intval to process id, and Link.php extends...
## poc

After logging in as admin, open the file manager and use the download function. After changing the path parameter, arbitrary files can be read.

## analysis

Location: include/File.php. We can use ../ to traverse...
1. The location of the vulnerability is in taocms\include\Model\file.php, from line 60 to line 72; line 64 determines whether the incoming folder is empty and deletes the empty folder. If...
1. The location of the vulnerability is line 59 in taocms\include\Model\Cms.php: the incoming SQL statement in the update() method does not use intval to process id. The location of the...
First, we enter the admin backend using the administrator account admin we created. Let's click "file management" on the left, then use Burp Suite and click Download to capture...
First, we enter the admin backend using the column administrator account admin we created. Let's click "add article" on the left and insert the XSS payload in the title. Return...
Log in to the admin backend as the default account admin. We click through in order and capture the requests. There is a time-based blind SQL injection vulnerability in...
First, construct our POC and put it on our website; the URL is `http://test.com/id-1502.html`. The POC is as follows:

```html
Test title Testcontent-1 Testcontent-2
```

Then log in to the...