Summary
Some of the data stored by the automation_tree_rules_form_save() function in automation_tree_rules.php is not thoroughly checked and is later used to concatenate an HTML statement in the form_confirm() function from lib/html.php, finally resulting in XSS.
Details
In the SQL table automation_tree_rules stored in the database, the name field is controllable. The writing of dirty data can be done from the automation_tree_rules_form_save() function in automation_tree_rules.php. Both writing and reading require administrator privileges.
![image](https://private-user-images.githubusercontent.com/88656937/313118871-5f2ebf52-fb25-4a56-82cc-272a6c2bacc7.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTkwMTQyNDAsIm5iZiI6MTcxOTAxMzk0MCwicGF0aCI6Ii84ODY1NjkzNy8zMTMxMTg4NzEtNWYyZWJmNTItZmIyNS00YTU2LTgyY2MtMjcyYTZjMmJhY2M3LnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA2MjElMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNjIxVDIzNTIyMFomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPTI5ODQxZDA4NmJiNTFlMjg1NTM5OGQ1MjY2ZGJhMTcyOWI3NjFjZDI3YzBiOTljNzA4YjU2OTkxZjcxZDI5OTImWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.1I0HRUInz75pf7NIQdYfsdiYx-22oEVD3F2DC1e7UY8)
The attack starts with the automation_tree_rules_remove() function in automation_tree_rules.php, which reads the automation_tree_rules table and calls the form_confirm() function.
![image](https://private-user-images.githubusercontent.com/88656937/313119837-4ff2bea5-df76-461d-9f7e-f2b90746d350.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3MTkwMTQyNDAsIm5iZiI6MTcxOTAxMzk0MCwicGF0aCI6Ii84ODY1NjkzNy8zMTMxMTk4MzctNGZmMmJlYTUtZGY3Ni00NjFkLTlmN2UtZjJiOTA3NDZkMzUwLnBuZz9YLUFtei1BbGdvcml0aG09QVdTNC1ITUFDLVNIQTI1NiZYLUFtei1DcmVkZW50aWFsPUFLSUFWQ09EWUxTQTUzUFFLNFpBJTJGMjAyNDA2MjElMkZ1cy1lYXN0LTElMkZzMyUyRmF3czRfcmVxdWVzdCZYLUFtei1EYXRlPTIwMjQwNjIxVDIzNTIyMFomWC1BbXotRXhwaXJlcz0zMDAmWC1BbXotU2lnbmF0dXJlPWFkYjM0YjE1OGVjMDFlYTQ2Yjk1MDFhYzYwMjhlZWM2MzI1N2YyNmI5YTgwMDFiOTM4MDBjYTUxMzI3MTdlYzMmWC1BbXotU2lnbmVkSGVhZGVycz1ob3N0JmFjdG9yX2lkPTAma2V5X2lkPTAmcmVwb19pZD0wIn0.Gg34X3iN1Tui33DwvlTTP9Ns82a1zn6W6CvU4yPHwEc)
Finally arriving at lib/html.php: the variable $text is not checked and is concatenated directly into the HTML, resulting in XSS.
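As an added illustration (this is not Cacti's code and not the real form_confirm() implementation), the following PHP contrasts the unchecked-concatenation pattern described above with a version that escapes every untrusted value before it is concatenated, and adds a small check that flags stored rule names containing HTML-significant characters. The function names, parameters, sample rows and URLs are constructed for this example.

```php
<?php
// Added illustration, not Cacti's own code. The function and parameter
// names below are hypothetical stand-ins for the confirmation-dialog
// builder the advisory describes.

// Vulnerable pattern: the rule name read back from the database is
// concatenated into HTML unchanged, so markup stored in the name field
// executes in the administrator's browser when the dialog is rendered.
function form_confirm_unsafe(string $title, string $text, string $cancelUrl, string $confirmUrl): string
{
    return '<div class="confirm"><h3>' . $title . '</h3>'
        . '<p>' . $text . '</p>'
        . '<a href="' . $cancelUrl . '">Cancel</a> '
        . '<a href="' . $confirmUrl . '">Yes</a></div>';
}

// Context-appropriate escaping for element content and double-quoted
// attribute values. ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened pattern: same output structure, but every untrusted value is
// escaped at the point where it enters the HTML string.
function form_confirm_safe(string $title, string $text, string $cancelUrl, string $confirmUrl): string
{
    return '<div class="confirm"><h3>' . esc_html($title) . '</h3>'
        . '<p>' . esc_html($text) . '</p>'
        . '<a href="' . esc_html($cancelUrl) . '">Cancel</a> '
        . '<a href="' . esc_html($confirmUrl) . '">Yes</a></div>';
}

// Defender's check: return the ids of stored rows whose name changes under
// escaping, i.e. names that contain characters meaningful to HTML. Rows are
// passed in as arrays so the check can run over a DB query result.
function names_with_markup(array $rows): array
{
    $flagged = [];
    foreach ($rows as $row) {
        if (esc_html($row['name']) !== $row['name']) {
            $flagged[] = $row['id'];
        }
    }
    return $flagged;
}

// Constructed sample rows, modelled on the advisory's PoC value for the
// name field of automation_tree_rules. The URLs are placeholders.
$rows = [
    ['id' => 3, 'name' => 'Default tree rule'],
    ['id' => 4, 'name' => '<script>alert(1);</script>'],
];
$text = 'Are you sure you want to delete the rule ' . $rows[1]['name'] . '?';

// The unsafe dialog contains a live <script> element from the stored name.
echo form_confirm_unsafe('Delete Tree Rule', $text, '#cancel', '#confirm'), "\n";

// The safe dialog renders the stored name as inert, visible text.
echo form_confirm_safe('Delete Tree Rule', $text, '#cancel', '#confirm'), "\n";

// Lists the ids whose names carry markup, so an administrator can review
// existing rows after the escaping fix is deployed.
print_r(names_with_markup($rows));
```

Escaping at the output point, as form_confirm_safe() does, is the fix that holds regardless of how the value reached the table; the names_with_markup() sweep only helps locate rows that were written before the fix.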
PoC
POST to automation_tree_rules.php and submit the following data:
- 'save_component_automation_graph_rule' => 1,
- 'action'=>'save',
- '__csrf_magic'=> '',
- 'id'=>'4',
- 'name'=>'<script>alert(1);</script>',
- 'snmp_query_id'=>0,
Check the name field in the automation_tree_rules table.
GET access: "http://ip:port/automation_graph_rules.php?action=remove&id=4".
Researcher: ISHGARD-2, USTC