The function parameter [Route] has reflective XSS #4

Closed
Stellarsss opened this issue Jun 18, 2020 · 1 comment

Comments

@Stellarsss

First, follow the index.php entry file, which loads the framework file directly, so just visit either of the following addresses:
http://20.20.20.130:8000/zibbs/index.php
http://20.20.20.130:8000/zibbs
This will directly load the framework file and instantiate the framework class.
Trace directly to the core/framework.php file. After analysis, this CMS handles each controller and operation through 【route】, where the parameter route is the controller name and action name supplied in the GET request.
core/framework.php
A normal GET request would look like this:
http://20.20.20.130:8000/zibbs/index.php?route=admin/login
Here the parameter 【route】 is controllable. The value of the input parameter 【route】 is processed as follows: it is first split on /, so for route=aaa/bbb, aaa is the controller name and bbb is the action. It also checks whether the controller and the action name exist; when the controller name does not exist, it directly outputs "aaa Controller Controller does not exist 11111", as shown below.
So for the parameter 【route】, if the controller doesn't exist, the value of the input parameter 【route】 is displayed directly, followed by the other values, without XSS filtering. Only the addslashes() method is applied here; there is no XSS filtering function in this respect.
Because there is no filtering here, there is reflected XSS, which is tested as follows.
Because of the split on / here, the regular XSS payload cannot trigger a pop-up, so the following XSS payload is used to trigger one:

http://20.20.20.130:8000/zibbs/index.php?route=1111%3Cimg%20src=x%20onerror=prompt(1)%3E
The following test statement can also cause a pop-up as normal:
route=admin/
Solution:
Filter or encode special characters like these:
<
"
'
&
%
... ...
and filter some keywords like these:
script
javascript
... ...
or filter some tag attributes that can run JavaScript, like these:
onclick
onerror
onload
... ...
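As an added illustration, not code from the project or the reporter: a minimal stand-in for the route dispatch described above, in its vulnerable form (addslashes() only, value echoed into HTML) next to a hardened version that allowlists the controller and action names and HTML-encodes anything that is still reflected. Function names, the controller list and the messages are assumptions.

```php
<?php
// Added example, not the project's code: a stand-in for the route dispatch
// described above. Function names, the controller list and the messages are
// assumptions; the real CMS resolves controllers from files instead.

function controller_exists(string $name): bool {
    // Assumed registry of valid controllers.
    return in_array($name, ['admin', 'index'], true);
}

// Vulnerable pattern: addslashes() escapes quotes and backslashes only,
// so '<' and '>' survive and the untrusted value is echoed into the HTML body.
function dispatch_vulnerable(string $route): string {
    [$controller, $action] = array_pad(explode('/', $route, 2), 2, '');
    $controller = addslashes($controller);
    if (!controller_exists($controller)) {
        return $controller . ' Controller does not exist';
    }
    return "dispatch to $controller::$action";
}

// Hardened pattern: validate both names against an allowlist before they
// can reach any output path, and HTML-encode whatever is reflected anyway.
function dispatch_hardened(string $route): string {
    [$controller, $action] = array_pad(explode('/', $route, 2), 2, '');
    $valid = static fn(string $s): bool => (bool) preg_match('/^[A-Za-z0-9_]+$/', $s);
    if (!$valid($controller) || !$valid($action)) {
        return 'Invalid route';   // fixed message, nothing from the request is reflected
    }
    if (!controller_exists($controller)) {
        // Context-aware encoding for the HTML body (defense in depth after the allowlist).
        $safe = htmlspecialchars($controller, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        return $safe . ' Controller does not exist';
    }
    return "dispatch to $controller::$action";
}

// Input of the kind reported above (constructed for the demonstration).
$payload = '1111<img src=x onerror=prompt(1)>';
echo dispatch_vulnerable($payload), "\n";   // the tag survives into the response
echo dispatch_hardened($payload), "\n";     // rejected by the allowlist
echo dispatch_hardened('zzz/show'), "\n";   // unknown controller, name encoded
```

A side effect of the allowlist is that route=admin/ (empty action) is rejected outright rather than dispatched, which is the safer default for a router.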

@xujinliang (Owner)

3Q, you are a good man
