### Brief description:
XSS
### Details:
Latest version of the official demo site: http://demo.cuumall.com/
Google dork: Power by CuuMall v2.3
Enter `<script>alert(1)></script>` in the address field:
![1.jpg](https://images.seebug.org/upload/201407/28115006281997c245febfb65d9992d7fb90372a.jpg)
The site responds with an "illegal injection" warning:
![2.jpg](https://images.seebug.org/upload/201407/2811502416e460822d4f8aab051507fd84cfb4bf.jpg)
Then change the address to `<h6 onmouseover=alert(document.cookie)>dz`:
![3.jpg](https://images.seebug.org/upload/201407/28115408ec1f318076f3413d7d9e96833993f410.jpg)
This reaches the admin backend: the filter only blocks the `<script>` tag, while the event-handler payload is stored with the order and executes when an administrator views it. Submit the order, then view it in the backend:
![4.jpg](https://images.seebug.org/upload/201407/2811570666c76338dd22ef0eaee1ad793442cd01.jpg)
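The root cause described above is a blacklist on `<script>` combined with no output encoding, so any tag carrying an `on*` event attribute passes the check and is rendered verbatim in the backend. The following is an added example, not CuuMall's code: it models the observed filter behaviour (an assumption, since the real check is not shown on the page), contrasts the vulnerable render path with one that HTML-encodes on output, and includes a small detection heuristic a reviewer could run over stored order fields.

```python
import html
import re

# Constructed inputs, copied from the report above: the first is the payload the
# blacklist rejects, the second is the event-handler variant that slips past it.
SCRIPT_PAYLOAD = "<script>alert(1)></script>"
HANDLER_PAYLOAD = "<h6 onmouseover=alert(document.cookie)>dz"


def blacklist_filter(value: str) -> bool:
    """Model of a '<script>'-only blacklist (assumption: the real CuuMall check is
    not on the page). Returns True when the input would be rejected as an
    'illegal injection'."""
    return re.search(r"<\s*script", value, re.IGNORECASE) is not None


def render_unsafe(address: str) -> str:
    """Vulnerable pattern: the stored address is interpolated into backend HTML
    unchanged, so whatever survived the input filter becomes live markup."""
    return f"<td>{address}</td>"


def render_safe(address: str) -> str:
    """Hardened pattern: HTML-encode at the point of output, independently of any
    input filtering. '<', '>', '&' and quotes become entities, so neither payload
    can open a tag or an attribute in the admin page."""
    return f"<td>{html.escape(address, quote=True)}</td>"


def contains_active_markup(rendered: str) -> bool:
    """Detection heuristic for stored fields or rendered backend pages: a tag with
    an on* attribute, or a script tag, surviving in the output means the payload
    would execute in the viewer's browser."""
    has_handler = re.search(r"<\w+[^>]*\son\w+\s*=", rendered, re.IGNORECASE)
    has_script = re.search(r"<\s*script", rendered, re.IGNORECASE)
    return has_handler is not None or has_script is not None


def evaluate(address: str) -> dict:
    """Runs one input through filter, vulnerable render and hardened render."""
    return {
        "rejected_by_blacklist": blacklist_filter(address),
        "unsafe_render_is_dangerous": contains_active_markup(render_unsafe(address)),
        "safe_render_is_dangerous": contains_active_markup(render_safe(address)),
    }


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, HANDLER_PAYLOAD):
        print(repr(payload), evaluate(payload))
```

The script payload is caught by the blacklist, but the `<h6 onmouseover=...>` payload is not, and only the encoded render neutralises it; that is why output encoding (or a whitelist-based sanitiser) rather than tag blacklisting is the fix.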
### Proof of vulnerability:
![4.jpg](https://images.seebug.org/upload/201407/2811570666c76338dd22ef0eaee1ad793442cd01.jpg)