thinksaas latest version XSS

2015-03-31T00:00:00
ID SSV:94315
Type seebug
Reporter Root
Modified 2015-03-31T00:00:00

Description

Brief description:

thinksaas latest version XSS

Details:

Vulnerable file: \app\group\action\create.php

```php
case "do":

    if($TS_APP['options']['iscreate'] == 0 || $TS_USER['user']['isadmin']==1){

        $groupname = trim($_POST['groupname']);//no filtering here
        $groupdesc = tsClean($_POST['groupdesc']);//key point: tsClean filters this one

        if($groupname=='' || $groupdesc=='') {
            tsNotice('小组名称和介绍不能为空!');
        }

        //content filtering begins
        if($TS_USER['user']['isadmin']!=1){
            aac('system')->antiWord($groupname);
            aac('system')->antiWord($groupdesc);
        }
        //content filtering ends

        //whether the configuration requires review
        $isaudit = intval($TS_APP['options']['isaudit']);
        if($TS_USER['user']['isadmin']==1){
            $isaudit = 0;
        }

        $isGroup = $new['group']->findCount('group',array(
            'groupname'=>$groupname,
        ));

        if($isGroup > 0) {
            tsNotice("小组名称已经存在,请更换其他小组名称!");
        }
        $groupid = $new['group']->create('group',array(
            'userid'    => $userid,
            'groupname' => $groupname,
            'groupdesc' => $groupdesc,
            'isaudit'   => $isaudit,
            'addtime'   => time(),//key point: inserted here without filtering
        ));

```
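As an added example (not ThinkSAAS code), the defect pattern above is reduced to a stand-alone function beside a hardened version: the stored group name is validated against an allow-list on input and HTML-encoded on output, so it cannot become markup even if the input check were bypassed. Function names and the sample POST body are constructed for this illustration.

```php
<?php
// Added example, not part of the ThinkSAAS code base.

// Vulnerable pattern: only trim(), so the value is stored exactly as submitted
// and any template that echoes it raw renders attacker-controlled HTML.
function vulnerable_groupname(array $post): string {
    return trim($post['groupname'] ?? '');
}

// Hardened input side: accept only letters (incl. CJK), digits, spaces, '_' and '-',
// bounded in length. Anything else is rejected before it reaches the database.
function hardened_groupname(array $post): string {
    $name = trim($post['groupname'] ?? '');
    if ($name === '' || mb_strlen($name, 'UTF-8') > 50
        || !preg_match('/^[\p{L}\p{N} _\-]+$/u', $name)) {
        throw new InvalidArgumentException('invalid group name');
    }
    return $name;
}

// Hardened output side: every place that echoes a stored name into HTML must
// encode it. This is the primary defence; input validation is defence in depth.
function render_groupname(string $name): string {
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample request body containing markup in the group name.
$post = ['groupname' => 'Team<script>alert(1)</script>'];

// Vulnerable path stores the markup verbatim; encoding at output still neutralises it.
$stored = vulnerable_groupname($post);
echo "stored raw: " . $stored . PHP_EOL;
echo "safe output: " . render_groupname($stored) . PHP_EOL;

// Hardened path refuses the value outright.
try {
    hardened_groupname($post);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . PHP_EOL;
}
```

The fix the advisory implies is to treat `groupname` the same way `groupdesc` already is (filtered before storage) and, independently, to encode it wherever it is rendered.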

Proof of vulnerability:

Reproduction steps: Log in - Groups - Create group - the group name is not filtered.

![7.png](https://images.seebug.org/upload/201503/2617283608a22de7fba4d9ef683997c4b613bb44.png)

After creation:

![8.png](https://images.seebug.org/upload/201503/261728574d3e71038c1106db1e20c424b5cd0d50.png)

1. Click "publish post"; the vulnerability is triggered.

![9.png](https://images.seebug.org/upload/201503/261729210aa24d2cf383b58db3ce93e953b04c0b.png)

2. Settings - Groups - groups I created

![18.png](https://images.seebug.org/upload/201503/26172943a024ee700d3176f51728b36e4dc98ea8.png)