Arya

XSS vulnerability in Yzmcms 3.0

2017/01/24

Vulnerable file: /application/member/controller/index.class.php


/*
 * User profile update
 */
public function account(){

    if(isset($_POST['dosubmit'])){
        // Only the mobile number is validated ('手机号不正确!' = "invalid mobile number")
        if(!is_mobile($_POST['mobile'])) showmsg('手机号不正确!');
        // Everything else in $_POST, minus these two keys, is written to member_detail as-is
        unset($_POST['userpic'], $_POST['guest']);
        $res = D('member_detail')->update($_POST, array('userid'=>$this->userid));
        if($res){
            showmsg('更新资料成功!','',1);   // "profile updated"
        }else{
            showmsg(L('data_not_modified'));
        }
    }

    yzm_base::load_sys_class('form','',0);
    $memberinfo = $this->memberinfo;
    extract($memberinfo);
    if($area){
        list($cmbProvince,$cmbCity,$cmbArea) = explode('|',$area); // split the stored region
    }else{
        $cmbProvince = $cmbCity = $cmbArea ='';
    }
    include template('member', 'account');
}


The URL that maps to this controller method, and the page it renders, are as follows:

http://localhost/Yzmcms/index.php/member/index/account.html

(screenshot y1.png: the profile edit form)



Apart from the nickname, which is pre-filled, every field can be set to whatever you like. From the method above you can see that only the mobile number is validated; the rest of $_POST (with just userpic and guest removed) is handed to update() and goes straight into the database:

$res = D('member_detail')->update($_POST, array('userid'=>$this->userid));

So the next thing to check is whether any filtering or escaping happens on the front end, in the template:



<tr><td>Nickname:</td><td><input type="text" name="nickname" value="{$nickname}"  class="input"><span class="red">*</span></td></tr>
<tr><td>Gender:</td><td>
<label><input class="radio" type="radio" name="sex" value="男" {if $sex != '女'}checked="checked"{/if}>Male</label>
<label><input class="radio" type="radio" name="sex" value="女" {if $sex == '女'}checked="checked"{/if}>Female</label>
</td></tr>
<tr><td>QQ:</td><td><input type="text" name="qq"  value="{$qq}" class="input"><span class="red">*</span></td></tr>
<tr><td>Mobile:</td><td><input type="text" name="mobile"  value="{$mobile}" class="input"><span class="red">*</span></td></tr>
<tr><td>Phone:</td><td><input type="text" name="phone" value="{$phone}" class="input"></td></tr>
<tr><td>Birthday:</td><td>{form::datetime('birthday', $birthday)}</td></tr>
<tr><td>Industry:</td><td><input type="text" name="industry" value="{$industry}" class="input"></td></tr>
<tr><td>Location:</td><td>
<select id="cmbProvince"></select><select id="cmbCity"></select><select id="cmbArea"></select>
<input type="hidden" name="area" id="area" value="{$area}">
</td></tr>

Well, there isn't any. The stored values are echoed straight into the value="..." attributes as {$nickname}, {$qq} and so on, with no HTML encoding. Awkward.
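The two defects above (the whole of $_POST being written to member_detail, and the stored values being echoed unencoded) are what a fix has to address. The following is an added example written for this page, not Yzmcms code: the controller, template-engine and helper names D(), showmsg() and is_mobile() are taken from the snippet above and are only referenced in comments; the allowlist, the helper functions and the sample request are assumptions for illustration. It filters the update to an explicit column allowlist and encodes every value before it is placed in an attribute, using the same "><script>alert(1)</script> payload that this post inserts.

```php
<?php
// Added example (not Yzmcms code). Hardens the account() update path shown
// in this post and adds the output encoding the template is missing.
declare(strict_types=1);

// 1. Mass-assignment fix. The original passes $_POST (minus userpic/guest)
//    to D('member_detail')->update(); here only known columns survive.
//    The column list is an assumption based on the form fields in the template.
const MEMBER_DETAIL_WRITABLE = ['nickname', 'sex', 'qq', 'mobile', 'phone',
                                'birthday', 'industry', 'area'];

function filter_member_detail(array $post): array
{
    $data = [];
    foreach (MEMBER_DETAIL_WRITABLE as $col) {
        if (array_key_exists($col, $post)) {
            // Trim and bound the length: the value is later reflected into an
            // HTML attribute, and nothing here needs to be longer than this.
            $data[$col] = mb_substr(trim((string) $post[$col]), 0, 64);
        }
    }
    // Server-side validation for fields the form presents as fixed choices.
    if (isset($data['sex']) && !in_array($data['sex'], ['男', '女'], true)) {
        unset($data['sex']);
    }
    if (isset($data['qq']) && !ctype_digit($data['qq'])) {
        unset($data['qq']);
    }
    return $data;
}

// 2. Output encoding. Every {$field} echoed inside value="..." must pass
//    through this. ENT_QUOTES is what neutralises the "> break-out used in
//    this post; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking the string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 3. How the template row should be rendered.
function render_input(string $name, string $value): string
{
    return sprintf('<input type="text" name="%s" value="%s" class="input">',
                   h($name), h($value));
}

// In the controller this would replace the original call:
//   D('member_detail')->update(filter_member_detail($_POST), array('userid' => $this->userid));

// Demonstration on a constructed request: the payload from this post, plus a
// column an attacker might try to smuggle into member_detail.
$post = [
    'dosubmit' => '1',
    'nickname' => '"><script>alert(1)</script>',
    'sex'      => '男',
    'qq'       => '12345',
    'mobile'   => '13800138000',
    'groupid'  => '1',   // not in the allowlist: dropped
];

$data = filter_member_detail($post);
assert(!array_key_exists('groupid', $data));
assert($data['nickname'] === '"><script>alert(1)</script>');   // stored verbatim, encoded on output

echo render_input('nickname', $data['nickname']), PHP_EOL;
```

Two practical caveats. First, encoding has to happen at every output site: this post goes on to show the same stored value firing in the admin backend, so fixing only the member template leaves the higher-privileged victim exposed. Second, the cookie-theft attempt at the end of the post is blunted, though not prevented, by marking the session cookie HttpOnly; that is a mitigation for the impact, not a substitute for the encoding.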

So just insert it directly:

Payload: "><script>alert(1)</script>

(screenshot y2.png: payload submitted via the profile form)

Personal homepage:

(screenshot y3.png: the stored payload fires on the profile page)



In the admin backend:

(screenshot y4.png: the same payload fires when the backend renders the member)

Trying to grab the cookie:

(screenshot y5.png: cookie-stealing attempt)


Last modification: January 23rd, 2019 at 11:14 pm