bbs/ajax.php
$data = array(); $_POST['content'] = unescape($_POST['content']); $data['aid'] = isset($_POST['aid']) ? intval($_POST['aid']) : exit(0); $data['tid'] = isset($_POST['tid']) ? intval($_POST['tid']) : 0; $data['content'] = isset($_POST['content']) ? $_POST['content'] : exit(0); $data['username'] = isset($_COOKIE['username']) ? $_COOKIE['username'] : ''; //$data['userid'] = $admin->userid; $data['addtime'] = mktime(); $data['ip'] = $_SERVER['REMOTE_ADDR']; $reply = db_bbs_reply::getInstance(); $r = $reply->inserData($data); if($r){ $archive = db_bbs_archive::getInstance(); $archive->updateClickReply($data['aid'],'replynum'); ......
看到unescape 函数。
function unescape($str) { $str = rawurldecode($str); preg_match_all("/%u.{4}|&#x.{4};|&#d+;|.+/U",$str,$r); $ar = $r[0]; foreach($ar as $k=>$v){ if(substr($v,0,2) == "%u"){ $ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,-4))); }elseif(substr($v,0,3) == "&#x"){ $ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,3,-1))); }elseif(substr($v,0,2) == "&#"){ $ar[$k] = iconv("UCS-2","UTF-8",pack("n",substr($v,2,-1))); } } return join("",$ar); }有了 rawurldecode 所以提交 url格式编码数据。绕过remove_xss检测。再rawurldecode还原。即可xss 列如 %3Cscript%3Ealert(1)%3C%2Fscript%3E
修复方案:
修复
查看更多关于cmseasy最新版存储型XSS+代码分析(可绕过xss防护机的详细内容...
声明:本文来自网络,不代表【好得很程序员自学网】立场,转载请注明出处:http://haodehen.cn/did15199