| Title | Zorlan skycaiji 2.8 Cross Site Scripting |
|---|
| Description | You can see the detailed exploit details on my blog, the password is fushuling123: https://fushuling.com/index.php/2024/06/13/test2/
In the latest version of skycaiji 2.8 (https://github.com/zorlan/skycaiji), I found an XSS vulnerability. The reason is that although the source code prohibits some possible XSS tags, the target does not filter the img tag enough, which allows the attacker to bypass it through eval(String.fromCharCode()) and finally cause the XSS attack.
We can construct malicious data on our own website. If the target collects data on our website, it will cause XSS to appear.
```php
<?php
$data = array(
    'xss' => '<img src=\'xss\' onerror="eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))">',
);
$json = json_encode($data);
header('Content-type: application/json');
echo $json;
```
When the target creates a task to collect data on a malicious web page and clicks on the preview, the malicious code will be triggered, causing XSS to occur.
Enter the webpage where we have constructed malicious data
Since the webpage constructed by the source code has a login record field, and the value of this field is fixed and will not change, if the attacker obtains the cookie through XSS and then writes it into the webshell through the previously submitted code injection function, the attacker can completely execute unauthorized commands in the foreground.
My repair suggestion: Filter the collected data to prevent malicious code injection |
|---|
| Source | ⚠️ https://github.com/zorlan/skycaiji |
|---|
| User | fushuling (UID 45488) |
|---|
| Submission | 06/13/2024 06:56 (2 years ago) |
|---|
| Moderation | 06/21/2024 18:32 (8 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 269419 [Zorlan SkyCaiji up to 2.8 Task onerror cross site scripting] |
|---|
| Points | 20 |
|---|
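
The repair suggestion in the description above (filter the collected data), shown as an added example that is not part of the submission and is not skycaiji's code: it renders the same collected JSON through a tag denylist and through output encoding, so the difference in the preview markup is visible. The function names and the denylist contents are hypothetical.

```php
<?php
// Added illustration: function names are hypothetical, not skycaiji's code.

// Constructed sample: JSON returned by a collected page, carrying the
// payload from the submission's proof of concept.
$collected = json_encode([
    'xss' => '<img src=\'xss\' onerror="eval(String.fromCharCode(97,108,101,114,116,40,39,88,83,83,39,41))">',
]);

// Weak: strip a denylist of "dangerous" tags. <img> with an event-handler
// attribute is not on the list, so it reaches the preview unchanged.
function denylist_filter(string $html): string
{
    return preg_replace('#<\s*/?\s*(script|iframe|object|embed)\b[^>]*>#i', '', $html) ?? '';
}

// Hardened: treat every collected field as text and encode it for the
// HTML context at output time, so no markup from the remote site survives.
function encode_for_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Builds the preview table; $filter decides how field values are emitted.
function render_preview(string $json, callable $filter): string
{
    $fields = json_decode($json, true, 16, JSON_THROW_ON_ERROR);
    $rows = '';
    foreach ($fields as $name => $value) {
        // Nested values are re-serialised so they are still rendered as text.
        $text = is_scalar($value) ? (string) $value : json_encode($value);
        $rows .= '<tr><th>' . encode_for_html((string) $name) . '</th><td>'
               . $filter($text) . "</td></tr>\n";
    }
    return "<table>\n" . $rows . "</table>\n";
}

$weak = render_preview($collected, 'denylist_filter');
$safe = render_preview($collected, 'encode_for_html');

// Report whether a live <img> element is present in each rendering.
printf("denylist keeps <img> tag: %s\n", var_export(strpos($weak, '<img') !== false, true));
printf("encoded keeps <img> tag:  %s\n", var_export(strpos($safe, '<img') !== false, true));
echo $safe;
```

If the preview must display collected HTML as markup rather than as text, an allowlist-based sanitizer that drops all event-handler attributes is needed instead of plain encoding.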