ThinkSAAS最新版2.4 Xss漏洞 指谁打谁

### 简要描述： thinksaas2.4+php2.6+apache2 未过滤 感谢@xfkxfk ### 详细说明： 先看消息写入代码： /var/www/html/thinksaas/app/user/action/message.php ``` case "do": $msg_userid = $userid; $msg_touserid = intval($_POST['touserid']); $msg_content = tsFilter($_POST['content']); //用tsFilter过滤 aac('system')->antiWord($msg_content); //过滤垃圾词 aac('message')->sendmsg($msg_userid,$msg_touserid,$msg_content); /× //发送消息 public function sendmsg($userid,$touserid,$content){ $userid = intval($userid); $touserid = intval($touserid); $content = str_replace(SITE_URL,'[SITE_URL]',$content); $content = addslashes(trim($content)); if($touserid && $content){ $messageid = $this->create('message',array( 'userid' => $userid, 'touserid' => $touserid, 'content' => $content, 'addtime' => time(), )); } } } ×/ header("Location: ".tsUrl('message','my')); break; } ``` /var/www/html/thinksaas/thinksaas/tsFunction.php ``` function tsFilter($value) { $value = trim($value); //定义不允许提交的SQl命令和关键字 $words = array(); $words[] = "add "; $words[] = "and "; $words[] = "count "; $words[] = "order "; $words[] = "table "; $words[] = "by "; $words[] = "create "; $words[] = "delete "; $words[] = "drop "; $words[] = "from "; $words[] = "grant "; $words[] = "insert "; $words[] = "select "; $words[] = "truncate "; $words[] = "update "; $words[] = "use "; $words[] = "--"; $words[] = "#"; $words[] = "group_concat"; $words[] = "column_name"; $words[] = "information_schema.columns"; $words[] = "table_schema"; $words[] = "union "; $words[] = "where "; $words[] = "alert"; $value = strtolower($value); //转换为小写 foreach ($words as $word) { if (strstr($value, $word)) { $value = str_replace($word, '', $value); } } return $value; } ``` 可以看到只过滤了一些sql注入关键字，问题是仅仅过滤了一遍。继续来看取出有没有过滤 /var/www/html/thinksaas/app/message/action/my.php ``` <?php defined('IN_TS') or die('Access Denied.'); $arrMsg = $new['message']->findAll('message',array( 'touserid'=>$strUser['userid'], 'isread'=>'0', )); foreach($arrMsg as $key=>$item){ //可以看到没编码也没过滤 $arrMsg[$key]['content'] = str_replace('[SITE_URL]',SITE_URL,$item['content']); if($item['userid']){ $arrMsg[$key]['user'] = aac('user')->getOneUser($item['userid']); } } $title = '我的消息盒子'; include template("my"); ``` ### 漏洞证明： [<img src="https://images.seebug.org/upload/201512/251050037b33243aa7b137ec894b0b57dead9cc0.png" alt="th1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201512/251050037b33243aa7b137ec894b0b57dead9cc0.png) [<img src="https://images.seebug.org/upload/201512/251050100ea4af784d78f3b527a6284d7c4ce5c7.png" alt="th2.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201512/251050100ea4af784d78f3b527a6284d7c4ce5c7.png) [<img src="https://images.seebug.org/upload/201512/2510501768a505f10bf7a6cc536767efc4eb5a13.png" alt="th4.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201512/2510501768a505f10bf7a6cc536767efc4eb5a13.png) [<img src="https://images.seebug.org/upload/201512/251050240441e4513c29d059c2b6ba34d0c65aef.png" alt="th5.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201512/251050240441e4513c29d059c2b6ba34d0c65aef.png)