
The function parameter [Route] has reflective XSS #4

Closed
@Stellarsss

Description


First, follow the index.php entry file, which loads the framework file directly, so simply visiting either of the following addresses
http://20.20.20.130:8000/zibbs/index.php
http://20.20.20.130:8000/zibbs
will directly load the framework file and instantiate the framework class.
Tracing directly into the core/framework.php file: after analysis, this CMS dispatches each controller and action through 【route】, where the parameter route holds the controller name and action name supplied in this GET request.
core/framework.php
A normal GET request looks like this:
http://20.20.20.130:8000/zibbs/index.php?route=admin/login
Here the parameter 【route】 is controllable. The value of the input parameter 【route】 is processed as follows: it is first split on /, so for route=aaa/bbb, aaa is the controller name and bbb is the action. It also checks whether the controller and the action name exist; when the controller name does not exist, it directly outputs "aaa Controller Controller does not exist 11111", as shown below.
So for the parameter 【route】, if the controller doesn't exist, the value of the input parameter 【route】 is displayed directly, and the values that follow it as well, without XSS filtering. Only the addslashes() method is applied here; there is no XSS filtering function in this respect.
Because there is no filtering here, there is reflected XSS, tested as follows.
Because of the split on / here, the usual XSS payload cannot trigger a pop-up, so the following XSS payload can be used to trigger a pop-up:

http://20.20.20.130:8000/zibbs/index.php?route=1111%3Cimg%20src=x%20onerror=prompt(1)%3E
The following test statement also triggers a pop-up as normal:
route=admin/
Solution:
Filter or encode special characters like these:
<
>
"
'
&
%
... ...
and filter some keywords like these:
script
javascript
... ...
or filter some tag attributes that can run JavaScript, like these:
onclick
onerror
onload
... ...
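As an added example (not the zibbs project's own code, and not the reporter's), the following PHP dispatcher shows how the route handling described above can be hardened. It combines the two fixes the report asks for: the route value is restricted to a strict character whitelist before it is split on /, and anything echoed back, including the "Controller does not exist" message, is HTML-encoded with htmlspecialchars() instead of only addslashes(). The controller registry (`$controllers`) and the function name `dispatch` are hypothetical; the inputs at the bottom are constructed from the report.

```php
<?php
declare(strict_types=1);

// Hypothetical controller/action registry standing in for the CMS's own lookup.
$controllers = [
    'admin' => ['login', 'logout'],
    'post'  => ['list', 'view'],
];

/**
 * Return the text that would be rendered for a raw ?route= value.
 *
 * Defence 1: only letters, digits, underscore and at most one '/' are accepted,
 * so '<', '>', quotes, '&' and '%' never reach the output path at all.
 * Defence 2: whatever is echoed back is HTML-encoded anyway (defence in depth,
 * in case the whitelist is ever relaxed). addslashes() alone is not an XSS
 * defence: it escapes quotes and backslashes but leaves '<' and '>' intact.
 */
function dispatch(array $controllers, string $route): string
{
    if (!preg_match('#^[A-Za-z0-9_]+(?:/[A-Za-z0-9_]+)?$#', $route)) {
        // Reject without reflecting the offending value.
        return 'Invalid route';
    }

    $parts      = explode('/', $route, 2);
    $controller = $parts[0];
    $action     = $parts[1] ?? 'index';

    if (!isset($controllers[$controller])) {
        return htmlspecialchars($controller, ENT_QUOTES | ENT_HTML5, 'UTF-8')
            . ' Controller does not exist';
    }
    if (!in_array($action, $controllers[$controller], true)) {
        return htmlspecialchars($action, ENT_QUOTES | ENT_HTML5, 'UTF-8')
            . ' Action does not exist';
    }
    return "Dispatching {$controller}::{$action}";
}

// Constructed inputs: a normal route, the payload from the report, and an
// unknown controller. The payload is rejected before it can be reflected.
foreach (['admin/login', '1111<img src=x onerror=prompt(1)>', 'nope/x'] as $r) {
    echo dispatch($controllers, $r), PHP_EOL;
}
```

The whitelist is the primary control: a route is a controller name plus an action name, so there is no legitimate reason for markup characters to appear in it, and rejecting them up front is simpler and safer than maintaining a blacklist of tags or event-handler names. The htmlspecialchars() call on the error path is the second layer; it should be applied wherever any part of the request is echoed into HTML, regardless of what validation happened earlier.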
