DouPHP存储型XSS一枚可打后台管理

### 简要描述： xss ### 详细说明： 漏洞文件：admin/login.php:68行 ``` $query = $dou->select($dou->table(admin), '*', "user_name = '$_POST[user_name]'"); $user = $dou->fetch_array($query); if (!is_array($user)) { $dou->create_admin_log($_LANG['login_action'] . ": " . $_POST['user_name'] . " ( " . $_LANG['login_user_name_wrong'] . " ) "); $dou->dou_msg($_LANG['login_input_wrong'], 'login.php', 'out'); exit; } elseif (md5($_POST['password']) != $user['password']) { if ($_POST['password']) { $dou->create_admin_log($_LANG['login_action'] . ": " . $_POST['user_name'] . " ( " . $_LANG['login_password_wrong'] . " ) "); } $dou->dou_msg($_LANG['login_input_wrong'], 'login.php', 'out'); exit; } ``` 可以看到当用户名或密码错误时有一次create_admin_log操作： admin/include/action.class.php:210行 ``` function create_admin_log($action) { $create_time = time(); $ip = $this->get_ip(); $sql = "INSERT INTO " . $this->table('admin_log') . " (id, create_time, user_id, action ,ip)" . " VALUES (NULL, '$create_time', '$_SESSION[user_id]', '$action', '$ip')"; $this->query($sql); } ``` 记录相关信息到admin_log中，我们来看看ip来自get_ip() include/common.class.php:122行 ``` function get_ip() { static $ip; if (isset ($_SERVER)) { if (isset ($_SERVER["HTTP_X_FORWARDED_FOR"])) { $ip = $_SERVER["HTTP_X_FORWARDED_FOR"]; } else if (isset ($_SERVER["HTTP_CLIENT_IP"])) { $ip = $_SERVER["HTTP_CLIENT_IP"]; } else { $ip = $_SERVER["REMOTE_ADDR"]; } } else { if (getenv("HTTP_X_FORWARDED_FOR")) { $ip = getenv("HTTP_X_FORWARDED_FOR"); } else if (getenv("HTTP_CLIENT_IP")) { $ip = getenv("HTTP_CLIENT_IP"); } else { $ip = getenv("REMOTE_ADDR"); } } return $ip; } ``` XFF,本来想用来注入的，但是不报错，而且每次都要输验证码，转而想到XSS,于是发现后台操作记录查看的地方会有get_admin_log操作 ``` function get_admin_log($user_id = '', $num = '') { if ($user_id) { $where = " WHERE user_id = " . $user_id; } if ($num) { $limit = " LIMIT $num"; } $sql = "SELECT * FROM " . $this->table('admin_log') . $where . " ORDER BY id DESC" . $limit; $query = $this->query($sql); while ($row = $this->fetch_array($query)) { $create_time = date("Y-m-d", $row[create_time]); $user_name = $this->get_one("SELECT user_name FROM " . $this->table('admin') . " WHERE user_id = " . $row['user_id']); $log_list[] = array ( "id" => $row['id'], "create_time" => $create_time, "user_name" => $user_name, "action" => $row['action'], "ip" => $row['ip'] ); } return $log_list; } ``` 同样没做什么过滤， 由于数据库中IP字段长度限制，所以构造多次payload: 1、 ``` */</script> ``` 2、 ``` */alert(2)/* ``` 3、 ``` <script>/* ``` 由于按时间排序，所以顺序相反，分多次插入，中间用/**/注释，代码成功执行， [<img src="https://images.seebug.org/upload/201407/0114250007edde3018f698c9a327a039d57b52d5.png" alt="QQ20140701-1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/0114250007edde3018f698c9a327a039d57b52d5.png) 当然用到IP地方有很多处，也请厂商自己修正下。 ### 漏洞证明： [<img src="https://images.seebug.org/upload/201407/0114250007edde3018f698c9a327a039d57b52d5.png" alt="QQ20140701-1.png" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/0114250007edde3018f698c9a327a039d57b52d5.png)