概述
一、以前安装过,我这先验证下漏洞
注册普通账号权限:
进入到会员中心的短消息:
这里给管理员发送短消息:
管理员登录后点击我们发的消息:
直接实际测试:
我们后台已经拿到cookie了
利用获取的cookie成功登录admin账户:
二、好了分析源码:
elseif($job=='send')
{
// "send" job: step 2 is the submission that stores the message; any other
// step only renders the compose form (template/pm/send.htm).
// $job, $step, $touser, $title, $uid, $array, $postdb, $lfjuid, $lfjid,
// $webdb and $userDB are set by the surrounding script -- presumably request
// parameters plus the logged-in user's session; their origin is not visible here.
if($step==2)
{
// Resolve the recipient by user name; showerr() presumably aborts the request.
$rsdb=$userDB->get_passport($touser,'name');
if(!$rsdb)
{
showerr("当前用户不存在");
}
if(!$title){
showerr("标题不能为空");
}
// Byte length (strlen), not character count. This reads $array[title] before
// it is assigned below, so whatever value it holds here comes from outside
// this excerpt.
if(strlen($array[title])>100){
showerr("标题太长了!");
}
$array[touid]=$rsdb[uid];
$array[fromuid]=$lfjuid;
$array[fromer]=$lfjid;
// The title passes through filtrate() (not shown); the body below does not.
$array[title]=filtrate($title);
//Handling done for the Firefox browser: rewrite relative upload paths
//("../updir/") to absolute URLs under www_url.
$postdb[content] = str_replace("=\"../$webdb[updir]/","=\"$webdb[www_url]/$webdb[updir]/",$postdb[content]);
// The only treatment of the body before storage is a two-item blacklist:
// the substring "javascript" is split, and <iframe ...> is rewritten -- but
// as listed the replacement "<iframe \1>" reproduces the match unchanged,
// so it has no effect (something may have been lost in the listing).
// Nothing is HTML-encoded and no tag/attribute allow-list is applied, so
// the stored content must be treated as untrusted HTML and encoded (or
// sanitised against an allow-list) wherever it is rendered.
$postdb[content] = preg_replace('/javascript/i','java script',$postdb[content]);
$postdb[content] = preg_replace('/<iframe ([^<>]+)>/i','<iframe \1>',$postdb[content]);
// stripslashes() here is undone by addslashes() inside pm_msgbox().
$array[content] = stripslashes($postdb[content]);
pm_msgbox($array);
refreshto("?job=list","发送成功",1);
}
// Pre-fill the recipient name when a uid was supplied.
if($uid){
$rsdb = $userDB->get_passport($uid);
$username = $rsdb[username];
}
require(dirname(__FILE__)."/"."head.php");
require(dirname(__FILE__)."/"."template/pm/send.htm");
require(dirname(__FILE__)."/"."foot.php");
}
搜索 function pm_msgbox(
//发站内消息
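/**
 * Store one private message ("站内消息") for the recipient in $array['touid'].
 *
 * The backend is selected by configuration:
 *   - pwbbs passport and no $db_modes: PHPWind {$TB_pre}msg (plus msgc when
 *     that table exists), then the recipient's newpm flag is set via $userDB;
 *   - UC_CONNECT defined: delegated to uc_pm_send();
 *   - otherwise: the local `{$pre}pm` table.
 *
 * @param array $array keys: touid, fromuid, fromer (sender name), title,
 *                     content. title/content arrive raw and are addslashes()'d
 *                     here because every query below is built by interpolation.
 * @return void On an over-long title showerr() is called (presumably it
 *              terminates the request; not visible from this file).
 *
 * Security: nothing here HTML-encodes or sanitises the body -- the row is
 * stored as submitted, so the read path must encode it before rendering.
 * addslashes() is the only SQL escaping and is charset-dependent; if $db
 * offers bound parameters, the INSERTs should use them instead.
 */
function pm_msgbox($array)
{
    global $db, $pre, $timestamp, $webdb, $TB_pre, $TB, $userDB, $db_modes;

    $array['content'] = addslashes($array['content']);
    $array['title'] = addslashes($array['title']);

    // Title limits below are byte lengths measured after addslashes(), so
    // escaped characters count double (130 bytes ~= 65 double-byte characters).
    // NOTE: ereg() was removed in PHP 7; preg_match('/^pwbbs/', ...) is the
    // drop-in replacement (kept as-is to match the rest of this file).
    if (ereg("^pwbbs", $webdb['passport_type']) && !is_array($db_modes)) {
        if (strlen($array['title']) > 130) {
            showerr("标题不能大于65个汉字");
        }
        if (is_table("{$TB_pre}msgc")) {
            // Newer PHPWind schema: header row in msg, body in msgc keyed by mid.
            $db->query("INSERT INTO {$TB_pre}msg (`touid`,`fromuid`, `username`, `type`, `ifnew`, `mdate`) VALUES ('$array[touid]','$array[fromuid]', '$array[fromer]', 'rebox', '1', '$timestamp')");
            $mid = $db->insert_id();
            $db->query("INSERT INTO {$TB_pre}msgc (`mid`, `title`, `content`) VALUES ('$mid','$array[title]','$array[content]')");
        } else {
            $db->query("INSERT INTO {$TB_pre}msg (`touid`,`fromuid`, `username`, `type`, `ifnew`, `title`, `mdate`, `content`) VALUES ('$array[touid]','$array[fromuid]', '$array[fromer]', 'rebox', '1', '$array[title]', '$timestamp', '$array[content]')");
        }
        // Flag the recipient as having unread mail; a fresh array so the
        // message fields are not passed on to edit_pw_member().
        $userDB->edit_pw_member(array(
            'uid' => $array['touid'],
            'newpm' => 1,
        ));
    } elseif (defined("UC_CONNECT")) {
        if (strlen($array['title']) > 75) {
            showerr("标题不能大于32个汉字");
        }
        // Fix: the original wrapped each argument in single quotes, so the
        // literal text "$array[fromuid]" etc. was sent instead of the values.
        // title/content have already been addslashes()'d above -- presumably
        // intended for the SQL paths only; confirm what uc_pm_send() expects.
        uc_pm_send($array['fromuid'], $array['touid'], $array['title'], $array['content'], 1, 0, 1);
    } else {
        if (strlen($array['title']) > 130) {
            showerr("标题不能大于65个汉字");
        }
        $db->query("INSERT INTO `{$pre}pm` (`touid`,`fromuid`, `username`, `type`, `ifnew`, `title`, `mdate`, `content`) VALUES ('$array[touid]','$array[fromuid]', '$array[fromer]', 'rebox', '1', '$array[title]', '$timestamp', '$array[content]')");
    }
}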
没有过滤xss,content直接插入数据库了
然后在读取内容的时候,代码如下:
elseif($job=='read')
{
// "read" job: load one message ($mid) from the current user's inbox
// ($lfjuid), clear its unread flag and render template/pm/read.htm.
// $mid, $newpw, $lfjuid, $lfjid, $webdb, $db_modes, $pre, $TB_pre, $db and
// $userDB come from the surrounding script. No cast or escaping of $mid is
// visible in this excerpt; if it is a request parameter it should be forced
// to an integer (intval) before reaching these queries.
if( ereg("^pwbbs",$webdb[passport_type]) &&!is_array($db_modes) )
{
// PHPWind backend: the newer schema keeps the body in msgc, joined on mid.
if($newpw){
$SQL="SELECT A.*,B.* FROM {$TB_pre}msg A LEFT JOIN {$TB_pre}msgc B ON A.mid=B.mid WHERE A.`touid`='$lfjuid' AND A.type='rebox' AND A.mid='$mid'";
}else{
$SQL="SELECT * FROM {$TB_pre}msg WHERE `touid`='$lfjuid' AND type='rebox' AND mid='$mid'";
}
$db->query("UPDATE {$TB_pre}msg SET `ifnew`=0 WHERE `touid`='$lfjuid' AND type='rebox' AND mid='$mid'");
// Clear the member's newpm flag once nothing unread remains.
$rs=$db->get_one("SELECT * FROM {$TB_pre}msg WHERE `touid`='$lfjuid' AND type='rebox' AND ifnew=1");
if(!$rs){
$array=array(
'uid'=>$lfjuid,
'username'=>$lfjid,
'newpm'=>0
);
$userDB->edit_pw_member($array);
}
}
else
{
// Local `{$pre}pm` table.
$SQL="SELECT * FROM `{$pre}pm` WHERE `touid`='$lfjuid' AND type='rebox' AND mid='$mid'";
$db->query("UPDATE `{$pre}pm` SET `ifnew`=0 WHERE `touid`='$lfjuid' AND type='rebox' AND mid='$mid'");
}
$rsdb=$db->get_one($SQL);
$rsdb[mdate]=date("Y-m-d H:i",$rsdb[mdate]);
require_once(ROOT_PATH."inc/encode.php");
// The body is rendered as HTML: format_text() -> convert() only rewrites
// BBCode-style tags and never HTML-encodes, so whatever the send path stored
// reaches the template as live markup. This is where the stored content
// needs encoding or allow-list sanitisation.
$rsdb[content]=format_text($rsdb[content]);
require(dirname(__FILE__)."/"."head.php");
require(dirname(__FILE__)."/"."template/pm/read.htm");
require(dirname(__FILE__)."/"."foot.php");
}
/**
 * Render a stored message body for display.
 *
 * Thin wrapper over convert() with its default arguments ($allow = '',
 * $type = "post"), i.e. BBCode-to-HTML conversion only; no HTML escaping
 * happens anywhere on this path.
 *
 * @param string $message raw message body as read from the database
 * @return string HTML
 */
function format_text($message)
{
    $html = convert($message);

    return $html;
}
/**
 * Convert a stored message body from the site's BBCode-style markup to HTML.
 *
 * Processing order: [code] blocks out via phpcode(); line-ending cleanup and
 * <br> insertion; [u]/[b]/[i]/[list]/[*] to tags; autoimg(); the
 * [font]/[color]/[email]/[size]/[fly]/[move]/[align]/[glow] regex table;
 * [img] via cvpic(); [url] via cvurl() (only when a closing tag is present);
 * [flash]/[swf] to <object>/<embed>; for $type "post" also [wmv]/[rm],
 * [iframe] (full embed when $allow permits, otherwise a plain link) and
 * [quote] via qoute(); finally the [tbbs_code_N] placeholders are swapped back.
 *
 * @param string       $message raw body
 * @param array|string $allow   feature switches read as $allow['mpeg'] and
 *                              $allow['iframe']; format_text() passes the ''
 *                              default, so both are falsy on that path
 * @param string       $type    only "post" enables the media/iframe/quote step
 * @return string HTML
 *
 * Review notes:
 *  - The listing seems to have lost backslashes in extraction: "r"/"n" in
 *    the str_replace calls (presumably "\r"/"\n"), [code]/[img]/[url]/...
 *    inside patterns (character classes as written; presumably \[code\]
 *    etc.) and S+?/s* (presumably \S+?/\s*). The [flash], [swf] and [rm]
 *    replacement strings also contain unescaped double quotes inside
 *    double-quoted strings. Read the patterns below as approximate.
 *  - Several patterns use the /e modifier, which evaluates the replacement
 *    string as PHP after substituting the captures. It was deprecated in
 *    PHP 5.5 and removed in 7.0; preg_replace_callback() is the replacement.
 *    The callees (phpcode, cvpic, cvurl, qoute) are not in this listing and
 *    must treat the captured text as untrusted.
 *  - Captured values ([^[]*, .+?, S+?) are written directly into attribute
 *    positions (href, src, color, style, <object> params, IFRAME SRC),
 *    mostly unquoted and without any encoding, and nothing in this function
 *    HTML-encodes the surrounding text. The output is therefore only as
 *    trustworthy as the stored input; since the send path stores bodies
 *    unencoded, this is where a stored-XSS fix (encode first, then convert
 *    an allow-list of tags) belongs.
 */
function convert($message,$allow='',$type="post")
{
global $code_num,$code_htm,$updir,$powerck,$N_path,$badword,$usr_style,$webdb;
// Reset the [code] placeholder bookkeeping; nothing in this function adds
// entries to $code_htm, so they presumably come from phpcode().
$code_num=0;
$code_htm=array();
if(strpos($message,"[code]") !== false && strpos($message,"[/code]") !== false){
// /e: phpcode() runs on each block; expected to leave a [tbbs_code_N] placeholder.
$message=preg_replace("/[code](.+?)[/code]/eis","phpcode('\1')",$message);
}else{//1
// As listed these delete every "r" and turn every "n" into <br>;
// presumably "\r" / "\n" in the original.
$message=str_replace("r","",$message);
$message=str_replace(">n",">",$message);
// Drop stray text between a closing tag and the next <td>/<tr>.
$message=preg_replace("/(>)([^<]*)(<td)/","\1\3",$message);
$message=preg_replace("/(/td>)([^<]*)(</tr)/","\1\3",$message);
$message=preg_replace("/(>)([^<]*)(<tr)/","\1\3",$message);
$message=str_replace("n","<br>",$message);
// Plain tag substitutions. Note [list=1]/[list=a]/[list=A] open <ol> but
// [/list] always closes with </ul>.
$message =str_replace("[u]","<u>",$message);
$message =str_replace("[/u]","</u>",$message);
$message =str_replace("[b]","<b>",$message);
$message =str_replace("[/b]","</b>",$message);
$message =str_replace("[i]","<i>",$message);
$message =str_replace("[/i]","</i>",$message);
$message =str_replace("[list]","<ul>",$message);
$message =str_replace('[list=1]', '<ol type=1>', $message);
$message =str_replace('[list=a]', '<ol type=a>', $message);
$message =str_replace('[list=A]', '<ol type=A>', $message);
$message =str_replace('[*]', '<li>', $message);
$message =str_replace("[/list]","</ul>",$message);
//$message =str_replace("><IMG","><IMG onload='if(this.width>screen.width-460)this.width=screen.width-460' onmousewheel='return bbimg(this)' ",$message);
$message = autoimg($message);
//Mainly kept for compatibility with older versions
//$message = str_replace("[www_mmcbbs_com]",$webdb[www_url]."/".$webdb[updir]."/",$message);
//$message= preg_replace("/[UploadFile=s*(S+?)s*]/is","<IMG onload='if(this.width>screen.width-460)this.width=screen.width-460' src=./oldpic/\1 ><br>",$message);
/*
if($webdb['filtrate_content']){
$detail=explode("rn",$webdb['filtrate_content']);
for($i=0;$i<count($detail);$i++){
$detail2=explode("|",$detail[$i]);
$message =str_replace($detail2[0],"<font color=#FF00FF>$detail2[1]</font>",$message);
}
}
*/
// Regex table: the \1/\2/... captures are placed into attribute values
// (face, color, mailto:, size, Align, style) without encoding.
$searcharray = array(
"/[font=([^[]*)](.+?)[/font]/is",
"/[color=([#0-9a-z]{1,10})](.+?)[/color]/is",
"/[email=([^[]*)](.+?)[/email]/is",
"/[email]([^[]*)[/email]/is",
"/[size=([^[]*)](.+?)[/size]/is",
"/([fly])(.+?)([/fly])/is",
"/([move])(.+?)([/move])/is",
"/([align=)(left|center|right)(])(.+?)([/align])/is",
"/([glow=)(S+?)(,)(.+?)(,)(.+?)(])(.+?)([/glow])/is"
//"/[url=([^[]*)](.+?)[/url]/is",
//"/[url]([^[]*)[/url]/is"
);
$replacearray = array(
"<font face='\1'>\2</font>",
"<font color='\1'>\2</font>",
"<a href='mailto:\1'>\2</a>",
"<a href='mailto:\1'>\1</a>",
"<font size='\1'>\2</font>",
"<marquee width=90% behavior=alternate scrollamount=3>\2</marquee>",
"<marquee scrollamount=3>\2</marquee>",
"<DIV Align=\2>\4</DIV>",
"<span style='WIDTH:\2;filter:glow(color=\4, strength=\6)'>\8</span>"
//"<a target=_blank href='\1'>\2</a>",
//"<a target=_blank href='\1'>\1</a>"
);
$message=preg_replace($searcharray,$replacearray,$message);
//if ($allow['pic']){
// /e: cvpic() (not shown) builds the <img> for each [img] body.
$message = preg_replace("/[img](.+?)[/img]/eis","cvpic('\1')",$message);
//} else{
// $message = preg_replace("/[img](.+?)[/img]/eis","nopic('\1')",$message);
//}
// [url] handling only when a closing tag is present; cvurl() (/e again)
// receives scheme and remainder separately for the [url=...] form.
if(strpos($message,'[/URL]')!==false || strpos($message,'[/url]')!==false){
$searcharray = array(
"/[url=(https?|ftp|gopher|news|telnet|mms|rtsp)([^[]*)](.+?)[/url]/eis",
"/[url]www.([^[]*)[/url]/eis",
//"/[url][^www.]([^[]*)[/url]/eis",
"/[url](https?|ftp|gopher|news|telnet|mms|rtsp)([^[]*)[/url]/eis"
);
$replacearray = array(
"cvurl('\1','\2','\3')",
"cvurl('\1')",
//"cvurl('\1')",
"cvurl('\1','\2')",
);
$message=preg_replace($searcharray,$replacearray,$message);
}
//if ($allow['flash']){
// [flash=W,H]src[/flash] and [swf]src[/swf] become <object>/<embed>; the
// captured src lands in MOVIE/SRC/href unquoted. (As listed, the inner
// double quotes in these replacement strings are unescaped.)
$message = preg_replace("/([flash=)(S+?)(,)(S+?)(])(S+?)([/flash])/is","<OBJECT CLASSID="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" WIDTH=\2 HEIGHT=\4><PARAM NAME=MOVIE VALUE=\6><PARAM NAME=PLAY VALUE=TRUE><PARAM NAME=LOOP VALUE=TRUE><PARAM NAME=QUALITY VALUE=HIGH><EMBED SRC=\6 WIDTH=\2 HEIGHT=\4 PLAY=TRUE LOOP=TRUE QUALITY=HIGH></EMBED></OBJECT><br />[<a target=_blank href=\6>Full Screen</a>] ",$message);
//$message = preg_replace("/([swf])(S+?)([/swf])/is","<OBJECT CLASSID="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" WIDTH=600 HEIGHT=400><PARAM NAME=MOVIE VALUE=\1><PARAM NAME=PLAY VALUE=TRUE><PARAM NAME=LOOP VALUE=TRUE><PARAM NAME=QUALITY VALUE=HIGH><EMBED SRC=\1 WIDTH=600 HEIGHT=400 PLAY=TRUE LOOP=TRUE QUALITY=HIGH></EMBED></OBJECT><br />[<a target=_blank href=\1>Full Screen</a>] ",$message);
$message= preg_replace("/[swf]s*(S+?)s*[/swf]/is","<OBJECT CLASSID="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" WIDTH=600 HEIGHT=400><PARAM NAME=MOVIE VALUE=\1><PARAM NAME=PLAY VALUE=TRUE><PARAM NAME=LOOP VALUE=TRUE><PARAM NAME=QUALITY VALUE=HIGH><EMBED SRC=\1 WIDTH=600 HEIGHT=400 PLAY=TRUE LOOP=TRUE QUALITY=HIGH></EMBED></OBJECT><br />[<a target=_blank href=\1>Full Screen</a>] <br>",$message);
//}else{
// $message = preg_replace("/([flash=)(S+?)(,)(S+?)(])(S+?)([/flash])/is","<img src='./images/default/swf.gif' align='absbottom'> <a target=_blank href=\6>flash: \6</a>",$message);
//}
// Media, iframe and quote handling only for $type "post".
if($type=="post"){
// $allow['mpeg'] is falsy for the '' default, so the link-only branch runs.
if($allow['mpeg']){
$message = preg_replace("/[wmv]s*(S+?)s*[/wmv]/is","<CENTER><object classid='clsid:22D6F312-B0F6-11D0-94AB-0080C74C7E95' type='application/x-oleobject' width=350 height=280 align='middle' standby='Loading Microsoft?Windows?Media Player components...' id='MediaPlayer1'>
<param name='transparentAtStart' value='True'>
<param name='transparentAtStop' value='True'>
<param name='AnimationAtStart' value='Ture'>
<param name='AutoStart' value='True'>
<param name='AutoRewind' value='true'>
<param name='DisplaySize' value='0'>
<param name='AutoSize' value='false'>
<param name='ShowDisplay' value='false'>
<param name='ShowStatusBar' value='1'>
<param name='ShowControls' value='ture'>
<param name='FileName' value='\1'>
<param name='Volume' value='0'>
<embed src='' width='350' height=280 autostart='True' align='middle' transparentatstart='True' transparentatstop='True' animationatstart='Ture' autorewind='true' displaysize='0' autosize='false' showdisplay='False' showstatusbar='-1' showcontrols='ture' filename='\1' volume='0'>
</embed>
</object></CENTER>",$message);
$message = preg_replace("/[rm]s*(S+?)s*[/rm]/is","<object classid=clsid:CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA height=241 id=Player width=316 VIEWASTEXT><param name="_ExtentX" value="12726"><param name="_ExtentY" value="8520"><param name="AUTOSTART" value="0"><param name="SHUFFLE" value="0"><param name="PREFETCH" value="0"><param name="NOLABELS" value="0"><param name="CONTROLS" value="ImageWindow"><param name="CONSOLE" value="_master"><param name="LOOP" value="0"><param name="NUMLOOP" value="0"><param name="CENTER" value="0"><param name="MAINTAINASPECT" value="\1"><param name="BACKGROUNDCOLOR" value="#000000"></object><br><object classid=clsid:CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA height=32 id=Player width=316 VIEWASTEXT><param name="_ExtentX" value="18256"><param name="_ExtentY" value="794"><param name="AUTOSTART" value="1"><param name="SHUFFLE" value="0"><param name="PREFETCH" value="0"><param name="NOLABELS" value="0"><param name="CONTROLS" value="controlpanel"><param name="CONSOLE" value="_master"><param name="LOOP" value="0"><param name="NUMLOOP" value="0"><param name="CENTER" value="0"><param name="MAINTAINASPECT" value="0"><param name="BACKGROUNDCOLOR" value="#000000"><param name="SRC" value="\1"></object>",$message);
}else{
$message = preg_replace("/([wmv])(S+?)([/wmv])/is","<img src='./images/default/music.gif' align='absbottom'> <a target=_blank href='\2'>\2</a>",$message);
$message = preg_replace("/([rm])(S+?)([/rm])/is","<img src='./images/default/music.gif' align='absbottom'> <a target=_blank href='\2'>\2</a>",$message);
}
// With $allow['iframe'] set, the captured value becomes an unquoted
// IFRAME SRC; otherwise it is shown as a link only.
if ($allow['iframe']) {
$message = preg_replace("/[iframe]s*(S+?)s*[/iframe]/is","<IFRAME SRC=\1 FRAMEBORDER=0 ALLOWTRANSPARENCY=true SCROLLING=YES WIDTH=97% HEIGHT=340></IFRAME>",$message);
}else{
$message = preg_replace("/([iframe])(S+?)([/iframe])/is","Iframe Close: <a target=_blank href='\2'>\2</a>",$message);
}
//The position of this step must not be changed ([quote] handling comes last).
if (strpos($message,"[quote]") !== false && strpos($message,"[/quote]") !== false){
$message=preg_replace("/[quote](.+?)[/quote]/eis","qoute('\1')",$message);
}
}
}//1
// Restore extracted [code] blocks. $code_htm is always an array here (reset
// above); krsort restores higher-numbered placeholders first.
if(is_array($code_htm)){
krsort($code_htm);
foreach($code_htm as $key1=>$codehtm){
foreach($codehtm as $key=>$value){
// "$keyt" looks like a typo for "$key": as written it is an undefined
// variable, so the placeholder name is "[tbbs_code_]" and nothing is
// restored -- verify against the upstream source.
$message=str_replace("[tbbs_code_$keyt]",$value,$message);
}
}
}
return $message;
}
最后