phpmps stored XSS, verified on the vendor demo (requires a click)

Vulnerability author:

hello

Details:

Main vulnerable source code

case 'updateinfo':
        $id       = intval($_POST['id']);
        checkInfoUser($id, trim($_REQUEST['password']));

        $title    = $_POST['title'] ? htmlspecialchars_deep(trim($_POST['title'])) : '';
        $areaid   = $_POST['areaid'] ? intval($_POST['areaid']) : '';
        $enddate  = !empty($_POST['enddate']) ? (intval($_POST['enddate']*3600*24)) + time() : '0';
        $content  = $_POST['content'] ? htmlspecialchars_deep(trim($_POST['content'])) : '';
        $linkman  = $_POST['linkman'] ? htmlspecialchars_deep(trim($_POST['linkman'])) : '';
        $phone    = $_POST['phone'] ? trim($_POST['phone']) : ''; // not passed through the html escaping function
        $qq       = $_POST['qq'] ? intval($_POST['qq']) : '';
        $email    = $_POST['email'] ? htmlspecialchars_deep(trim($_POST['email'])) : '';
        $address  = $_POST['address'] ? trim($_POST['address']) : ''; // also stored unescaped
        $mappoint = $_POST['mappoint'] ? trim($_POST['mappoint']) : ''; // also stored unescaped

        if(empty($title))showmsg("标题不能为空");
        if(empty($phone) && empty($qq) && empty($email))showmsg("电话、qq、email,必须填写一项");
        check_words(array($title,$content));

        $items = array(
                'areaid' => $areaid,
                'title' => $title,
                'content' => $content,
                'linkman' => $linkman,
                'email' => $email,
                'qq' => $qq,
                'phone' => $phone,
                'mappoint' => $mappoint,
                'address' => $address,
                'enddate' => $enddate
        );
        $res = editInfo($items, $_POST['cus_value'], $id);

        $res ? $msg="恭喜您,修改成功!" : $msg="抱歉修改失败,请与客服联系。";
        $link = "view.php?id=$id";
        showmsg($msg, $link);
break;
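One way to close the gap in the branch above, as an added example that is not phpmps code: validate the phone number against a whitelist before storing it, and escape the other free-text fields with ENT_QUOTES so that a single quote (the character the demo payload depends on) is encoded too. The function names sanitize_phone and escape_text are hypothetical; showmsg is the application's own helper seen above.

```php
<?php
// Added example, not part of phpmps. Replaces the raw trim() assignments for
// phone, address and mappoint in the 'updateinfo' branch.

// Accept only characters found in real phone numbers; anything else is rejected
// rather than escaped, so no markup or script fragment can ever be stored.
function sanitize_phone(string $raw): ?string
{
    $phone = trim($raw);
    if ($phone === '') {
        return '';
    }
    // digits, spaces, '+', '-', '(' and ')' only, with a bounded length
    if (!preg_match('/^[0-9+\-() ]{3,20}$/', $phone)) {
        return null; // caller treats null as a validation failure
    }
    return $phone;
}

// Escape free-text fields for an HTML context. ENT_QUOTES also encodes the
// single quote; without it a value like ');alert(' survives intact inside a
// single-quoted attribute. Output into a JavaScript string still needs
// json_encode() at the rendering site, because HTML escaping is not JS escaping.
function escape_text(string $raw): string
{
    return htmlspecialchars(trim($raw), ENT_QUOTES, 'UTF-8');
}

// Usage inside the updateinfo branch (constructed example):
$phone = sanitize_phone($_POST['phone'] ?? '');
if ($phone === null) {
    showmsg("Invalid phone number format");
}
$address  = escape_text($_POST['address'] ?? '');
$mappoint = escape_text($_POST['mappoint'] ?? '');
```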
 

Proof of concept:



Register any user account and log in to the official demo site.



In the personal center, click Publish.

Enter any content, then click My Information.

Click Edit.



In the mobile phone field, enter

');alert('xss
 

Then confirm.



Then view the published entry.



Click the "look up number location" button and the alert box pops up.
