2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail, with an example analysis, how an XSS vulnerability in a PDF generator can be used to read local system files. The editor finds it quite practical, so it is shared here for reference; I hope you gain something from reading it.
For reference only.
Vulnerability Background
The test target was a health management app that comes pre-installed on Android devices. Its file system is closed and cannot be accessed or read, and the app ships a custom launcher, so users can neither change it nor reach its built-in interface data. Using XSS to read local files therefore bypasses the app's original business logic, which makes this a relatively serious vulnerability.
XSS => LFI
Although XSS vulnerabilities are common, they are not easy to find in mobile apps; I found one in this app's built-in PDF generator.
Since the app lets users edit their own medical records and save them as PDF printouts, I tried adding the following ordinary HTML payload to a medical record to see whether it would trigger XSS when the PDF was generated.
testtest2
The payload was then triggered during PDF generation, which was no surprise. Next we will see how this XSS can be used to break the app's logic, starting with reading local file data. I constructed the following code to read a local file:
x=new XMLHttpRequest; x.onload=function(){ [xss_clean](this.responseText) }; x.open("GET","file:///etc/passwd"); x.send();
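The root cause described above is that user-edited record text is handed to an HTML-to-PDF engine as markup, and the engine is allowed to run script and fetch file:// URLs. The following added example (not code from the article or from the app under test; the record samples, field names and the asset host are constructed placeholders) shows the defender's side: a pre-render check that flags such payloads in record text, the escaping that turns record text into inert data before it reaches the engine, and a resource-load policy that denies file:// and unknown hosts as defence in depth.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample inputs: a benign record and one carrying the kind of
# script-plus-XMLHttpRequest payload discussed above (not real patient data).
SAMPLE_RECORDS = {
    "benign": "Blood pressure 120/80, follow-up in 3 months",
    "hostile": (
        '<script>x=new XMLHttpRequest;x.open("GET","file:///etc/passwd");'
        "x.send()</script>"
    ),
}

# Fragments that have no place in free-text medical notes that are about to be
# rendered by an HTML engine; matching is case-insensitive.
SUSPICIOUS = re.compile(
    r"<\s*script\b|<\s*iframe\b|\bon\w+\s*=|javascript\s*:|file\s*:\s*//"
    r"|XMLHttpRequest|\bfetch\s*\(",
    re.IGNORECASE,
)


def flag_record(text):
    """Return the suspicious fragments found in a record (empty list if clean).

    Use this for logging/alerting on the server side; it is a detection aid,
    not a substitute for the escaping below.
    """
    return [m.group(0) for m in SUSPICIOUS.finditer(text)]


def render_record_html(patient, notes):
    """Build the HTML handed to the PDF engine, escaping every user field.

    html.escape turns '<' into '&lt;', '"' into '&quot;' and so on, so a
    record containing markup is printed literally instead of being parsed.
    This is the actual fix: the record is data, never markup.
    """
    return (
        "<html><body><h1>Medical record</h1>"
        f"<p>Patient: {html.escape(patient)}</p>"
        f"<pre>{html.escape(notes)}</pre>"
        "</body></html>"
    )


# Assumed allowlist for the renderer's resource loads; the host is a placeholder.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"assets.example.invalid"}


def is_allowed_resource(url):
    """Resource-load policy for the renderer: only the app's own HTTPS assets.

    Even if an injection slipped past escaping, the engine must not be able to
    fetch file:// URLs (the read primitive used above) or reach arbitrary
    remote hosts (an exfiltration channel). Wire this into whatever request
    hook the chosen HTML-to-PDF engine exposes, or disable script and local
    file access there outright.
    """
    parts = urlsplit(url)
    return parts.scheme in ALLOWED_SCHEMES and parts.hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        print(name, "flags:", flag_record(rec))
    print(render_record_html("A. Patient", SAMPLE_RECORDS["hostile"]))
    print(is_allowed_resource("file:///etc/passwd"))
    print(is_allowed_resource("https://assets.example.invalid/style.css"))
```

The hostile sample is flagged three times (script tag, XMLHttpRequest, file://), renders as escaped text inside the <pre> element, and the file:// fetch is rejected by the load policy.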
After testing, nothing was displayed. Then I used
Continue construction: