cmseasy 5.5.0.20140605

bbs/ajax.php

 

$data = array();
      // Decoded here, *after* whatever filtering the caller applied to the raw
      // request body (that filter is outside this excerpt). rawurldecode() can
      // re-introduce anything such a filter removed, so the value to filter or
      // escape is $data['content'] as stored (or at render time), not the input.
      // Also runs before the isset() check below: a missing 'content' is decoded
      // (unescape() always returns a string) instead of being rejected.
      $_POST['content'] = unescape($_POST['content']);
      // 'aid' is mandatory (the request exits otherwise) and cast to int; 'tid' defaults to 0.
      $data['aid'] = isset($_POST['aid']) ? intval($_POST['aid']) : exit(0);
      $data['tid'] = isset($_POST['tid']) ? intval($_POST['tid']) : 0;
      // $_POST['content'] was unconditionally assigned a string above, so isset()
      // is always true here and this exit(0) branch cannot fire.
      $data['content'] = isset($_POST['content']) ? $_POST['content'] : exit(0);
      // Attribution comes straight from a client-controlled cookie; no session
      // or signature check is visible in this excerpt.
      $data['username'] = isset($_COOKIE['username']) ? $_COOKIE['username'] : '';
      //$data['userid'] = $admin->userid;
      // mktime() with no arguments behaves like time() (deprecated usage).
      $data['addtime'] = mktime();
      // Peer address of the connection; behind a reverse proxy this is the proxy, not the client.
      $data['ip'] = $_SERVER['REMOTE_ADDR'];
      $reply = db_bbs_reply::getInstance();
      // Persist the reply; $r is used below to decide whether to bump the reply counter.
      $r = $reply->inserData($data);
      if($r){
        $archive = db_bbs_archive::getInstance();
          $archive->updateClickReply($data['aid'],'replynum');
......

看到unescape 函数。
 

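/**
 * Decode JavaScript escape()-style text into UTF-8: %XX and %uXXXX
 * sequences plus numeric HTML entities (&#xHHHH; and &#DDDD;).
 *
 * Note for callers: the first step is rawurldecode(), so any filtering done
 * on the *input* (for example an HTML/XSS filter run on the raw request body)
 * is undone here — "%3Cscript%3E" comes out as "<script>". Filter or escape
 * the *return value* (at storage or at render time), never the argument.
 *
 * Deliberate differences from the previous implementation:
 *  - "&#DDDD;" now decodes: the old pattern "&#d+;" lacked the backslash and
 *    matched only a literal "d".
 *  - Only genuine hex/decimal digits are accepted; ".{4}" used to hand
 *    arbitrary bytes to pack('H4').
 *  - "&#xH;" to "&#xHHHH;" (1-4 digits) are accepted, not only exactly four.
 *  - Newlines survive: the old ".+" tokenizer without /s dropped them.
 *  - Code points are encoded to UTF-8 directly instead of via
 *    iconv('UCS-2', ...), whose byte order is platform-defined.
 *  - Surrogates (U+D800-U+DFFF) and values above U+FFFF are left untouched.
 *
 * @param string $str untrusted, possibly %-encoded text
 * @return string UTF-8 text
 */
function unescape($str) {
    $str = rawurldecode($str);

    // UTF-8 encoding of a single BMP code point (0..0xFFFF).
    $toUtf8 = function ($cp) {
        if ($cp < 0x80) {
            return chr($cp);
        }
        if ($cp < 0x800) {
            return chr(0xC0 | ($cp >> 6)) . chr(0x80 | ($cp & 0x3F));
        }
        return chr(0xE0 | ($cp >> 12))
            . chr(0x80 | (($cp >> 6) & 0x3F))
            . chr(0x80 | ($cp & 0x3F));
    };

    // Single pass over the %-decoded string; the replacement text is not
    // re-scanned, so a decoded entity cannot form another token.
    return preg_replace_callback(
        '/%u([0-9A-Fa-f]{4})|&#x([0-9A-Fa-f]{1,4});|&#([0-9]{1,5});/',
        function ($m) use ($toUtf8) {
            // PCRE fills earlier non-participating groups with '' and omits
            // trailing ones, hence the isset() on group 2.
            if ($m[1] !== '') {
                $cp = hexdec($m[1]);
            } elseif (isset($m[2]) && $m[2] !== '') {
                $cp = hexdec($m[2]);
            } else {
                $cp = (int) $m[3];
            }
            // Not representable as one UCS-2 unit: keep the token verbatim.
            if ($cp > 0xFFFF || ($cp >= 0xD800 && $cp <= 0xDFFF)) {
                return $m[0];
            }
            return $toUtf8((int) $cp);
        },
        $str
    );
}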

有了 rawurldecode

所以，提交 URL 编码格式的数据即可绕过 remove_xss 检测；内容经 rawurldecode 还原后即可触发 XSS。

例如 %3Cscript%3Ealert(1)%3C%2Fscript%3E
 

cmseasy最新版存储型XSS+代码分析(可绕过xss防护机插图

 

cmseasy最新版存储型XSS+代码分析(可绕过xss防护机插图1

修复方案:

修复：不要在过滤之前解码。应在 unescape() 解码之后再执行 remove_xss 过滤（或在输出时做 HTML 转义），否则过滤结果会被 rawurldecode 还原所绕过。
