Mogu blog has a vulnerability to upload arbitrary files #65

Closed
@UUFR

Description

Use mogu2021:mogu2021 to log in to the Mogu blog.
http://demoweb.moguit.cn/
Choose User Center > User Avatar > Image.
At this point, use Burp Suite to capture the request packet.
Use the Repeater module in Burp Suite.
Try to change the file contents in the request packet to the XSS payload and try to change the file name to the HTML suffix.
You can see the successful upload and the file path in the response packet.
Open your browser to access the HTML file you just uploaded.
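A server-side avatar check of the kind that would have rejected the upload described above, added here as an example; it is not code from the Mogu project, and the function names, the accepted-format policy and the size limit are assumptions:

```python
import os
import secrets

# Magic bytes of the only avatar formats accepted (assumed policy, not Mogu's).
ALLOWED_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_AVATAR_BYTES = 2 * 1024 * 1024  # assumed limit

class UploadRejected(ValueError):
    """Raised when an upload fails validation."""

def validate_avatar(client_name: str, data: bytes) -> str:
    """Validate an uploaded avatar and return a server-chosen storage name.

    The client-supplied name is used only to read the claimed extension; it
    never becomes part of the stored path, so a '.html' name or a directory
    component in it cannot influence where or how the file is later served.
    """
    if not data or len(data) > MAX_AVATAR_BYTES:
        raise UploadRejected("empty or oversized upload")
    base = os.path.basename(client_name.replace("\\", "/"))
    if "." not in base:
        raise UploadRejected("missing extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_MAGIC:
        raise UploadRejected(f"extension not allowed: {ext}")
    # Cross-check the claimed type against the bytes: markup renamed to
    # image.png fails here even though the extension itself is allowed.
    if not data.startswith(ALLOWED_MAGIC[ext]):
        raise UploadRejected("content does not match extension")
    return f"{secrets.token_hex(16)}.{ext}"

def is_accepted(client_name: str, data: bytes) -> bool:
    """Convenience wrapper: True if the upload passes validation."""
    try:
        validate_avatar(client_name, data)
        return True
    except UploadRejected:
        return False

def serve_headers(stored_name: str) -> dict:
    """Headers for serving a stored avatar: fixed image type, no MIME sniffing."""
    ext = stored_name.rsplit(".", 1)[1]
    mime = {"png": "image/png", "jpg": "image/jpeg",
            "jpeg": "image/jpeg", "gif": "image/gif"}[ext]
    return {"Content-Type": mime, "X-Content-Type-Options": "nosniff",
            "Content-Disposition": f'inline; filename="{stored_name}"'}
```

Because the stored name and the response Content-Type are both chosen by the server from the validated extension, a browser fetching the file path returned in the upload response never receives it as HTML.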

Labels: bug (Something isn't working)