### 简要描述:
齐博CMS存储型xss一枚 打任意用户cookie 指哪打哪
### 详细说明:
在编辑出这块的 内容处源码模式插入
```
<img src=# onerror=alert(/Keyboard/)>
```
这个标签可以 没过滤
[<img src="https://images.seebug.org/upload/201504/252109094bbd32fbfe88b49481693e60a77d3ac7.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/252109094bbd32fbfe88b49481693e60a77d3ac7.png)
访问新闻页面就
[<img src="https://images.seebug.org/upload/201504/25211451375e55ad9d1c2bbdd026256f3a772e20.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/25211451375e55ad9d1c2bbdd026256f3a772e20.jpg)
[<img src="https://images.seebug.org/upload/201504/252114571c23ec2fcd52cf559bd22c9735b07bd3.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/252114571c23ec2fcd52cf559bd22c9735b07bd3.png)
ok
触发任意用户访问都可以
[<img src="https://images.seebug.org/upload/201504/2521100361c158c8432021f195642d266bcd3861.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/2521100361c158c8432021f195642d266bcd3861.jpg)
调用xss平台 插入js语句 就可以了
[<img src="https://images.seebug.org/upload/201504/252110280eea8e4f0b9862b1fc9fc8b65aa3b535.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/252110280eea8e4f0b9862b1fc9fc8b65aa3b535.jpg)
cookie就打到了 任意用户访问都可以
编辑器漏洞啊 是发送消息插入也ok
[<img src="https://images.seebug.org/upload/201504/25211809b877b659ca4d0384cdd948223b80d71d.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/25211809b877b659ca4d0384cdd948223b80d71d.jpg)
[<img src="https://images.seebug.org/upload/201504/252118151ef9e42ae4806b84e7b5269d05266726.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/252118151ef9e42ae4806b84e7b5269d05266726.png)
ok指哪打哪
### 漏洞证明:
在编辑出这块的 内容处源码模式插入
```
<img src=# onerror=alert(/Keyboard/)>
```
这个标签可以 没过滤
[<img src="https://images.seebug.org/upload/201504/252109094bbd32fbfe88b49481693e60a77d3ac7.png" alt="1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/252109094bbd32fbfe88b49481693e60a77d3ac7.png)
访问新闻页面就
[<img src="https://images.seebug.org/upload/201504/25211451375e55ad9d1c2bbdd026256f3a772e20.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/25211451375e55ad9d1c2bbdd026256f3a772e20.jpg)
[<img src="https://images.seebug.org/upload/201504/252114571c23ec2fcd52cf559bd22c9735b07bd3.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/252114571c23ec2fcd52cf559bd22c9735b07bd3.png)
ok
触发任意用户访问都可以
[<img src="https://images.seebug.org/upload/201504/2521100361c158c8432021f195642d266bcd3861.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/2521100361c158c8432021f195642d266bcd3861.jpg)
调用xss平台 插入js语句 就可以了
[<img src="https://images.seebug.org/upload/201504/252110280eea8e4f0b9862b1fc9fc8b65aa3b535.jpg" alt="3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/252110280eea8e4f0b9862b1fc9fc8b65aa3b535.jpg)
cookie就打到了 任意用户访问都可以
编辑器漏洞啊 是发送消息插入也ok
[<img src="https://images.seebug.org/upload/201504/25211809b877b659ca4d0384cdd948223b80d71d.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/25211809b877b659ca4d0384cdd948223b80d71d.jpg)
[<img src="https://images.seebug.org/upload/201504/252118151ef9e42ae4806b84e7b5269d05266726.png" alt="2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201504/252118151ef9e42ae4806b84e7b5269d05266726.png)
ok指哪打哪
京公网安备 11010502034610号
暂无评论