CVE-2023-34734: Stored Cross-Site Scripting (XSS) Vulnerability in 安网科技 AC集中管理平台 1.02.040 · Issue #3 · prismbreak/vulnerabilities
Annet AC Centralized Management Platform 1.02.040 is vulnerable to Stored Cross-Site Scripting (XSS).
1. Search for vulnerable products on the internet
Go to https://hunter.qianxin.com/ and use this query to search for potentially vulnerable products exposed on the internet: web.body="//var get_val=getCookie"
Please note that not all assets shown in the results are the target product. Only those whose login form shows the string “智能AC管理系统” are the target product, as follows:
Product source: https://aiqicha.baidu.com/copyright?pid=45648122632021&softId=copyright_f6fd34622c3d70d81a7b9095d446a532
A list of vulnerable targets is as follows:
2. Log in with the default credentials
The default credentials are admin : admin
Login successful.
3. Upload your payload
Click “系统配置” (System Configuration) and then “AP系统管理” (AP System Management) to reach the vulnerable function.
Then click the “选择文件” (Choose File) button to select a file to upload.
Remember to choose a “.trx” file, because the file extension restriction is enforced on the front end.
Finally, click the “上传” (Upload) button to upload the file, and intercept the request with Burp Suite.
In Burp, change the value of the filename parameter to "1.html", an HTML file containing the payload <script>alert("A stored XSS!")</script>, then send the request. The path to the uploaded file is returned in the response: /tmp/ac_upgrade/other/1.html
Finally, open this URL in a web browser; as shown, the payload is triggered.
Importantly, victims can reach this URL without logging in, so the stored payload is exposed to any visitor, not only to authenticated administrators.
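The root cause above is an extension check that lives only in the browser, so editing the multipart filename in a proxy bypasses it. The following is an added example of the server-side check that would have blocked the "1.html" upload; it is illustrative code, not the vendor's implementation. It assumes the upgrade endpoint should accept only ".trx" firmware images, that the server (not the client) chooses the on-disk name, and that the images use the Broadcom TRX container whose header begins with the bytes "HDR0" (an assumption about this product).

```python
import os
import re
import secrets

# Hypothetical hardened validation for the "AP系统管理" upgrade upload.
# Only the final extension counts, so "1.trx.html" is rejected like "1.html".
ALLOWED_EXTENSIONS = {".trx"}
# Conservative filename alphabet: no separators, no leading dot, bounded length.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,99}$")
# Assumed magic for a TRX firmware image (Broadcom TRX header, "HDR0").
TRX_MAGIC = b"HDR0"


def validate_upload_filename(filename: str) -> bool:
    """Return True only if the client-supplied filename is acceptable.

    Any path separator is rejected outright (no basename() rescue), so
    "../1.trx" and "C:\\1.trx" cannot steer the file out of the upload dir.
    """
    if not filename or "/" in filename or "\\" in filename:
        return False
    if not SAFE_NAME.match(filename):
        return False
    ext = os.path.splitext(filename)[1].lower()
    return ext in ALLOWED_EXTENSIONS


def looks_like_trx(data: bytes) -> bool:
    """Content check: an HTML payload renamed to .trx still fails here."""
    return len(data) >= len(TRX_MAGIC) and data[: len(TRX_MAGIC)] == TRX_MAGIC


def stored_name_for(filename: str, data: bytes) -> str:
    """Server-chosen on-disk name; the client's string is never reused.

    Raises ValueError when either the name or the content is rejected, so the
    response can never echo an attacker-controlled path such as 1.html.
    """
    if not validate_upload_filename(filename):
        raise ValueError("rejected upload filename: %r" % filename)
    if not looks_like_trx(data):
        raise ValueError("rejected upload: content is not a TRX image")
    return "%s.trx" % secrets.token_hex(8)
```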