Preparatory work:
Download the install.php file from Releases.


Download the CMS source code and install.php installation files.
Copy the edited install.php file to the source code root.
Contents of the original install.php file:
Press Ctrl + F and search for "version".

Change 1.11 to the XSS code:
<script>alert(7788)</script>

After the modification, copy the file to the root directory.

Visit install.php

Click the "开始升级" ("Start upgrade") button

Clicking the "开始体验" ("Get started") button redirects to the admin back-end page, which triggers the XSS code.
Any page in the admin back end triggers the vulnerability.

The XSS code is stored in:
mc-admin/mc-conf.php

As shown in the figure, our XSS code is saved in the version field.
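
The fix for the behaviour above has two parts: reject a non-numeric version before it is written to the config file, and HTML-encode the value wherever the admin pages print it. The PHP below is an added example, not code from the CMS; the `$config` array, its `version` key and all function names are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not the CMS's own code.
// Assumption: the config file defines an array with a 'version' key.

/** Accept only dotted numeric versions such as "1.11". */
function is_valid_version($value): bool
{
    return is_string($value)
        && preg_match('/\A\d{1,4}(\.\d{1,4}){0,3}\z/', $value) === 1;
}

/** Write-time control: refuse to persist a version that is not numeric. */
function build_config_source(array $config): string
{
    if (!is_valid_version($config['version'] ?? null)) {
        throw new InvalidArgumentException('version must look like 1.11');
    }
    // var_export() quotes every value safely for a PHP source file.
    return "<?php\n\$config = " . var_export($config, true) . ";\n";
}

/** Render-time control: encode the value even if storage was tampered with. */
function render_version(array $config): string
{
    $version = (string) ($config['version'] ?? '');
    return '<span class="version">v'
        . htmlspecialchars($version, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</span>';
}

// Constructed sample values: the original version and the string from this report.
$clean   = ['version' => '1.11'];
$tainted = ['version' => '<script>alert(7788)</script>'];

echo render_version($clean), "\n";
// The angle brackets are encoded, so the browser displays the string as text.
echo render_version($tainted), "\n";

try {
    build_config_source($tainted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Encoding at render time is the control that matters most here, because the stored value can also be changed by editing the config file directly, which bypasses any write-time check.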