ThinkSAAS最新版2.4 Xss漏洞

2015-12-28T00:00:00
ID SSV:94358
Type seebug
Reporter Root
Modified 2015-12-28T00:00:00

Description

简要描述:

未过滤

详细说明:

先看写入代码: /var/www/html/thinksaas/app/my/action/setting.php

``` case "citydo":

    $province = trim($_POST['province']); 
    $city = trim($_POST['city']);//只过滤两处空白

//这里就直接写入数据库了 $new['my']->update('user_info',array( 'userid'=>$userid, ),array(

        'province'=>$province,
        'city'=>$city,

    ));
    tsNotice("常居地更新成功!");

    break;

```

Update:

`` public function update($table, $conditions, $row) { $where = ""; if (empty ( $row )) return FALSE; if (is_array ( $conditions )) { $join = array (); foreach ( $conditions as $key => $condition ) { $condition = $this->escape ( $condition ); $join [] = "{$key}= {$condition}"; } $where = "WHERE " . join ( " AND ", $join ); } else { if (null != $conditions) $where = "WHERE " . $conditions; } foreach ( $row as $key => $value ) { $value = $this->escape ( $value ); //只做了转义 //$vals [] = "$key` = $value"; $vals [] = "{$key} = {$value}"; } $values = join ( ", ", $vals ); $sql = "UPDATE " . dbprefix . "{$table} SET {$values} {$where}";

    return $this->db->query ( $sql );
}

```

再来看取出: /var/www/html/thinksaas/app/user/class.user.php

``` //获取一个用户的信息 function getOneUser($userid){

        $strUser = $this->find('user_info',array(
            'userid'=>$userid,
        ));

        if($strUser){

            $strUser['username'] = tsTitle($strUser['username']);

            if($strUser['face'] && $strUser['path']){
                $strUser['face'] = tsXimg($strUser['face'],'user',120,120,$strUser['path'],1);
            }elseif($strUser['face'] && $strUser['path']==''){
                $strUser['face']    = SITE_URL.'public/images/'.$strUser['face'];
            }else{
                //没有头像
                $strUser['face']    = SITE_URL.'public/images/user_large.jpg';
            }
        }else{
            $strUser = '';
        }

        return $strUser; //没任何过滤
}

```

漏洞证明:

<img src="https://images.seebug.org/upload/201512/251130037d7fc4a08f8b68c547c5972e50168c6a.png" alt="thi1.png" width="600" onerror="javascript:errimg(this);">

<img src="https://images.seebug.org/upload/201512/25113012d074f5bbde88fbd5273a3bae4440e3c0.png" alt="thi2.png" width="600" onerror="javascript:errimg(this);">