Search...

thinksaas最新版xss2

2015-03-30T00:00:00

ID SSV:94314
Type seebug
Reporter Root
Modified 2015-03-30T00:00:00

Description

简要描述：

详细说明：

\app\group\action\add.php

``` // 执行发布帖子 case "do" :

    if ($_POST ['token'] != $_SESSION ['token']) {
        tsNotice ( '非法操作！' );
    }

    $authcode = strtolower ( $_POST ['authcode'] );

    if ($TS_SITE ['base'] ['isauthcode']) {
        if ($authcode != $_SESSION ['verify']) {
            tsNotice ( "验证码输入有误，请重新输入！" );
        }
    }

    $groupid = intval ( $_POST ['groupid'] );
    $title = trim( $_POST ['title'] );//重点在这里，没有过滤题目。

```

漏洞证明：

登录1111账号-小组-发布帖子。

登录另一账号与1111账号在同一小组的admin---我的社区触发漏洞：

JSON Vulners Source

Initial Source

{"type": "seebug", "lastseen": "2017-11-19T12:34:13", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "href": "https://www.seebug.org/vuldb/ssvid-94314", "cvss": {"score": 0.0, "vector": "NONE"}, "history": [], "modified": "2015-03-30T00:00:00", "reporter": "Root", "description": "### \u7b80\u8981\u63cf\u8ff0\uff1a\n\n\n\n### \u8be6\u7ec6\u8bf4\u660e\uff1a\n\n\\app\\group\\action\\add.php\n\n\n```\n// \u6267\u884c\u53d1\u5e03\u5e16\u5b50\n\tcase \"do\" :\n\t\t\n\t\tif ($_POST ['token'] != $_SESSION ['token']) {\n\t\t\ttsNotice ( '\u975e\u6cd5\u64cd\u4f5c\uff01' );\n\t\t}\n\t\t\n\t\t$authcode = strtolower ( $_POST ['authcode'] );\n\t\t\n\t\tif ($TS_SITE ['base'] ['isauthcode']) {\n\t\t\tif ($authcode != $_SESSION ['verify']) {\n\t\t\t\ttsNotice ( \"\u9a8c\u8bc1\u7801\u8f93\u5165\u6709\u8bef\uff0c\u8bf7\u91cd\u65b0\u8f93\u5165\uff01\" );\n\t\t\t}\n\t\t}\n\t\t\n\t\t$groupid = intval ( $_POST ['groupid'] );\n\t\t$title = trim( $_POST ['title'] );//\u91cd\u70b9\u5728\u8fd9\u91cc\uff0c\u6ca1\u6709\u8fc7\u6ee4\u9898\u76ee\u3002\n```\n\n\n \n\n### \u6f0f\u6d1e\u8bc1\u660e\uff1a\n\n\u767b\u5f551111\u8d26\u53f7-\u5c0f\u7ec4-\u53d1\u5e03\u5e16\u5b50\u3002\n\n\n[<img src=\"https://images.seebug.org/upload/201503/2620344577affe4cb34c7794db58c2fa88201abc.png\" alt=\"20.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201503/2620344577affe4cb34c7794db58c2fa88201abc.png)\n\n\n\u767b\u5f55\u53e6\u4e00\u8d26\u53f7\u4e0e1111\u8d26\u53f7\u5728\u540c\u4e00\u5c0f\u7ec4\u7684admin---\u6211\u7684\u793e\u533a\n\u89e6\u53d1\u6f0f\u6d1e\uff1a\n\n\n[<img src=\"https://images.seebug.org/upload/201503/26203508e9bb3dcb21982a509dd09d6e135d49da.png\" alt=\"21.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201503/26203508e9bb3dcb21982a509dd09d6e135d49da.png)\n\n\n\n\n[<img src=\"https://images.seebug.org/upload/201503/262035194941e0c1c6a16f67356c044d5cdda34b.png\" alt=\"22.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201503/262035194941e0c1c6a16f67356c044d5cdda34b.png)", "bulletinFamily": "exploit", "references": [], "objectVersion": "1.4", "viewCount": 0, "status": "details", "sourceHref": "", "cvelist": [], "enchantments_done": [], "title": "thinksaas\u6700\u65b0\u7248xss2", "id": "SSV:94314", "sourceData": "", "published": "2015-03-30T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}, "vulnersScore": 7.5}, "_object_type": "robots.models.seebug.SeebugBulletin"}