Search...

ThinkSAAS最新版2.4 Xss漏洞

2015-12-28T00:00:00

ID SSV:94358
Type seebug
Reporter Root
Modified 2015-12-28T00:00:00

Description

简要描述：

未过滤

详细说明：

先看写入代码： /var/www/html/thinksaas/app/my/action/setting.php

``` case "citydo":

    $province = trim($_POST['province']); 
    $city = trim($_POST['city']);//只过滤两处空白

//这里就直接写入数据库了 $new['my']->update('user_info',array( 'userid'=>$userid, ),array(

        'province'=&gt;$province,
        'city'=&gt;$city,

    ));
    tsNotice("常居地更新成功！");

    break;

```

Update:

`` public function update($table, $conditions, $row) { $where = ""; if (empty ( $row )) return FALSE; if (is_array ( $conditions )) { $join = array (); foreach ( $conditions as $key => $condition ) { $condition = $this->escape ( $condition ); $join [] = "{$key}= {$condition}"; } $where = "WHERE " . join ( " AND ", $join ); } else { if (null != $conditions) $where = "WHERE " . $conditions; } foreach ( $row as $key => $value ) { $value = $this->escape ( $value ); //只做了转义 //$vals [] = "$key` = $value"; $vals [] = "{$key} = {$value}"; } $values = join ( ", ", $vals ); $sql = "UPDATE " . dbprefix . "{$table} SET {$values} {$where}";

    return $this-&gt;db-&gt;query ( $sql );
}

```

再来看取出： /var/www/html/thinksaas/app/user/class.user.php

``` //获取一个用户的信息 function getOneUser($userid){

        $strUser = $this-&gt;find('user_info',array(
            'userid'=&gt;$userid,
        ));

        if($strUser){

            $strUser['username'] = tsTitle($strUser['username']);

            if($strUser['face'] && $strUser['path']){
                $strUser['face'] = tsXimg($strUser['face'],'user',120,120,$strUser['path'],1);
            }elseif($strUser['face'] && $strUser['path']==''){
                $strUser['face']    = SITE_URL.'public/images/'.$strUser['face'];
            }else{
                //没有头像
                $strUser['face']    = SITE_URL.'public/images/user_large.jpg';
            }
        }else{
            $strUser = '';
        }

