In xxl-api v1.3.0 and below, the project management, data type management, business line management and user management modules contain cross-site scripting (XSS) vulnerabilities. Only the exploitation in the business line management module is shown below; the other modules can be reproduced by following the same steps.
In xxl-api v1.3.0 and below, the add, delete and modify interfaces accept GET requests, which leads to cross-site request forgery (CSRF) vulnerabilities. Only the exploitation of the add-user interface in the user management module is shown below; the other interfaces can be reproduced by following the same steps.
Pull the latest code and deploy it locally.
Use the Burp proxy to intercept the add-user request from the user management module and change the request method to GET.
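The server-side hardening that closes the GET-based CSRF described above, as an added Spring MVC example that is not xxl-api's own code; the controller name, the `/user/add` path, the `_csrf` parameter and the `csrfToken` session attribute are assumptions:

```java
// Added example (not xxl-api's own code): a hypothetical add-user handler,
// first in the vulnerable shape this report describes, then hardened.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.servlet.http.HttpServletRequest;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;
import org.springframework.web.util.HtmlUtils;

@RestController
public class UserAdminController {

    // Vulnerable shape (for contrast, kept as a comment): a bare
    // @RequestMapping("/user/add") matches GET as well as POST, so the
    // request re-sent as GET in this report is accepted and the browser
    // attaches the victim's session cookie automatically.

    // Hardened: only POST is routed here, so a GET to /user/add is answered
    // with 405 Method Not Allowed before any business logic runs.
    @PostMapping("/user/add")
    public String addUser(HttpServletRequest request,
                          @RequestParam("_csrf") String token,
                          @RequestParam("username") String username) {
        // Synchronizer token: the form must echo back the per-session value.
        // A cross-site page cannot read the victim's token, so its forged
        // POST fails here. Compared in constant time to avoid timing leaks.
        Object expected = request.getSession().getAttribute("csrfToken");
        if (expected == null || !MessageDigest.isEqual(
                expected.toString().getBytes(StandardCharsets.UTF_8),
                token.getBytes(StandardCharsets.UTF_8))) {
            throw new ResponseStatusException(HttpStatus.FORBIDDEN, "invalid CSRF token");
        }

        // Persist the user here (omitted). Store the raw value, and escape
        // it wherever it is rendered into HTML; that output encoding is the
        // fix for the stored XSS described for the management modules.
        return HtmlUtils.htmlEscape(username);
    }
}
```

Restricting the method alone is not sufficient, since a cross-site form can still POST; the token check is what ties the request to the victim's own page.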