phpcms v9.6.3 has a stored XSS vulnerability #1

Open
@trymonoly

Description

Code audit

While comparing phpcms v9.7.2 with the phpcms v9.6.3 I have installed, I found that v9.7.2 has the same stored XSS vulnerability, but this time I reproduced it under v9.6.3.

(screenshot)

(screenshot)

The figures above show the code in v9.7.2.

What follows is the form and analysis of the stored XSS vulnerability I found in v9.6.3.

Code analysis

Vulnerability location: Admin console => My panel => Modify personal information
Enter a real name:
(screenshot)
Because the front-end character limit is awkward, I submitted the parameter through Burp Suite instead.
(screenshot)
It is easy to see that no filtering at all is applied to the relname parameter.
(screenshot)
And it was successfully stored in our database.
(screenshot)
When I visit Admin console => My panel => Modify personal information again,
it goes into the following logic:
(screenshot)
The info record is fetched by $userid and output to the page, and the echo that outputs it does no encoding at all, which produces the stored XSS vulnerability.

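An added illustration of the two defects the report describes (unvalidated input, unencoded echo) beside their fixes. This is not phpcms code; the `$info` array, the field name `realname` (the report's "relname") and the 20-character cap are assumptions made for the example.

```php
<?php
// Added example, not phpcms code: the two defects the report describes and
// their fixes. $info, the field name 'realname' (the report's "relname") and
// the 20-character cap are assumptions for this illustration.

// Constructed sample of a record as it would come back from the $userid
// lookup after a markup value was submitted past the front-end limit.
$info = ['userid' => 1, 'realname' => '<script>alert(1)</script>'];

// Vulnerable output pattern (the report's unencoded echo): the stored
// string is concatenated straight into the admin page as markup.
function render_realname_unsafe(array $info): string
{
    return '<td>' . $info['realname'] . '</td>';
}

// Hardened output: encode for the HTML context at the point of output.
// ENT_QUOTES also covers attribute contexts; the charset is explicit so
// multi-byte input cannot be mis-decoded.
function render_realname_safe(array $info): string
{
    $enc = htmlspecialchars($info['realname'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . $enc . '</td>';
}

// Hardened input: the front-end limit the report bypassed with Burp Suite
// has to be enforced server-side as well. A real name is letters (any
// script, so CJK names pass), digits, spaces and a few punctuation marks;
// anything else is rejected rather than silently stripped.
function validate_realname(string $realname): bool
{
    $realname = trim($realname);
    if ($realname === '' || mb_strlen($realname, 'UTF-8') > 20) {
        return false;
    }
    return preg_match('/^[\p{L}\p{N} .\'-]+$/u', $realname) === 1;
}

// Unsafe rendering emits the script tag; safe rendering emits entities.
echo render_realname_unsafe($info), PHP_EOL;
echo render_realname_safe($info), PHP_EOL;
// The constructed payload fails validation; a plain CJK name passes.
var_dump(validate_realname($info['realname']));
var_dump(validate_realname('张三'));
```

Output encoding is the fix for the echo the report points at; input validation is the second layer and does not replace it, since other code paths may still write to the same column.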