xpshop商城管理系统储存型XSS,可盲打后台#2(demo演示+浏览器通杀)

2015-03-20T00:00:00
ID SSV:96024
Type seebug
Reporter Root
Modified 2015-03-20T00:00:00

Description

简要描述:

xss

详细说明:

http://wooyun.org/bugs/wooyun-2015-0101571/trace/72e031e551be9369419de37fb75f49cb 继续额~ 先来到demo演示地址注册个账号:http://etp.xpshop.cn/

<img src="https://images.seebug.org/upload/201503/15212228ede8870d00d09309267ae86ce0ead10b.png" alt="11.png" width="600" onerror="javascript:errimg(this);">

然后随便选个东西加入购物车

<img src="https://images.seebug.org/upload/201503/15212258f79f683106c325017b6687534fa5a3bb.png" alt="22.png" width="600" onerror="javascript:errimg(this);">

等全部提交完以后我们直接查看订单

<img src="https://images.seebug.org/upload/201503/15221054b7cee496fea54b505e8c77fecb6d2f6e.png" alt="22.png" width="600" onerror="javascript:errimg(this);">

有个留言,在留言的地方插入:"/&gt;&lt;svg onload=alert(/1/)&gt;

<img src="https://images.seebug.org/upload/201503/1522112301fbcbc4970f0eb893764379e5dcbd7a.png" alt="33.png" width="600" onerror="javascript:errimg(this);">

返回后查看订单成功弹窗

<img src="https://images.seebug.org/upload/201503/152211316698d18a588feb3a397bd78102cdbbf9.png" alt="11.png" width="600" onerror="javascript:errimg(this);">

为证明非self-xss,接下来我们来到后台查看一下吧:http://etp.xpshop.cn/admin,用户名:admin 密码:888888 进入后台后点击查看订单后成功弹窗

<img src="https://images.seebug.org/upload/201503/15221139b9ebe18ada17cef7eac592e7e204a8c6.png" alt="44.png" width="600" onerror="javascript:errimg(this);">

漏洞证明:

<img src="https://images.seebug.org/upload/201503/15221139b9ebe18ada17cef7eac592e7e204a8c6.png" alt="44.png" width="600" onerror="javascript:errimg(this);">