### Summary:
Stored XSS in the latest version of ThinkSAAS (group name is never filtered)
### Details:
Vulnerable file: \app\group\action\create.php
```php
case "do":
    if ($TS_APP['options']['iscreate'] == 0 || $TS_USER['user']['isadmin'] == 1) {
        $groupname = trim($_POST['groupname']);      // no filtering here, only trim()
        $groupdesc = tsClean($_POST['groupdesc']);   // key function: tsClean() does filter this one
        if ($groupname == '' || $groupdesc == '') {
            tsNotice('Group name and description cannot be empty!');
        }
        // content filtering begins (bad-word check only, not HTML sanitising)
        if ($TS_USER['user']['isadmin'] != 1) {
            aac('system')->antiWord($groupname);
            aac('system')->antiWord($groupdesc);
        }
        // content filtering ends
        // config option: do new groups need approval?
        $isaudit = intval($TS_APP['options']['isaudit']);
        if ($TS_USER['user']['isadmin'] == 1) {
            $isaudit = 0;
        }
        $isGroup = $new['group']->findCount('group', array(
            'groupname' => $groupname,
        ));
        if ($isGroup > 0) {
            tsNotice("That group name already exists, please choose another!");
        }
        $groupid = $new['group']->create('group', array(
            'userid'    => $userid,
            'groupname' => $groupname,   // key point: written to the database as-is, never filtered
            'groupdesc' => $groupdesc,
            'isaudit'   => $isaudit,
            'addtime'   => time(),
        ));
```
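The two code paths the comments above point at, written out as an added example in PHP. This is not ThinkSAAS code: `vulnerableGroupName()`, `hardenedGroupName()`, `renderGroupName()` and the payload string are hypothetical names constructed for the demonstration, and since `tsClean()` is not shown on this page its role is played by `strip_tags()` plus contextual output encoding. The point it makes is that the group name is a plain-text label, so markup in it is never legitimate, and that the durable fix is encoding at output, which also neutralises values that were already stored unfiltered.

```php
<?php
// Added example, not ThinkSAAS code. Contrasts the original handler's
// trim()-only path with a hardened one and shows why output encoding
// fixes the stored XSS regardless of what the input filter did.

// Constructed attacker input: what gets typed into the "group name" box.
const PAYLOAD = 'Security Club<img src=x onerror="alert(document.cookie)">';

// Vulnerable path, mirroring create.php: trim() and nothing else.
function vulnerableGroupName(string $input): string
{
    return trim($input);
}

// Hardened input handling (hypothetical replacement for the trim() line).
// Strip tags, drop control characters, collapse whitespace, cap the length.
function hardenedGroupName(string $input): string
{
    $name = strip_tags(trim($input));
    $name = preg_replace('/[\x00-\x1F\x7F]+/u', '', $name);
    $name = preg_replace('/\s+/u', ' ', $name);
    return mb_substr($name, 0, 50, 'UTF-8');
}

// Output encoding for an HTML text context. Every template that prints a
// group name (the post page and the settings page in the PoC below) should
// pass the stored value through this.
function renderGroupName(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// True when the stored value still carries markup that a template printing
// it raw would hand straight to the browser.
function containsMarkup(string $stored): bool
{
    return $stored !== strip_tags($stored);
}

$storedVuln = vulnerableGroupName(PAYLOAD);
$storedSafe = hardenedGroupName(PAYLOAD);

printf("Original handler stores:   %s\n", $storedVuln);
printf("  still contains markup:   %s\n", containsMarkup($storedVuln) ? 'yes' : 'no');
printf("Hardened handler stores:   %s\n", $storedSafe);
printf("  still contains markup:   %s\n", containsMarkup($storedSafe) ? 'yes' : 'no');
printf("Raw value, output-encoded: %s\n", renderGroupName($storedVuln));
```

Run it with `php example.php`. The original path stores the payload verbatim, the hardened path stores only `Security Club`, and the last line shows that even the verbatim value is inert once `htmlspecialchars()` turns `<` and `"` into entities, which is why the fix belongs in the templates as well as in create.php.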
### Proof of concept:
Steps to reproduce:
Log in - Groups - Create group; the group name field is not filtered.
[<img src="https://images.seebug.org/upload/201503/2617283608a22de7fba4d9ef683997c4b613bb44.png" alt="7.png" width="600">](https://images.seebug.org/upload/201503/2617283608a22de7fba4d9ef683997c4b613bb44.png)
After the group is created:
[<img src="https://images.seebug.org/upload/201503/261728574d3e71038c1106db1e20c424b5cd0d50.png" alt="8.png" width="600">](https://images.seebug.org/upload/201503/261728574d3e71038c1106db1e20c424b5cd0d50.png)
1. Click "Post a thread"; the stored payload fires.
[<img src="https://images.seebug.org/upload/201503/261729210aa24d2cf383b58db3ce93e953b04c0b.png" alt="9.png" width="600">](https://images.seebug.org/upload/201503/261729210aa24d2cf383b58db3ce93e953b04c0b.png)
2. Settings - Groups - Groups I created; it fires here as well.
[<img src="https://images.seebug.org/upload/201503/26172943a024ee700d3176f51728b36e4dc98ea8.png" alt="18.png" width="600">](https://images.seebug.org/upload/201503/26172943a024ee700d3176f51728b36e4dc98ea8.png)