Alibaba TradeManager client stored XSS (sets 1-3)
Local (client-side) ~ it's similar to the QQ group issue ~ there are a few preconditions, but they don't matter ~~ it's actually very easy ~
I go into the group announcement and edit the announcement content to: More information <iframe/onload=alert(1)>
Pretty lethal line, isn't it?
After you click Edit ~~~~ haha ~~ you know ~~~
XSS fires directly ~~~
By the way ~ the IMG tag needs fixing too ~ I think it can be used for another breakthrough ~~
This vulnerability is in TradeManager for Mac.
In the Mac version of TradeManager, enter a group and set your group card (group nickname) to the XSS code <iframe src="http://2cto.com">
Then, as soon as the administrator promotes you to administrator or removes you from the group, a notification is shown in the group for the administrator ~ and so the XSS fires
You can test it yourself ~~ the iframe pops the web page directly ~
No preconditions ~~ I don't know whether it can pop a calculator ~
This time the problem is in the Windows version. Although filtering was added to the Windows version, I successfully bypassed every filtered item through the Mac version of Aliwangwang. For example, group names are not allowed to contain <> (but on Mac you can add them directly).
Well, this problem is again the group nickname, but it's brilliant on Windows ~
First create a group, then the attacker does one more thing: go to the TradeManager settings and switch the bubble mode,
and then you can reply with anything ~~~ as long as you reply.
Why change the bubble mode? After changing it you can @ people, and the encoding process is different.
After changing the bubble, you can see that the white one is the @ person,
Next, change another person's nickname, or his group nickname, to XSS code
Next, @ the user whose group nickname was changed earlier and send it. At that point, as long as someone in the group opens it, a dialog window pops up ~~~ (Friendly reminder: once this group nickname has been changed, you can @ him on both Windows and Mac, send it, and the XSS fires ~)
The impact is huge ~~~~ hehe ~
Then the administrator can help test whether it can pop a calculator ~ I'm really out of options... many tests can't be done ~~
Solution:
Filter it out ~~~
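The bypass in set 3 is the part worth remembering: the Windows client rejects group names containing <>, but the check lives in the sending client, so the Mac client (which lacks it) can still store the payload and every client that renders the notification is exploited. The example below is added here and is not TradeManager's code; it simulates that situation with the two payloads quoted in this report and contrasts a renderer that concatenates the stored nickname into HTML with one that HTML-encodes it at the point of output. The client/store/renderer functions, the "windows"/"mac" labels and the notification text are all assumptions made for the demonstration.

```javascript
// Added example, not code from the TradeManager client. Shows why a filter in
// one sending client does not fix stored XSS, and what output encoding at render
// time looks like. Payload strings are the ones quoted in the report above;
// everything else (store, clients, renderer) is a constructed simulation.

// Payloads from the report (constructed copies of the quoted strings).
const PAYLOADS = {
  announcement: "More information <iframe/onload=alert(1)>",
  groupCard: '<iframe src="http://2cto.com">',
};

// What the report says the Windows client does: refuse input containing < or >.
// It runs only in that client, so it protects nothing once another client
// (the Mac client in the report) sends the same string unchecked.
function windowsClientInputFilter(text) {
  if (/[<>]/.test(text)) throw new Error("illegal characters in group name");
  return text;
}

// Simulated server-side store: it keeps whatever any client sends.
const store = new Map();
function saveViaClient(client, key, text) {
  const accepted = client === "windows" ? windowsClientInputFilter(text) : text;
  store.set(key, accepted);
  return accepted;
}

// Vulnerable renderer (assumed shape): the stored nickname is concatenated
// straight into the markup of the group notification.
function renderNotificationUnsafe(nickname, action) {
  return `<div class="sys">${nickname} ${action}</div>`;
}

// Hardened renderer: every untrusted field is HTML-encoded where it enters
// markup, so <iframe ...> becomes inert text regardless of which client stored it.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}
function renderNotificationSafe(nickname, action) {
  return `<div class="sys">${escapeHtml(nickname)} ${escapeHtml(action)}</div>`;
}

// Crude check over rendered markup: did untrusted input survive as an active
// tag, or as an on*= handler inside any tag?
function containsActiveMarkup(html) {
  return /<\s*(iframe|script|img|svg|object|embed)\b/i.test(html)
      || /<[^>]*\bon[a-z]+\s*=/i.test(html);
}

// Walk through the report's scenario: Windows rejects the group card payload,
// Mac stores it, and the admin's notification renders it.
function demo() {
  let windowsRejected = false;
  try {
    saveViaClient("windows", "card:attacker", PAYLOADS.groupCard);
  } catch (e) {
    windowsRejected = true;
  }
  saveViaClient("mac", "card:attacker", PAYLOADS.groupCard);
  const stored = store.get("card:attacker");
  const unsafe = renderNotificationUnsafe(stored, "was made an administrator");
  const safe = renderNotificationSafe(stored, "was made an administrator");
  return {
    windowsRejected,
    stored,
    unsafe,
    safe,
    unsafeActive: containsActiveMarkup(unsafe),
    safeActive: containsActiveMarkup(safe),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the example is that `windowsClientInputFilter` cannot be the fix: it is reachable only from one client, while `renderNotificationSafe` protects every client that displays the notification, including the announcement payload with its `onload=` handler.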