### Summary:
cmseasy 5.5.0.20140605: stored XSS in the forum reply handler (bbs/ajax.php) because the content is URL-decoded after the XSS filter has run.
### Details:
bbs/ajax.php (reply insertion):
```php
$data = array();
// content is decoded here, i.e. after remove_xss has already been applied to $_POST
$_POST['content'] = unescape($_POST['content']);
$data['aid'] = isset($_POST['aid']) ? intval($_POST['aid']) : exit(0);
$data['tid'] = isset($_POST['tid']) ? intval($_POST['tid']) : 0;
$data['content'] = isset($_POST['content']) ? $_POST['content'] : exit(0);
$data['username'] = isset($_COOKIE['username']) ? $_COOKIE['username'] : '';
//$data['userid'] = $admin->userid;
$data['addtime'] = mktime();
$data['ip'] = $_SERVER['REMOTE_ADDR'];
$reply = db_bbs_reply::getInstance();
$r = $reply->inserData($data);   // the decoded content is stored as-is
if($r){
$archive = db_bbs_archive::getInstance();
$archive->updateClickReply($data['aid'],'replynum');
// ......
```
Now look at the unescape function:
```php
function unescape($str) {
    // first pass: plain URL decoding (%XX), which restores any '<' and '>' encoded as %3C / %3E
    $str = rawurldecode($str);
    // second pass: %uXXXX, &#xXXXX; and &#NNNN; sequences are converted to UTF-8
    preg_match_all("/%u.{4}|&#x.{4};|&#\d+;|.+/U",$str,$r);
    $ar = $r[0];
    foreach($ar as $k=>$v){
        if(substr($v,0,2) == "%u"){
            $ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,-4)));
        }elseif(substr($v,0,3) == "&#x"){
            $ar[$k] = iconv("UCS-2","UTF-8",pack("H4",substr($v,3,-1)));
        }elseif(substr($v,0,2) == "&#"){
            $ar[$k] = iconv("UCS-2","UTF-8",pack("n",substr($v,2,-1)));
        }
    }
    return join("",$ar);
}
```
Because unescape starts with rawurldecode, the decoding happens after the remove_xss check has already inspected the request. Submitting the payload URL-encoded therefore passes remove_xss (which sees no tags), and rawurldecode then restores it before it is written to the database, giving stored XSS.
For example: %3Cscript%3Ealert(1)%3C%2Fscript%3E
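The ordering problem in one runnable piece, as an added example that is not cmseasy's code: a Python port of the unescape() logic shown above, beside a hypothetical blocklist filter that stands in for remove_xss (cmseasy's real filter is not reproduced, only the assumption that it inspects the raw $_POST value). vulnerable_handler mirrors bbs/ajax.php (filter, then decode); fixed_handler decodes to a fixpoint first and only then filters, and render shows output encoding as the defence that does not depend on the filter at all.

```python
"""Added example (not cmseasy's code): why filtering before decoding is bypassable."""
import html
import re
from urllib.parse import unquote

# Same alternation as the PHP pattern; PHP's /U flag makes ".+" ungreedy, hence ".+?".
_TOKEN_RE = re.compile(r"%u.{4}|&#x.{4};|&#\d+;|.+?")


def _decode_token(tok: str) -> str:
    try:
        if tok.startswith("%u"):          # %uXXXX   -> pack("H4") + iconv UCS-2
            return chr(int(tok[2:], 16))
        if tok.startswith("&#x"):         # &#xXXXX; -> pack("H4") + iconv UCS-2
            return chr(int(tok[3:-1], 16))
        if tok.startswith("&#"):          # &#NNNN;  -> pack("n") keeps the low 16 bits
            return chr(int(tok[2:-1]) & 0xFFFF)
    except ValueError:
        pass                              # non-hex digits: leave the token untouched
    return tok


def unescape(s: str) -> str:
    """Port of cmseasy's unescape(): rawurldecode, then %u / &#x / &# decoding."""
    s = unquote(s)                        # rawurldecode: %XX only, '+' is not a space
    return "".join(_decode_token(t) for t in _TOKEN_RE.findall(s))


# Hypothetical stand-in for remove_xss (assumption: a tag/attribute blocklist that is
# applied to the raw request value before the handler runs).
_BLOCKLIST = re.compile(
    r"<\s*/?\s*(script|iframe|object|embed)\b|\bon\w+\s*=|javascript\s*:", re.I)


def remove_xss_stub(s: str) -> str:
    return _BLOCKLIST.sub("", s)


def vulnerable_handler(raw_content: str) -> str:
    """bbs/ajax.php ordering: the filter sees the encoded value, unescape() re-creates the tags."""
    filtered = remove_xss_stub(raw_content)
    return unescape(filtered)


def fixed_handler(raw_content: str) -> str:
    """Decode until the value stops changing, then filter the canonical form.
    The loop terminates because every decoding step shortens the string."""
    content = raw_content
    while True:
        decoded = unescape(content)
        if decoded == content:
            break
        content = decoded
    return remove_xss_stub(content)


def render(stored: str) -> str:
    """Defence in depth: HTML-escape at output time regardless of what the filter did."""
    return html.escape(stored, quote=True)


# Constructed input: the proof-of-concept string from the report.
PAYLOAD = "%3Cscript%3Ealert(1)%3C%2Fscript%3E"

if __name__ == "__main__":
    print("vulnerable:", vulnerable_handler(PAYLOAD))   # <script>alert(1)</script>
    print("fixed     :", fixed_handler(PAYLOAD))        # >alert(1)>
    print("rendered  :", render(vulnerable_handler(PAYLOAD)))
```

The fixpoint loop matters because the same pattern also accepts %u003C and &#60; forms of `<`; decoding once and filtering would still miss a doubly encoded payload such as %2525 sequences. Output encoding in render is what actually removes the dependency on the blocklist being complete.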
![c11.jpg](https://images.seebug.org/upload/201406/2119140462a636392fc409323c16cb53a323fe30.jpg)
![c5.jpg](https://images.seebug.org/upload/201406/211914203f901e6b6f44c2c4f85c47b585bd4b43.jpg)
### Proof of concept:
As described above.