ROUYI CMS vulnerabilities


Stored XSS

  • The default CMS has two roles, admin and common.
  • Both of them have permission to modify the bulletin.
  • Moreover, /system/notice is the only path excluded from the XSS filter.
  • So we can enter an XSS payload in a notice, and it triggers for anyone who views the notice, including admin.

Insecure Permissions

  • Besides the administrator, any account can add roles of its own level.
  • But this is not configured correctly: we can add any roles with any permissions, even admin.

  • We use a common-role account and go to the user registration page.
  • You can see that only the common role can be registered.
  • We intercept the request and change the roleid to any role we want.
  • In the database, an admin account has been created.
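
The server-side check that the steps above show to be missing, as an added example that is not code from the CMS: the handler compares the requested role ids with the roles the caller already holds instead of trusting the request body. All names and the role ids 1 and 2 are constructed for illustration.

```python
# Added illustration; every name and id here is hypothetical, not the CMS's code.
from dataclasses import dataclass

ADMIN_ROLE_ID = 1                      # constructed role table
ROLES = {1: "admin", 2: "common"}


class Forbidden(Exception):
    """Raised when a caller asks for a role it is not allowed to grant."""


@dataclass(frozen=True)
class User:
    name: str
    role_ids: frozenset


def add_user_vulnerable(caller: User, name: str, requested_role_ids) -> User:
    # Trusts the role ids in the request body. The registration form only
    # offers "common", but the form is not an access control.
    return User(name, frozenset(requested_role_ids))


def add_user_checked(caller: User, name: str, requested_role_ids) -> User:
    requested = frozenset(requested_role_ids)
    unknown = sorted(r for r in requested if r not in ROLES)
    if not requested or unknown:
        raise Forbidden(f"invalid role ids: {unknown}")
    # Non-administrators may grant only roles they already hold
    # ("same level"); the check runs on the server for every request.
    if ADMIN_ROLE_ID not in caller.role_ids:
        escalation = sorted(requested - caller.role_ids)
        if escalation:
            raise Forbidden(f"{caller.name} may not grant roles {escalation}")
    return User(name, requested)


if __name__ == "__main__":
    common = User("common_user", frozenset({2}))
    print(add_user_vulnerable(common, "new1", [1]))   # admin role accepted
    try:
        add_user_checked(common, "new2", [1])
    except Forbidden as exc:
        print("rejected:", exc)
```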