### 简要描述:
CmsEasy 存储型 XSS，测试所用的下载版本为 CmsEasy_5.5_UTF-8_20130910
### 详细说明:
bbs/add-archive.php
```
<?php
require_once 'bbs_public.php';
// Login-related checks follow, so a registered account is needed before testing this page.
$admin = new action_admin;
$admin->check_login(); // require a logged-in user
......省略........
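if (isset($_POST['submit'])) {
    // Captcha check. Compare strictly after normalising case; a missing or
    // empty session captcha fails closed instead of matching an empty input
    // (the loose `!=` against a possibly-unset session value did not).
    $verifyInput = strtolower(trim((string) ($_POST['verify'] ?? '')));
    $verifyExpected = strtolower((string) ($_SESSION['verify'] ?? ''));
    if ($verifyExpected === '' || $verifyInput !== $verifyExpected) {
        action_public::turnPage('index.php','验证码输入错误!');
    }
    // One captcha, one submission: clear it so the same code cannot be replayed.
    unset($_SESSION['verify']);

    $archive = db_bbs_archive::getInstance();
    // Drop the form-only fields; every key left in $_POST becomes a column name
    // in the INSERT built by inserData().
    unset($_POST['submit'], $_POST['verify']);
    // NOTE(review): username is read from a client-supplied cookie rather than
    // from the authenticated $admin object; the server-side identity should be
    // the source here — confirm what $admin exposes.
    $_POST['username'] = $_COOKIE['login_username'] ?? '';
    $_POST['userid'] = $admin->userid;
    $_POST['ip'] = $_SERVER['REMOTE_ADDR'];
    // mktime() with no arguments is deprecated and fails on PHP 8; time() is the intent.
    $_POST['addtime'] = time();
    // inserData() only SQL-escapes the values: fields such as `title` are stored
    // exactly as submitted, so they must be HTML-escaped wherever they are rendered.
    $id = $archive->inserData($_POST);
    if ($id) {
        action_public::turnPage('archive-display.php?aid='.$id,'文章添加成功');
    } else {
        action_public::turnPage('index.php','添加失败,请联系我们!');
    }
}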
```
跟进路径inserData()->insert()->getInsertString()函数
```
/**
 * Insert one row into this model's table.
 *
 * @param array $data column => value map, handed to odb->insert() unchanged
 * @return mixed the value of odb->getInsertId() on success, false when the insert failed
 */
public function inserData($data)
{
    $inserted = $this->odb->insert($this->tblName, $data);

    return $inserted ? $this->odb->getInsertId() : false;
}
跟进insert
/**
 * Build an INSERT statement for $table from $data and execute it.
 *
 * @param string $table target table
 * @param array  $data  column => value map
 * @return mixed whatever execSql() returns
 */
public function insert($table, $data)
{
    return $this->execSql($this->getInsertString($table, $data));
}
跟进getInsertString
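/**
 * Build an INSERT statement for $table from a column => value map.
 *
 * Values are escaped with filterString(), which is a SQL string escape only:
 * HTML metacharacters such as < and > are stored verbatim, so anything later
 * rendered from these columns still needs HTML escaping at output time.
 *
 * Column names come from the keys of $data, which callers may fill straight
 * from $_POST, so they are not trusted. filterString() only escapes quote
 * characters and is not an identifier-quoting routine, so each key is instead
 * wrapped in backticks with embedded backticks doubled; for ordinary
 * identifiers the resulting SQL is equivalent to the old unquoted form. The
 * stronger fix is an allow-list of known columns, which this layer has no
 * schema to enforce.
 *
 * An empty $data still yields `INSERT INTO t () VALUES()` as before; passing
 * at least one column is the caller's responsibility.
 *
 * @param string $table table name (run through filterString(), as before)
 * @param array  $data  column => value
 * @return string the SQL text; nothing is executed here
 */
public function getInsertString($table, $data)
{
    $table = $this->filterString($table);
    $columns = [];
    $values = [];
    foreach ($data as $k => $v) {
        $columns[] = '`' . str_replace('`', '``', (string) $k) . '`';
        $values[] = "'" . $this->filterString($v) . "'";
    }

    return 'INSERT INTO ' . $table . ' (' . implode(',', $columns) . ') VALUES(' . implode(',', $values) . ')';
}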
```
分析filterString()函数
```
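/**
 * Escape a value for use inside a quoted SQL string literal.
 *
 * This is SQL escaping only (mysqli_real_escape_string): quotes, backslashes,
 * NUL and line breaks get a backslash. HTML metacharacters are returned as-is,
 * so data that passes through here is NOT safe to echo into HTML without
 * htmlspecialchars() at output time.
 *
 * @param mixed $str raw value; numeric input (int/float/numeric string) is
 *                   returned unchanged, everything else is escaped
 * @return mixed the escaped string, the numeric input unchanged, or — when the
 *               connection is gone and cannot be restored — the raw input
 */
public function filterString($str)
{
    if ($this->magic_quotes)
    {
        // Undo magic_quotes_gpc so the value is not escaped twice.
        $str = stripslashes($str);
    }
    if ( is_numeric($str) ) {
        // Numeric input carries no quote/backslash characters, so it passes through.
        return $str;
    }
    // The @ keeps the "connection gone" warning quiet; that case is detected
    // below through the null return instead. NOTE(review): on PHP >= 8.1 mysqli
    // reports such errors as exceptions by default, so this fallback would not
    // be reached there — confirm the target PHP version.
    $ret = @mysqli_real_escape_string($this->con, $str);
    if ( strlen($str) && !isset($ret) ) {
        $r = $this->checkConnection();
        if ($r !== true) {
            // Connection could not be restored: close it and hand back the
            // unescaped value (the caller receives raw input).
            $this->closeDB();
            $ret = $str;
        } else {
            // Connection is usable again: escape for real. The original returned
            // null here, silently dropping the value.
            $ret = @mysqli_real_escape_string($this->con, $str);
        }
    }
    return $ret;
}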
```
filterString() 只用 mysqli_real_escape_string 对 ' " 等 SQL 元字符做了转义，这是面向 SQL 的过滤；< > 等 HTML 标签字符原样入库，输出时也未做 HTML 编码，因此过滤不完整。
发表文章查看数据:
[<img src="https://images.seebug.org/upload/201309/281248331585a87e4675373cb76fad9a57c333d4.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201309/281248331585a87e4675373cb76fad9a57c333d4.png)
[<img src="https://images.seebug.org/upload/201309/28124931ab2b2b272c8129202d6c5ca78c1d6782.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201309/28124931ab2b2b272c8129202d6c5ca78c1d6782.png)
再分析一下 bbs/index.php 的输出
```
<?php foreach ($category_data as $v) {
$archive_arr = $archive->getDataLimit('aid,cid,lid,title,username,replynum,click,addtime',"cid='{$v['cid']}' AND isstop='0' order by aid desc limit 10 ");
?>
跟进getDataLimit
/**
 * Run a SELECT on this model's table and return the rows as getRows() hands them back.
 *
 * Both arguments are spliced into the SQL text verbatim — no quoting or escaping
 * happens here — so they must be trusted, code-supplied fragments, never user
 * input. Nothing in this method transforms the result either: column values
 * such as `title` are returned as stored and are not HTML-escaped here, so the
 * caller must encode them when rendering.
 *
 * @param string $field column list for the SELECT (default: all columns)
 * @param string $where WHERE clause text; may carry ORDER BY / LIMIT as well
 * @return mixed whatever odb->getRows() returns
 */
public function getDataLimit($field = '*',$where = '1')
{
    $query = sprintf('SELECT %s FROM %s WHERE %s', $field, $this->tblName, $where);

    return $this->odb->getRows($query);
}
```
### 漏洞证明:
[<img src="https://images.seebug.org/upload/201309/281252053d7dd883add1482397f37b92fc3dd38b.png" alt="3.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201309/281252053d7dd883add1482397f37b92fc3dd38b.png)