        return $strUser; //没任何过滤
}

```

漏洞证明：

JSON Vulners Source

Initial Source

{"id": "SSV:94358", "type": "seebug", "bulletinFamily": "exploit", "title": "ThinkSAAS\u6700\u65b0\u72482.4 Xss\u6f0f\u6d1e", "description": "### \u7b80\u8981\u63cf\u8ff0\uff1a\n\n\u672a\u8fc7\u6ee4\n\n### \u8be6\u7ec6\u8bf4\u660e\uff1a\n\n\u5148\u770b\u5199\u5165\u4ee3\u7801\uff1a\n/var/www/html/thinksaas/app/my/action/setting.php\n\n\n```\ncase \"citydo\":\n\t\n\t\t$province = trim($_POST['province']); \n\t\t$city = trim($_POST['city']);//\u53ea\u8fc7\u6ee4\u4e24\u5904\u7a7a\u767d\n\t\t\n//\u8fd9\u91cc\u5c31\u76f4\u63a5\u5199\u5165\u6570\u636e\u5e93\u4e86\n\t\t$new['my']->update('user_info',array(\n\t\t\t'userid'=>$userid,\n\t\t),array(\n\t\t\n\t\t\t'province'=>$province,\n\t\t\t'city'=>$city,\n\t\t\n\t\t));\n\t\ttsNotice(\"\u5e38\u5c45\u5730\u66f4\u65b0\u6210\u529f\uff01\");\n\t\n\t\tbreak;\n```\n\n\nUpdate:\n\n\n```\npublic function update($table, $conditions, $row) {\n\t\t$where = \"\";\n\t\tif (empty ( $row ))\n\t\t\treturn FALSE;\n\t\tif (is_array ( $conditions )) {\n\t\t\t$join = array ();\n\t\t\tforeach ( $conditions as $key => $condition ) {\n\t\t\t\t$condition = $this->escape ( $condition );\n\t\t\t\t$join [] = \"`{$key}` = {$condition}\";\n\t\t\t}\n\t\t\t$where = \"WHERE \" . join ( \" AND \", $join );\n\t\t} else {\n\t\t\tif (null != $conditions)\n\t\t\t\t$where = \"WHERE \" . $conditions;\n\t\t}\n\t\tforeach ( $row as $key => $value ) {\n\t\t\t$value = $this->escape ( $value ); //\u53ea\u505a\u4e86\u8f6c\u4e49\n\t\t\t//$vals [] = \"`$key` = $value\";\n\t\t\t$vals [] = \"{$key} = {$value}\";\n\t\t}\n\t\t$values = join ( \", \", $vals );\n\t\t$sql = \"UPDATE \" . dbprefix . \"{$table} SET {$values} {$where}\";\n\t\t\n\t\treturn $this->db->query ( $sql );\n\t}\n```\n\n\n\u518d\u6765\u770b\u53d6\u51fa\uff1a\n/var/www/html/thinksaas/app/user/class.user.php\n\n\n```\n//\u83b7\u53d6\u4e00\u4e2a\u7528\u6237\u7684\u4fe1\u606f\n\tfunction getOneUser($userid){\n\t\t\t\n\t\t\t$strUser = $this->find('user_info',array(\n\t\t\t\t'userid'=>$userid,\n\t\t\t));\n\t\t\t\n\t\t\tif($strUser){\n\t\t\t\n\t\t\t\t$strUser['username'] = tsTitle($strUser['username']);\n\t\t\t\n\t\t\t\tif($strUser['face'] && $strUser['path']){\n\t\t\t\t\t$strUser['face'] = tsXimg($strUser['face'],'user',120,120,$strUser['path'],1);\n\t\t\t\t}elseif($strUser['face'] && $strUser['path']==''){\n\t\t\t\t\t$strUser['face']\t= SITE_URL.'public/images/'.$strUser['face'];\n\t\t\t\t}else{\n\t\t\t\t\t//\u6ca1\u6709\u5934\u50cf\n\t\t\t\t\t$strUser['face']\t= SITE_URL.'public/images/user_large.jpg';\n\t\t\t\t}\n\t\t\t}else{\n\t\t\t\t$strUser = '';\n\t\t\t}\n\t\t\t\n\t\t\treturn $strUser; //\u6ca1\u4efb\u4f55\u8fc7\u6ee4\n\t}\n```\n\n \n\n### \u6f0f\u6d1e\u8bc1\u660e\uff1a\n\n\n\n[<img src=\"https://images.seebug.org/upload/201512/251130037d7fc4a08f8b68c547c5972e50168c6a.png\" alt=\"thi1.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201512/251130037d7fc4a08f8b68c547c5972e50168c6a.png)\n\n\n\n\n[<img src=\"https://images.seebug.org/upload/201512/25113012d074f5bbde88fbd5273a3bae4440e3c0.png\" alt=\"thi2.png\" width=\"600\" onerror=\"javascript:errimg(this);\">](https://images.seebug.org/upload/201512/25113012d074f5bbde88fbd5273a3bae4440e3c0.png)", "published": "2015-12-28T00:00:00", "modified": "2015-12-28T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.seebug.org/vuldb/ssvid-94358", "reporter": "Root", "references": [], "cvelist": [], "lastseen": "2017-11-19T12:21:32", "history": [], "viewCount": 0, "enchantments": {"vulnersScore": 3.5}, "enchantments_done": [], "objectVersion": "1.4", "sourceHref": "", "sourceData": "", "status": "details", "_object_type": "robots.models.seebug.SeebugBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"]}