Home >Backend Development >PHP Tutorial >phpcms Q&A on a certain module storage type xss_PHP tutorial

phpcms Q&A on a certain module storage type xss_PHP tutorial

WBOY
WBOYOriginal
2016-07-20 11:17:231068browse

The blacklist is causing trouble


In the reply area, there is an editor function.

There is an editor that can edit source code, which was the first reaction at the time. There is definitely xss here.

Sure enough, but, test it at the beginning


<script>alert(1)</script>

and


, I found that the js code could not be executed.

So, I went to http://html5sec.org/ to find some unorthodox code tests.

When testing:

, I was surprised to find that there was no filter. As shown in the picture, it triggers after clicking


phpcms问答某模块存储型xss 帮客之家


Of course, this still requires clicking. After all, not everyone who replies will click. So how can we increase the success rate of xss?

Don’t worry.

In http://html5sec.org/, there are still a lot of codes that can be used. For example:

Triggered when opening the page (valid for ie10, Google, Firefox 4.5)

In addition to the above, there are many other browsers that are used to kill browsers. Without testing them one by one, they only use this to prove the harm.



This way we can cast a wide net to catch fish.
Vulnerability Proof: Worth mentioning. Although js is executed with onfocus. But don't forget we still have eval. You can construct

to complete the attack. The constructed js is as follows:



When a user visits this post, they are a victim.





No more trying them one by one. I hope the phpcms team will also pay attention to this issue.


Fix:

The editor is based on blacklist filtering. If you really want to enable the source code editing function, it is recommended to use whitelist filtering. Otherwise, it is best to turn off the permissions of the open source editing function, because you have no idea what code the cross-site engineer will use that you have no idea about.

There is also a reflective xss here, by the way:

http://118.244.225.145/index.php?m=ask&c=team&a=team_list&order=team_point&catid=&belong=team&name=">