188Jianzhan V 2.10 XSS vulnerability exists #4

Closed
tr0uble-mAker opened this issue Aug 18, 2021 · 1 comment

tr0uble-mAker commented Aug 18, 2021

In '/admin/reg.php':
We can see that after the user and pwd parameters are obtained, the user name is stored directly in the database without any verification of its length or of the other characters.
Only the '/system/safe/360webscan.php' file does filtering in between!
The interception rules are as follows:

$postfilter = "<.=(&#\d+?;?)+?>|<.data=data:text\/html.>|\b(alert\(|confirm\(|expression\(|prompt\(|benchmark\s?(.)|sleep\s?(.)|\b(group_)?concat[\s\/\]?\([^\\)]+?\)|\bcase[\s/*]?when[\s/*]?([^\)]+?)|load_file\s?\()|<[^>]?\b(onerror|onmousemove|onload|onclick|onmouseover)\b|\b(and|or)\b\s?([\(\)'"\d]+?=[\(\)'"\d]+?|[\(\)'"a-zA-Z]+?=[\(\)'"a-zA-Z]+?|>|<|\s+?[\w]+?\s+?\bin\b\s*?(|\blike\b\s+?["'])|\/\.\\/|<\sscript\b|\bEXEC\b|UNION.+?SELECT\s*((.+)\s*|@{1,2}.+?\s*|\s+?.+?|(|'|\").*?(|'|")\s*)|UPDATE\s*((.+)\s*|@{1,2}.+?\s*|\s+?.+?|(|'|\").*?(|'|")\s*)SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE)(\(.+\)|\s+?.+?\s+?|(|'|\").*?(|'|"))FROM(\(.+\)|\s+?.+?|(|'|\").*?(|'|"))|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)|<.*(iframe|frame|style|embed|object|frameset|meta|xml|a|img)";

We only need to set the user name to XSS code when registering, like

<input onfocus=\u0061\u006c\u0065\u0072\u0074(1)

The protection can be bypassed.
Here the onfocus attribute's value is 'alert(1)' after HTML encoding.
This encoding can bypass the detection and execute arbitrary JS code, which is triggered when the administrator clicks.
After registration, you can see the XSS in the backend '/admin/userlist.php' file.
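The bypass reported above comes down to two properties of the blacklist: the `\b(alert\(|…)` rule only matches the literal text `alert(`, while the browser's JavaScript parser decodes the `\u0061\u006c\u0065\u0072\u0074` identifier escapes into `alert` at execution time; and `onfocus` is not in the `(onerror|onmousemove|onload|onclick|onmouseover)` handler list. The script below is an added example, not code from this issue or from the 188Jianzhan project: it applies a hand-reduced subset of the quoted $postfilter rules (the XSS-related alternatives only; the case-insensitive and dotall flags are an assumption about how 360webscan.php calls preg_match), shows that the plain payload is caught while the reported one passes, decodes the `\u` escapes the way the JS engine would, and then models the two fixes a reviewer would ask for: HTML-encoding the name where userlist.php prints it, and an allowlist check on the name at registration. The `*_userlist_cell` and `valid_username` functions are illustrative models, not the project's own code.

```python
# Added example (not part of the original issue or the 188Jianzhan code base).
# Models why the quoted 360webscan blacklist misses the reported payload and
# shows output encoding plus an input allowlist as the fix.
import html
import re

# Reduced, hand-copied subset of the $postfilter rules quoted in the issue.
# Assumption: 360webscan.php applies the pattern case-insensitively (/is).
XSS_RULES = re.compile(
    r"\b(alert\(|confirm\(|expression\(|prompt\()"
    r"|<[^>]?\b(onerror|onmousemove|onload|onclick|onmouseover)\b"
    r"|<\sscript\b"
    r"|<.*(iframe|frame|style|embed|object|frameset|meta|xml|a|img)",
    re.IGNORECASE | re.DOTALL,
)


def webscan_blocks(value: str) -> bool:
    """True if the (reduced) blacklist would reject this POST value."""
    return XSS_RULES.search(value) is not None


def js_unescape_identifier(s: str) -> str:
    """Decode JavaScript \\uXXXX identifier escapes, as the browser's JS
    engine does when it parses the onfocus handler. The filter never sees
    this decoded form; it only inspects the raw submitted bytes."""
    return re.sub(r"\\u([0-9a-fA-F]{4})",
                  lambda m: chr(int(m.group(1), 16)), s)


def vulnerable_userlist_cell(username: str) -> str:
    """Model of userlist.php echoing the stored name straight into HTML."""
    return f"<td>{username}</td>"


def hardened_userlist_cell(username: str) -> str:
    """Output-side fix: encode for the HTML text context at the point of use.
    The '<' of the payload becomes '&lt;', so no tag is ever created."""
    return f"<td>{html.escape(username, quote=True)}</td>"


# Input-side fix (hypothetical policy): letters, digits, underscore, 3-20 chars.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")


def valid_username(username: str) -> bool:
    """Allowlist check reg.php should run before storing the name."""
    return USERNAME_RE.fullmatch(username) is not None


# Constructed sample inputs: a textbook payload and the one from the report.
PLAIN_PAYLOAD = "<img src=x onerror=alert(1)>"
REPORTED_PAYLOAD = r"<input onfocus=\u0061\u006c\u0065\u0072\u0074(1)"

if __name__ == "__main__":
    for p in (PLAIN_PAYLOAD, REPORTED_PAYLOAD):
        print(f"{'BLOCKED' if webscan_blocks(p) else 'PASSED ':7} {p}")
    decoded = js_unescape_identifier(REPORTED_PAYLOAD)
    print("JS engine sees:", decoded, "-> blocked?", webscan_blocks(decoded))
    print("vulnerable cell:", vulnerable_userlist_cell(REPORTED_PAYLOAD))
    print("hardened cell:  ", hardened_userlist_cell(REPORTED_PAYLOAD))
    print("allowlist accepts payload?", valid_username(REPORTED_PAYLOAD))
```

One detail worth noticing while running this: with the case-insensitive flag assumed here, the last alternative `<.*(…|a|img)` rejects any `<` that is followed anywhere later in the value by the letter `a`, so the rule is both over-broad for legitimate input and trivially avoided; the reported payload contains no `a` at all, which is exactly why `onfocus` plus `\u`-escaped `alert` slips through while the decoded form is caught.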

qq348069510 (Collaborator) commented:

Hello, we have received your feedback.
This is the case at present: the v2.10 version has exceeded its life cycle and is no longer supported with updates and maintenance.
If you want to help fix this vulnerability, you may wish to submit a PR; we will complete the review and merge as soon as possible. For this, we sincerely thank you for your attention.

qq348069510 pinned this issue Aug 18, 2021